Total
7650 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-36730 | 1 Niteothemes | 1 Cmp | 2026-04-08 | 8.3 High |
| The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmp_get_post_detail(), niteo_export_csv(), and cmp_disable_comingsoon_ajax() functions in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to read posts, export subscriber lists, and/or deactivate the plugin. | ||||
| CVE-2020-36729 | 1 2joomla | 1 2j Slideshow | 2026-04-08 | 5.4 Medium |
| The 2J-SlideShow Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'twoj_slideshow_setup' function called via the wp_ajax_twoj_slideshow_setup AJAX action in versions up to, and including, 1.3.31. This makes it possible for authenticated attackers (Subscriber, or above level access) to allow attackers to perform otherwise restricted actions and subsequently deactivate any plugins on the blog. | ||||
| CVE-2020-36725 | 1 Templateinvaders | 1 Ti Woocommerce Wishlist | 2026-04-08 | 8.8 High |
| The TI WooCommerce Wishlist and TI WooCommerce Wishlist Pro plugins for WordPress are vulnerable to an Options Change vulnerability in versions up to, and including, 1.21.11 and 1.21.4 via the 'ti-woocommerce-wishlist/includes/export.class.php' file. This makes it possible for authenticated attackers to gain otherwise restricted access to the vulnerable blog and update any settings. | ||||
| CVE-2020-36721 | 3 Colorlib, Cpothemes, Machothemes | 15 Activello, Bonkers, Illdy and 12 more | 2026-04-08 | 6.5 Medium |
| The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site. | ||||
| CVE-2025-7664 | 2 Loword, Wordpress | 2 Al Pack, Wordpress | 2026-04-08 | 7.5 High |
| The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.1.1. The callback reads the client-supplied Origin header and, after parsing, allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header. | ||||
| CVE-2025-6754 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 8.8 High |
| The SEO Metrics plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks in both the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function in all versions up to, and including, 1.0.15. Because the AJAX action only verifies a nonce, without checking the caller’s capabilities, a subscriber-level user can retrieve the token and then access the custom endpoint to obtain full administrator cookies. | ||||
| CVE-2025-5018 | 2026-04-08 | 7.1 High | ||
| The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 or/and CVE-2025-32242. | ||||
| CVE-2025-2815 | 2026-04-08 | 8.8 High | ||
| The Administrator Z plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the adminz_import_backup() function in all versions up to, and including, 2025.03.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. CVE-2025-26959 is a duplicate of this issue. | ||||
| CVE-2025-2267 | 1 Wp01ru | 1 Wp01 | 2026-04-08 | 6.5 Medium |
| The WP01 plugin for WordPress is vulnerable to Arbitrary File Download in all versions up to, and including, 2.6.2 due to a missing capability check and insufficient restrictions on the make_archive() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download and read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-30567 is a duplicate of this issue. | ||||
| CVE-2025-1508 | 1 Themeum | 1 Wp Crowdfunding | 2026-04-08 | 5.3 Medium |
| The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed. | ||||
| CVE-2025-15507 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 5.3 Medium |
| The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance. | ||||
| CVE-2025-14070 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 7.5 High |
| The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to create arbitrary WooCommerce discount coupons, potentially causing financial loss to the store. | ||||
| CVE-2025-12877 | 2 Themeatelier, Wordpress | 2 Idonate, Wordpress | 2026-04-08 | 5.3 Medium |
| The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized modification od data due to a missing capability check on the panding_blood_request_action() function in all versions up to, and including, 2.1.15. This makes it possible for unauthenticated attackers to delete arbitrary posts. CVE-2025-67583 is likely a duplicate of this. | ||||
| CVE-2025-12526 | 2 Michielvaneerd, Wordpress | 2 Private Google Calendars, Wordpress | 2026-04-08 | 4.3 Medium |
| The Private Google Calendars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pgc_remove' action in all versions up to, and including, 20250811. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings. | ||||
| CVE-2025-12392 | 3 Tripleatechnology, Woocommerce, Wordpress | 3 Cryptocurrency Payment Gateway For Woocommerce, Woocommerce, Wordpress | 2026-04-08 | 5.3 Medium |
| The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.25. This makes it possible for unauthenticated attackers to opt in and out of tracking. | ||||
| CVE-2025-12354 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting. | ||||
| CVE-2024-9630 | 1 10web | 1 Wps Telegram Chat | 2026-04-08 | 5.4 Medium |
| The WPS Telegram Chat plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when accessing messages in versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to view the messages that are sent through the Telegram Bot API. | ||||
| CVE-2024-9109 | 1 Octolize | 1 Woocommerce Ups Shipping | 2026-04-08 | 4.3 Medium |
| The WooCommerce UPS Shipping – Live Rates and Access Points plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_oauth_data function in all versions up to, and including, 2.3.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's API key. | ||||
| CVE-2024-9065 | 1 Matbao | 1 Wp Helper Premium | 2026-04-08 | 5.3 Medium |
| The WP Helper Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'whp_smtp_send_mail_test' function in all versions up to, and including, 4.6.1. This makes it possible for unauthenticated attackers to send emails containing any content and originating from the vulnerable WordPress instance to any recipient. CVE-2025-24737 is likely a duplicate of this issue. | ||||
| CVE-2024-8548 | 2 Cagdasdag, Logon | 2 Kb Support Wordpress Help Desk And Knowledge Base, Kb Support | 2026-04-08 | 8.1 High |
| The KB Support – WordPress Help Desk and Knowledge Base plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the /includes/ajax-functions.php file all versions up to, and including, 1.6.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform multiple administrative actions, such as replying to arbitrary tickets, updating the status of any post, deleting any post, adding notes to tickets, flagging or unflagging tickets, and adding or removing ticket participants. | ||||