Export limit exceeded: 10601 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10601 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-5861 | 1 Wpeasypay | 1 Wp Easypay | 2026-04-08 | 5.3 Medium |
| The WP EasyPay – Square for WordPress plugin for WordPress is vulnerable to unauthorized modification of datadue to a missing capability check on the wpep_square_disconnect() function in all versions up to, and including, 4.2.3. This makes it possible for unauthenticated attackers to disconnect square. | ||||
| CVE-2024-9578 | 2 Avovkdesign, Wp Puzzle | 2 Hide Links, Hide Links | 2026-04-08 | 5.3 Medium |
| The Hide Links plugin for WordPress is vulnerable to unauthorized shortcode execution due to do_shortcode being hooked through the comment_text filter in all versions up to and including 1.4.2. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes available on the target site. | ||||
| CVE-2024-12713 | 1 Brainstormforce | 1 Sureforms | 2026-04-08 | 5.3 Medium |
| The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the handle_export_form() function due to a missing capability check. This makes it possible for unauthenticated attackers to export data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2024-11715 | 1 Wpjobportal | 1 Wp Job Portal | 2026-04-08 | 4.8 Medium |
| The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the assignUserRole() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an employer. | ||||
| CVE-2024-12825 | 1 Brechtvds | 1 Custom Related Posts | 2026-04-08 | 5.4 Medium |
| The Custom Related Posts plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on three AJAX actions in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to search posts and link/unlink relations. | ||||
| CVE-2023-4024 | 2 Softlab, Softlabbd | 2 Radio Player, Radio Player | 2026-04-08 | 5.3 Medium |
| The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to delete player instances. | ||||
| CVE-2024-11936 | 1 Mvpthemes | 1 Zox News | 2026-04-08 | 8.8 High |
| The Zox News theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backup_options' and 'restore_options' function in all versions up to, and including, 3.16.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | ||||
| CVE-2024-6709 | 1 Syncpostwithothersite | 1 Sync Post With Other Site | 2026-04-08 | 4.3 Medium |
| The Sync Post With Other Site plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sps_add_update_post' function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new draft posts and update existing posts. | ||||
| CVE-2024-13769 | 1 Themerex | 1 Puzzles | 2026-04-08 | 6.4 Medium |
| The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the 'theme_options_ajax_post_action' AJAX action in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and inject malicious web scripts. The developer opted to remove the software from the repository, so an update is not available and it is recommended to find a replacement software. | ||||
| CVE-2021-4448 | 1 Kaswara Project | 1 Kaswara | 2026-04-08 | 7.3 High |
| The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more. | ||||
| CVE-2024-8552 | 1 Wpchill | 1 Download Monitor | 2026-04-08 | 4.3 Medium |
| The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality. | ||||
| CVE-2024-10216 | 1 Wpusermanager | 1 Wp User Manager | 2026-04-08 | 4.3 Medium |
| The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_sidebar' and 'remove_sidebar' functions in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add or remove a Carbon Fields custom sidebar if the Carbon Fields (carbon-fields) plugin is installed. | ||||
| CVE-2024-13698 | 1 Astoundify | 1 Jobify | 2026-04-08 | 6.5 Medium |
| The Jobify - Job Board WordPress Theme for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'download_image_via_ai' and 'generate_image_via_ai' functions in all versions up to, and including, 4.2.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application to upload files in an image format, and to generate AI images using the site's OpenAI key. | ||||
| CVE-2020-36831 | 1 Nextscripts | 1 Social Networks Auto Poster | 2026-04-08 | 5 Medium |
| The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on multiple user privilege/security functions provided in versions up to, and including 4.3.17. This makes it possible for low-privileged attackers, like subscribers, to perform restricted actions that would be otherwise locked to a administrative-level user. | ||||
| CVE-2024-6750 | 1 Wpwebinfotech | 1 Social Auto Poster | 2026-04-08 | 7.3 High |
| The Social Auto Poster plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.3.14. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options. | ||||
| CVE-2024-11844 | 1 Northernbeacheswebsites | 1 Ideapush | 2026-04-08 | 4.3 Medium |
| The IdeaPush plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the idea_push_taxonomy_save_routine function in all versions up to, and including, 8.71. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete terms for the "boards" taxonomy. | ||||
| CVE-2024-11725 | 1 Cozyvision | 1 Sms Alert Order Notifications | 2026-04-08 | 8.8 High |
| The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the updateWcWarrantySettings() function in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Please note this requires the woocommerce-warranty plugin to be installed in order to be exploited. | ||||
| CVE-2024-12006 | 1 Boldgrid | 1 W3 Total Cache | 2026-04-08 | 5.3 Medium |
| The W3 Total Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.8.1. This makes it possible for unauthenticated attackers to deactivate the plugin as well as activate and deactivate plugin extensions. | ||||
| CVE-2024-7836 | 1 Themify | 1 Builder | 2026-04-08 | 4.3 Medium |
| The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn't be accessible to them. | ||||
| CVE-2024-12719 | 1 Iptanus | 1 Wordpress File Upload | 2026-04-08 | 4.3 Medium |
| The WordPress File Upload plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wfu_ajax_action_read_subfolders' function in all versions up to, and including, 4.24.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform limited path traversal to view directories and subdirectories in WordPress. Files cannot be viewed. | ||||