Total
7651 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-3610 | 1 Wensolutions | 1 Wp Child Theme Generator | 2026-04-08 | 5.3 Medium |
| The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to create a blank child theme and activate it cause the site to whitescreen. | ||||
| CVE-2024-3599 | 1 Wpeka | 1 Wp Cookie Consent | 2026-04-08 | 5.3 Medium |
| The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the gdpr_policy_process_delete() function in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to delete arbitrary posts. | ||||
| CVE-2024-3546 | 1 Webtoffee | 1 Backup And Migration | 2026-04-08 | 4.3 Medium |
| The WordPress Backup & Migration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wp_mgdp_populate_popup function in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with subscriber access or above, to invoke this function and access log files maintained by the plugin. Additionally, the file name is user-provided and not properly sanitized, which allows attackers to read arbitrary log files on the file system. | ||||
| CVE-2024-3312 | 2 Tonjoostudio, Wordpress | 2 Easy Custom Auto Excerpt, Wordpress | 2026-04-08 | 5.3 Medium |
| The Easy Custom Auto Excerpt plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.12. This makes it possible for unauthenticated attackers to obtain excerpts of password-protected posts. | ||||
| CVE-2024-3295 | 2026-04-08 | 6.5 Medium | ||
| The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the profile_pic_remove function in versions up to, and including, 3.1.5. This makes it possible for unauthenticated attackers to delete any media file. | ||||
| CVE-2024-3287 | 1 Wpmudev | 1 Smartcrawl | 2026-04-08 | 5.3 Medium |
| The SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer plugin for WordPress is vulnerable to unauthorized ld+json description injection due to a missing capability check on the save_settings function in all versions up to, and including, 3.10.2. This makes it possible for unauthenticated attackers to save schema types. | ||||
| CVE-2024-3275 | 2026-04-08 | 4.3 Medium | ||
| The eRoom – Zoom Meetings & Webinars plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.18 via the search_posts function. This makes it possible for authenticated attackers, with subscriber access and higher, to obtain post excerpts including those of draft and pending posts. | ||||
| CVE-2024-3249 | 2026-04-08 | 4.3 Medium | ||
| The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2. | ||||
| CVE-2024-3243 | 2 Cusrev, Ivole | 2 Customer Reviews For Woocommerce, Customer Reviews For Woocommerce | 2026-04-08 | 4.3 Medium |
| The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 5.46.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary test emails. | ||||
| CVE-2024-3072 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The ACF Front End Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_texts() function in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post title, content, and ACF data. | ||||
| CVE-2024-3071 | 1 Wordpress | 2 Acf-on-the-go, Wordpress | 2026-04-08 | 4.3 Medium |
| The ACF On-The-Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the acfg_update_fields() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post titles, descriptions, and ACF values. | ||||
| CVE-2024-2538 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2026-04-08 | 5.4 Medium |
| The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts. | ||||
| CVE-2024-2395 | 2 Autopolis, Autopolisbs | 2 Bulgarisation For Woocommerce, Bulgarisation For Woocommerce | 2026-04-08 | 7.3 High |
| The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.14. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to generate and delete labels via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-2298 | 1 Servit | 1 Affiliate-toolkit | 2026-04-08 | 4.3 Medium |
| The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_import_product() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating importing products. | ||||
| CVE-2024-2109 | 2 Themeinwp, Wordpress | 2 Booster Extension, Wordpress | 2026-04-08 | 5.3 Medium |
| The Booster Extension plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.0 via the 'booster_extension_authorbox_shortcode_display' function. This makes it possible for unauthenticated attackers to extract sensitive data including user emails | ||||
| CVE-2024-2107 | 1 Blossomthemes | 1 Blossom Spa | 2026-04-08 | 5.8 Medium |
| The Blossom Spa theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.3 via generated source. This makes it possible for unauthenticated attackers to extract sensitive data including contents of password-protected or scheduled posts. | ||||
| CVE-2024-2043 | 1 Theinnovs | 1 Eleforms | 2026-04-08 | 5.3 Medium |
| The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when downloading form submissions in all versions up to, and including, 2.9.9.7. This makes it possible for unauthenticated attackers to view form submissions. | ||||
| CVE-2024-1991 | 1 Metagauss | 1 Registrationmagic | 2026-04-08 | 8.8 High |
| The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_users_role() function in all versions up to, and including, 5.3.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator | ||||
| CVE-2024-1982 | 1 Wpvivid | 1 Migration\, Backup\, Staging | 2026-04-08 | 6.5 Medium |
| The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the get_restore_progress() and restore() functions in all versions up to, and including, 0.9.68. This makes it possible for unauthenticated attackers to exploit a SQL injection vulnerability or trigger a DoS. | ||||
| CVE-2024-1934 | 1 Wpcompress | 2 Image Optimizer, Wp Compress | 2026-04-08 | 7.5 High |
| The WP Compress – Image Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wps_local_compress::__construct' function in all versions up to, and including, 6.11.10. This makes it possible for unauthenticated attackers to reset the CDN region and set a malicious URL to deliver images. | ||||