ARMember < 3.4.8 - Unauthenticated Admin Account Takeover

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover even the administrator due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username. id:...

EUVD-2021-11654

Malware in sbrugna...

CVE-2025-6754

CVE-2025-6754 (SEO Metrics for WordPress) : The WordPress plugin versions 1.0.5–1.0.15 are affected by privilege-escalation due to missing authorization checks in seo_metrics_handle_connect_button_click() and seo_metrics_handle_custom_endpoint(). An attacker with subscriber-level access can obtai...