Lucene search
K
VulnrichmentRecent

161201 matches found

Vulnrichment
Vulnrichment
added 2026/07/01 1:55 p.m.5 views

CVE-2026-6686 FatFs Use of Uninitialized Clusters After Seek Past EOF

FatFs R0.16 and earlier contains an uninitialized cluster exposure when flseek extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 Use of Uninitialized Resource. Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 4.6, Medium. The...

4.6CVSS5.8AI score0.00177EPSS
Exploits2References4
Vulnrichment
Vulnrichment
added 2026/07/01 1:49 p.m.5 views

CVE-2026-23537 Feast: unauthenticated arbitrary file write

A vulnerability has been identified in the Feast Feature Server’s /save-document endpoint that allows an unauthenticated remote attacker to write arbitrary JSON files to the server's filesystem. Although the system attempts to restrict file locations, these protections can be bypassed, enabling a...

9.1CVSS6.2AI score0.00568EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/07/01 1:47 p.m.6 views

CVE-2026-6685 FatFs Integer Underflow in Dirty-Sector Cache Flush

FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in fread / fwrite fp-sect - sect cc during interleaved read/write on fragmented filesystems. This maps to CWE-191 Integer Underflow. Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H 6.1...

6.1CVSS5.8AI score0.00205EPSS
Exploits2References4
Vulnrichment
Vulnrichment
added 2026/07/01 1:45 p.m.7 views

CVE-2026-13602 Session takeover vulnerability

We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data: The payment integration plugins Stripe included in the core system, pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect,...

9.4CVSS6AI score0.00239EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 1:45 p.m.7 views

CVE-2026-6684 FatFs Infinite Loop in GPT Partition Scan

FatFs prior to R0.16 that use GPT scanning with 'FFLBA64 = 1' contains an issue where an unbounded loop count derived from GPT header field GPTHPtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 Loop with Unreachable Exit Condition. Estimated CVSS v3.1...

4.6CVSS5.8AI score0.00205EPSS
Exploits2References4
Vulnrichment
Vulnrichment
added 2026/07/01 1:41 p.m.5 views

CVE-2026-6683 FatFs Divide-by-Zero in exFAT Sync

FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes nfatent - 2 to be zero during write/sync operations. This maps to CWE-369 Divide By Zero. Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 4.6, Medium. Network-delivered...

4.6CVSS5.8AI score0.00205EPSS
Exploits2References4
Vulnrichment
Vulnrichment
added 2026/07/01 1:36 p.m.5 views

CVE-2026-6682 FatFs Integer Overflow in FAT32 Volume Mount

In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mountvolume where fasize = fs-nfats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 Integer Overflow or Wraparound. Estimated CVSS v3.1 vector:...

7.6CVSS5.9AI score0.0021EPSS
Exploits2References4
Vulnrichment
Vulnrichment
added 2026/07/01 1:34 p.m.8 views

CVE-2026-57692 WordPress PrivateContent plugin <= 9.9.2 - Privilege Escalation vulnerability

Incorrect Privilege Assignment vulnerability in LCweb PrivateContent allows Privilege Escalation. This issue affects PrivateContent: from n/a through 9.9.2...

9.8CVSS5.8AI score0.00292EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 1:28 p.m.6 views

CVE-2026-5136 Foreman: foreman: privilege escalation to administrator-level access via usergroup role assignment manipulation

A flaw was found in Foreman. The Usergroup model in Foreman does not properly validate role assignments against the calling user's permissions. This allows an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative roles, to a user group and th...

8.8CVSS5.8AI score0.00302EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/07/01 1:18 p.m.7 views

CVE-2026-13603 SSRF with API key leak in pretix-oppwa

The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to o...

10CVSS5.8AI score0.00253EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 12:26 p.m.12 views

CVE-2026-8387 Relative Path Traversal in allegroai/clearml

A vulnerability in allegroai/clearml versions up to and including 1.16.5 allows for relative path traversal when extracting .zip archives using the ZipFile.extractall method in StorageManager.extracttocache. This issue arises due to the lack of path traversal validation, enabling an attacker to...

2.4CVSS6.5AI score0.00357EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/01 12:16 p.m.5 views

CVE-2026-5120 Race Condition vulnerability affecting BIOVIA Workbook from Release 2021 through Release 2026

A Race Condition vulnerability affecting BIOVIA Workbook from Release 2021 through Release 2026 could allow a user to access unauthorized data from another user...

