CVE-2026-41394

CVE-2026-41394 affects OpenClaw prior to 2026.3.31. An authentication bypass allows unauthenticated access to plugin-auth HTTP routes that receive operator runtime write scopes, enabling privileged runtime actions intended for authorized operators. Exploitation status is not detailed in the provi...

CVE-2026-26003 FastGPT Plugin forwarding request is not authenticated, posing a serious risk of attack

FastGPT is an AI Agent building platform. From 4.14.0 to 4.14.5, attackers can directly access the plugin system through FastGPT/api/plugin/xxx without authentication, thereby threatening the plugin system. This may cause the plugin system to crash and the loss of plugin installation status, but ...

CVE-2025-8682

The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsupadmininfoinstallplugin function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin...

EUVD-2025-33847

The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsupadmininfoinstallplugin function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin...

CVE-2018-11579

class-woo-banner-management.php in the MULTIDOTS WooCommerce Category Banner Management plugin 1.1.0 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wpajaxnopriv usage. Anyone can change the plugin's setting by simply sending a request with a...

WordPress Pubnews theme <= 1.0.7 - Unauthenticated Arbitrary Plugin Installation vulnerability

Unauthenticated Arbitrary Plugin Installation vulnerability discovered by Kevin Murphy knmurphy in WordPress Theme Pubnews versions = 1.0.7...

CVE-2024-10542

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for...

CVE-2022-40218 WordPress TH Advance Product Search plugin <= 1.1.4 - Unauthenticated Plugin Settings Change vulnerability

Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin.This issue affects Advance WordPress Search Plugin: from n/a through 1.1.4...

CVE-2022-40218 WordPress TH Advance Product Search plugin <= 1.1.4 - Unauthenticated Plugin Settings Change vulnerability

Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin.This issue affects Advance WordPress Search Plugin: from n/a through 1.1.4...

CVE-2024-1360

The Colibri WP theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.94. This is due to missing or incorrect nonce validation on the colibriwpinstallplugin function. This makes it possible for unauthenticated attackers to install recommended...

PT-2024-17972 · WordPress · Colibri Wp

Name of the Vulnerable Software and Affected Versions: Colibri WP theme for WordPress versions up to, and including, 1.0.94 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the colibriwp install plugin function. This allows...

Webmaster Tools Verification <= 1.2 - Unauthenticated Arbitrary Plugin Deactivation

The plugin does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins curl -X POST --data "wmtvuninstall=1&wmtvuninstallconfirm=1&plugin=akismet/akismet.php" https://example.com...

WordPress WP Shop plugin <= 3.9.6 - Unauthenticated Plugin Settings Change & Data Deletion vulnerabilities

Unauthenticated Plugin Settings Change & Data Deletion vulnerabilities were discovered by ptsfence Patchstack Alliance in the WordPress WP Shop plugin versions = 3.9.6. Solution Deactivate and delete. No reply from the vendor...

DataEase 安全漏洞

DataEase is an open source data visualization and analysis tool. Used to help users quickly analyze data and insight into business trends , so as to achieve business improvement and optimization . DataEase v1.11.1 There is a security vulnerability , the vulnerability stems from the plug-in...

DataEase 安全漏洞

DataEase is an open source data visualization and analysis tool. Used to help users quickly analyze data and insight into business trends , so as to achieve business improvement and optimization . DataEase v1.11.1 There is a security vulnerability , the vulnerability stems from the plug-in...

WordPress XCloner plugin < 4.3.5 - Unauthenticated Plugin Settings Reset vulnerability

Unauthenticated Plugin Settings Reset vulnerability discovered by Krzysztof Zając in WordPress XCloner plugin versions 4.3.5. Solution Update the WordPress XCloner Backup, Restore and Migrate plugin to the latest available version at least 4.3.6...

CVE-2021-24906 Protect WP Admin < 3.6.2 - Unauthenticated Plugin Deactivation

The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin and therefore the protection offered via a crafted request...

WordPress CMP – Coming Soon & Maintenance plugin <= 3.8.1 - Unauthenticated Plugin Deactivation vulnerability

Unauthenticated Plugin Deactivation vulnerability discovered by NinTechNet in WordPress CMP – Coming Soon & Maintenance plugin versions = 3.8.1. Solution Update the WordPress CMP – Coming Soon & Maintenance plugin to the latest available version at least 3.8.2...

Advanced AJAX Product Filters < 1.3.7 - Unauthenticated Plugin Settings Update

The Advanced AJAX Product Filters WordPress plugin was affected by an Unauthenticated Plugin Settings Update security vulnerability...