25 matches found
PT-2025-26211 · WordPress · Ai Engine Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: WordPress AI Engine plugin (affected versions not specified). Description: A critical flaw in WordPress's AI Engine plugin allows subscribers to escalate privileges and take over websites with Dev Tools/MCP enabled. Recommendations: Update the...
CVE-2024-46446
Mecha CMS 3.0.0 is vulnerable to Directory Traversal. An attacker can construct cookies and URIs that bypass user identity checks. Parameters can then be passed through the POST method, resulting in the Deletion of Arbitrary Files or Website Takeover...
WordPress InspiryThemes RealHomes Theme Privilege Escalation Vulnerability (Jan 2025)
The WordPress theme RealHomes by InspiryThemes is prone to a privilege escalation vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-onl...
Mecha CMS Security Vulnerability
Mecha CMS is an open source flat-file content management system for minimalists. A security vulnerability exists in Mecha CMS version 3.0.0 that stems from vulnerability to directory traversal attacks. An attacker can construct cookies and URIs that bypass user identity checks and then pass...
CVE-2024-46446
CVE-2024-46446 affects Mecha CMS 3.0.0. A directory traversal vulnerability allows an attacker to craft cookies and URIs that bypass user identity checks, then pass parameters via POST to perform arbitrary file deletion or take over the website. The issue is rooted in inadequate validation of inp...
Website Takeover Campaign Takes Advantage of Unauthenticated Stored Cross-Site Scripting Vulnerability in Popup Builder Plugin
On December 11, 2023, we added an Unauthenticated Stored XSS vulnerability in the Popup Builder WordPress plugin to our Wordfence Intelligence Vulnerability Database. This vulnerability, which was originally reported by WPScan, allows an unauthenticated attacker to inject arbitrary JavaScript tha...
Vulnerability in WordPress Plugin threatens Website takeover
Threat Level Vulnerability Report. Summary: WordPress Ultimate Member Plugin, with over 200K installations, helps in streamlining user registration and login processes. It has been found vulnerable to unauthenticated privilege escalation,...
New vulnerability allows attackers to takeover entire WordPress website
Threat Level Vulnerability Report. Summary: An unauthenticated attacker can call multiple methods in Ninja Forms class in order to inject objects to eventually perform Remote Code Execution (RCE)...
CVE-2021-24803
The Core Tweaks WP Setup WordPress plugin through 4.1 allows bulk-setting many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrarily change the admin email or create another admin account a...
CVE-2021-24803
The CVE-2021-24803 entry concerns the WordPress plugin Core Tweaks WP Setup (versions
CVE-2021-24803 Core Tweaks WP Setup <= 4.1 - Arbitrary Admin Account Creation / Admin Email Update via CSRF
The Core Tweaks WP Setup WordPress plugin through 4.1 allows bulk-setting many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrarily change the admin email or create another admin account a...
AdSanity, AccessPress Plugins Open Scads of WordPress Sites to Takeover
The WordPress content management system (CMS) is offering admins more headaches this week, thanks to a pair of disparate but concerning security problems in add-ons for the platform. The first issue affects the WordPress AdSanity plugin. It's a critical security vulnerability that could allow remot...
CVE-2021-36909 WordPress WP Reset PRO Premium plugin <= 5.98 - Authenticated Database Reset vulnerability
Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin versions <= 5.98 allows any authenticated user to wipe the entire database regardless of their authorization. It leads to a complete website reset and takeover...
Critical WordPress Plugin Flaw Allows Complete Website Takeover
A critical vulnerability in popular WordPress plugin Simple Social Buttons enables non-admin users to modify WordPress installation options - and ultimately take over websites. Simple Social Buttons enables users to add social-media sharing buttons to various locations of their websites. The plug...
Hitshop Elevation of Privilege Vulnerability
hitshop is an online shopping mall system. A privilege escalation vulnerability exists in hitshop 2014-07-15 and earlier versions, which stems from the ability to add an administrator account to the storekeeper account. The vulnerability can be exploited by an attacker to take control of the entire website...
Swape Theme - Authentication Bypass and Stored XSS
Similar to https://wpvulndb.com/vulnerabilities/8061, but with no authentication. The theme suffers from a privilege escalation vulnerability; any user can trigger this vulnerability due to weak permissions checking. An attacker can update options, such as changing user's default role, registratio...