8.1CVSS5.8AI score0.00179EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 11:59 a.m.6 views

CVE-2026-53909 Arbitrary File Upload in MCO

MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server. Because vendor contact attempts were unsuccessful, th...

5.3CVSS6AI score0.00227EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/01 11:59 a.m.7 views

CVE-2026-53908 User Enumeration in MCO

MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and...

6.9CVSS5.8AI score0.00211EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/01 11:58 a.m.6 views

CVE-2026-53907 Stored Cross‑Site Scripting in MCO

MCO is vulnerable to Stored Cross‑Site Scripting XSS via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened. Because vendor...

4.8CVSS5.8AI score0.0014EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/01 11:58 a.m.7 views

CVE-2026-53906 Path Disclosure and Path Traversal in MCO

MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages. Becau...

5.1CVSS5.9AI score0.00339EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/01 11:58 a.m.7 views

CVE-2026-53905 Unauthorized Access to Administrator ACL View in MCO

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive...

5.3CVSS5.8AI score0.00183EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/01 11:58 a.m.9 views

CVE-2026-53902 Privilege Escalation in MCO

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrar...

7.1CVSS5.9AI score0.00208EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/01 11:42 a.m.9 views

CVE-2026-14181 @fastify/middie standalone engine vulnerable to Denial of Service via malformed percent-encoded paths

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder t...

7.5CVSS5.8AI score0.00291EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/01 11:29 a.m.8 views

CVE-2026-14198 @fastify/middie vulnerable to authorization bypass via encoded slash in path parameter values

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to...

9.1CVSS5.8AI score0.00299EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/01 11:28 a.m.8 views

CVE-2026-13323

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX...

4.1CVSS5.8AI score0.0019EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/07/01 9:32 a.m.7 views

CVE-2026-12142 NEX-Forms <= 9.2.2 - Unauthenticated Stored Cross-Site Scripting via '_name[]' Array Parameter

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'name' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

7.2CVSS5.9AI score0.00304EPSS
Exploits0References14
Vulnrichment
Vulnrichment
added 2026/07/01 9:32 a.m.8 views

CVE-2026-13228 LatePoint <= 5.6.3 - Authenticated (Custom+) Privilege Escalation to Administrator via 'order[customer_id]' Parameter

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3 This is due to an Insecure Direct Object Reference IDOR in the createorupdate function of OsOrdersController, whi...

8.8CVSS5.9AI score0.00309EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/07/01 9:32 a.m.7 views

CVE-2026-10095 WP Photo Album Plus <= 9.1.13.005 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'subtext' Shortcode Attribute

The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References11
Vulnrichment
Vulnrichment
added 2026/07/01 9:24 a.m.6 views

CVE-2026-14258 Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in router advertisement handling

A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser ...

6.5CVSS5.7AI score0.00248EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/07/01 8:50 a.m.6 views

CVE-2026-27435 WordPress Woffice theme < 5.4.33 - Broken Access Control vulnerability

Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice: from n/a before 5.4.33...

5.3CVSS5.8AI score0.00242EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 8:30 a.m.6 views

CVE-2026-12754 VikBooking Hotel Booking Engine & PMS <= 1.8.12 - Reflected Cross-Site Scripting via 'layoutstyle' Parameter

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

6.1CVSS5.9AI score0.00293EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/07/01 8:30 a.m.6 views

CVE-2026-13454 MotoPress Appointment Booking <= 2.4.5 - Authenticated (Staff+) SQL Injection via 's' Parameter

The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

6.5CVSS5.8AI score0.00361EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/07/01 7:56 a.m.7 views

CVE-2026-10538 Improper deserialization handling in Control-M Components

Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker ...

8.9CVSS5.8AI score0.00246EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 7:55 a.m.8 views

CVE-2026-10539 Unauthenticated command injection in Control-M/Server communication command

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This...

9.5CVSS5.9AI score0.00235EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 7:53 a.m.11 views

CVE-2026-13733 Download Manager <= 3.3.60 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'no_data_msg' Shortcode Attribute

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'nodatamsg' Shortcode Attribute in all versions up to, and including, 3.3.60 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.9AI score0.00206EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2026/07/01 7:53 a.m.8 views

CVE-2026-12158 RegistrationMagic <= 6.0.9.1 - Cross-Site Request Forgery to Privilege Escalation via 'rmc_assign_user_role_action' Parameter

The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorrect nonce validation on the processrequest function. This makes it possible for unauthenticated...

