CVE-2026-4066 Smart Custom Fields <= 5.0.6 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Relational Post Search

The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relationalpostssearch function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and abov...

EUVD-2021-11651

Malware in sbrugna...

CVE-2025-9984

CVE-2025-9984 (FIFU, Featured Image from URL, WordPress) : The FIFU plugin is vulnerable to an unauthorized access exposure due to a missing capability check in fifu_api_debug_posts(). This allows unauthenticated attackers to read private/password protected posts in all versions up to 5.2.7. Conn...

CVE-2024-7836

The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicatepageajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate...

CVE-2024-0421

The MapPress Maps for WordPress plugin before 2.88.16 is affected by an IDOR as it does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts...

CVE-2024-5942

The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'contentclone' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access...

CVE-2024-10693

The SKT Addons for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.3 via the Unfold widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level acces...

CVE-2024-11915

The RRAddons for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.0 via the Popup block due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access...

Unauthorized Access

pixelfed/pixelfed is vulnerable to Unauthorized Access. The vulnerability is due to insufficient verification of follow requests, allowing unauthorized users to access private posts across Fediverse servers...

CVE-2024-13430 Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.8 - Authenticated (Contributor+) Private Post Disclosure in pagelayer_builder_posts_shortcode

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayerbuilderpostsshortcode' function due to insufficient restrictions on which posts can be included. This makes it...

CVE-2024-13514

The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.5 via the 'bsb-slider' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, wi...

CVE-2024-12102

The Typer Core plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.6 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level...

CVE-2024-12116

The CVE-2024-12116 vulnerability in Unlimited Theme Addon For Elementor and WooCommerce (WordPress) allows Information Exposure via the uta-template shortcode in all versions up to 1.2.1. Exploitation requires Contributor-level authentication. A fix exists in version 1.2.2 (and later) per Wordfen...

PT-2024-16557 · WordPress · The Royal Elementor Addons/Templates

Name of the Vulnerable Software and Affected Versions: The Royal Elementor Addons and Templates plugin for WordPress versions up to, and including, 1.7.1003 Description: The issue allows authenticated attackers with Contributor-level access and above to extract data from private or draft posts...

PT-2023-16593 · WordPress · Shortcodes Ultimate

Name of the Vulnerable Software and Affected Versions: Shortcodes Ultimate WordPress plugin versions prior to 5.12.8 Description: The issue allows any authenticated users, such as subscribers, to view draft, private, or even password-protected posts. It is also possible to leak the password of...