Lucene search

18 matches found

CVE
added 2026/01/10 8:22 a.m. · 12 views

CVE-2025-14976

CVE-2025-14976 : The WordPress plugin “User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder” is affected by Cross-Site Request Forgery due to missing/incorrect nonce validation in process_row_actions f...

CVSS 5.4 · AI score 5.1 · EPSS 0.00027
Exploits: 0 · References: 3
EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2024-51698

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 8.7 · EPSS 0.00154
Exploits: 0 · References: 6
RedhatCVE
added 2025/05/22 10:41 p.m. · 4 views

CVE-2022-28423

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php=delete...

CVSS 9.8 · AI score 8.3 · EPSS 0.00264
Exploits: 1 · References: 1
OSV
added 2025/01/10 12:15 p.m. · 0 views

CVE-2024-13318

The Essential WP Real Estate plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the cldeletelistingfunc function in all versions up to, and including, 1.1.3. This makes it possible for unauthenticated attackers to delete arbitrary pages and posts...

CVSS 5.3 · AI score 5.9
Exploits: 0 · References: 2
Cvelist
added 2024/05/02 4:52 p.m. · 13 views

CVE-2024-3599 WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.0.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

The WP Cookie Consent for GDPR, CCPA & ePrivacy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the gdprpolicyprocessdelete function in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to delete...

CVSS 5.3 · AI score 5.4 · EPSS 0.00159
Exploits: 0 · References: 2
OSV
added 2024/02/29 1:43 a.m. · 2 views

CVE-2024-1043

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'amppbremovesavedlayoutdata' function in all versions up to, and including, 1.0.93.1. This makes it possible for authenticated attackers, with...

CVSS 6.5 · AI score 5.9 · EPSS 0.00231
Exploits: 0 · References: 4
Vulnrichment
added 2024/01/15 3:10 p.m. · 12 views

CVE-2023-6029 EazyDocs < 2.3.6 - Unauthenticated Arbitrary Posts Deletion and Document Management

The EazyDocs WordPress plugin before 2.3.6 does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing unauthenticated users to delete arbitrary posts, as well as add and delete documents/sections...

AI score 6.9 · EPSS 0.00095
Exploits: 3 · References: 1
WPVulnDB
added 2023/12/21 12:0 a.m. · 14 views

EazyDocs < 2.3.6 - Subscriber+ Arbitrary Posts Deletion and Document Management

Description: The plugin does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing any authenticated user, such as a subscriber, to delete arbitrary posts, as well as add and delete documents/sections. PoC: 1. Install the...

CVSS 7.5 · AI score 6.5 · EPSS 0.00095
Exploits: 3 · Affected Software: 1
Prion
added 2023/11/06 9:15 p.m. · 12 views

Code injection

The Templately WordPress plugin before 2.2.6 does not properly authorize the saved-templates/delete REST API call, allowing unauthenticated users to delete arbitrary posts...

CVSS 5 · AI score 7.2 · EPSS 0.00758
Exploits: 2 · References: 1 · Affected Software: 1
Positive Technologies
added 2023/06/07 12:0 a.m. · 3 views

PT-2023-12466 · WordPress · Ulisting

Name of the Vulnerable Software and Affected Versions: uListing plugin for WordPress versions up to, and including, 1.6.6 Description: The issue is related to authorization bypass due to missing capability checks and a missing security nonce in the UlistingUserRole::save role api function. This...

CVSS 9.1 · AI score 5.2 · EPSS 0.00109
Exploits: 1 · References: 6
Cvelist
added 2022/12/26 12:28 p.m. · 15 views

CVE-2022-4239 Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR

The Workreap WordPress theme before 2.6.4 does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreapaddonsserviceremove action, allowing any user to delete any post by knowing or guessing the id...

AI score 6.7 · EPSS 0.0019
Exploits: 2 · References: 1
wpexploit
added 2022/12/02 12:0 a.m. · 98 views

Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR

The theme does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreapaddonsserviceremove action, allowing any user to delete any post by knowing or guessing the id. POST /testt/wp-admin/admin-ajax.php HTTP/2...

CVSS 6.5 · AI score 2.4 · EPSS 0.0019
Exploits: 2
WPVulnDB
added 2022/12/02 12:0 a.m. · 12 views

Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR

The theme does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreapaddonsserviceremove action, allowing any user to delete any post by knowing or guessing the id. PoC POST /testt/wp-admin/admin-ajax.php HTTP/...

CVSS 6.5 · AI score 2.3 · EPSS 0.0019
Exploits: 2 · Affected Software: 1
ATTACKERKB
added 2022/03/24 11:15 p.m. · 3 views

CVE-2022-25576

Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component anchor/routes/posts.php. This vulnerability allows attackers to arbitrarily delete posts...

CVSS 4.5 · AI score 5.3 · EPSS 0.00115
Exploits: 1 · References: 3
CNNVD
added 2021/06/01 12:0 a.m. · 1 views

WordPress Plugin Access Control Error Vulnerability

WordPress is a blogging platform from the WordPress Foundation, developed in PHP. The platform supports setting up a personal blog site on PHP and MySQL servers. WordPress Plugin is an open source application plugin for WordPress. Listeo WordPress has a security vulnerability before...

CVSS 6.5 · AI score 5.8 · EPSS 0.00392
Exploits: 2 · References: 2
Hacker One
added 2018/09/18 1:14 p.m. · 29 views

Vanilla: Abusing "Report as abuse" functionality to delete any user's post.

Hi Team, Greetings!! Description: I would like to report a vulnerability that can be used to delete any user’s post by abusing the “Report an abuse” function within the application. After a specific number of reports are submitted to the server, it automatically deletes that user's post. Application has...

AI score 6.9
Exploits: 0
exploitpack
added 2009/03/02 12:0 a.m. · 21 views

EZ-Blog beta1 - Delete All Posts SQL Injection

EZ-Blog beta1 - Delete All Posts SQL Injection Salvatore "drosophila" Fresta Application: EZ-Blog http://sourceforge.net/projects/ez-blog/ Version: Beta 1 Bug: Multiple SQL Injection Exploitation: Remote Date: 1 Mar 2009 Discovered by: Salvatore "drosophila" Fresta Author: Salvatore "drosophila"...

AI score 0.2
Exploits: 0
Cvelist
added 2006/06/02 10:0 a.m. · 16 views

CVE-2006-2771

admin/radera/tabort.asp in Hogstorps hogstorp guestbook 2.0 does not verify user credentials, which allows remote attackers to delete arbitrary posts via a modified delID parameter...

AI score 6.7 · EPSS 0.0465
Exploits: 1 · References: 5