Export limit exceeded: 42827 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10411 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10411 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-2078 | 1 Buymeacoffee | 1 Buy Me A Coffee | 2026-04-08 | 7.3 High |
| The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to update the plugins settings. CVE-2023-25030 may be a duplicate of this issue. | ||||
| CVE-2023-2066 | 1 Bulletin | 1 Announcement \& Notification Banner - Bulletin | 2026-04-08 | 6.3 Medium |
| The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'bulletinwp_update_bulletin_status', 'bulletinwp_update_bulletin', 'bulletinwp_update_settings', 'bulletinwp_update_status', 'bulletinwp_export_bulletins', and 'bulletinwp_import_bulletins' functions functions in versions up to, and including, 3.6.0. This makes it possible for authenticated attackers with subscriber-level access, and above, to modify the plugin's settings, modify bulletins, create new bulletins, and more. | ||||
| CVE-2023-1931 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2026-04-08 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the deleteCssAndJsCacheToolbar function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to perform cache deletion. | ||||
| CVE-2023-1930 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2026-04-08 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the wpfc_clear_cache_of_allsites_callback function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to delete caches. | ||||
| CVE-2023-1844 | 1 Subscribe2 Project | 1 Subscribe2 | 2026-04-08 | 4.3 Medium |
| The Subscribe2 plugin for WordPress is vulnerable to unauthorized access to email functionality due to a missing capability check when sending test emails in versions up to, and including, 10.40. This makes it possible for author-level attackers to send emails with arbitrary content and attachments to site users. | ||||
| CVE-2023-1375 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2026-04-08 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized cache deletion in versions up to, and including, 1.1.2 due to a missing capability check in the deleteCacheToolbar function . This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the site's cache. | ||||
| CVE-2023-1337 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-04-08 | 4.3 Medium |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the clear_uucss_logs function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete plugin log files. | ||||
| CVE-2023-1336 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-04-08 | 4.3 Medium |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check on the ajax_deactivate function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to disable caching. | ||||
| CVE-2023-1335 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-04-08 | 4.3 Medium |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the ucss_connect function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to connect a new license key to the site. | ||||
| CVE-2023-1334 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-04-08 | 4.3 Medium |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized cache modification due to a missing capability check on the queue_posts function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to modify the plugin's cache. | ||||
| CVE-2023-1169 | 1 Ooohboi Steroids For Elementor Project | 1 Ooohboi Steroids For Elementor | 2026-04-08 | 4.3 Medium |
| The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to missing authorization due to a missing capability check on the 'file_uploader_callback' function in versions up to, and including, 2.1.4. This makes it possible for subscriber-level attackers to upload image attachments to the site. | ||||
| CVE-2023-0958 | 6 Backupbliss, Copy-delete-posts, Inisev and 3 more | 11 Backup Migration, Clone, Duplicate Post and 8 more | 2026-04-08 | 4.3 Medium |
| Several plugins for WordPress by Inisev are vulnerable to unauthorized installation of plugins due to a missing capability check on the handle_installation function that is called via the inisev_installation AJAX aciton in various versions. This makes it possible for authenticated attackers with minimal permissions, such as subscribers, to install select plugins from Inisev on vulnerable sites. CVE-2023-38514 appears to be a duplicate of this vulnerability. | ||||
| CVE-2023-0814 | 1 Cozmoslabs | 1 Profile Builder | 2026-04-08 | 6.5 Medium |
| The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to sensitive information disclosure via the [user_meta] shortcode in versions up to, and including 3.9.0. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to retrieve sensitive user meta that can be used to gain access to a high privileged user account. This does require the Usermeta shortcode be enabled to be exploited. | ||||
| CVE-2023-0715 | 1 Wickedplugins | 1 Wicked Folders | 2026-04-08 | 5.4 Medium |
| The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_clone_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin. | ||||
| CVE-2023-0711 | 1 Wickedplugins | 1 Wicked Folders | 2026-04-08 | 5.4 Medium |
| The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_state function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the view state of the folder structure maintained by the plugin. | ||||
| CVE-2023-0619 | 1 Kraken | 1 Kraken.io Image Optimizer | 2026-04-08 | 6.5 Medium |
| The Kraken.io Image Optimizer plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset image optimizations. | ||||
| CVE-2023-0293 | 1 Frenify | 1 Mediamatic | 2026-04-08 | 4.3 Medium |
| The Mediamatic – Media Library Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change image categories, which it uses to arrange them in folder views. | ||||
| CVE-2022-4950 | 2 Coolplugins, Cryptocurrency Payment \& Donation Box Plugins | 10 Cool Timeline, Cryptocurrency Widgets, Cryptocurrency Widgets For Elementor and 7 more | 2026-04-08 | 8.8 High |
| Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber. | ||||
| CVE-2022-4501 | 1 Topdigitaltrends | 1 Mega Addons For Wpbakery Page Builder | 2026-04-08 | 7.1 High |
| The Mega Addons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the vc_saving_data function in versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update the plugin's settings. | ||||
| CVE-2022-3622 | 1 Adenion | 1 Blog2social | 2026-04-08 | 4.1 Medium |
| The Blog2Social plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in versions up to, and including, 6.9.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change some plugin settings intended to be modifiable by admins only. | ||||