
608 matches found

Patchstack
added 47 minutes ago, 2 views

WordPress Hybrid Composer plugin <= 1.4.6 Unauthenticated Settings Change vulnerability

WordPress Hybrid Composer plugin <= 1.4.6 Unauthenticated Settings Change vulnerability discovered by ? in WordPress Plugin Hybrid Composer versions <= 1.4.6...

CVSS 9.8 | AI score 5.4
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added yesterday, 17 views

CVE-2019-25738 WordPress Hybrid Composer 1.4.6 Unauthenticated Settings Change

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hcajaxsaveoption action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to...

CVSS 9.8
Exploits: 0 | References: 5

RedHat Linux
added 2 days ago, 5 views

crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing ...

CVSS 10 | AI score 5.8 | EPSS 0.00018
Exploits: 1 | References: 8

Vulnrichment
added 2026/05/27 5:31 a.m., 7 views

CVE-2026-8943 GoStats for WordPress <= 1.4 - Cross-Site Request Forgery via gostats_manage() Function

The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostats_manage function. This makes it possible for unauthenticated attackers to update the plugin's...

CVSS 4.3 | AI score 5.7 | EPSS 0.00013
Exploits: 0 | References: 3

Cvelist
added 2026/05/26 8:58 p.m., 26 views

CVE-2025-14361 WordPress Woocommerce Envato Affiliates plugin <= 1.2.1 - Settings Change vulnerability

Missing Authorization vulnerability in AA-Team Woocommerce Envato Affiliates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Woocommerce Envato Affiliates: from n/a through 1.2.1...

CVSS 7.1 | EPSS 0.0004
Exploits: 0 | References: 1

Patchstack
added 2026/05/26 5:45 a.m., 6 views

WordPress Woocommerce Envato Affiliates plugin <= 1.2.1 - Settings Change vulnerability

Settings Change vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Woocommerce Envato Affiliates versions <= 1.2.1...

CVSS 7.1 | AI score 5.8 | EPSS 0.0004
Exploits: 0 | Affected Software: 1

RedHat Linux
added 2026/05/20 1:17 p.m., 11 views

crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing ...

CVSS 10 | AI score 6.8 | EPSS 0.00018
Exploits: 1 | References: 8

ATTACKERKB
added 2026/05/04 4:19 p.m., 0 views

CVE-2026-42812

In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. write.metadata.path is an optional table property that tells Polaris where to write those metadata files. For a table already registered in a...

CVSS 9.9 | AI score 5.8 | EPSS 0.00119
Exploits: 0 | References: 2

RedHat Linux
added 2026/04/30 3:35 a.m., 2 views

crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing ...

CVSS 10 | AI score 6.8 | EPSS 0.00018
Exploits: 1 | References: 8

ATTACKERKB
added 2026/04/29 7:24 p.m., 0 views

CVE-2018-25318

Tenda FH303/A300 firmware V5.07.68EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS...

CVSS 9.8 | AI score 5.2 | EPSS 0.00176
Exploits: 1 | References: 2 | Affected Software: 1

EUVD
added 2026/04/22 9:31 a.m., 2 views

EUVD-2026-24664

The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler admin/setting.php. The settings form does not include a wp_nonce_field and the form processing code...

CVSS 4.3 | AI score 5.7 | EPSS 0.00007
Exploits: 0 | References: 8

ATTACKERKB
added 2026/04/22 7:45 a.m., 3 views

CVE-2026-4133

The TextP2P Texting Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.7. This is due to missing nonce validation in the imTextP2POptionPage function which processes settings updates. The form at line 314 does not include a wp_nonce_field,...

CVSS 4.3 | AI score 5.7 | EPSS 0.00006
Exploits: 0 | References: 6

Positive Technologies
added 2026/04/22 12:00 a.m., 1 views

PT-2026-34309

Name of the Vulnerable Software and Affected Versions: Google PageRank Display versions prior to 1.5. Description: Cross-Site Request Forgery occurs due to missing nonce validation in the gpdisplay option function, which manages the plugin settings page. The settings form lacks a wp_nonce_field, and...

CVSS 4.3 | AI score 5.2 | EPSS 0.0001
Exploits: 0 | References: 10

RedhatCVE
added 2026/03/26 3:08 p.m., 3 views

CVE-2026-2294

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uipsaveglobalsettings' function in all versions up to, and including, 3.5.09. This makes it possible for...

CVSS 4.3 | AI score 5.9 | EPSS 0.00039
Exploits: 0 | References: 1

Cvelist
added 2026/03/25 4:14 p.m., 21 views

CVE-2026-25469 WordPress ViaBill – WooCommerce plugin <= 1.1.53 - Settings Change vulnerability

Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill – WooCommerce viabill-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ViaBill – WooCommerce: from n/a through <= 1.1.53...

CVSS 6.5 | EPSS 0.00056
Exploits: 0 | References: 1

CVE
added 2026/03/25 4:14 p.m., 3 views

CVE-2026-25469

CVE-2026-25469 concerns ViaBill – WooCommerce (viabill-woocommerce) up to version 1.1.53, with a Missing Authorization vulnerability that allows unauthenticated changes to settings. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, base score 6.5 (Medium). The Wordfence report lists Mis...

CVSS 6.5 | AI score 5.1 | EPSS 0.00056
Exploits: 0 | References: 1

Vulnrichment
added 2026/03/25 4:14 p.m., 2 views

CVE-2026-25469 WordPress ViaBill – WooCommerce plugin <= 1.1.53 - Settings Change vulnerability

Missing Authorization vulnerability in ViaBill for WooCommerce ViaBill WooCommerce viabill-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ViaBill WooCommerce: from n/a through <= 1.1.53...

CVSS 6.5 | AI score 5.8 | EPSS 0.00056
Exploits: 0 | References: 1

CVE
added 2026/02/20 3:46 p.m., 5 views

CVE-2025-68032

CVE-2025-68032 (WordPress Advanced WC Analytics

CVSS 6.5 | AI score 5.5 | EPSS 0.00056
Exploits: 0 | References: 1

CVE
added 2026/02/20 3:46 p.m., 5 views

CVE-2025-68026

CVE-2025-68026 affects the WordPress LC Wizard (GHL Wizard/Connector Wizard) plugin, with affected versions listed as 2.1.1 and earlier. The vulnerability is described as a Missing Authorization issue that allows unauthenticated setting updates due to incorrectly configured access control. Public...

CVSS 6.5 | AI score 5.5 | EPSS 0.00056
Exploits: 0 | References: 1

Patchstack
added 2026/02/18 11:26 p.m., 4 views

WordPress Mega Store Woocommerce plugin <= 5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change vulnerability

Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change vulnerability discovered by bugzy in WordPress Theme Mega Store Woocommerce versions <= 5.9...

CVSS 5.3 | AI score 5.5 | EPSS 0.0004
Exploits: 0 | References: 1 | Affected Software: 1