CVE-2024-12614
The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pmssavesetting' and 'postnewpass' AJAX actions in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with...
CVE-2024-10567
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function in all versions up to, and including, 2.9.1. This makes it possible for unauthenticated attackers to create new pages, modify plugin...
CVE-2024-11840
The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucssdata, updaterapidloadsettings, wpajaxupdatehtaccessfile, uucssupdaterule, uploadrules, getallrules,...
PT-2025-1973 · WordPress · Zalomení Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: Zalomení WordPress plugin versions 1.5 and earlier Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, for example, in a...
PT-2025-2163 · WordPress · The Food Menu – Restaurant Menu & Online Ordering
Name of the Vulnerable Software and Affected Versions: The Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin for WordPress versions up to, and including, 5.1.4 Description: The issue allows authenticated attackers with Subscriber-level access and above to modify the plugin's...
CVE-2024-13449
CVE-2024-13449 affects the Boom Fest WordPress plugin in versions up to 2.2.1. A missing capability check in bf_admin_action allows authenticated users with Subscriber-level access and above to modify plugin settings that affect site appearance. Remediation per sources (PT-2025-2177) is to u...
CVE-2024-12606
The AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT GPT-4o 128K plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enginerequestdata function in all versions up...
CVE-2024-11840 RapidLoad – Optimize Web Vitals Automatically <= 2.4.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL Injection
The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucssdata, updaterapidloadsettings, wpajaxupdatehtaccessfile, uucssupdaterule, uploadrules, getallrules,...
WordPress RapidLoad plugin <= 2.4.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL Injection vulnerability
Missing Authorization to Authenticated Subscriber+ Plugin Settings Modification and SQL Injection vulnerability discovered by Lucio Sá in WordPress Plugin RapidLoad versions <= 2.4.2...
CVE-2024-12253
The Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'save_settings', 'export_csv', and 'simpleecommcart-action' actions in all versions up to, and including, 3.1.2. This makes it...
CVE-2024-12253
CVE-2024-12253 concerns the WordPress plugin “Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal” (versions up to 3.1.2). The issue is a missing capability check on actions including ‘save_settings’, ‘export_csv’, and ‘simpleecommcart-action’, which allows an attacker with subscr...
WordPress ARForms plugin <= 6.4.1 - Subscriber+ Plugin Settings Change vulnerability
Subscriber+ Plugin Settings Change vulnerability discovered by Dave Jong (Patchstack) in WordPress Plugin ARForms versions <= 6.4.1...
CVE-2024-11118 404 Error Monitor <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update via updatePluginSettings Function
The 404 Error Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the updatePluginSettings function. This makes it possible for unauthenticated attackers to make changes to plug...
WordPress 404 Error Monitor plugin <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update vulnerability
Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by Francesco Carlucci in WordPress Plugin 404 Error Monitor versions <= 1.1...
CVE-2024-10311
The External Database Based Actions plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.1. This is due to a missing capability check in the 'edbaadminhandle' function. This makes it possible for authenticated attackers, with subscriber-level permissions...
404 Error Monitor <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update via updatePluginSettings Function
Description The 404 Error Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the updatePluginSettings function. This makes it possible for unauthenticated attackers to make...
PT-2024-16771 · WordPress · 404 Error Monitor
Name of the Vulnerable Software and Affected Versions: 404 Error Monitor plugin for WordPress versions up to, and including, 1.1 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the updatePluginSettings function. This allows...
CVE-2024-10854 Buy one click WooCommerce <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Settings Import
The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buy_one_click_import_options AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-leve...
CVE-2024-10854
CVE-2024-10854 concerns the WordPress plugin Buy one click WooCommerce (<= 2.2.9). The root cause is a missing capability check on the AJAX action buy_one_click_import_options, allowing authenticated users with Subscriber-level access and above to modify/import plugin settings. The vulnerabil...
CVE-2024-10294
CVE-2024-10294 affects the WordPress CE21 Suite plugin. The root cause is a missing capability check in ce21_single_sign_on_save_api_settings, allowing unauthenticated attackers to modify plugin settings in versions up to 2.2.0. The impact is unauthorized modification of data/settings. Wordfence ...