Total
7117 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-24353 | 2 Wordpress, Wpeverest | 2 Wordpress, User Registration | 2026-01-26 | 8.1 High |
| Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.9. | ||||
| CVE-2026-23974 | 2 Uxper, Wordpress | 2 Golo, Wordpress | 2026-01-26 | 8.8 High |
| Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Golo: from n/a through < 1.7.5. | ||||
| CVE-2026-22472 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 8.8 High |
| Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Form Builder: from n/a through <= 3.9.6. | ||||
| CVE-2026-1103 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 5.4 Medium |
| The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator. | ||||
| CVE-2025-14629 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 5.3 Medium |
| The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments. | ||||
| CVE-2025-14609 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 5.3 Medium |
| The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possible for unauthenticated attackers to access sensitive analytics data including administrator usernames, login timestamps, visitor tracking information, and business intelligence data via the 'name' parameter granted they can send unauthenticated requests. | ||||
| CVE-2026-24563 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 4.3 Medium |
| Missing Authorization vulnerability in Ashan Perera LifePress lifepress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LifePress: from n/a through <= 2.1.3. | ||||
| CVE-2025-15516 | 2 Plugins360, Wordpress | 2 All-in-one Video Gallery, Wordpress | 2026-01-26 | 4.3 Medium |
| The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account. | ||||
| CVE-2026-23477 | 2 Rocket.chat, Rocketchat | 2 Rocket.chat, Rocket.chat | 2026-01-26 | 7.7 High |
| Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0. | ||||
| CVE-2026-0687 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 4.3 Medium |
| The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to create and publish galleries. | ||||
| CVE-2024-39650 | 2 Wpweb, Wpwebelite | 2 Woocommerce Pdf Vouchers, Woocommerce Pdf Vouchers | 2026-01-26 | 7.3 High |
| Missing Authorization vulnerability in WPWeb Elite WooCommerce PDF Vouchers allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WooCommerce PDF Vouchers: from n/a through 4.9.4. | ||||
| CVE-2024-43274 | 2 Joomsky, Jshelpdesk | 2 Js Help Desk, Jshelpdesk | 2026-01-26 | 5.8 Medium |
| Missing Authorization vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.8.6. | ||||
| CVE-2026-0593 | 2 Wordpress, Wpgmaps | 2 Wordpress, Wp Go Maps | 2026-01-26 | 5.3 Medium |
| The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings. | ||||
| CVE-2026-24522 | 2 Mythemeshop, Wordpress | 2 Wp Subscribe, Wordpress | 2026-01-26 | 4.3 Medium |
| Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Subscribe: from n/a through <= 1.2.16. | ||||
| CVE-2025-14843 | 3 Wizit, Woocommerce, Wordpress | 3 Gateway For Woocommerce, Woocommerce, Wordpress | 2026-01-26 | 5.3 Medium |
| The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID. | ||||
| CVE-2025-12519 | 1 Centreon | 2 Centreon, Centreon Web | 2026-01-26 | 5.3 Medium |
| Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | ||||
| CVE-2025-12825 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 5.3 Medium |
| The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets. | ||||
| CVE-2026-23522 | 1 Lobehub | 1 Lobe Chat | 2026-01-26 | 3.7 Low |
| LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `userId` filter in the database query is commented out, so it's enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing target's KB ID and target's file ID. These IDs are random and not easily enumerable. However, IDs may leak through shared links, logs, referrer headers and so on. Missing authorization check is a critical security flaw regardless. Users should upgrade to version 2.0.0-next.193 to receive a patch. | ||||
| CVE-2025-15466 | 2 Wordpress, Wpchill | 2 Wordpress, Image Photo Gallery Final Tiles Grid | 2026-01-26 | 5.4 Medium |
| The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators. | ||||
| CVE-2025-14463 | 2 Naa986, Wordpress | 2 Payment Button For Paypal, Wordpress | 2026-01-26 | 5.3 Medium |
| The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, granted they can bypass basic parameter validation. If email sending is enabled, the plugin will also trigger purchase receipt emails to any email address supplied in the request, leading to order database corruption and unauthorized outgoing emails without any real PayPal transaction taking place. | ||||