Search Results (11515 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-57323 | Bplugins, WordPress | Flash & Html5 Video, WordPress | 2026-06-29 | 5.8 Medium | Unauthenticated Broken Access Control in Flash & HTML5 Video <= 2.11.0 versions. |
| CVE-2026-57430 | Seopress Free, WordPress | Seopress Pro, WordPress | 2026-06-29 | 4.3 Medium | Contributor Broken Access Control in SEOPress PRO <= 9.1.1 versions. |
| CVE-2026-11364 | Dornaweb, WordPress | Product Specifications For Woocommerce, WordPress | 2026-06-29 | 4.3 Medium | The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the `__invoke()` methods of the AttributeGroupController and AttributeController classes, which are bound to the `dwps_modify_groups` and `dwps_modify_attributes` AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create, edit, and delete arbitrary product specification groups and attributes (taxonomy terms in the `spec-group` and attribute taxonomies), corrupting business data and impacting the site's frontend display. |
| CVE-2026-11773 | Masteriyo, WordPress | Masteriyo Lms – Lms Course Builder, Quizzes & Certificates, WordPress | 2026-06-29 | 4.3 Medium | The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators. |
| CVE-2026-12471 | Templatescoderthemes, WordPress | Spexo, WordPress | 2026-06-29 | 4.3 Medium | The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the `activate_plugin` function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of plugins. |
| CVE-2026-12432 | Themeisle, WordPress | Stripe Payment Forms By Wp Full Pay – Accept Credit Card Payments, Donations & Subscriptions, WordPress | 2026-06-29 | 5.3 Medium | The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the `wpfs_update_failed_payment_status` AJAX action. The handler is registered through both `wp_ajax_` and `wp_ajax_nopriv_` hooks, and the underlying `update_failed_payment_status()` function performs no capability check, no nonce verification, and no logged-in check before calling `$this->db->updatePaymentByEventId()` with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values. |
| CVE-2026-3462 | Reepaydenmark, WordPress | Frisbii Pay, WordPress | 2026-06-29 | 6.5 Medium | The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `upload_csv` and `process_batch` functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records. |
| CVE-2026-24547 | Siteground, WordPress | Email-marketing, WordPress | 2026-06-29 | 5.3 Medium | Unauthenticated Broken Access Control in SiteGround Email Marketing <= 1.7.5 versions. |
| CVE-2026-54832 | Jegstudio, WordPress | Gutenverse, WordPress | 2026-06-29 | 7.5 High | Unauthenticated Broken Access Control in Gutenverse Companion <= 2.5.0 versions. |
| CVE-2026-54840 | Tribulant, WordPress | Newsletters, WordPress | 2026-06-29 | 7.3 High | Unauthenticated Broken Access Control in Newsletters <= 4.13 versions. |
| CVE-2026-57632 | Omnisend, WordPress | Email Marketing For Woocommerce, WordPress | 2026-06-29 | 5.4 Medium | Subscriber Broken Access Control in Email Marketing for WooCommerce by Omnisend <= 1.19.0 versions. |
| CVE-2026-57640 | Stylemixthemes, WordPress | Masterstudy Lms, WordPress | 2026-06-29 | 4.3 Medium | Subscriber Broken Access Control in MasterStudy LMS <= 3.7.30 versions. |
| CVE-2026-57645 | Tribulant, WordPress | Newsletters, WordPress | 2026-06-29 | 8.1 High | `newsletters_subscribers` Broken Access Control in Newsletters <= 4.13 versions. |
| CVE-2026-57649 | Studiowombat, WordPress | Shoppable Images, WordPress | 2026-06-29 | 4.3 Medium | Subscriber Broken Access Control in Shoppable Images Lite <= 1.3 versions. |
| CVE-2026-57660 | Magepeople, WordPress | Booking & Rental Manager, WordPress | 2026-06-29 | 5.3 Medium | Unauthenticated Broken Access Control in Booking and Rental Manager <= 2.7.1 versions. |
| CVE-2026-57953 | | | 2026-06-29 | 5.4 Medium | Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the `eventing_import_automatic_webhook` endpoint, which is registered under spectator-permitted middleware. Attackers with the spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups. |
| CVE-2026-57950 | | | 2026-06-29 | 8.1 High | ruoyi-vue-pro through 2026.05 (fixed in commit 5d1fd70) contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with `erp:sale-out` permissions to gain unauthorized access to sale order operations by exploiting incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders because the controller enforces `erp:sale-out` instead of the intended `erp:sale-order` namespace. |
| CVE-2026-12404 | Webaways, WordPress | Nex-forms-ultimate-forms-plugin, WordPress | 2026-06-29 | 5.3 Medium | The NEX-Forms – Ultimate Forms Plugin for WordPress plugin is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to enumerate sequential report IDs and download complete form submission data (including names, email addresses, phone numbers, postal addresses, payment details, and uploaded file paths) for any saved report on the site. |
| CVE-2026-13508 | Khoj, Khoj-ai | Khoj, Khoj | 2026-06-29 | 5.5 Medium | A flaw has been found in khoj-ai khoj up to 2.0.0-beta.28. It affects an unknown function in the file src/khoj/routers/api_chat.py of the component Conversation Sharing Handler. Manipulation of the argument conversation.agent causes incorrect authorization. The attack can be launched remotely. An exploit has been published and may be used. The pull request to fix this issue awaits acceptance. |
| CVE-2026-9233 | Expresstech, WordPress | Quiz And Survey Master (qsm) – Easy Quiz And Survey Maker, WordPress | 2026-06-29 | 4.3 Medium | The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create, modify, and delete quiz output templates stored in the `mlw_quiz_output_templates` database table, including storing unsanitized HTML content such as arbitrary script tags. |
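Most of the WordPress entries above (CVE-2026-11364, CVE-2026-12432 and CVE-2026-3462 spell it out explicitly) describe one defect: an admin-ajax.php handler that writes to the database without a nonce check (so any site can trigger it cross-origin) or a capability check (so a Subscriber, or nobody at all when the handler also sits on the `wp_ajax_nopriv_` hook, can call it). The PHP below is an added illustration written for this page, not code from any plugin listed above. The `acme` prefix, the `acme_update_payment` action, the `{$wpdb->prefix}acme_payments` table, the `acme-admin` script handle and the choice of `manage_options` as the gating capability are all assumptions made for the example; the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `wp_create_nonce`, `wp_localize_script`) are real core APIs.

```php
<?php
/**
 * Added example for this page; hypothetical plugin "acme-pay", not any real plugin's code.
 * One AJAX action, shown first as the advisories describe it and then hardened.
 */

// ---- Vulnerable pattern (the shape CVE-2026-12432 describes) ----------------
// Registered for logged-in AND anonymous callers; no nonce, no capability check;
// attacker-controlled POST fields go straight into the UPDATE.
add_action( 'wp_ajax_acme_update_payment',        'acme_update_payment_vulnerable' );
add_action( 'wp_ajax_nopriv_acme_update_payment', 'acme_update_payment_vulnerable' );

function acme_update_payment_vulnerable() {
    global $wpdb;
    $wpdb->update(
        $wpdb->prefix . 'acme_payments',                                  // assumed table
        array( 'status' => $_POST['status'], 'message' => $_POST['message'] ),
        array( 'event_id' => $_POST['event_id'] )
    );
    wp_send_json_success();
}

// ---- Hardened pattern ---------------------------------------------------------
// 1. Only the authenticated hook: no wp_ajax_nopriv_ registration, because there is
//    no legitimate anonymous caller for a record-modifying action.
add_action( 'wp_ajax_acme_update_payment', 'acme_update_payment_secure' );

function acme_update_payment_secure() {
    global $wpdb;

    // 2. CSRF: the request must carry the nonce issued to this user's admin page.
    //    Third argument false makes check_ajax_referer() return instead of die(),
    //    so the handler controls the error response. wp_send_json_error() exits.
    if ( ! check_ajax_referer( 'acme_update_payment', 'nonce', false ) ) {
        wp_send_json_error( array( 'reason' => 'bad nonce' ), 403 );
    }

    // 3. Authorization: a capability tied to the action, not merely "is logged in".
    //    Subscriber and Contributor roles never hold manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {          // assumed capability
        wp_send_json_error( array( 'reason' => 'insufficient capability' ), 403 );
    }

    // 4. Validate and constrain input before it reaches the database.
    $allowed_status = array( 'succeeded', 'failed', 'refunded' );
    $status   = isset( $_POST['status'] )   ? sanitize_key( $_POST['status'] ) : '';
    $event_id = isset( $_POST['event_id'] ) ? sanitize_text_field( wp_unslash( $_POST['event_id'] ) ) : '';
    $message  = isset( $_POST['message'] )  ? sanitize_text_field( wp_unslash( $_POST['message'] ) ) : '';

    if ( '' === $event_id || ! in_array( $status, $allowed_status, true ) ) {
        wp_send_json_error( array( 'reason' => 'invalid input' ), 400 );
    }

    // $wpdb->update() builds a prepared statement; the format arrays pin every value to %s.
    $updated = $wpdb->update(
        $wpdb->prefix . 'acme_payments',
        array( 'status' => $status, 'message' => $message ),
        array( 'event_id' => $event_id ),
        array( '%s', '%s' ),
        array( '%s' )
    );

    if ( false === $updated ) {
        wp_send_json_error( array( 'reason' => 'database error' ), 500 );
    }
    wp_send_json_success( array( 'rows' => $updated ) );
}

// Hand the nonce to the admin page's script so legitimate requests can include it
// as the "nonce" POST field. The "acme-admin" handle is assumed to be enqueued elsewhere.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'acme-admin', 'acmeAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'acme_update_payment' ),
    ) );
} );
```

The two checks are independent and both are needed: the nonce only proves the request came from a page this site rendered for the current session, which says nothing about the user's role, while `current_user_can()` establishes the role but not that the user intended the request. For records owned by individual users (orders, course announcements, saved reports), a third check that the current user owns the specific record is also required; that is the missing piece in entries such as CVE-2026-11773 and CVE-2026-12404, and it is left out here only because the example table has no owner column.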