39 matches found
CVE-2025-14903 Simple Crypto Shortcodes <= 1.0.2 - Cross-Site Request Forgery to Plugin Settings Update
The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scsbackend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged...
WordPress Live CSS Preview plugin <= 2.1.4 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Live CSS Preview versions <= 2.1.4...
CVE-2025-11815 UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.08 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the uipsavesiteoption function in all versions up to, and including, 3.5.08. This makes it possible for authenticate...
CVE-2025-12675 KiotViet Sync <= 1.8.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update
The KiotViet Sync plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveConfig function in all versions up to, and including, 1.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update...
EUVD-2023-59009
Malicious code in bioql PyPI...
EUVD-2023-23594
Malicious code in bioql PyPI...
CVE-2025-11163 SmartCrawl SEO checker, analyzer & optimizer <= 3.14.3 - Missing Authorization to Plugin Settings Update
The SmartCrawl SEO checker, analyzer & optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updatesubmodule function in all versions up to, and including, 3.14.3. This makes it possible for authenticated attackers, with...
CVE-2023-6798
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check when updating settings in all versions up to, and including, 4.3.2. This makes it possible for...
CVE-2024-13687 Team Builder – Meet the Team <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update
The Team Builder – Meet the Team plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveteambuilderoptions function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2024-12826 GoHero Store Customizer for WooCommerce <= 3.5 - Missing Authorization to Unauthenticated Settings Update
The GoHero Store Customizer for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woohactionsettingssavefrontend function in all versions up to, and including, 3.5. This makes it possible for unauthenticated attackers to...
CVE-2024-12606
CVE-2024-12606 concerns the AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) for WordPress. The vulnerability is due to a missing capability check in engine_request_data() across all versions up to and includin...
CVE-2024-9697 Social Rocket – Social Sharing Plugin <= 1.3.4 - Missing Authorization to Settings Update
The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tweetsettingssave and tweetsettingsupdate functions in all versions up to, and including, 1.3.4. This makes it possible for authenticated...
CVE-2024-8427 Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update
The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveglobalsettings and processformedit functions in all versions up to, and including, 1.2.2. This makes i...
CVE-2024-3602
The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnectpromolayer function in all versions up to, and including, 1.1.0. This...
CVE-2024-3602
CVE-2024-3602 – Promolayer popup builder for WordPress is vulnerable to an unauthorized plugin settings update due to a missing capability check in the disconnect_promolayer function in versions up to 1.1.0. This allows authenticated attackers with subscriber access or higher to remove the Promol...
CVE-2023-6751
The Hostinger plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the function publishwebsite in all versions up to, and including, 1.9.7. This makes it possible for unauthenticated attackers to enable and disable maintenance mode...
PT-2024-15038 · WordPress · Caos | Host Google Analytics Locally
Name of the Vulnerable Software and Affected Versions: CAOS | Host Google Analytics Locally plugin for WordPress versions up to, and including, 4.7.14. Description: The issue allows unauthorized modification of data due to a missing capability check on the update settings function. This makes it...
Design/Logic Flaw
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check when updating settings in all versions up to, and including, 4.3.2. This makes it possible for...