Lucene search
K

173 matches found

EUVD
EUVD
added 13 hours ago4 views

EUVD-2026-43290

The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated users with subscriber-level access to enroll in paid or...

7.1CVSS6.2AI score
Exploits0References2
CVE
CVE
added 17 hours ago10 views

CVE-2026-12275

The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated users with subscriber-level access to enroll in paid or...

7.1CVSS6.2AI score
Exploits0References1
NVD
NVD
added 2026/07/02 6:16 a.m.10 views

CVE-2026-11600

The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs and Off Canvas widget's template rendering in versions up to, and including, 1.4.26. The render method of the Tabs...

4.3CVSS0.00223EPSS
Exploits0References8
EUVD
EUVD
added 2026/07/02 6:0 a.m.8 views

EUVD-2026-41254

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

2.7CVSS5.7AI score0.00189EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/02 5:35 a.m.6 views

EUVD-2026-41244

The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs and Off Canvas widget's template rendering in versions up to, and including, 1.4.26. The render method of the Tabs...

4.3CVSS5.7AI score0.00223EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/07/02 5:35 a.m.6 views

CVE-2026-11600

The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs and Off Canvas widget's template rendering in versions up to, and including, 1.4.26. The render method of the Tabs...

4.3CVSS5.7AI score0.00223EPSS
Exploits0References9
CVE
CVE
added 2026/07/02 5:35 a.m.16 views

CVE-2026-11600

The CVE-2026-11600 entry concerns Envo’s Templates & Widgets for Elementor and WooCommerce (WordPress). Affected: Tabs and Off Canvas widgets up to version 1.4.26. Root cause: the Tabs widget render() passes a user-controlled template/post ID to Elementor’s get_builder_content_for_display() witho...

4.3CVSS5.7AI score0.00223EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/02 5:35 a.m.36 views

CVE-2026-11600 Envo's Templates & Widgets for Elementor and WooCommerce <= 1.4.26 - Missing Authorization to Authenticated (Author+) Private Content Disclosure via Envo Tabs Widget 'templates' Setting

The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs and Off Canvas widget's template rendering in versions up to, and including, 1.4.26. The render method of the Tabs...

4.3CVSS0.00223EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/01 7:53 a.m.40 views

CVE-2026-12408 Slim SEO <= 4.9.8 - Authenticated (Contributor+) Insufficient Authorization to Private Content Disclosure via 'object.ID' Parameter

The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the /wp-json/slim-seo/meta-tags/ai REST API endpoint. This is due to the endpoint's permissioncallback performin...

4.3CVSS0.00257EPSS
Exploits0References8
CVE
CVE
added 2026/07/01 7:53 a.m.15 views

CVE-2026-12408

The CVE-2026-12408 entry concerns the WordPress plugin Slim SEO (versions up to and including 4.9.8). The vulnerability arises from the REST endpoint /wp-json/slim-seo/meta-tags/ai: the permission_callback only checks a top-level edit_posts capability and does not verify that the requester can re...

4.3CVSS5.9AI score0.00257EPSS
Exploits0References8
NVD
NVD
added 2026/07/01 7:16 a.m.12 views

CVE-2026-10750

The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify,...

8.1CVSS0.00267EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 6:0 a.m.23 views

CVE-2026-10750

CVE-2026-10750 concerns the Royal MCP WordPress plugin prior to 1.4.26. The issue arises because the plugin does not perform capability checks on most MCP tools after token authentication, enabling authenticated, low-privilege users (e.g., Subscriber) to read private content, enumerate users and ...

8.1CVSS5.8AI score0.00267EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/01 6:0 a.m.44 views

CVE-2026-10750 Royal MCP < 1.4.26 - Subscriber+ Insufficient Authorization in MCP Tools

The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify,...

0.00267EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/07/01 12:0 a.m.6 views

WordPress Envo's Templates & Widgets for Elementor and WooCommerce plugin <= 1.4.26 - Missing Authorization to Authenticated (Author+) Private Content Disclosure vulnerability

Missing Authorization to Authenticated Author+ Private Content Disclosure vulnerability discovered by ? in WordPress Plugin Envo's Elementor Templates & Widgets for WooCommerce versions = 1.4.26...

4.3CVSS5.8AI score0.00223EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/06/30 7:21 p.m.7 views

WordPress Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin <= 4.9.8 - Authenticated (Contributor+) Insufficient Authorization to Private Content Disclosure vulnerability

Authenticated Contributor+ Insufficient Authorization to Private Content Disclosure vulnerability discovered by Abu Hurayra HurayraIIT in WordPress Plugin Slim SEO versions = 4.9.8...

4.3CVSS5.8AI score0.00257EPSS
Exploits0References1Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/23 5:10 p.m.11 views

Gogs: LFS dedupe path leaks private repo content across tenants

Summary Git LFS storage is content-addressed by OID alone /// but per-repo authorization lives in the lfsobject table keyed repoid, oid. serveUpload skips re-uploading when the OID file already exists on disk and inserts a new repoid, oid row pointing at it without verifying the request body hash...

7.1CVSS6AI score0.00236EPSS
Exploits0References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/10 8:59 a.m.16 views

CVE-2026-25699

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Timeline-related APIs lacked proper authorization checks, allowing regular authenticated users to access deleted, private, or unapproved content and i...

6.1CVSS5.4AI score0.00406EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/09 7:33 a.m.7 views

CVE-2026-25699 Apache Answer: Authorization Bypass in Timeline API

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Timeline-related APIs lacked proper authorization checks, allowing regular authenticated users to access deleted, private, or unapproved content and i...

5.4AI score0.00406EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.16 views

PT-2026-47713

Name of the Vulnerable Software and Affected Versions Apache Answer versions prior to 2.0.1 Description Timeline-related APIs lack proper authorization checks, which allows authenticated users to access content that is private, deleted, or unapproved, as well as its associated revision history...

6.1CVSS5.2AI score0.00406EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/06/09 12:0 a.m.15 views

Apache Answer 安全漏洞

Apache Answer is a community platform of the Apache Foundation in the United States. Versions of Apache Answer 2.0.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from insufficient authorization checks for time-line-related APIs, which could allow ordinary...

6.1CVSS5.4AI score0.00406EPSS
Exploits0References2
Rows per page
Query Builder