55 matches found
CVE-2026-5464
The ExactMetrics – Google Analytics Dashboard for WordPress Website Stats Plugin plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboardingkey' transient to a...
CVE-2026-2518 FastX <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation and Activation
The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultpinstallcallback' and 'ultpactivatecallback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers...
PT-2026-42722
Name of the Vulnerable Software and Affected Versions FastX theme for WordPress versions prior to 1.0.3 Description The FastX theme for WordPress allows authenticated attackers with Subscriber-level access or higher to install and activate the PostX plugin. This is caused by missing capability...
EUVD-2026-9819
The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'installandactiveplugin' function in all versions up to, and including, 1.4.24. This...
CVE-2026-1720
The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check in the install_and_active_plugin function in all versions up to 1.4.24. This allows authenticated users with Subscriber-level access and above to i...
PT-2026-23448
The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install and active plugin' function in all versions up to, and including, 1.4.24...
CVE-2025-12975
The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woofeedplugininstalling function in all versions up to, and including, 6.6.11. This makes it possible for authenticated...
CVE-2026-0974
The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'installplugin' function in all versions up to, and including, 1.20.0. This makes it possible for...
CVE-2025-12975
The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woofeedplugininstalling function in all versions up to, and including, 6.6.11. This makes it possible for authenticated...
CVE-2026-0974
The CVE affects the WordPress plugin Orderable (Restaurant Online Ordering System) up to version 1.20.0. A missing capability check in the install_plugin function allows authenticated attackers with Subscriber-level access and above to install arbitrary plugins, which can lead to Remote Code Exec...
CVE-2026-0974
The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'installplugin' function in all versions up to, and including, 1.20.0. This makes it possible for...
PT-2026-20631
The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install plugin' function in all versions up to, and including, 1.20.0. This makes it possible for...
CVE-2026-2001
The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::installactivateplugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and...
PT-2026-8384
The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install activate plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access a...
CVE-2026-1490
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS PTR record spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it...
CVE-2025-14465 Sticky Action Buttons <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update
The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabsoptionspageformsubmit function. This makes it possible for unauthenticated attackers to update plug...
WordPress Classified Pro plugin Unauthorized Plugin Installation Vulnerability
WordPress Classified Pro plugin is a plugin for quickly creating a classified ad section on a WordPress website, supporting different scenarios of listings management such as automotive, second-hand trading, etc., and providing features such as searching, ad space configuration, and text...
CVE-2025-10706 Classified Pro <= 1.0.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwpaddonsupdateplugincb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and...
CVE-2025-8682 Newsup <= 5.0.10 - Missing Authorization to Authenticated (Subscriber+) Plugin Installation
The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsupadmininfoinstallplugin function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin...
EUVD-2025-29548
Malicious code in bioql PyPI...