6182 matches found
PT-2026-20700
Missing Authorization vulnerability in Fahad Mahmood Endless Posts Navigation endless-posts-navigation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Endless Posts Navigation: from n/a through = 2.2.9...
PT-2026-20776
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load track note ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated...
CVE-2025-70147
creationtimestamp | type | source
---|---|---
2026-02-18 19:37:21+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf5tcjlz5b2s
2026-02-18 19:37:52+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf5tdgzstj2n
...
CVE-2025-70148
creationtimestamp | type | source
---|---|---
2026-02-18 18:32:13+00:00 | seen | https://bsky.app/profile/cyberhub.blog/post/3mf5pnyqhuz2h
2026-02-18 19:00:24+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf5rahomoq2k
...
CVE-2026-2507
creationtimestamp | type | source
---|---|---
2026-02-18 17:23:26+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf5lt2ytbd25
2026-02-18 17:23:38+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf5ltgkt3r2c
2026-02-18 17:24:19+00:00 | seen | ...
CVE-2025-60035
creationtimestamp | type | source
---|---|---
2026-02-18 14:18:27+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf5biceh3r2n
2026-02-18 14:18:54+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf5bj4fgfo2d
2026-02-19 05:00:00+00:00 | seen | ...
CVE-2025-33253
creationtimestamp | type | source
---|---|---
2026-02-18 14:18:20+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf5bi3a7bc2s
2026-02-18 14:18:47+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf5biuzxew25
...
CVE-2025-33252
creationtimestamp | type | source
---|---|---
2026-02-18 14:18:12+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf5bhtpgd72s
2026-02-18 14:18:39+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf5bio2fvx2s
...
CVE-2026-2386
The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the tpae_create_page AJAX handler authorizing users only with...
CVE-2026-2386 The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 - Incorrect Authorization to Authenticated (Author+) Arbitrary Draft Post Creation via 'post_type'
CVE-2026-2386
The Plus Addons for Elementor vulnerability (CVE-2026-2386) affects the WordPress plugin The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce. It relies on the tpae_create_page() AJAX handler, which authorizes only current_user_can('edit_posts') but passes ...
CVE-2026-2126
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to the uspgetsubmittedcategory function accepting user-submitted category IDs from the POST body...
Improper Access Control
misskey-js is vulnerable to improper access control. The vulnerability is due to insufficient authorization checks when exporting posts, which allows an attacker without permission to export posts and view favorites or clips they should not be able to access...
CVE-2026-2126 User Submitted Posts <= 20260113 - Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 20260113. This is due to the uspgetsubmittedcategory function accepting user-submitted category IDs from the POST body...
CVE-2026-1655
The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the correspondi...
CVE-2026-1655
CVE-2026-1655 — EventPrime for WordPress: Unauthorized post modification due to missing authorization checks in save_frontend_event_submission, which uses a user-controlled event_id to update posts. Affected versions are up to 4.2.8.4; patch exists in 4.2.8.4+. The issue allows authenticated (Cu...
CVE-2026-1714
creationtimestamp | type | source
---|---|---
2026-02-18 05:20:22+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf4dg4om5y2n
2026-02-18 05:20:40+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf4dgodgjv2c
...
CVE-2026-2576
creationtimestamp | type | source
---|---|---
2026-02-18 05:20:15+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf4dfvkk7t2s
2026-02-18 05:20:33+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf4dgh6zvt2v
2026-03-27 00:00:04+00:00 | ...
CVE-2025-12074
The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'contextblogmodalpopup' due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from passwor...