Search Results (8691 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-35665 1 Namithjawahar 1 Insert Post Ads 2026-04-15 5.3 Medium
Missing Authorization vulnerability in namithjawahar Insert Post Ads.This issue affects Insert Post Ads: from n/a through 1.3.2.
CVE-2024-5863 1 Wordpress 1 Wordpress 2026-04-15 5.4 Medium
The Easy Image Collage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_image_collage() function in all versions up to, and including, 1.13.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to erase all of the content in arbitrary posts.
CVE-2024-5864 2026-04-15 4.3 Medium
The Easy Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eafl_reset_settings AJAX action in all versions up to, and including, 3.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.
CVE-2025-14782 2 Wordpress, Wpmudev 2 Wordpress, Forminator Forms 2026-04-15 5.3 Medium
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information.
CVE-2024-7894 1 Andreiigna 1 If Menu 2026-04-15 5.3 Medium
The If Menu plugin for WordPress is vulnerable to unauthorized modification of the plugin's license key due to a missing capability check on the 'actions' function in versions up to, and including, 0.19.1. This makes it possible for unauthenticated attackers to modify delete or modify the license key.
CVE-2023-51523 2026-04-15 4.3 Medium
Missing Authorization vulnerability in WriterSystem WooCommerce Easy Duplicate Product.This issue affects WooCommerce Easy Duplicate Product: from n/a through 0.3.0.7.
CVE-2023-51526 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
Missing Authorization vulnerability in Brett Shumaker Simple Staff List.This issue affects Simple Staff List: from n/a through 2.2.4.
CVE-2025-60045 2 Themeatelier, Wordpress 2 Idonate, Wordpress 2026-04-15 7.5 High
Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects IDonatePro: from n/a through <= 2.1.11.
CVE-2024-6579 2026-04-15 4.3 Medium
The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to unauthorized plugin settings modification due to a missing capability check on several plugin functions in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change some of the plugin settings.
CVE-2025-43011 2026-04-15 7.7 High
Under certain conditions, SAP Landscape Transformation's PCL Basis module does not perform the necessary authorization checks, allowing authenticated users to access restricted functionalities or data. This can lead to a high impact on confidentiality with no impact on the integrity or availability of the application.
CVE-2024-6591 1 Nitesh Singh 1 Ultimate Wordpress Auction Plugin 2026-04-15 5.8 Medium
The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized email creation and sending due to a missing capability check on the 'send_auction_email_callback' and 'resend_auction_email_callback' functions in all versions up to, and including, 4.2.7. This makes it possible for unauthenticated attackers to craft emails that include links and send to any email address.
CVE-2024-43277 1 Ayecode 1 Userswp 2026-04-15 5.3 Medium
Missing Authorization vulnerability in AyeCode Ltd UsersWP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UsersWP: from n/a through 1.2.15.
CVE-2024-43285 1 Wordpress 1 Wordpress 2026-04-15 6.3 Medium
Missing Authorization vulnerability in Presto Made, Inc Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Presto Player: from n/a through 3.0.2.
CVE-2024-13811 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
The Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_import_lafka' AJAX actions in all versions up to, and including, 4.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data that overrides the site.
CVE-2024-13810 2026-04-15 4.3 Medium
The Zass - WooCommerce Theme for Handmade Artists and Artisans theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'zass_import_zass' AJAX actions in all versions up to, and including, 3.9.9.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo content and overwrite the site.
CVE-2024-13801 1 Wordpress 1 Wordpress 2026-04-15 8.1 High
The BWL Advanced FAQ Manager plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'baf_set_notice_status' AJAX action in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to '1' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.
CVE-2024-13780 2026-04-15 6.5 Medium
The Hero Mega Menu - Responsive WordPress Menu Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the hmenu_delete_menu() function in all versions up to, and including, 1.16.5. This makes it possible for unauthenticated attackers to delete arbitrary directories on the server.
CVE-2024-13530 2026-04-15 4.3 Medium
The Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login URL – Sign in , Sign out plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the lps_handle_delete_all_logs(), lps_handle_delete_login_log(), and lps_handle_end_session() functions in all versions up to, and including, 7.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete login logs and end user sessions.
CVE-2024-13529 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
The SocialV - Social Network and Community BuddyPress Theme theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'socialv_send_download_file' function in all versions up to, and including, 2.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download arbitrary files from the target system.
CVE-2024-6599 2 Mekshq, Wordpress 2 Meks Video Importer, Wordpress 2026-04-15 4.3 Medium
The Meks Video Importer plugin for WordPress is vulnerable to unauthorized API key modification due to a missing capability check on the ajax_save_settings function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's API keys. CVE-2024-38733 may be a duplicate of this issue.