Total
7679 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6754 | 1 Wpwebinfotech | 1 Social Auto Poster | 2026-04-08 | 5.4 Medium |
| The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the ‘wpw_auto_poster_update_tweet_template’ function in all versions up to, and including, 5.3.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary post metadata. | ||||
| CVE-2024-10543 | 1 Tumult | 1 Tumult Hype Animations | 2026-04-08 | 4.3 Medium |
| The Tumult Hype Animations plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hypeanimations_getcontent function in all versions up to, and including, 1.9.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve animation information. | ||||
| CVE-2022-4943 | 1 Miniorange | 1 Google Authenticator | 2026-04-08 | 7.5 High |
| The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings. | ||||
| CVE-2025-12469 | 3 Funnelkit, Woocommerce, Wordpress | 3 Funnelkit Automations, Woocommerce, Wordpress | 2026-04-08 | 4.3 Medium |
| The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content. | ||||
| CVE-2023-6966 | 1 Themoneytizer | 1 The Moneytizer | 2026-04-08 | 8.1 High |
| The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.6.3. This makes it possible for authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions. | ||||
| CVE-2025-12782 | 2 Fastlinemedia, Wordpress | 2 Beaver Builder, Wordpress | 2026-04-08 | 4.3 Medium |
| The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user's authorization in the disable() function. This makes it possible for authenticated attackers, with contributor level access and above, to disable the Beaver Builder layout on arbitrary posts and pages, causing content integrity issues and layout disruption on those pages. | ||||
| CVE-2024-4958 | 2026-04-08 | 7.1 High | ||
| The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'import_form_action' function in versions up to, and including, 3.2.0.1. This makes it possible for authenticated attackers, with contributor-level permissions and above, to import a registration form with a default user role of administrator. If an administrator approves or publishes a post or page with the shortcode to the imported form, any user can register as an administrator. | ||||
| CVE-2025-0954 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 6.5 Medium |
| The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's settings. | ||||
| CVE-2023-5712 | 1 Bowo | 1 System Dashboard | 2026-04-08 | 4.3 Medium |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_global_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive global value information. | ||||
| CVE-2024-3711 | 1 Brizy | 1 Brizy | 2026-04-08 | 4.3 Medium |
| The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access or above, to enable/disable the Brizy editor and modify the template used. | ||||
| CVE-2025-14079 | 2 Elextensions, Wordpress | 2 Elex Wordpress Helpdesk & Customer Ticketing System, Wordpress | 2026-04-08 | 5.3 Medium |
| The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action. | ||||
| CVE-2025-14798 | 2 Thimpress, Wordpress | 2 Learnpress, Wordpress | 2026-04-08 | 5.3 Medium |
| The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included. | ||||
| CVE-2025-0935 | 1 Maxfoundry | 1 Media Library Folders | 2026-04-08 | 4.3 Medium |
| The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to change plugin settings related to things such as IP-blocking. | ||||
| CVE-2023-5415 | 1 Funnelforms | 1 Funnelforms | 2026-04-08 | 4.3 Medium |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_add_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to add new categories. | ||||
| CVE-2025-14047 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 5.3 Medium |
| The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachment. | ||||
| CVE-2025-8342 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2026-04-08 | 8.1 High |
| The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured. | ||||
| CVE-2023-2284 | 1 Wpwhitesecurity | 1 Wp Activity Log | 2026-04-08 | 4.3 Medium |
| The WP Activity Log Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_switch_db function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers with subscriber-level or higher to make changes to the plugin's settings. | ||||
| CVE-2024-7721 | 1 Bplugins | 1 Html5 Video Player | 2026-04-08 | 4.3 Medium |
| The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_password' function in all versions up to, and including, 2.5.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set any options that are not explicitly checked as false to an array, including enabling user registration if it has been disabled. | ||||
| CVE-2023-4728 | 1 Ladipage | 1 Ladipage | 2026-04-08 | 4.3 Medium |
| The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publish_lp() function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to change the LadiPage key (a key fully controlled by the attacker), enabling them to freely create new pages, including web pages that trigger stored XSS | ||||
| CVE-2026-2001 | 2 Wordpress, Wpxpo | 2 Wordpress, Wowrevenue – Product Bundles & Bulk Discounts | 2026-04-08 | 8.8 High |
| The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible. | ||||