CVE-2025-0865 WP Media Category Management 2.0 - 2.3.3 - Cross-Site Request Forgery to Settings Update
The WP Media Category Management plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.0 to 2.3.3. This is due to missing or incorrect nonce validation on the wp_mcm_handle_action_settings() function. This makes it possible for unauthenticated attackers to alter plugin settings...
CVE-2025-0865
The WP Media Category Management plugin for WordPress (WP-MCM) versions 2.0–2.3.3 are affected by a Cross‑Site Request Forgery (CSRF) vulnerability due to missing/incorrect nonce validation in wp_mcm_handle_action_settings(). This could allow unauthenticated attackers to alter the plugin settings...
CVE-2024-13439
CVE-2024-13439 affects the WordPress plugin “Team – Team Members Showcase Plugin” (TLTeam) and is confirmed across multiple sources. The vulnerability is a missing capability check in the response() function in all versions up to and including 4.4.9, enabling authenticated users with Subscriber l...
CVE-2025-0935 Media Library Folders <= 8.3.0 - Missing Authorization to Plugin Settings Change
The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to...
WordPress Media Library Folders plugin <= 8.3.0 - Missing Authorization to Plugin Settings Change vulnerability
Missing Authorization to Plugin Settings Change vulnerability discovered by Brian Sans-Souci (liardom) in WordPress Plugin Media Library Folders versions <= 8.3.0...
CVE-2024-13437
The Book a Room plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9. This is due to missing or incorrect nonce validation on the 'bookaroomSettings' page. This makes it possible for unauthenticated attackers to update the plugin's settings vi...
CVE-2024-13769
The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the 'theme_options_ajax_post_action' AJAX action in all versions up to, and including, 4.2.4. This makes it possible for...
CVE-2024-13769
CVE-2024-13769 – Puzzles theme (WP Magazine / Review with Store WordPress Theme + RTL) Vulnerability: Stored Cross-Site Scripting due to a missing capability check on the theme_options_ajax_post_action AJAX action. Affected versions: all versions up to and including 4.2.4. Impact: Authenticated a...
CVE-2024-53994
Discourse is an open source platform for community discussion. In affected versions users who disable chat in preferences could still be reachable in some cases. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable...
CVE-2024-12614
The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pmssavesetting' and 'postnewpass' AJAX actions in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with...
CVE-2024-10567
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function in all versions up to, and including, 2.9.1. This makes it possible for unauthenticated attackers to create new pages, modify plugin...
PT-2025-2163 · WordPress · The Food Menu – Restaurant Menu & Online Ordering
Name of the Vulnerable Software and Affected Versions: The Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin for WordPress versions up to, and including, 5.1.4 Description: The issue allows authenticated attackers with Subscriber-level access and above to modify the plugin's...
PT-2025-1973 · WordPress · Zalomení WordPress Plugin
Name of the Vulnerable Software and Affected Versions: Zalomení WordPress plugin versions 1.5 and earlier Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, for example, in a...
CVE-2024-13449
CVE-2024-13449 affects the Boom Fest WordPress plugin, versions up to and including 2.2.1. A missing capability check in bf_admin_action allows authenticated users with Subscriber-level access and above to modify plugin settings that affect site appearance. Remediation per sources (PT-2025-2177) is to u...
CVE-2024-12606
The AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT GPT-4o 128K plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enginerequestdata function in all versions up...
CVE-2024-11840 RapidLoad – Optimize Web Vitals Automatically <= 2.4.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL Injection
The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucssdata, updaterapidloadsettings, wpajaxupdatehtaccessfile, uucssupdaterule, uploadrules, getallrules,...
WordPress RapidLoad plugin <= 2.4.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL Injection vulnerability
Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL Injection vulnerability discovered by Lucio Sá in WordPress Plugin RapidLoad versions <= 2.4.2...
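The two defect classes that recur in the results above are (a) a settings handler with missing or incorrect nonce validation, which gives CSRF to settings update, and (b) an AJAX action with a missing capability check, which lets any authenticated role (Subscriber+) change plugin settings, or anyone at all if the action is also registered for unauthenticated callers. The following is an added illustration written for this listing, not code from any of the plugins or themes named above: a hypothetical plugin ("acme-gallery", with made-up option names and hook names) shows each vulnerable shape next to its WordPress-native fix.

```php
<?php
// Added example for this listing; hypothetical "acme-gallery" plugin, not any
// product named in the advisories above. Hook names, option names and the
// 'manage_options' capability choice are assumptions for illustration.

// --- (a) Settings handler without nonce validation: CSRF to settings update ---
// Vulnerable: any POST that reaches admin-post.php with this action is honoured.
// A logged-in admin who loads an attacker-controlled page gets their settings rewritten.
add_action( 'admin_post_acme_save_settings', 'acme_save_settings_vuln' );
function acme_save_settings_vuln() {
    // No nonce check, no capability check, no sanitization.
    update_option( 'acme_gallery_settings', wp_unslash( $_POST['settings'] ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=acme' ) );
    exit;
}

// Fixed: the settings form must render wp_nonce_field( 'acme_save_settings', 'acme_nonce' );
// the handler then verifies that nonce AND checks the capability.
add_action( 'admin_post_acme_save_settings_fixed', 'acme_save_settings_fixed' );
function acme_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'acme_save_settings', 'acme_nonce' ); // dies on a missing or invalid nonce
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'acme_gallery_settings', acme_sanitize_settings( $raw ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=acme' ) );
    exit;
}

// --- (b) AJAX action without a capability check: Subscriber+ settings change ---
// Vulnerable: the nonce is verified, but a nonce only proves the request came from a
// page that embedded it; every logged-in role can obtain one, so it is not authorization.
// Registering the same callback on 'wp_ajax_nopriv_acme_update_rule' would additionally
// expose it to unauthenticated callers.
add_action( 'wp_ajax_acme_update_rule', 'acme_update_rule_vuln' );
function acme_update_rule_vuln() {
    check_ajax_referer( 'acme_ajax', 'nonce' );
    update_option( 'acme_rules', wp_unslash( $_POST['rule'] ) );
    wp_send_json_success();
}

// Fixed: nonce (CSRF) + capability (authorization) + sanitization (injection/XSS).
add_action( 'wp_ajax_acme_update_rule_fixed', 'acme_update_rule_fixed' );
function acme_update_rule_fixed() {
    check_ajax_referer( 'acme_ajax', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $rule = isset( $_POST['rule'] ) ? sanitize_text_field( wp_unslash( $_POST['rule'] ) ) : '';
    update_option( 'acme_rules', $rule );
    wp_send_json_success();
}

// Whitelist-style sanitizer for the settings array used in (a).
function acme_sanitize_settings( array $settings ) {
    $clean             = array();
    $clean['per_page'] = isset( $settings['per_page'] ) ? absint( $settings['per_page'] ) : 10;
    $clean['title']    = isset( $settings['title'] ) ? sanitize_text_field( $settings['title'] ) : '';
    return $clean;
}
```

When auditing a plugin for the patterns listed above, grep every `add_action( 'wp_ajax_` / `'wp_ajax_nopriv_'` / `'admin_post_'` registration and confirm the callback performs both `check_ajax_referer()` (or `check_admin_referer()`) and a `current_user_can()` check before any `update_option()`, file write or database query; a nonce check on its own leaves the Subscriber+ class of bugs in place, and a capability check on its own leaves the CSRF class in place.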