CVE-2026-24990

Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Docs: from n/a through = 2.2.8...

CVE-2026-24967

Missing Authorization vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Amelia: from n/a through = 1.2.38...

CVE-2026-24984

Missing Authorization vulnerability in Brecht Visual Link Preview visual-link-preview allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Visual Link Preview: from n/a through = 2.2.9...

CVE-2026-24947

Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LA-Studio Element Kit for Elementor: from n/a through 1.5.6.3...

CVE-2026-24997

Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wired Impact Volunteer Management: from n/a through = 2.8...

CVE-2026-24996

Missing Authorization vulnerability in wpelemento WPElemento Importer wpelemento-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPElemento Importer: from n/a through = 0.6.4...

CVE-2026-24945

Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for Contact Form 7: from n/a through = 3.5.34...

CVE-2026-24965

Missing Authorization vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contest Gallery: from n/a through = 28.1.1...

CVE-2026-1371

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the ajaxcoupondetails function, which only validates nonces but does not verify use...

WordPress UserPlus plugin <= 2.0 - Missing Authorization via Multiple Functions vulnerability

Missing Authorization via Multiple Functions vulnerability discovered by István Márton - Wordfence in WordPress Plugin UserPlus versions = 2.0...

WordPress MyRewards plugin <= 5.6.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Tharadol Suksamran d3kc4rt1 in WordPress Plugin MyRewards versions = 5.6.1...

CVE-2026-0572 WebPurify Profanity Filter <= 4.0.2 - Missing Authorization to Unauthenticated Plugin Settings Change via webpurify_save_options

The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurifysaveoptions' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settin...

CVE-2025-15507

The CVE-2025-15507 entry concerns the WordPress plugin Magic Import Document Extractor, affected in all versions up to and including 1.0.4. The root cause is a missing capability/authorization check in the ajax_sync_usage() function, enabling unauthenticated attackers to modify the plugin’s licen...

CVE-2025-15260

The CVE applies to the WordPress plugin “MyRewards – Loyalty Points and Rewards for WooCommerce.” Connected sources confirm: vulnerable in all versions up to 5.6.0 (and PwC+ sources indicate up to 5.6.0) where the plugin fails to verify user authorization in the ajax function. This permits authen...

EUVD-2025-206797

The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it...

CVE-2025-15260 MyRewards – Loyalty Points and Rewards for WooCommerce <= 5.6.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Loyalty Rule Modification

The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it...

PT-2026-6398

Devtron Attributes API Unauthorized Access Leading to API Token Signing Key Leakage Summary This vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user including low-privileged CI/CD Developers to obtain the global API Token signing key by accessing the...

Missing Authorization

Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Missing Authorization via the preview endpoints in the admin interface. An attacker can obtain unauthorized preview renderings of pages, snippets, or site settings by...

WordPress Royal Elementor Addons and Templates plugin <= 1.3.87 - Missing Authorization via wpr_update_form_action_meta vulnerability

Missing Authorization via wprupdateformactionmeta vulnerability discovered by Francesco Carlucci in WordPress Plugin Royal Elementor Addons versions = 1.3.87...

WordPress AI ChatBot plugin <= 5.3.4 - Missing Authorization via openai_file_delete_callback vulnerability

Missing Authorization via openaifiledeletecallback vulnerability discovered by Francesco Carlucci in WordPress Plugin ChatBot versions = 5.3.4...