Lucene search
K

60 matches found

NVD
NVD
added 4 days ago6 views

CVE-2026-5069

The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...

5.4CVSS0.00176EPSS
Exploits0References2
CVE
CVE
added 4 days ago8 views

CVE-2026-5069

Vulnerability summary (CVE-2026-5069) : The Fluent Forms plugin for WordPress up to version 6.2.1 is vulnerable to incorrect authorization via the subscription_id parameter in the payment cancellation AJAX flow. The root cause is insufficient ownership authorization checks, allowing authenticated...

5.4CVSS5.9AI score0.00176EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-5069 Fluent Forms <= 6.2.1 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Subscription Cancellation via 'subscription_id'

The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...

5.4CVSS0.00176EPSS
Exploits0References2
Patchstack
Patchstack
added 5 days ago5 views

WordPress Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin <= 6.2.1 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Subscription Cancellation vulnerability

Incorrect Authorization to Authenticated Subscriber+ Arbitrary Subscription Cancellation vulnerability discovered by Fernando Mecozzi in WordPress Plugin FluentForm versions = 6.2.1...

5.4CVSS5.9AI score0.00176EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/07/01 7:16 a.m.10 views

CVE-2026-11880

The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users...

3.1CVSS0.00139EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/01 6:0 a.m.40 views

CVE-2026-11880 Fluent Forms < 6.2.1 - Subscriber+ Subscription Cancellation via IDOR

The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users...

0.00139EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 6:0 a.m.17 views

CVE-2026-11880

The CVE-2026-11880 entry concerns Fluent Forms WordPress plugin versions prior to 6.2.1, where ownership is not properly verified before processing a subscription cancellation request. This allows authenticated users with a low-privilege account to cancel subscriptions belonging to other users du...

3.1CVSS5.8AI score0.00139EPSS
Exploits0References1
NVD
NVD
added 2026/06/27 6:16 a.m.10 views

CVE-2026-10820

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user Subscriber+ to cancel other...

8.1CVSS0.00222EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/27 6:0 a.m.7 views

CVE-2026-10820

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user Subscriber+ to cancel other...

8.1CVSS5.8AI score0.00222EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/27 6:0 a.m.41 views

CVE-2026-10820 ProfilePress < 4.16.17 - Subscriber+ Subscription Cancellation via IDOR

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user Subscriber+ to cancel other...

0.00222EPSS
Exploits0References1
CVE
CVE
added 2026/06/27 6:0 a.m.19 views

CVE-2026-10820

The CVE-2026-10820 entry concerns the WordPress plugin family “Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content” prior to version 4.16.17. The root cause is Insecure Direct Object Reference (IDOR): the system does not verify that the user init...

8.1CVSS5.8AI score0.00222EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/27 12:0 a.m.13 views

PT-2026-53044

Name of the Vulnerable Software and Affected Versions Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content versions prior to 4.16.17 Description An Insecure Direct Object Reference occurs because the software fails to verify if the authenticated...

8.1CVSS5.8AI score0.00222EPSS
Exploits0References7
NVD
NVD
added 2026/06/09 10:16 a.m.15 views

CVE-2026-4058

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the usersubscriptioncancel function in all versions up to, and including, 4.3.2. Thi...

4.3CVSS0.00153EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/09 9:28 a.m.41 views

CVE-2026-4058 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.2 - Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the usersubscriptioncancel function in all versions up to, and including, 4.3.2. Thi...

4.3CVSS0.00153EPSS
Exploits0References2
CVE
CVE
added 2026/06/09 9:28 a.m.27 views

CVE-2026-4058

The CVE-2026-4058 entry concerns the WordPress plugin “User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration”. A missing capability check in user_subscription_cancel() across all versions up to 4.3.2 allows authenticated users with Subscriber-level ac...

4.3CVSS5.5AI score0.00153EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/09 9:28 a.m.9 views

CVE-2026-4058 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.2 - Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the usersubscriptioncancel function in all versions up to, and including, 4.3.2. Thi...

4.3CVSS5.5AI score0.00153EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/09 9:28 a.m.14 views

EUVD-2026-35388

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the usersubscriptioncancel function in all versions up to, and including, 4.3.2. Thi...

4.3CVSS5.5AI score0.00153EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/09 12:0 a.m.19 views

WordPress plugin User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

4.3CVSS5.4AI score0.00153EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/06/08 8:48 p.m.12 views

WordPress User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin <= 4.3.2 - Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation vulnerability

Missing Authorization to Authenticated Subscriber+ Subscription Pack Cancellation vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin WP User Frontend versions = 4.3.2...

4.3CVSS5.5AI score0.00153EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/05/11 8:41 p.m.11 views

CVE-2026-43883

Summary: CVE-2026-43883 concerns WWBN/AVideo PayPalYPT plugin where an attacker can misuse an attacker-supplied PayPal billing agreement ID to cancel another user’s subscription. The vulnerable endpoint agreementCancel.json.php validates only that a user is logged in and does not verify ownership...

4.2CVSS5.7AI score0.00167EPSS
Exploits0References2
Rows per page
Query Builder