
Vulnrichment
added 2026/05/02 1:26 p.m.

CVE-2026-2554 WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfmdeletewcfmcustomer' due to missing validation on the 'customerid' user...

CVSS 8.1, AI score 5.9, EPSS 0.00015
Exploits 0, References 3
CVE
added 2026/04/09 7:00 p.m.

CVE-2026-35063

CVE-2026-35063 concerns OpenPLC_V3 REST API: an endpoint checks for JWT but does not verify the caller’s role. This allows any authenticated user with role=user to delete other users (including admins) by specifying a user_id, or to create new accounts with role=admin, effectively escalating to f...

CVSS 8.8, AI score 5.9, EPSS 0.00045
Exploits 0, References 1, Affected Software 1
CVE
added 2026/04/08 6:43 a.m.

CVE-2026-3477

CVE-2026-3477 concerns the PZ Frontend Manager plugin for WordPress (versions up to 1.0.6). The vulnerability stems from the AJAX handler pzfm_user_request_action_callback(), registered via wp_ajax_pzfm_user_request_action, which lacks both capability checks and nonce verification. When the reque...

CVSS 5.3, AI score 6, EPSS 0.00011
Exploits 0, References 7
Cvelist
added 2026/04/08 6:43 a.m.

CVE-2026-3477 PZ Frontend Manager <= 1.0.6 - Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter

The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfm_user_request_action_callback function, registered via the wp_ajax_pzfm_user_request_action action hook, lacks both capability checks and nonce verification. This function...

CVSS 5.3, EPSS 0.00011
Exploits 0, References 7
EUVD
added 2026/04/02 3:31 p.m.

EUVD-2026-18215

A vulnerability was found in SourceCodester/mayurik Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=deleteuser of the component User Delete Handler. Performing a manipulation of the argument ID results in improper access...

CVSS 6.9, AI score 6.3, EPSS 0.00057
Exploits 0, References 5
OSV
added 2026/02/23 6:23 p.m.

GO-2026-4497 Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change in github.com/pterodactyl/wings

Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change in github.com/pterodactyl/wings...

AI score 5.4
Exploits 0, References 3
Cvelist
added 2026/02/09 12:32 a.m.

CVE-2026-2199 code-projects Online Reviewer System user-delete.php sql injection

A security flaw has been discovered in code-projects Online Reviewer System 1.0. The impacted element is an unknown function of the file /reviewer/system/system/admins/manage/users/user-delete.php. Performing a manipulation of the argument ID results in sql injection. The attack can be initiated...

CVSS 7.5, EPSS 0.00037
Exploits 1, References 5
RedhatCVE
added 2026/01/09 11:43 a.m.

CVE-2010-0711

Cross-site request forgery (CSRF) vulnerability in default.asp in ASPCode CMS 1.5.8, 2.0.0 Build 103, and possibly other versions, allows remote attackers to hijack the authentication of an administrator for requests that (1) delete users via the delete action in the ma2 parameter or (2) create...

CVSS 6.8, AI score 7.7, EPSS 0.00282
Exploits 1, References 1
RedhatCVE
added 2026/01/09 10:43 a.m.

CVE-2022-26588

A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI...

CVSS 6.5, AI score 7.1, EPSS 0.00164
Exploits 4, References 1
RedhatCVE
added 2026/01/09 10:07 a.m.

CVE-2019-20178

Advisto PEEL Shopping 9.2.1 has CSRF via administrer/utilisateurs.php to delete a user...

CVSS 6.5, AI score 7, EPSS 0.00161
Exploits 0, References 1
RedhatCVE
added 2026/01/07 9:45 a.m.

CVE-2017-6914

CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. A user can be deleted...

CVSS 7.1, AI score 6.9, EPSS 0.0012
Exploits 1, References 1
NVD
added 2025/12/31 6:15 a.m.

CVE-2025-13029

The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users...

CVSS 7.5, EPSS 0.001
Exploits 0, References 1
CNNVD
added 2025/12/31 12:00 a.m.

WordPress plugin Knowband Mobile App Builder security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...

CVSS 7.5, AI score 6.6, EPSS 0.001
Exploits 0, References 1
OSV
added 2025/11/19 4:15 p.m.

CVE-2025-63221

The Axel Technology puma devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system...

CVSS 9.1, AI score 5.9, EPSS 0.0012
Exploits 1, References 2
Cvelist
added 2025/11/19 12:00 a.m.

CVE-2025-63223

The Axel Technology StreamerMAX MK II devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and...

EPSS 0.00801
Exploits 1, References 2
Positive Technologies
added 2025/11/18 12:00 a.m.

PT-2025-47310

Name of the Vulnerable Software and Affected Versions: Windu CMS version 4.1 (Windu CMS affected versions not specified). Description: Windu CMS is susceptible to a Cross-Site Request Forgery (CSRF) issue within the user editing functionality. A malicious actor can create a specially crafted website tha...

CVSS 6.8, AI score 6.6, EPSS 0.00015
Exploits 0, References 7
EUVD
added 2025/11/10 3:31 p.m.

EUVD-2025-44058

A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent. The application's user deletion endpoint e.g.,...

CVSS 7.1, AI score 6.5, EPSS 0.00067
Exploits 1, References 3
NVD
added 2025/11/10 9:15 a.m.

CVE-2025-12155

A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker, allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system. Looker-hosted and Self-hosted were found to be vulnerable. Th...

CVSS 7.1, EPSS 0.00308
Exploits 0, References 1
Cvelist
added 2025/11/10 8:49 a.m.

CVE-2025-12155 Command Injection in Looker

A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker, allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system. Looker-hosted and Self-hosted were found to be vulnerable. Th...

CVSS 7.1, EPSS 0.00308
Exploits 0, References 1
CVE
added 2025/11/10 8:49 a.m.

CVE-2025-12155

CVE-2025-12155 describes a Command Injection in Looker caused by improper file path sanitization (Directory Traversal). The vulnerability allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system. Affected products are Looker (both ...

CVSS 7.1, AI score 7.5, EPSS 0.00308
Exploits 0, References 1