Total
7652 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2962 | 1 Codesupplyco | 1 Networker Technews Wordpress Theme With Dark Mode | 2026-04-08 | 5.3 Medium |
| The Networker - Tech News WordPress Theme with Dark Mode theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_reload_nav_menu() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to modify the location of display menus. | ||||
| CVE-2024-2782 | 1 Fluentforms | 1 Contact Form | 2026-04-08 | 7.5 High |
| The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to modify all of the plugin's settings. | ||||
| CVE-2024-2771 | 1 Fluentforms | 1 Contact Form | 2026-04-08 | 9.8 Critical |
| The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts. | ||||
| CVE-2024-2544 | 1 Sygnoos | 1 Popup Builder | 2026-04-08 | 7.4 High |
| The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple unauthorized actions, such as deleting subscribers, and importing subscribers to conduct stored cross-site scripting attacks. | ||||
| CVE-2024-2033 | 2026-04-08 | 4.3 Medium | ||
| The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.5 via the get_assign_host_id AJAX action. This makes it possible for authenticated attackers, with subscriber access or higher, to enumerate usernames, emails and IDs of all users on a site. | ||||
| CVE-2024-1994 | 2026-04-08 | 4.3 Medium | ||
| The Image Watermark plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the watermark_action_ajax() function in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to apply and remove watermarks from images. | ||||
| CVE-2024-1945 | 2026-04-08 | 7.1 High | ||
| The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'arflite_remove_preview_data' function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber access and above, to delete arbitrary site options, resulting in loss of availability. | ||||
| CVE-2024-1904 | 1 Stylemixthemes | 1 Masterstudy Lms | 2026-04-08 | 4.3 Medium |
| The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the search_posts function in all versions up to, and including, 3.2.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose draft post titles and excerpts. | ||||
| CVE-2024-1870 | 1 Extendthemes | 1 Colibri Page Builder | 2026-04-08 | 4.3 Medium |
| The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key. | ||||
| CVE-2024-1857 | 1 Wpswings | 1 Ultimate Gift Cards For Woocommerce | 2026-04-08 | 5.3 Medium |
| The Ultimate Gift Cards for WooCommerce – Create, Redeem & Manage Digital Gift Certificates with Personalized Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.6 via the wps_wgm_preview_email_template(). This makes it possible for unauthenticated attackers to read password protected and draft posts that may contain sensitive data. | ||||
| CVE-2024-1843 | 1 Flamescorpion | 1 Auto Affiliate Links | 2026-04-08 | 4.3 Medium |
| The Auto Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the aalAddLink function in all versions up to, and including, 6.4.3. This makes it possible for authenticated attackers, with subscriber access or higher, to add arbitrary links to posts. | ||||
| CVE-2024-1804 | 1 Themeum | 1 Tutor Lms - Migration Tool | 2026-04-08 | 4.3 Medium |
| The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tutor_import_from_xml function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to import courses. | ||||
| CVE-2024-1798 | 1 Themeum | 2 Tutor Lms - Migration Tool, Tutorlms-migrationtool | 2026-04-08 | 5.3 Medium |
| The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the tutor_lp_export_xml function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to export courses, including private and password protected courses. | ||||
| CVE-2024-1771 | 1 Hashthemes | 1 Total | 2026-04-08 | 4.3 Medium |
| The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage. | ||||
| CVE-2024-1733 | 2 Charlestsmith, Pdfcrowd | 2 Word Replacer Pro, Word Replacer Pro | 2026-04-08 | 5.3 Medium |
| The Word Replacer Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the word_replacer_ultra() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update arbitrary content on the affected WordPress site. | ||||
| CVE-2024-1717 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The Admin Notices Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_ajax_call() function in all versions up to, and including, 1.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve a list of registered user emails. | ||||
| CVE-2024-1710 | 2 Unitecms, Unlimited-elements | 2 Addon Library, Addon Library | 2026-04-08 | 8.8 High |
| The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the onAjaxAction function action in all versions up to, and including, 1.3.76. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions including uploading arbitrary files. | ||||
| CVE-2024-1690 | 1 Standalonetech | 1 Terawallet | 2026-04-08 | 4.3 Medium |
| The TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the terawallet_export_user_search() function in all versions up to, and including, 1.4.10. This makes it possible for authenticated attackers, with subscriber-level access and above, to export a list of registered users and their emails. | ||||
| CVE-2024-1687 | 1 Villatheme | 1 Woocommerce Thank You Page Customizer | 2026-04-08 | 5.4 Medium |
| The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to unauthorized execution of shortcodes due to a missing capability check on the get_text_editor_content() function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes. | ||||
| CVE-2024-1686 | 1 Villatheme | 1 Woocommerce Thank You Page Customizer | 2026-04-08 | 4.3 Medium |
| The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to missing authorization e in all versions up to, and including, 1.1.2 via the apply_layout function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve arbitrary order data which may contain PII. | ||||