Lucene search
K

185 matches found

Nuclei
Nuclei
β€’added 3 days agoβ€’9 views

Total Donations Plugin for WordPress < 2.0.6 - Arbitrary Options Update

Incorrect access control in miglaajaxfunctions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call...

9.8CVSS7.3AI score0.26076EPSS
Exploits1References2
RedhatCVE
RedhatCVE
β€’added 2026/06/05 7:14 p.m.β€’12 views

CVE-2026-4030

The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a user-controlled backup...

8.1CVSS5.5AI score0.00464EPSS
Exploits0References1
RedhatCVE
RedhatCVE
β€’added 2026/05/26 8:14 p.m.β€’13 views

CVE-2026-6897

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\TeamAccounts::savesettings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.8AI score0.00244EPSS
Exploits0References1
NVD
NVD
β€’added 2026/05/23 5:16 a.m.β€’9 views

CVE-2026-6898

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3Hooks::generateapikey' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS0.00244EPSS
Exploits0References2
NVD
NVD
β€’added 2026/05/23 5:16 a.m.β€’12 views

CVE-2026-6897

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\TeamAccounts::savesettings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS0.00244EPSS
Exploits0References2
EUVD
EUVD
β€’added 2026/05/23 4:27 a.m.β€’20 views

EUVD-2026-31525

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\TeamAccounts::savesettings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.8AI score0.00244EPSS
Exploits0References2
CVE
CVE
β€’added 2026/05/23 4:27 a.m.β€’46 views

CVE-2026-6897

The CVE describes a missing capability check in Wishlist Member for WordPress (WishListMember\Features\Team_Accounts::save_settings) affecting all versions up to and including 3.30.1. This allows authenticated users with Subscriber-level access or higher to modify arbitrary plugin options, includ...

8.8CVSS5.8AI score0.00244EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
β€’added 2026/05/23 4:27 a.m.β€’13 views

CVE-2026-6897

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\TeamAccounts::savesettings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.8AI score0.00244EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
β€’added 2026/05/23 4:27 a.m.β€’11 views

CVE-2026-6895

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'exportsettings' function. This function returns the RES...

8.8CVSS5.8AI score0.00248EPSS
Exploits0References3
Vulnrichment
Vulnrichment
β€’added 2026/05/23 4:27 a.m.β€’10 views

CVE-2026-6897 Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Update via 'wishlistmember_team_accounts_save_settings' AJAX action

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\TeamAccounts::savesettings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.8AI score0.00244EPSS
Exploits0References2
EUVD
EUVD
β€’added 2026/05/23 4:27 a.m.β€’14 views

EUVD-2026-31523

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3Hooks::generateapikey' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.8AI score0.00244EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
β€’added 2026/05/23 4:27 a.m.β€’13 views

CVE-2026-6898

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3Hooks::generateapikey' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.8AI score0.00244EPSS
Exploits0References3
Vulnrichment
Vulnrichment
β€’added 2026/05/23 4:27 a.m.β€’9 views

CVE-2026-6898 WishList Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Generate API Secret Key via 'wlm3_generate_api_key' AJAX action

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3Hooks::generateapikey' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.8AI score0.00244EPSS
Exploits0References2
GithubExploit
GithubExploit
β€’added 2026/05/21 10:12 a.m.β€’103 views

Exploit for CVE-2026-5118

πŸ”₯ CVE-2026-5118 Divi Form Builder --- 🎯 Ring...

5.8AI score0.00487EPSS
Exploits4
NVD
NVD
β€’added 2026/05/20 2:16 a.m.β€’18 views

CVE-2026-6072

The Oliver POS – A WooCommerce Point of Sale POS plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/ REST API namespace through the oliverposrestauthentication...

6.5CVSS0.00475EPSS
Exploits0References11
Vulnrichment
Vulnrichment
β€’added 2026/05/20 1:25 a.m.β€’10 views

CVE-2026-6072 Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header

The Oliver POS – A WooCommerce Point of Sale POS plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/ REST API namespace through the oliverposrestauthentication...

6.5CVSS5.7AI score0.00475EPSS
Exploits0References11
Positive Technologies
Positive Technologies
β€’added 2026/04/27 12:0 a.m.β€’10 views

PT-2026-35519

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute method of the connect-customer-to-wp-user ability, which only requires...

8.8CVSS5.2AI score0.00293EPSS
Exploits1References9
Github Security Blog
Github Security Blog
β€’added 2026/04/14 11:12 p.m.β€’7 views

WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials

Summary objects/configurationUpdate.json.php also routed via /updateConfig persists dozens of global site settings from $POST but protects the endpoint only with User::isAdmin. It does not call forbidIfIsUntrustedRequest, does not verify a globalToken, and does not validate the Origin/Referer...

8.3CVSS5.9AI score0.00173EPSS
Exploits1References4Affected Software1
EUVD
EUVD
β€’added 2026/04/03 9:30 a.m.β€’4 views

EUVD-2026-18609

The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the PMCS::actionhandler method processing the $GET'delete' parameter without any sanitization, authorization check, or nonce verification...

8.1CVSS6AI score0.00658EPSS
Exploits1References3
NVD
NVD
β€’added 2026/04/03 8:16 a.m.β€’5 views

CVE-2026-4350

The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the PMCS::actionhandler method processing the $GET'delete' parameter without any sanitization, authorization check, or nonce verification...

8.1CVSS0.00658EPSS
Exploits1References2
Rows per page
Query Builder