70 matches found
CVE-2026-4261
The CVE-2026-4261 entry concerns the WordPress Expire Users plugin (all versions up to 1.2.2). The root cause is that the plugin allows updating the on_expire_default_to_role meta via the save_extra_user_profile_fields function, enabling privilege escalation. As documented, authenticated users wi...
CVE-2026-4261 Expire Users <= 1.2.2 - Authenticated (Subscriber+) Privilege Escalation to Administrator via save_extra_user_profile_fields
The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it possible for authenticated...
PT-2026-26880
The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it possible for...
CVE-2025-13493 Latest Registered Users <= 1.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via User Data Export
The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rndhandleformsubmit function hooked to both adminpostmysimpleform and...
PT-2025-45199
Cross-Site Request Forgery (CSRF) vulnerability in andriassundskard wpNamedUsers wpnamedusers allows Stored XSS. This issue affects wpNamedUsers: from n/a through <= 0.5...
EUVD-2019-6330
Malware in sbrugna...
EUVD-2021-11389
Malware in sbrugna...
EUVD-2011-4587
Malware in sbrugna...
EUVD-2022-5718
Malicious code in bioql PyPI...
EUVD-2022-24894
Malicious code in bioql PyPI...
WordPress Front End Users plugin <= 3.2.35 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by theviper17 in WordPress Plugin Front End Users versions <= 3.2.35...
CVE-2023-6390
The WordPress Users WordPress plugin through 1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
CVE-2022-1605
The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users...
CVE-2021-24400
The Edit Role functionality in the Display Users WordPress plugin through 2.0.0 had an id parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection...
CVE-2019-15327
The import-users-from-csv-with-meta plugin before 1.14.1.3 for WordPress has XSS via imported data...
CVE-2024-13569
The Front End Users WordPress plugin through 3.2.32 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WordPress plugin Front End Users security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
CVE-2024-12410
CVE-2024-12410 involves the Front End Users WordPress plugin. It is vulnerable to SQL Injection via the UserSearchField parameter in all versions up to and including 3.2.32 due to insufficient escaping and lack of proper SQL query preparation. This allows unauthenticated attackers to append extra...
WordPress Export and Import Users and Customers plugin <= 2.6.2 - Authenticated (Admin+) PHP Object Injection via form_data Parameter vulnerability
Authenticated (Admin+) PHP Object Injection via form_data Parameter vulnerability discovered by HayMiz in WordPress Plugin Import Export WordPress Users versions <= 2.6.2...