CVE-2026-2633 Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Missing Authorization to Authenticated (Contributor+) Unauthorized Media Upload

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the processimagedataajaxcallback function which handles the kadenceimportprocessimagedata AJAX action. T...

CVE-2026-2633

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the processimagedataajaxcallback function which handles the kadenceimportprocessimagedata AJAX action. T...

CVE-2025-12356 Tickera – WordPress Event Ticketing <= 3.5.6.4 - Missing Authorization to Authenticated (Subscriber+) Event/Post Status Update

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpajaxchangeticketstatus' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers,...

CVE-2026-1925 EmailKit – Email Customizer for WooCommerce & WP <= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Title Modification

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'updatetemplatedata' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with...

CVE-2026-1925

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on update_template_data in all versions up to 1.6.2. Authenticated attackers with Subscriber-level access and above can modify the title of a...

CVE-2025-12075 Order Splitter for WooCommerce <= 5.3.5 - Missing Authorization to Authenticated (Subscriber+) Order Information Exposure

The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wostroubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-12075 Order Splitter for WooCommerce <= 5.3.5 - Missing Authorization to Authenticated (Subscriber+) Order Information Exposure

The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wostroubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-12075

CVE-2025-12075 affects the WordPress plugin Order Splitter for WooCommerce. The vulnerability is due to a missing capability check on the wos_troubleshooting AJAX endpoint, allowing authenticated users with Subscriber-level access and above to view other users’ order information. Affected version...

WordPress YayMail plugin <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Plugin Installation and Activation vulnerability

Missing Authorization to Authenticated Shop Manager+ Plugin Installation and Activation vulnerability discovered by whizzu in WordPress Plugin YayMail – WooCommerce Email Customizer versions = 4.3.2...

PT-2026-20503

A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user’s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration...

PT-2026-20363

The Business Directory Plugin for WordPress is vulnerable to authorization bypass due to a missing authorization check in all versions up to, and including, 6.4.20. This makes it possible for unauthenticated attackers to modify arbitrary listings, including changing titles, content, and email...

PT-2026-20352

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the process image data ajax callback function which handles the kadence import process image data AJAX...

WordPress Gutenberg Blocks with AI by Kadence WP plugin <= 3.6.1 - Missing Authorization to Authenticated (Contributor+) Unauthorized Media Upload vulnerability

Missing Authorization to Authenticated Contributor+ Unauthorized Media Upload vulnerability discovered by Ali Sünbül in WordPress Plugin Gutenberg Blocks by Kadence Blocks versions = 3.6.1...

WordPress Tickera - WordPress Event Ticketing plugin <= 3.5.6.4 - Missing Authorization to Authenticated (Subscriber+) Event/Post Status Update vulnerability

WordPress Tickera - WordPress Event Ticketing plugin = 3.5.6.4 - Missing Authorization to Authenticated Subscriber+ Event/Post Status Update vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Tickera versions = 3.5.6.4...

CVE-2024-31118

Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SP Project & Document Manager: from n/a through 4.70...

CVE-2022-41650

Missing Authorization vulnerability in Paul Custom Content by Country by Shield Security custom-content-by-country.This issue affects Custom Content by Country by Shield Security: from n/a through 3.1.2...

CVE-2024-31118 WordPress SP Project & Document Manager plugin <= 4.70 - Broken Access Control to XSS vulnerability

Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SP Project & Document Manager: from n/a through 4.70...

CVE-2022-41650 WordPress Custom Content by Country plugin <= 3.1.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Paul Custom Content by Country by Shield Security custom-content-by-country.This issue affects Custom Content by Country by Shield Security: from n/a through 3.1.2...

CVE-2022-41650 WordPress Custom Content by Country plugin <= 3.1.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Paul Custom Content by Country by Shield Security custom-content-by-country.This issue affects Custom Content by Country by Shield Security: from n/a through 3.1.2...

CVE-2022-41650

CVE-2022-41650 concerns the WordPress plugin “Custom Content by Country” (by Shield Security) with versions through 3.1.2. The Red Hat/NVD/CVE listings, and PT Security enrichment, describe a Missing Authorization vulnerability (Broken Access Control) enabling unauthorized access. The core issue ...