CVE-2026-2518 FastX <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation and Activation

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultpinstallcallback' and 'ultpactivatecallback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers...

EUVD-2026-31412

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultpinstallcallback' and 'ultpactivatecallback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers...

EUVD-2026-24292

HKUDS OpenHarness prior to PR 156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state,...

CVE-2026-6819 HKUDS OpenHarness Plugin Management Command Exposure

HKUDS OpenHarness prior to PR 156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state,...

WordPress plugin WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2026-1831

The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymailinstallyaysmtp' AJAX action and /yaymail/v1/addons/activate REST endpoint in all versions up to, and including, 4.3.2...

CVE-2026-1831

The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymailinstallyaysmtp' AJAX action and /yaymail/v1/addons/activate REST endpoint in all versions up to, and including, 4.3.2...

CVE-2023-4600

The AffiliateWP for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwpactivateaddonspageplugin' function called via an AJAX action in versions up to, and including, 2.14.0. This makes it possible for authenticated attackers, with...

EUVD-2025-36218

Easywork Enterprise 2.1.3.354 is vulnerable to Cleartext Storage of Sensitive Information in Memory. The application leaves valid device-bound license keys in process memory after a failed activation attempt. The keys can be obtained by attaching a debugger or analyzing the process/memory dump an...

EUVD-2023-12548

Malicious code in bioql PyPI...

EUVD-2025-26173

Malicious code in bioql PyPI...

CVE-2025-8999

The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activatemodules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate...

CVE-2025-8147

The CVE-2025-8147 entry concerns the WordPress LWSCache plugin (versions up to and including 2.8.5). The underlying issue is improper authorization in the lwscache_activatePlugin() function, allowing authenticated users with Subscriber-level access and above to activate arbitrary whitelisted LWS ...

CVE-2025-8147 LWSCache <= 2.8.5 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Activation via lwscache_activatePlugin Function

The LWSCache plugin for WordPress is vulnerable to unauthorized modification of data due to improper authorization on the lwscacheactivatePlugin function in all versions up to, and including, 2.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVE-2024-13423

The Sparkling theme for WordPress is vulnerable to unauthorized plugin activation/deactivation due to a missing capability check on the 'sparklingactivateplugin' and 'sparklingdeactivateplugin' functions in versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers...

CVE-2024-13423 Sparkling <= 2.4.9 - Missing Authorization to Unauthenticated Arbitrary Plugin Activation/Deactivation

The Sparkling theme for WordPress is vulnerable to unauthorized plugin activation/deactivation due to a missing capability check on the 'sparklingactivateplugin' and 'sparklingdeactivateplugin' functions in versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers...

WordPress plugin PostX 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...

CVE-2024-10437

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smar Message activation/deactivation due to a missing capability check on the ajaxenable function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with...

CVE-2024-10437 WPC Smart Messages for WooCommerce <= 4.2.1 - Missing Authorization to Authenticated (Subscriber+) Message Activation/Deactivation

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smar Message activation/deactivation due to a missing capability check on the ajaxenable function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with...

CVE-2024-10437

CVE-2024-10437 affects the WordPress plugin “WPC Smart Messages for WooCommerce” (versions ≤ 4.2.1). description: a missing capability check in ajax_enable allows authenticated users with Subscriber-level access or higher to activate/deactivate smart messages. Impact: unauthorized modification of...