Export limit exceeded: 10426 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10426 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2538 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2026-04-08 | 5.4 Medium |
| The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts. | ||||
| CVE-2024-2476 | 2026-04-08 | 4.3 Medium | ||
| The OceanWP theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_theme_panel_pane function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose sensitive information such as system/environment data and API keys. | ||||
| CVE-2024-2395 | 2 Autopolis, Autopolisbs | 2 Bulgarisation For Woocommerce, Bulgarisation For Woocommerce | 2026-04-08 | 7.3 High |
| The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.14. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to generate and delete labels via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-2298 | 1 Servit | 1 Affiliate-toolkit | 2026-04-08 | 4.3 Medium |
| The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_import_product() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating importing products. | ||||
| CVE-2024-2109 | 2 Themeinwp, Wordpress | 2 Booster Extension, Wordpress | 2026-04-08 | 5.3 Medium |
| The Booster Extension plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.0 via the 'booster_extension_authorbox_shortcode_display' function. This makes it possible for unauthenticated attackers to extract sensitive data including user emails | ||||
| CVE-2024-2107 | 1 Blossomthemes | 1 Blossom Spa | 2026-04-08 | 5.8 Medium |
| The Blossom Spa theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.3 via generated source. This makes it possible for unauthenticated attackers to extract sensitive data including contents of password-protected or scheduled posts. | ||||
| CVE-2024-2043 | 1 Theinnovs | 1 Eleforms | 2026-04-08 | 5.3 Medium |
| The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when downloading form submissions in all versions up to, and including, 2.9.9.7. This makes it possible for unauthenticated attackers to view form submissions. | ||||
| CVE-2024-2036 | 2026-04-08 | 4.3 Medium | ||
| The ApplyOnline – Application Form Builder and Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the aol_modal_box AJAX action in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with subscriber access or higher, to view Application submissions. | ||||
| CVE-2024-1991 | 1 Metagauss | 1 Registrationmagic | 2026-04-08 | 8.8 High |
| The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_users_role() function in all versions up to, and including, 5.3.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator | ||||
| CVE-2024-1982 | 1 Wpvivid | 1 Migration\, Backup\, Staging | 2026-04-08 | 6.5 Medium |
| The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the get_restore_progress() and restore() functions in all versions up to, and including, 0.9.68. This makes it possible for unauthenticated attackers to exploit a SQL injection vulnerability or trigger a DoS. | ||||
| CVE-2024-1934 | 1 Wpcompress | 2 Image Optimizer, Wp Compress | 2026-04-08 | 7.5 High |
| The WP Compress – Image Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wps_local_compress::__construct' function in all versions up to, and including, 6.11.10. This makes it possible for unauthenticated attackers to reset the CDN region and set a malicious URL to deliver images. | ||||
| CVE-2024-1862 | 1 Renventura | 1 Woocommerce Add To Cart Custom Redirect | 2026-04-08 | 8.1 High |
| The WooCommerce Add to Cart Custom Redirect plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wcr_dismiss_admin_notice' function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with contributor access and above, to update the values of arbitrary site options to 'dismissed'. | ||||
| CVE-2024-1860 | 2 Billminozzi, Sminozzi | 2 Anti Hacker, Disable Json Api Login Lockdown Xml Rpc Pingback Stop User Enumeration Anit Hacker Scan | 2026-04-08 | 6.5 Medium |
| The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihacker_add_whitelist() function in all versions up to, and including, 4.51. This makes it possible for unauthenticated attackers to add their IP Address to the whitelist circumventing protection | ||||
| CVE-2024-1850 | 2026-04-08 | 6.3 Medium | ||
| The AI Post Generator | AutoWriter plugin for WordPress is vulnerable to unauthorized access, modification or deletion of posts due to a missing capability check on functions hooked by AJAX actions in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with subscriber access or higher, to view all posts generated with this plugin (even in non-published status), create new posts (and publish them), publish unpublished post or perform post deletions. CVE-2024-32713 may be a duplicate of this issue. | ||||
| CVE-2024-1844 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The RevivePress – Keep your Old Content Evergreen plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the import_data and copy_data functions in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with subscriber-level access or higher, to overwrite plugin settings and view them. | ||||
| CVE-2024-1809 | 1 Analytify | 1 Analytify - Google Analytics Dashboard | 2026-04-08 | 5.4 Medium |
| The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on AJAX functions in combination with nonce leakage in all versions up to, and including, 5.2.3. This makes it possible for authenticated attackers, with subscriber access and higher, to obtain certain sensitive information related to plugin settings. | ||||
| CVE-2024-1779 | 1 Zestard | 1 Admin Side Data Storage For Contact Form 7 | 2026-04-08 | 5.3 Medium |
| The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_status() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to alter the message read status of messages. | ||||
| CVE-2024-1763 | 1 Wpmet | 1 Wp Social Login And Register Social Counter | 2026-04-08 | 6.5 Medium |
| The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp_social/v1/ REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to enable and disable certain providers for the social share and login features. | ||||
| CVE-2024-1732 | 2 Wooproductimporter, Wordpress | 2 Sharkdropship Dropshipping And Affiliate, Wordpress | 2026-04-08 | 5.3 Medium |
| The Sharkdropship for AliExpress Dropshipping and Affiliate plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wads_removeProductFromShop() function in all versions up to, and including, 2.2.4. This makes it possible for unauthenticated attackers to delete arbitrary posts. | ||||
| CVE-2024-1689 | 1 Themefarmer | 1 Woocommerce Tools | 2026-04-08 | 4.3 Medium |
| The WooCommerce Tools plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woocommerce_tool_toggle_module() function in all versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to deactivate arbitrary plugin modules. | ||||