Search Results (1491 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-11768 1 W3eden 1 Download Manager 2026-04-08 5.3 Medium
The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protected content due to improper password validation on the checkFilePassword function in all versions up to, and including, 3.3.03. This makes it possible for unauthenticated attackers to download password-protected files.
CVE-2024-13724 2 Wordpress, Wpswings 2 Wordpress, Wallet System For Woocommerce 2026-04-08 4.3 Medium
The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to increase their own wallet balance, transfer balances between arbitrary users and initiate transfer requests from other users' wallets.
CVE-2024-1803 1 Wpdeveloper 1 Embedpress 2026-04-08 4.3 Medium
The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of functionality due to insufficient authorization validation on the PDF embed block in all versions up to, and including, 3.9.12. This makes it possible for authenticated attackers, with contributor-level access and above, to embed PDF blocks.
CVE-2024-1289 1 Thimpress 1 Learnpress 2026-04-08 6.5 Medium
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.3 due to missing validation on a user controlled key when looking up order information. This makes it possible for authenticated attackers to obtain information on orders placed by other users and guests, which can be leveraged to sign up for paid courses that were purchased by guests. Emails of other users are also exposed.
CVE-2023-6496 1 Freeamigos 1 Manage Notification E-mails 2026-04-08 5.3 Medium
The Manage Notification E-mails plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.8.5 via the card_famne_export_settings function. This makes it possible for unauthenticated attackers to obtain plugin settings.
CVE-2023-0583 1 Vektor-inc 1 Vk Blocks 2026-04-08 4.3 Medium
The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'update_vk_blocks_options' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change plugin settings including default icons.
CVE-2021-4344 1 Najeebmedia 1 Frontend File Manager Plugin 2026-04-08 6.4 Medium
The Frontend File Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to, and including, 18.2. This is due to lacking mishandling the use of user IDs that is accessible by the visitor. This makes it possible for unauthenticated or authenticated attackers to access the information and privileges of other users, including 'guest users', in their own category (authenticated, or unauthenticated guests).
CVE-2020-36696 1 Tychesoftwares 1 Product Input Fields For Woocommerce 2026-04-08 7.5 High
The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_downloads() function in versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to download files from the vulnerable service.
CVE-2024-13646 1 Aakashbhagat 1 Single User Chat 2026-04-08 8.1 High
The Single-user-chat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to insufficient validation on the 'single_user_chat_update_login' function in all versions up to, and including, 0.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to update option values to 'login' on the WordPress site. This may be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.
CVE-2024-13821 1 Wpbookingcalendar 1 Booking Calendar 2026-04-08 5.3 Medium
The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. This is due to the plugin not properly requiring re-verification after a booking has been made and a change is being attempted. This makes it possible for unauthenticated attackers to manipulate their confirmed bookings, even after they have been approved.
CVE-2024-5053 1 Fluentforms 1 Contact Form 2026-04-08 4.2 Medium
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Malichimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18. This makes it possible for Form Managers with a Subscriber-level access and above to modify the Mailchimp API key used for integration. At the same time, missing Mailchimp API key validation allows the redirect of the integration requests to the attacker-controlled server.
CVE-2023-6878 1 Leechesnutt 1 Slick Social Share Buttons 2026-04-08 8.8 High
The Slick Social Share Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dcssb_ajax_update' function in versions up to, and including, 2.4.11. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update the site options arbitrarily.
CVE-2024-9531 1 Multivendorx 1 Multivendorx 2026-04-08 4.3 Medium
The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvx_sent_deactivation_request' function in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send a canned email to the site's administrator asking to delete the profile of an arbitrary vendor.
CVE-2024-13694 1 Moreconvert 1 Woocommerce Wishlist 2026-04-08 7.5 High
The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.
CVE-2023-53895 2 Pimpmylog, Potsky 2 Pimpmylog, Pimp My Log 2026-04-07 9.8 Critical
PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables.
CVE-2026-5642 1 Cyber-iii 1 Student-management-system 2026-04-07 7.3 High
A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown function of the file /viva/update.php of the component HTTP POST Request Handler. This manipulation of the argument Name causes improper authorization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-32716 1 Scitokens 2 Scitokens, Scitokens Library 2026-04-07 8.1 High
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.
CVE-2026-33950 1 Signalk 2 Signal K Server, Signalk-server 2026-04-07 9.4 Critical
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
CVE-2026-4818 2 Floragunn, Search-guard 2 Search Guard Flx, Flx 2026-04-03 6.8 Medium
In Search Guard FLX versions from 3.0.0 up to 4.0.1, there exists an issue which allows users without the necessary privileges to execute some management operations against data streams.
CVE-2026-5326 1 Sourcecodester 1 Leave Application System 2026-04-03 5.3 Medium
A vulnerability was identified in SourceCodester Leave Application System 1.0. Impacted is an unknown function of the file /index.php?page=manage_user of the component User Information Handler. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. The exploit is publicly available and might be used.