6 matches found

Nuclei
added 9 hours ago · 13 views

WordPress ProfilePress <= 3.1.3 - Privilege Escalation

ProfilePress plugin before 3.1.4 allows privilege escalation. Due to insufficient validation in the profile update functionality, authenticated users can supply arbitrary usermeta fields, including wpcapabilities, during profile updates. This enables a user to escalate their privileges to...

9.8 CVSS · 7.9 AI score · 0.61563 EPSS
Exploits: 2 · References: 2
RedhatCVE
added 2026/03/26 3:4 p.m. · 1 views

CVE-2026-3629

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'saveextrauserprofilefields' function not properly restricting which user meta keys can be updated via profile fields. The...

8.1 CVSS · 5.7 AI score · 0.00032 EPSS
Exploits: 1 · References: 1
ATTACKERKB
added 2026/03/21 10:24 p.m. · 2 views

CVE-2026-3629

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'saveextrauserprofilefields' function not properly restricting which user meta keys can be updated via profile fields. The...

8.1 CVSS · 5.7 AI score · 0.00032 EPSS
Exploits: 1 · References: 6
NVD
added 2026/03/21 4:17 a.m. · 2 views

CVE-2026-2941

The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksysearchandreplaceitemdetails' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with...

8.8 CVSS · 0.00058 EPSS
Exploits: 0 · References: 2
OSV
added 2024/11/13 5:15 a.m. · 1 views

CVE-2024-10800

The WordPress User Extra Fields plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the ajaxsavefields function in all versions up to, and including, 16.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to ad...

8.8 CVSS · 7.3 AI score · 0.00237 EPSS
Exploits: 0 · References: 2
Positive Technologies
added 2023/07/01 12:0 a.m. · 7 views

PT-2023-24941 · WordPress · Ultimate Member

Name of the Vulnerable Software and Affected Versions: Ultimate Member WordPress plugin versions prior to 2.6.7
Description: The issue allows attackers to create user accounts with arbitrary capabilities, effectively enabling them to create administrator accounts at will. This is being actively...

9.8 CVSS · 9.7 AI score · 0.9297 EPSS
Exploits: 12 · References: 17