Lucene search
K

461 matches found

Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.7 views

PT-2026-34296

Name of the Vulnerable Software and Affected Versions mCatFilter versions prior to 0.5.3 Description The mCatFilter plugin for WordPress is susceptible to Cross-Site Request Forgery. The compute post function, which processes settings updates, lacks nonce verification and capability checks. This...

4.3CVSS5.7AI score0.00165EPSS
Exploits0References10
Patchstack
Patchstack
added 2026/04/21 7:3 p.m.6 views

WordPress Fast & Fancy Filter – 3F plugin <= 1.2.2 - Cross-Site Request Forgery to Settings Modification vulnerability

Cross-Site Request Forgery to Settings Modification vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Fast & Fancy Filter – 3F versions = 1.2.2...

4.3CVSS5.8AI score0.0018EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/04/02 8:16 p.m.2 views

CVE-2026-34834

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings vi...

8.7CVSS0.00252EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/27 12:31 p.m.4 views

EUVD-2026-16583

Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network...

6.3CVSS5.9AI score0.00142EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/27 11:46 a.m.2 views

CVE-2026-4309

Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network...

6.3CVSS5.9AI score0.00142EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/27 11:46 a.m.29 views

CVE-2026-4309

Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network...

6.3CVSS0.00142EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:12 p.m.4 views

CVE-2026-3567

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the...

5.3CVSS5.9AI score0.00236EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/21 6:30 a.m.4 views

EUVD-2026-14158

The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncffaddpluginpage function which handles settings updates. This makes it possible for unauthenticated...

4.3CVSS5.7AI score0.00128EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/03/21 3:26 a.m.3 views

CVE-2026-3332

The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xmssetting function on the settings update handler. This makes it possible for unauthenticated attackers t...

4.3CVSS5.7AI score0.0014EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/21 3:26 a.m.30 views

CVE-2026-2294 UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uipsaveglobalsettings' function in all versions up to, and including, 3.5.09. This makes it possible for...

4.3CVSS0.00192EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/20 11:25 p.m.30 views

CVE-2026-3567 RepairBuddy <= 4.1132 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via wc_rep_shop_settings_submission AJAX Action

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the...

5.3CVSS0.00236EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/03/11 9:25 a.m.3 views

CVE-2026-1993

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the updatesettings function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible fo...

8.8CVSS5.9AI score0.0038EPSS
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/07 7:22 a.m.4 views

CVE-2026-1087

The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings,...

4.3CVSS5.6AI score0.00126EPSS
Exploits0References4
OSV
OSV
added 2026/02/28 8:22 p.m.6 views

MAL-2026-1090 Malicious code in isb (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 93750cbddba7897fde1d31836971e11082ad2076012c7caf708980de45827840 Starting the module initiates an infostealer with a Telegram bot and RAT-like functionality and hardcoded credentials. The code automatically adds itself to...

6AI score
Exploits0References1
Patchstack
Patchstack
added 2026/02/20 8:15 a.m.8 views

WordPress Aruba HiSpeed Cache plugin <= 3.0.2 - Missing Authorization to Unauthenticated Plugin's Settings Modification vulnerability

Missing Authorization to Unauthenticated Plugin's Settings Modification vulnerability discovered by mikemyers in WordPress Plugin Aruba HiSpeed Cache versions = 3.0.2...

6.5CVSS5.5AI score0.00277EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/20 7:22 a.m.8 views

CVE-2025-14167

The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR || instead of AND &&, causing the validation to fail when the nonce field is not empty OR when...

4.3CVSS5.4AI score0.00151EPSS
Exploits0References1
NVD
NVD
added 2026/02/19 7:17 a.m.7 views

CVE-2025-14357

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setupwidgets function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, wit...

5.3CVSS0.0022EPSS
Exploits0References3
NVD
NVD
added 2026/02/19 7:17 a.m.6 views

CVE-2025-14167

The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR || instead of AND &&, causing the validation to fail when the nonce field is not empty OR when...

4.3CVSS0.00151EPSS
Exploits0References3
CVE
CVE
added 2026/02/19 4:36 a.m.28 views

CVE-2026-1455

CVE-2026-1455 refers to the Whatsiplus Scheduled Notification for Woocommerce WordPress plugin. The vulnerability is a Cross‑Site Request Forgery (CSRF) affecting versions up to and including 1.0.1 due to missing nonce validation on the AJAX action named wsnfw_save_users_settings. This weakness a...

4.3CVSS5.4AI score0.00124EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/19 4:36 a.m.4 views

CVE-2025-14357 Mega Store Woocommerce <= 5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setupwidgets function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, wit...

5.3CVSS5.6AI score0.0022EPSS
Exploits0References3
Rows per page
Query Builder