335 matches found
ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lpccaddonsactions function. This makes it possible for unauthenticated attacker...
CVE-2026-2518
The CVE-2026-2518 entry concerns the WordPress FastX theme. The vulnerability is due to missing capability checks in two callbacks, ultp_install_callback and ultp_activate_callback, affecting all versions up to and including 1.0.2. This allows authenticated attackers with Subscriber-level access ...
PT-2026-42722
Name of the Vulnerable Software and Affected Versions FastX theme for WordPress versions prior to 1.0.3 Description The FastX theme for WordPress allows authenticated attackers with Subscriber-level access or higher to install and activate the PostX plugin. This is caused by missing capability...
WordPress FastX theme <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation and Activation vulnerability
Missing Authorization to Authenticated Subscriber+ Limited Plugin Installation and Activation vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Theme FastX versions = 1.0.2...
CVE-2026-5464
The ExactMetrics – Google Analytics Dashboard for WordPress Website Stats Plugin plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboardingkey' transient to a...
CVE-2026-5464
The CVE concerns the WordPress plugin ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats) up to version 9.1.2. The root cause is exposure of the onboarding_key transient on the reports page to users with the exactmetrics_view_dashboard capability, which gates the /wp-json/exac...
CVE-2026-5464 ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process
The ExactMetrics – Google Analytics Dashboard for WordPress Website Stats Plugin plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboardingkey' transient to a...
WordPress ExactMetrics plugin <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process vulnerability
Authenticated Editor+ Arbitrary Plugin Installation/Activation via exactmetricsconnectprocess vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin ExactMetrics versions = 9.1.2...
CVE-2026-6819
HKUDS OpenHarness prior to PR 156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state,...
CVE-2026-6819 HKUDS OpenHarness Plugin Management Command Exposure
HKUDS OpenHarness prior to PR 156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state,...
CVE-2026-6819
The CVE-2026-6819 issue affects HKUDS OpenHarness where the OpenHarness plugin management surface is exposed by default. Specifically, the vulnerability stems from exposing plugin lifecycle commands such as /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders, a...
PT-2026-34065
HKUDS OpenHarness prior to PR 156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state,...
OpenHarness 安全漏洞
OpenHarness is a lightweight development and runtime framework for Data Intelligence Lab@HKU. Versions prior to OpenHarness PR 156 contained security vulnerabilities. These vulnerabilities stemmed from the default exposure of plugin lifecycle commands, which could allow attackers to remotely mana...
CVE-2026-4326
The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activaterequiredplugins function. Specifically, the currentusercan'installplugins' capability check does...
WordPress plugin Vertex Addons for Elementor 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...
WordPress WowRevenue plugin <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation vulnerability
Missing Authorization to Authenticated Subscriber+ Arbitrary Plugin Installation/Activation vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin WowRevenue versions = 2.1.3...
WordPress Vayu Blocks plugin <= 1.1.1 - Missing Authorization to Unauthenticated Arbitrary plugin Installation/Activation vulnerability
Missing Authorization to Unauthenticated Arbitrary plugin Installation/Activation vulnerability discovered by stealthcopter in WordPress Plugin Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce versions = 1.1.1...
CVE-2023-40201
Cross-Site Request Forgery CSRF vulnerability in FuturioWP Futurio Extra plugin = 1.8.4 versions leads to activation of arbitrary plugin...
WordPress Construction Light theme < 1.6.8 - Subscriber+ Arbitrary Plugin Activation vulnerability
Subscriber+ Arbitrary Plugin Activation vulnerability discovered by Khaled Alenazi Nxploited in WordPress Theme Construction Light versions 1.6.8...
CVE-2023-28619 WordPress Resoto theme <= 1.0.8 - Broken Access Control to Arbitrary Plugin Activation
Missing Authorization vulnerability in bnayawpguy Resoto resoto allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Resoto: from n/a through = 1.0.8...