CVE-2026-27056 WordPress iThemes Sync plugin <= 3.2.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in StellarWP iThemes Sync ithemes-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iThemes Sync: from n/a through = 3.2.8...

CVE-2026-2284

CVE-2026-2284 concerns the News Element Elementor Blog Magazine plugin for WordPress (

CVE-2026-2284 News Element Elementor Blog Magazine <= 1.0.8 - Missing Authorization to Authenticated (Subscriber+) Data Loss

The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce verification on the 'necleandata' AJAX action. This makes it possible for authenticated attackers,...

CVE-2026-2284 News Element Elementor Blog Magazine <= 1.0.8 - Missing Authorization to Authenticated (Subscriber+) Data Loss

The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce verification on the 'necleandata' AJAX action. This makes it possible for authenticated attackers,...

CVE-2025-14357 Mega Store Woocommerce <= 5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setupwidgets function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, wit...

CVE-2026-0974

The CVE affects the WordPress plugin Orderable (Restaurant Online Ordering System) up to version 1.20.0. A missing capability check in the install_plugin function allows authenticated attackers with Subscriber-level access and above to install arbitrary plugins, which can lead to Remote Code Exec...

CVE-2026-0974 Orderable <= 1.20.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'installplugin' function in all versions up to, and including, 1.20.0. This makes it possible for...

CVE-2025-14427

CVE-2025-14427 affects the Shield: Blocks Bots, Protects Users, and Prevents Security Breaches WordPress plugin (Shield Security) with versions up to 21.0.9. Root cause is a missing capability check on the MfaEmailDisable action, enabling authenticated attackers with Subscriber-level access or hi...

CVE-2025-13091 Shopire <= 1.0.57 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install

The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopireadmininstallplugin function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...

CVE-2025-13091 Shopire <= 1.0.57 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install

The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopireadmininstallplugin function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...

CVE-2025-13091

CVE-2025-13091 refers to the WordPress Shopire theme (Shopire) with versions up to and including 1.0.57, where a missing capability check in shopire_admin_install_plugin() allows authenticated users with Subscriber-level access and above to install the external plugin “fable-extra”, enabling unau...

CVE-2025-14864

CVE-2025-14864 concerns Virusdie – One-click website security (WordPress) up to version 1.1.7. The vulnerability arises from missing capability checks on the vd_get_apikey function, which is hooked to wp_ajax_virusdie_apikey. This allows authenticated attackers with Subscriber-level access and ab...

CVE-2025-4521 IDonate 2.1.5 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via idonate_donor_profile Function

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonatedonorprofile function in versions 2.1.5 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-4521

The IDonate WordPress plugin (versions 2.1.5–2.1.9) is affected by a Privilege Escalation due to a missing capability check in idonate_donor_profile(). An attacker with Subscriber-level access or higher can hijack any account by reassigning its email via the donor_id and triggering a password res...

CVE-2025-12027 Mesmerize Companion <= 1.6.158 - Missing Authorization Authenticated (Subscriber+) Settings Update

The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and including, 1.6.158. This makes it possible for authenticate...

WordPress Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin <= 21.0.9 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update vulnerability

Missing Authorization to Authenticated Subscriber+ Email MFA Update vulnerability discovered by shark3y in WordPress Plugin Shield Security versions = 21.0.9...

WordPress SEO Plugin by Squirrly SEO plugin <= 12.4.14 - Missing Authorization to Authenticated (Subscriber+) Cloud Service Disconnection vulnerability

Missing Authorization to Authenticated Subscriber+ Cloud Service Disconnection vulnerability discovered by Marcin Dudek dudekmar - CERT.PL in WordPress Plugin SEO Plugin by Squirrly SEO versions = 12.4.14...

PT-2026-20737

Missing Authorization vulnerability in mdempfle Advanced iFrame advanced-iframe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced iFrame: from n/a through = 2025.10...

PT-2026-20691

Missing Authorization vulnerability in PSM Plugins SupportCandy supportcandy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SupportCandy: from n/a through = 3.4.4...

PT-2026-20683

Missing Authorization vulnerability in 10up Autoshare for Twitter autoshare-for-twitter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Autoshare for Twitter: from n/a through = 2.3.1...