Lucene search
+L

592 matches found

Nuclei
Nuclei
added 11 hours ago26 views

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the installoractivateaddonplugins function and a weak nonce hash in all...

9.8CVSS5.3AI score0.02904EPSS
Exploits0References3
Nuclei
Nuclei
added 11 hours ago14 views

ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lpccaddonsactions function. This makes it possible for unauthenticated attacker...

9.8CVSS8.4AI score0.04304EPSS
Exploits1References2
EUVD
EUVD
added 3 days ago5 views

EUVD-2026-44855

The Catch Themes Demo Import plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.3. This is due to the catchthemesdemoimportactivateplugin function, hooked on admininit when the activateplugin GET parameter is present, calling PluginUpgrader::install to...

4.3CVSS6.1AI score0.0025EPSS
Exploits0References10
CVE
CVE
added 3 days ago9 views

CVE-2026-15336

The CVE describes a vulnerability in the Catch Themes Demo Import plugin for WordPress (versions up to and including 3.3). The root cause is in catch_themes_demo_import_activate_plugin(), which is hooked on admin_init when the activate_plugin parameter is present and calls Plugin_Upgrader::instal...

4.3CVSS6.1AI score0.0025EPSS
Exploits0References10
Cvelist
Cvelist
added 3 days ago36 views

CVE-2026-15336 Catch Themes Demo Import <= 3.3 - Missing Authorization to Authenticated (Subscriber+) Single Plugin Installation via 'activate_plugin' Parameter

The Catch Themes Demo Import plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.3. This is due to the catchthemesdemoimportactivateplugin function, hooked on admininit when the activateplugin GET parameter is present, calling PluginUpgrader::install to...

4.3CVSS0.0025EPSS
Exploits0References10
NVD
NVD
added 6 days ago3 views

CVE-2026-62194

OpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can exploit misconfigured input paths or enabled features to escalate...

8.8CVSS0.00251EPSS
Exploits0References2
CVE
CVE
added 6 days ago19 views

CVE-2026-62194

OpenClaw CVE-2026-62194 affects OpenClaw versions 2026.5.20 before 2026.6.9. Vulnerable: plugin install commands in the OpenClaw stack. Root cause: privilege escalation via misconfigured input paths or enabled features that let lower-trust callers execute/persist actions beyond their authorizatio...

8.8CVSS6.2AI score0.00251EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/07/09 9:31 a.m.7 views

EUVD-2026-42563

The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of 'returntrue' as the permissioncallback for the /installplugin and /activateplugin REST API endpoint...

8.8CVSS5.9AI score0.00187EPSS
Exploits0References8
CVE
CVE
added 2026/07/09 9:31 a.m.14 views

CVE-2026-4275

CVE-2026-4275 affects the Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress up to version 4.2.3. The vulnerability is a Cross-Site Request Forgery (CSRF) flaw arising from using __return_true as the permission_callback for the /install_plugin and /activate_plugin REST...

8.8CVSS5.9AI score0.00187EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/09 9:31 a.m.32 views

CVE-2026-4275 Divi Torque Lite <= 4.2.3 - Cross-Site Request Forgery to Arbitrary Plugin Installation via 'install_plugin' REST Endpoint

The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of 'returntrue' as the permissioncallback for the /installplugin and /activateplugin REST API endpoint...

8.8CVSS0.00187EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/09 7:55 a.m.36 views

CVE-2026-8848 Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder <= 1.22.0 - Missing Authorization to Authenticated (Editor+) Arbitrary Plugin Installation

The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.22.0. This is due to the plugin not properly verifying that a user is authorized to perform an...

7.2CVSS0.00659EPSS
Exploits0References12
EUVD
EUVD
added 2026/07/09 7:55 a.m.7 views

EUVD-2026-42541

The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and including, 3.4. This is due to a missing capability check and missing nonce validation on the...

4.3CVSS5.9AI score0.00246EPSS
Exploits0References5
CVE
CVE
added 2026/07/09 7:55 a.m.14 views

CVE-2026-11359

The CVE-2026-11359 entry relates to the Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress. Affected versions up to 3.4 are vulnerable due to missing capability checks and nonce validation in the pg_install_profilegrid() AJAX handler (wp_ajax_...

4.3CVSS5.9AI score0.00246EPSS
Exploits0References5
EUVD
EUVD
added 2026/07/08 5:34 a.m.7 views

EUVD-2026-42172

The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to install and activat...

9.8CVSS6AI score0.00364EPSS
Exploits0References5
CVE
CVE
added 2026/07/08 5:34 a.m.16 views

CVE-2026-12153

CVE-2026-12153 affects the WordPress WP Learn Manager plugin up to version 1.1.8. The vulnerability is an authorization bypass in the jslearnmanager_ajax AJAX action, allowing unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository on affected sites. ...

9.8CVSS6AI score0.00364EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.13 views

PT-2026-56320

Name of the Vulnerable Software and Affected Versions WP Learn Manager versions prior to 1.1.9 Description An authorization bypass exists because the plugin fails to properly verify if a user is authorized to perform specific actions. This flaw allows unauthenticated attackers to install and...

9.8CVSS6AI score0.00364EPSS
Exploits0References9
Tenable Nessus
Tenable Nessus
added 2026/07/03 12:0 a.m.13 views

openSUSE 16: docker-stable / docker-stable-bash-completion / etc (openSUSE-SU-2026:21205-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21205-1 advisory. This update for docker-stable fixes the following issues - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validati...

9.6CVSS7.5AI score0.08123EPSS
Exploits2References18
OSV
OSV
added 2026/07/02 7:2 a.m.3 views

OPENSUSE-SU-2026:21205-1 Security update for docker-stable

This update for docker-stable fixes the following issues - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo- header bsc1260279. - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad...

9.6CVSS6.6AI score0.08123EPSS
Exploits2References12
EUVD
EUVD
added 2026/06/26 12:32 a.m.8 views

EUVD-2020-31260

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access...

5.4CVSS6.1AI score0.00167EPSS
Exploits0References3
OSV
OSV
added 2026/06/25 10:16 p.m.2 views

CVE-2020-37256

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access...

5.1CVSS6.2AI score
Exploits0References2
Rows per page
Query Builder