Total: 6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-14441 | | | 2026-01-08 | N/A | 5.3 MEDIUM | The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating the wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records. |
| CVE-2025-39477 | | | 2026-01-08 | N/A | 9.8 CRITICAL | Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects InWave Jobs: from n/a through 3.5.8. |
| CVE-2025-5919 | | | 2026-01-08 | N/A | 6.5 MEDIUM | The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details. |
| CVE-2025-11370 | | | 2026-01-08 | N/A | 5.3 MEDIUM | The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings. |
| CVE-2025-14371 | | | 2026-01-08 | N/A | 4.3 MEDIUM | The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to add or remove taxonomy terms (tags, categories) on any post, including ones they do not own. |
| CVE-2025-12449 | | | 2026-01-08 | N/A | 5.4 MEDIUM | The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive ... |
| CVE-2025-11877 | | | 2026-01-08 | N/A | 7.5 HIGH | The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. |
| CVE-2025-13964 | | | 2026-01-08 | N/A | 5.3 MEDIUM | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding, removing, updating or re-ordering sections, or by modifying section items. |
| CVE-2025-13493 | | | 2026-01-08 | N/A | 7.5 HIGH | The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both the admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. This makes it possible for unauthenticated attackers to export complete user details (excluding passwords and sensitive tokens) in CSV format via the 'action' parameter. |
| CVE-2025-13496 | | | 2026-01-08 | N/A | 5.3 MEDIUM | The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value. |
| CVE-2025-14901 | | | 2026-01-08 | N/A | 6.5 MEDIUM | The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only blocks requests when both the nonce verification fails and the user is logged in. This makes it possible for unauthenticated attackers to replay form workflow executions and trigger all configured integra ... |
| CVE-2025-13419 | | | 2026-01-08 | N/A | 5.3 MEDIUM | The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments. |
| CVE-2025-14370 | | | 2026-01-08 | N/A | 5.3 MEDIUM | The Quote Comments plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.0. This is due to missing authorization checks in the quotecomments_add_admin function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options via the 'action' parameter. |
| CVE-2025-13529 | | | 2026-01-08 | N/A | 5.3 MEDIUM | The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_plugin_downgrade' parameter. |
| CVE-2025-69333 | | | 2026-01-08 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetEngine: from n/a through 3.8.1.1. |
| CVE-2025-14460 | | | 2026-01-08 | N/A | 5.3 MEDIUM | The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (Merchan ... |
| CVE-2025-46434 | | | 2026-01-08 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7. |
| CVE-2025-13722 | | | 2026-01-08 | N/A | 5.3 MEDIUM | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary forms via the publicly exposed AI builder. |
| CVE-2025-69344 | | | 2026-01-08 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in ThemeHunk Oneline Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Oneline Lite: from n/a through 6.6. |
| CVE-2026-0656 | | | 2026-01-08 | N/A | 8.2 HIGH | The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enum ... |
| CVE-2025-14070 | | | 2026-01-08 | N/A | 7.5 HIGH | The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to create arbitrary WooCommerce discount coupons, potentially causing financial loss to the store. |
| CVE-2026-22488 | | | 2026-01-08 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dashboard Welcome for Beaver Builder: from n/a through 1.0.8. |
| CVE-2025-12640 | | | 2026-01-08 | N/A | 4.3 MEDIUM | The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file_upload() function. This makes it possible for authenticated attackers, with Author-level access and above, to replace arbitrary media files in the WordPress Media Library. |
| CVE-2026-22490 | | | 2026-01-08 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through 2.4.9. |
| CVE-2026-22486 | | | 2026-01-08 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in Hakob Re Gallery & Responsive Photo Gallery Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Re Gallery & Responsive Photo Gallery Plugin: from n/a through 1.17.18. |
| CVE-2026-22487 | | | 2026-01-08 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in baqend Speed Kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Speed Kit: from n/a through 2.0.2. |
| CVE-2026-22517 | | | 2026-01-08 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GA4WP: Google Analytics for WordPress: from n/a through 2.10.0. |
| CVE-2025-13679 | | | 2026-01-08 | N/A | 6.5 MEDIUM | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address. |
| CVE-2026-22492 | | | 2026-01-08 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in Nawawi Jamili Docket Cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Docket Cache: from n/a through 24.07.04. |
| CVE-2026-22522 | | | 2026-01-08 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Munir Kamal Block Slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Block Slider: from n/a through 2.2.3. |
| CVE-2025-66402 | 1 Misskey | 1 Misskey | 2026-01-06 | N/A | 6.5 MEDIUM | Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can export the posts and view the contents. Version 2025.12.0 fixes the issue. |
| CVE-2025-15406 | 1 Phpgurukul | 1 Online Course Registration | 2026-01-06 | 6.5 MEDIUM | 6.3 MEDIUM | A flaw has been found in PHPGurukul Online Course Registration up to 3.1. This affects an unknown function. This manipulation causes missing authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used. |
| CVE-2025-66735 | 1 Youlai | 1 Youlai-boot | 2026-01-06 | N/A | 7.5 HIGH | youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The getRoleForm function in SysRoleController.java does not perform permission checks, which may allow non-root users to directly access root roles. |
| CVE-2025-66736 | 1 Youlai | 1 Youlai-boot | 2026-01-06 | N/A | 7.1 HIGH | youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The importUsers function in SysUserController.java does not perform a permission check on the current user's identity, which may allow regular users to import user data into the database, resulting in an authorization bypass vulnerability. |
| CVE-2025-14155 | 1 Leap13 | 1 Premium Addons For Elementor | 2026-01-05 | N/A | 5.3 MEDIUM | The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates. |
| CVE-2025-9549 | 1 Facets Project | 1 Facets | 2026-01-05 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing. This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1. |
| CVE-2025-14817 | 1 Transsion | 2 Hios, Tecno Pova6 Pro 5g | 2026-01-05 | N/A | 6.5 MEDIUM | The component com.transsion.tranfacmode.entrance.main.MainActivity in com.transsion.tranfacmode has no permission control and can be accessed by third-party apps, which can construct intents to directly open adb debugging functionality without user interaction. |
| CVE-2019-25214 | 1 Wpshop | 1 Shopwp | 2026-01-02 | N/A | 7.2 HIGH | The ShopWP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST API routes in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to call the endpoints and perform unauthorized actions such as updating the plugin's settings and injecting malicious scripts. |
| CVE-2025-66022 | 1 Owasp | 1 Faction | 2026-01-02 | N/A | 9.6 CRITICAL | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious e ... |
| CVE-2025-14047 | | | 2026-01-02 | N/A | 5.3 MEDIUM | The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachments. |