CVE-2026-3426

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the savewidget and resetallwidgets functions in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with Author-lev...

WordPress plugin Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-43545

The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the downgrade jquery version function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user...

Malicious code in gt-tester-exp-profiler-exp-00000017 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f1490f970bd52c80c89f33029f9e875f1fb595014621d50e0ce87a167d1cd348 setup.py installs a site-wide.pth file gttesterexpprofilerexp00000017probe.pth into site-packages that imports the package's probe module and calls...

CVE-2026-8610

The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

CVE-2026-8610

The CVE describes an authorization bypass in the TypeSquare Webfonts for ConoHa WordPress plugin up to version 2.0.4. Authenticated users with subscriber-level access (or higher) can modify site-wide font settings by submitting a POST to any wp-admin page, bypassing proper authorization checks. F...

CVE-2026-4607

CVE-2026-4607 concerns the ProfileGrid – User Profiles, Groups and Communities WordPress plugin (versions up to 5.9.8.4). The issue is an authorization bypass in AJAX actions pm_set_group_order, pm_set_group_items, and pm_set_field_order, allowing authenticated users with Subscriber-level access ...

CVE-2026-3426

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the savewidget and resetallwidgets functions in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with Author-lev...

PT-2026-40609

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4. This is due to the plugin not properly verifying that a user is authorized to perform an action via the pm set group order, pm set grou...

EUVD-2026-28236

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the noncepermissionscheck method combined with the public exposure of a site-wide reusable nonce. The plugin expose...

CVE-2026-4807

CVE-2026-4807 affects the WordPress plugin “Appointment Booking Calendar” (publicly exposed at WordPress.org) up to version 1.6.10.6. The root cause is missing authorization caused by flawed logic in nonce_permissions_check() combined with a site-wide public nonce exposed via /wp-json/ssa/v1/embe...

PT-2026-38327

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the nonce permissions check method combined with the public exposure of a site-wide reusable nonce. The plugin...

PT-2026-27267

Name of the Vulnerable Software and Affected Versions User Registration & Membership plugin for WordPress versions 5.0.1 through 5.1.4 Description The plugin has a flaw allowing unauthorized data modification. This is due to an insufficient capability check on the Content Access Rules REST API...

CVE-2026-28219

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic management logic allows authenticated users to modify privileged attributes of their topics. By manipulating specific parameters in a PUT or POST...

CVE-2026-1953

Nukegraphic CMS v3.1.2 contains a stored cross-site scripting XSS vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before storing it in the database and rendering it across multiple CMS...

CVE-2026-1953

Nukegraphic CMS v3.1.2 contains a stored cross-site scripting XSS vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before storing it in the database and rendering it across multiple CMS...

CVE-2026-1953

Nukegraphic CMS v3.1.2 is affected by a stored XSS in the user profile edit endpoint (/ngc-cms/user-edit-profile.php). The vulnerability arises because the name field is not properly sanitized before storing to the database and rendering on multiple pages. An authenticated attacker with low privi...

EUVD-2026-5547

Nukegraphic CMS v3.1.2 contains a stored cross-site scripting XSS vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before storing it in the database and rendering it across multiple CMS...

CVE-2025-11726 Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Global Preset Modification

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets...

EUVD-2025-60927

The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action wpajaxnoprivcryptoconnectajaxprocess that allows calling the register and savenft methods with only a...