Total
7663 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-10664 | 2026-04-08 | 4.3 Medium | ||
| The Knowledge Base documentation & wiki plugin – BasePress Docs plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the basepress_db_posts_update() function in all versions up to, and including, 2.16.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the database. | ||||
| CVE-2025-11996 | 2 Toastwebsites, Wordpress | 2 Find Unused Images, Wordpress | 2026-04-08 | 5.3 Medium |
| The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functiosn in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site's attachments. | ||||
| CVE-2025-12157 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 5.3 Medium |
| The Simple User Capabilities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_reset_capability' AJAX endpoint in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to reset any user's capabilities. | ||||
| CVE-2022-4974 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 6.3 Medium |
| The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. | ||||
| CVE-2025-12168 | 2 Memsource, Wordpress | 2 Phrase Tms Integration For Wordpress, Wordpress | 2026-04-08 | 4.3 Medium |
| The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files. | ||||
| CVE-2025-14581 | 2 Villatheme, Wordpress | 2 Happy, Wordpress | 2026-04-08 | 4.3 Medium |
| The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket. | ||||
| CVE-2024-13698 | 1 Astoundify | 1 Jobify | 2026-04-08 | 6.5 Medium |
| The Jobify - Job Board WordPress Theme for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'download_image_via_ai' and 'generate_image_via_ai' functions in all versions up to, and including, 4.2.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application to upload files in an image format, and to generate AI images using the site's OpenAI key. | ||||
| CVE-2026-1003 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The GetGenie plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.0. This is due to the plugin not properly verifying that a user is authorized to delete a specific post. This makes it possible for authenticated attackers, with Author-level access and above, to delete any post on the WordPress site, including posts authored by other users. | ||||
| CVE-2023-2757 | 1 Plugin | 1 Waiting | 2026-04-08 | 7.4 High |
| The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on 'saveLang' functions in versions up to, and including, 0.6.2. This could lead to Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for subscriber-level attackers to access functions to save plugin data that can potentially lead to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12042 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 5.3 Medium |
| The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to directly access the file and obtain an export of all booking data. | ||||
| CVE-2023-6855 | 1 Strangerstudios | 1 Paid Memberships Pro | 2026-04-08 | 5.3 Medium |
| The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function in all versions up to 2.12.5 (inclusive). This makes it possible for unauthenticated attackers to change membership levels including prices. | ||||
| CVE-2024-1689 | 1 Themefarmer | 1 Woocommerce Tools | 2026-04-08 | 4.3 Medium |
| The WooCommerce Tools plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woocommerce_tool_toggle_module() function in all versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to deactivate arbitrary plugin modules. | ||||
| CVE-2026-2022 | 2 Edgarrojas, Wordpress | 2 Smart Forms – When You Need More Than Just A Contact Form, Wordpress | 2026-04-08 | 4.3 Medium |
| The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names. | ||||
| CVE-2025-11632 | 2 Jgrietveld, Wordpress | 2 Call Now Button, Wordpress | 2026-04-08 | 4.3 Medium |
| The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to billing portal, where they can view and modify billing information of the connected, account, generate chat session tokens, view domain status, etc. This vulnerability was partially fixed in version 1.5.4 and fully fixed in version 1.5.5 | ||||
| CVE-2025-12563 | 2 Blog2social, Wordpress | 2 Blog2social, Wordpress | 2026-04-08 | 4.3 Medium |
| The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on theuploadVideo() function in all versions up to, and including, 8.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload mp4 files to the 'wp-content/uploads/<YYYY>/<MM>/' directory. | ||||
| CVE-2020-36831 | 1 Nextscripts | 1 Social Networks Auto Poster | 2026-04-08 | 5 Medium |
| The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on multiple user privilege/security functions provided in versions up to, and including 4.3.17. This makes it possible for low-privileged attackers, like subscribers, to perform restricted actions that would be otherwise locked to a administrative-level user. | ||||
| CVE-2024-12249 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The GS Insever Portfolio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings() function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's CSS settings. | ||||
| CVE-2024-6750 | 1 Wpwebinfotech | 1 Social Auto Poster | 2026-04-08 | 7.3 High |
| The Social Auto Poster plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.3.14. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options. | ||||
| CVE-2025-7827 | 3 Anzia, Woocommerce, Wordpress | 3 Ni Woocommerce Customer Product Report, Woocommerce, Wordpress | 2026-04-08 | 4.3 Medium |
| The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings. | ||||
| CVE-2025-1285 | 2026-04-08 | 5.3 Medium | ||
| The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to internal services and update API key details. | ||||