8.8CVSS5.8AI score0.00205EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/07/01 7:53 a.m.8 views

CVE-2026-10096 Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification via 'page_id' Parameter

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'pageid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, t...

4.3CVSS5.9AI score0.00196EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/07/01 7:53 a.m.10 views

CVE-2026-11387 SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updati...

9.8CVSS5.9AI score0.0038EPSS
Exploits1References8
Vulnrichment
Vulnrichment
added 2026/07/01 7:53 a.m.10 views

CVE-2026-12408 Slim SEO <= 4.9.8 - Authenticated (Contributor+) Insufficient Authorization to Private Content Disclosure via 'object.ID' Parameter

The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the /wp-json/slim-seo/meta-tags/ai REST API endpoint. This is due to the endpoint's permissioncallback performin...

4.3CVSS5.9AI score0.00257EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2026/07/01 7:53 a.m.7 views

CVE-2026-12435 Motors <= 1.4.111 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Modification via 'stm_mark_as_sold_car' Parameter

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS5.9AI score0.00232EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2026/07/01 7:53 a.m.10 views

CVE-2026-12732 LearnPress <= 4.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_wrapper_form' Shortcode Attribute

The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classwrapperform' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections method at line 98, wher...

6.4CVSS5.9AI score0.00193EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/07/01 7:52 a.m.8 views

CVE-2026-10540 Weak password hash protection in Control-M/Entreprise Manager

The Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password recovery attacks if credential data is obtained by an attacker. This vulnerability affects Control-M/Enterprise Manager unsupported versions 9.0.20.x and potentiall...

5.6CVSS5.8AI score0.00078EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 7:5 a.m.8 views

CVE-2026-12577 DVP80ES3 Improperly Implemented Security Check for Standard vulnerability

DVP80ES3 with Improperly Implemented Security Check for Standard vulnerability...

8.7CVSS5.8AI score0.00253EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 7:1 a.m.8 views

CVE-2026-12576 DVP80ES3 Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability

DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability...

7.5CVSS5.8AI score0.00153EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 6:55 a.m.6 views

CVE-2026-12575 DVP80ES3 Improper Resource Shutdown or Release Vulnerability

DVP80ES3 with Improper Resource Shutdown or Release vulnerability...

7.5CVSS5.8AI score0.00263EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 6:53 a.m.4 views

CVE-2026-50043

Improper neutralization of special elements used in an OS command 'OS Command Injection' issue exists in SkyBridge MB-A100/MB-A110. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product with an administrative privilege...

8.6CVSS7.1AI score0.01129EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/01 6:51 a.m.8 views

CVE-2026-12224 Dokan Pro <= 5.0.4 - Authenticated (Vendor+) Privilege Escalation via update_capabilities REST Endpoint

The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via updatecapabilities REST Endpoint in all versions up to, and including, 5.0.4. This is due to the updatecapabilities REST handler accepting arbitrary capability strings from the request body and passing them directly to...

8.8CVSS5.7AI score0.00246EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/01 6:46 a.m.5 views

CVE-2026-56016 CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generateid method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand function. All three are predictable, low-entropy sources: the PID i...

5.8AI score0.00322EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/01 6:0 a.m.13 views

CVE-2026-11568 Product Configurator for WooCommerce < 1.7.3 - Unauthenticated Private/Draft Product Data Disclosure via pc_get_data

The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data title, price, weight, stock status, and...

5.8AI score0.00284EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 6:0 a.m.7 views

CVE-2026-11570 User Submitted Posts < 20260608 - Unauthenticated Stored XSS via Author Name

The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled...

5.7AI score0.00137EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 6:0 a.m.7 views

CVE-2026-11880 Fluent Forms < 6.2.1 - Subscriber+ Subscription Cancellation via IDOR

The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users...

5.8AI score0.00139EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 6:0 a.m.8 views

CVE-2026-11794 Advanced Form Integration < 2.1.1 - Unauthenticated Privilege Escalation via Breakdance Form Role Mapping

The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the use...

5.8AI score0.00236EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 6:0 a.m.9 views

CVE-2026-11887 Salon Booking System < 10.30.20 - Subscriber+ Booking Approval Bypass

The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System WordPress plugin before 10.30.20 setting and bypass the manual approval of new...

5.8AI score0.00178EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/01 6:0 a.m.9 views

CVE-2026-11883 WebAuthn Provider for Two Factor < 2.5.6 - 2FA Bypass

The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request...

5.8AI score0.00365EPSS
Exploits0References1
Total number of security vulnerabilities161201