Search Results (8525 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-34024 1 Wertheim 1 Safecontroller Software For Vault Rooms (safe Deposit Locker System) 2026-06-23 N/A
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allows the attacker to perform restricted actions such as switching the user's branch, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches.
CVE-2026-5230 1 Mia Technology 1 Pizzy Library 2026-06-23 7.1 High
Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
CVE-2025-68049 2 Bunny.net, Wordpress 2 Bunny.net, Wordpress 2026-06-23 6.3 Medium
Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.
CVE-2025-69332 2 Mycred, Wordpress 2 Bookify, Wordpress 2026-06-23 6.5 Medium
Subscriber Broken Access Control in Bookify <= 1.1.1 versions.
CVE-2026-25425 2 Themegrill, Wordpress 2 User Registration, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions.
CVE-2026-34898 2 Wordpress, Wp Swings 2 Wordpress, Event Tickets Manager For Woocommerce 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.
CVE-2026-39525 2 Booking Activities Team, Wordpress 2 Booking Activities, Wordpress 2026-06-23 6.5 Medium
Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions.
CVE-2026-39594 2 Themefic, Wordpress 2 Ultra Addons For Wpforms, Wordpress 2026-06-23 6.4 Medium
Subscriber Broken Access Control in Ultra Addons for WPForms <= 1.0.11 versions.
CVE-2026-40741 2 Jose Conti, Wordpress 2 Redsys For Woocommerce Light, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Redsys for WooCommerce Light <= 7.0.0 versions.
CVE-2026-40775 2 Royal Plugins, Wordpress 2 Royal Mcp, Wordpress 2026-06-23 7.3 High
Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions.
CVE-2026-40776 2 Arraytics, Wordpress 2 Wp Event Solution, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions.
CVE-2026-40795 2 Tms, Wordpress 2 Amelia, Wordpress 2026-06-23 6.5 Medium
Subscriber Broken Access Control in Amelia <= 2.2 versions.
CVE-2026-42664 2 Motive Commerce Search, Wordpress 2 Ai Product Search For Woocommerce – Motive Commerce Search, Wordpress 2026-06-23 8.2 High
Unauthenticated Broken Access Control in AI Product Search for WooCommerce &#8211; Motive Commerce Search <= 1.38.2 versions.
CVE-2026-42666 2 Dimitri Grassi, Wordpress 2 Salon Booking System, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Salon booking system <= 10.30.25 versions.
CVE-2026-48835 2 Awesomemotive, Wordpress 2 Contact Form By Wpforms, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.
CVE-2026-48887 2 Ahmad, Wordpress 2 Js Help Desk, Wordpress 2026-06-23 6.5 Medium
Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions.
CVE-2026-49070 2 Knit Pay, Wordpress 2 Knit Pay, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions.
CVE-2026-9187 2 Wordpress, Zealopensource 2 Wordpress, Abandoned Contact Form 7 2026-06-23 5.3 Medium
The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax.
CVE-2025-68045 2 Arraytics, Wordpress 2 Wp Event Solution, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions.
CVE-2026-52711 2 Kilbot, Wordpress 2 Woocommerce Pos, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions.