15 matches found
CVE-2026-53981 Cap-go < v12.128.2 Account Takeover via Unauthenticated Email Change Mechanism
Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect...
CVE-2026-8940
The CVE-2026-8940 entry concerns WordPress plugin WP Meta Sort Posts (versions
WordPress Hybrid Composer plugin <= 1.4.6 Unauthenticated Settings Change vulnerability
WordPress Hybrid Composer plugin <= 1.4.6 Unauthenticated Settings Change vulnerability discovered by ? in WordPress Plugin Hybrid Composer versions <= 1.4.6...
CVE-2019-25738
WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hcajaxsaveoption action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to...
CVE-2026-40149
PraisonAI’s multi-agent system is vulnerable to an unauthenticated modification of the tool approval allowlist via the gateway’s /api/approval/allow-list endpoint (pre-4.5.128). By adding dangerous tool names (e.g., shell_exec, file_write) when no auth_token is configured, an attacker can cause t...
CVE-2026-0572 WebPurify Profanity Filter <= 4.0.2 - Missing Authorization to Unauthenticated Plugin Settings Change via webpurify_save_options
The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settin...
CVE-2025-59102
The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs are even stored unencrypted. Combined with...
CVE-2023-1843
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability check on the permalinksetup function in versions up to, and including, 3.3.0. This makes it possible for unauthenticated attackers to change the...
VulnCheck KEV: CVE-2019-17228
includes/options.php in the motors-car-dealership-classified-listings aka Motors - Car Dealer & Classified Ads plugin through 1.4.0 for WordPress allows unauthenticated options changes...
CVE-2022-41132
Unauthenticated Plugin Settings Change Leading To Stored XSS Vulnerability in Ezoic plugin = 2.8.8 on WordPress...
CVE-2022-35238
Unauthenticated Plugin Settings Change vulnerability in Awesome Filterable Portfolio plugin = 1.9.7 at WordPress...
Simple Online College Entrance Exam System 1.0 - Account Takeover Vulnerability
Exploit Title: Simple Online College Entrance Exam System 1.0 - Account Takeover Exploit Author: Amine ismail @aminei Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html Software Link:...
CVE-2019-20565
An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) software. Attackers can change the USB configuration without authentication. The Samsung ID is SVE-2018-13300 (September 2019)...
Search Exclude < 1.2.4 - Arbitrary Settings Change
Unauthenticated plugin settings change via admin_init. Authenticated plugin settings change via AJAX...
D-Link DSL-2640U DNS Change Vulnerability
The D-Link DSL-2640U is a wireless router. An unauthenticated DNS change vulnerability exists in the D-Link DSL-2640U. An attacker can exploit the vulnerability to access sites and devices on vulnerable systems, redirecting to malicious sites...