Export limit exceeded: 11680 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (11680 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-13468 2 Themeisle, Wordpress 2 Visualizer – Tables & Charts Manager With Built-in Ai Generator, Wordpress 2026-07-06 7.5 High
The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to access and export the contents of any visualizer chart on the site — including charts in draft, private, pending, future, or trash status — as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint. This bypass is particularly impactful because the standard WordPress REST endpoint for the non-public 'visualizer' custom post type correctly enforces capability checks and returns HTTP 401 to unauthenticated callers, whereas this plugin-registered route circumvents that protection entirely.
CVE-2026-53902 1 Mycomplianceoffice 1 Mco 2026-07-06 N/A
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained via other application functionalities (e.g. /customer/servlet/mco/webapi/group/picker/groups), provided he has necessary permissions, or potentially inferred through brute-force techniques. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
CVE-2026-53905 1 Mycomplianceoffice 1 Mco 2026-07-06 N/A
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive permission mappings and internal configuration details. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
CVE-2026-57720 2 Codexpert, Wordpress 2 Thumbpress, Wordpress 2026-07-06 4.3 Medium
Missing Authorization vulnerability in Codexpert Inc ThumbPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThumbPress: from n/a through 6.3.2.
CVE-2026-57721 2 Wordpress, Wp Reloaded 2 Wordpress, Applyonline 2026-07-06 5.3 Medium
Missing Authorization vulnerability in WP Reloaded ApplyOnline allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ApplyOnline: from n/a through 2.6.7.6.
CVE-2025-69134 2 Merkulove, Wordpress 2 Openai Chatbot For Wordpress – Helper, Wordpress 2026-07-06 7.5 High
Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper <= 1.1.4 versions.
CVE-2026-39448 2 Coderpress, Wordpress 2 Nowpayments For Woocommerce, Wordpress 2026-07-06 7.5 High
Unauthenticated Broken Access Control in NOWPayments for WooCommerce <= 1.4.0 versions.
CVE-2026-57685 2 Drfuri, Wordpress 2 Martfury - Woocommerce Marketplace Wordpress Theme, Wordpress 2026-07-06 4.3 Medium
Subscriber Broken Access Control in Martfury - WooCommerce Marketplace WordPress Theme <= 3.2.8 versions.
CVE-2026-57688 2 Gurmehub, Wordpress 2 Pos Entegratör, Wordpress 2026-07-06 8.2 High
Unauthenticated Broken Access Control in POS Entegratör <= 3.7.103 versions.
CVE-2026-57689 2 Fuelthemes, Wordpress 2 Werkstatt, Wordpress 2026-07-06 4.3 Medium
Subscriber Broken Access Control in Werkstatt <= 4.7.2 versions.
CVE-2026-57750 2 Keksdieb, Wordpress 2 Ez Form Calculator Premium, Wordpress 2026-07-06 5.3 Medium
Unauthenticated Broken Access Control in ez Form Calculator Premium <= 2.14.1.2 versions.
CVE-2026-57760 2 Sendcloud, Wordpress 2 Sendcloud Shipping, Wordpress 2026-07-06 5.3 Medium
Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendcloud Shipping: from n/a through 1.0.29.
CVE-2026-12729 2 Wedevs, Wordpress 2 Wedocs: Ai Powered Knowledge Base, Docs, Documentation, Wiki & Ai Chatbot, Wordpress 2026-07-06 4.3 Medium
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying 'docs' custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins().
CVE-2026-27775 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 8.8 High
Gitea 1.25.5 caches a branch-specific write-permission result across multiple refs in one pre-receive hook session, allowing a per-branch maintainer-edit grant to be reused for other refs and escalate to full repository write access.
CVE-2026-27780 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 9.8 Critical
Gitea versions before 1.26.0 do not fail closed on bufio.Scanner errors while processing pre-receive hook input, allowing oversized input to bypass branch-protection checks.
CVE-2026-27783 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 4.3 Medium
Gitea versions up to and including 1.26.1 do not enforce repository-unit authorization on issue-template API endpoints.
CVE-2026-28699 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 8.1 High
Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.
CVE-2026-28744 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 8.1 High
Gitea versions up to and including 1.26.1 allow Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope checks.
CVE-2026-58424 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 8.9 High
Permanent Fork PR Workflow Approval Gate Bypass
CVE-2026-12557 2 Saturdaydrive, Wordpress 2 Ninja Forms - File Uploads, Wordpress 2026-07-06 5.3 Medium
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.3.29. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read all plugin debug log entries stored in the wp_nf3_log table or permanently delete all rows from that table.