Export limit exceeded: 363419 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (12037 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-2538 1 Permalink Manager Lite Project 1 Permalink Manager Lite 2026-04-08 5.4 Medium
The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.
CVE-2024-2472 1 Latepoint 2 Latepoint, Latepoint Plugin 2026-04-08 9.1 Critical
The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customer's cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account.
CVE-2024-2346 1 Ninjateam 1 Filebird 2026-04-08 5.4 Medium
The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.3 via folder deletion due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author access or higher, to delete folders created by other users and make their file uploads visible. CVE-2024-35166 may be a duplicate of this issue.
CVE-2024-1640 1 Bitapps 1 Contact Form Builder 2026-04-08 5.3 Medium
The Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form plugin for WordPress is vulnerable to unauthorized modification of data due to a insufficient user validation on the bitforms_update_form_entry AJAX action in all versions up to, and including, 2.10.1. This makes it possible for unauthenticated attackers to modify form submissions.
CVE-2024-13832 1 Uncodethemes 1 Ultra Addons Lite For Elementor 2026-04-08 4.3 Medium
The Ultra Addons Lite for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.8 via the 'ut_elementor' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
CVE-2024-13719 2 Pepro, Wordpress 2 Peprodev Ultimate Invoice, Wordpress 2026-04-08 5.3 Medium
The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.9 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view invoices for completed orders which can contain PII of users.
CVE-2024-12062 1 Nicheaddons 1 Charity Addon For Elementor 2026-04-08 4.3 Medium
The Charity Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.3.3 via the 'nacharity_elementor_template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.
CVE-2024-10696 1 Codeastrology 1 Ultraaddons 2026-04-08 4.3 Medium
The UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.8 via the show_template due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to expose the contents of draft, private, and pending posts.
CVE-2023-7014 1 Amitzy 1 Molongui Authorship 2026-04-08 5.3 Medium
The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the 'ma_debu' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including post author emails and names if applicable.
CVE-2023-6969 1 Kylebjohnson 1 User Shortcodes Plus 2026-04-08 4.3 Medium
The User Shortcodes Plus plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the user_meta shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve potentially sensitive user meta.
CVE-2023-4214 1 Apppresser 1 Apppresser 2026-04-08 8.1 High
The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit.
CVE-2023-4213 1 Mikevanwinkle 1 Simplr Registration Form Plus\+ 2026-04-08 8.8 High
The Simplr Registration Form Plus+ plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.4.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber-level permissions or above to change user passwords and potentially take over administrator accounts.
CVE-2023-3063 1 Smartypantsplugins 1 Sp Project \& Document Manager 2026-04-08 8.8 High
The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber privileges or above, to change user passwords and potentially take over administrator accounts.
CVE-2023-2276 1 Wclovers 1 Wcfm Membership 2026-04-08 9.8 Critical
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.10.7. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.
CVE-2023-2172 1 Badgeos 1 Badgeos 2026-04-08 4.3 Medium
The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_update_steps_ajax_handler, badgeos_update_award_steps_ajax_handler, badgeos_update_deduct_steps_ajax_handler, and badgeos_update_ranks_req_steps_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to overwrite arbitrary post titles.
CVE-2023-0691 1 Wpmet 1 Metform Elementor Contact Form Builder 2026-04-08 4.3 Medium
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_last_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, specifically the submitter's last name.
CVE-2023-0689 1 Wpmet 1 Metform Elementor Contact Form Builder 2026-04-08 4.3 Medium
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_first_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter's first name.
CVE-2023-0688 1 Wpmet 1 Metform Elementor Contact Form Builder 2026-04-08 6.5 Medium
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_thankyou' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about form submissions, including payment status, and transaction ID.
CVE-2022-3794 1 Jegtheme 1 Jeg Elementor Kit 2026-04-08 5.4 Medium
The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various AJAX actions in versions up to, and including, 2.5.6. Authenticated users can use an easily available nonce value to create header templates and make additional changes to the site, as the plugin does not use capability checks for this purpose.
CVE-2021-4348 1 Createit 1 Ultimate Gdpr \& Ccpa Compliance Toolkit 2026-04-08 7.5 High
The Ultimate GDPR & CCPA plugin for WordPress is vulnerable to unauthenticated settings import and export via the export_settings & import_settings functions in versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to change plugin settings and conduct attacks such as redirecting visitors to malicious sites.