Total
7119 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-46255 | 2 Marketing Fire, Wordpress | 2 Loginwp, Wordpress | 2026-01-20 | 7.5 High |
| Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. | ||||
| CVE-2025-39561 | 2 Marketing Fire, Wordpress | 2 Loginwp, Wordpress | 2026-01-20 | 6.5 Medium |
| Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. | ||||
| CVE-2025-39465 | 2 Flippercode, Wordpress | 2 Advanced Google Maps, Wordpress | 2026-01-20 | 8.1 High |
| Missing Authorization vulnerability in flippercode Advanced Google Maps wp-google-map-gold allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Google Maps: from n/a through <= 5.8.4. | ||||
| CVE-2025-31046 | 2 Wordpress, Wpvibes | 2 Wordpress, Anywhere Elementor | 2026-01-20 | 4.3 Medium |
| Missing Authorization vulnerability in WPvibes AnyWhere Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyWhere Elementor Pro: from n/a through 2.29. | ||||
| CVE-2025-30944 | 1 Wordpress | 1 Wordpress | 2026-01-20 | 7.5 High |
| Missing Authorization vulnerability in Essekia Tablesome Table Premium tablesome-premium allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Tablesome Table Premium: from n/a through <= 1.1.23. | ||||
| CVE-2025-22715 | 2 Loopus, Wordpress | 2 Wp Attractive Donations System, Wordpress | 2026-01-20 | 8.1 High |
| Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. | ||||
| CVE-2025-14360 | 1 Wordpress | 1 Wordpress | 2026-01-20 | 9.8 Critical |
| Missing Authorization vulnerability in Kaira Blockons blockons allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Blockons: from n/a through <= 1.2.15. | ||||
| CVE-2025-14358 | 1 Wordpress | 1 Wordpress | 2026-01-20 | 9.8 Critical |
| Missing Authorization vulnerability in sizam REHub Framework rehub-framework allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects REHub Framework: from n/a through <= 19.9.5. | ||||
| CVE-2024-24844 | 2 Ideabox, Wordpress | 2 Powerpack Pro For Elementor, Wordpress | 2026-01-20 | 7.5 High |
| Missing Authorization vulnerability in IdeaBox Creations PowerPack Pro for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PowerPack Pro for Elementor: from n/a through 2.10.6. | ||||
| CVE-2024-58337 | 1 Akuvox | 28 C313w-2, C313w-2 Firmware, E16c and 25 more | 2026-01-16 | 4.3 Medium |
| Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities. | ||||
| CVE-2026-21429 | 1 Emlog | 1 Emlog | 2026-01-16 | 4.3 Medium |
| Emlog is an open source website building system. In version 2.5.23, the admin can set controls which makes users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available. | ||||
| CVE-2025-12895 | 3 Laborator, Woocommerce, Wordpress | 3 Kalium, Woocommerce, Wordpress | 2026-01-16 | 5.3 Medium |
| The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attackers to use the theme an an open mail relay and send email to arbitrary email addresses on the server's behalf. | ||||
| CVE-2025-13859 | 1 Wordpress | 1 Wordpress | 2026-01-16 | 6.4 Medium |
| The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to store arbitrary JavaScript that executes whenever an AffiliateX block renders on the site. | ||||
| CVE-2026-1000 | 3 Mailerlite, Woocommerce, Wordpress | 3 Mailerlite, Woocommerce, Wordpress | 2026-01-16 | 6.5 Medium |
| The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history. | ||||
| CVE-2026-1003 | 1 Wordpress | 1 Wordpress | 2026-01-16 | 4.3 Medium |
| The GetGenie plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.0. This is due to the plugin not properly verifying that a user is authorized to delete a specific post. This makes it possible for authenticated attackers, with Author-level access and above, to delete any post on the WordPress site, including posts authored by other users. | ||||
| CVE-2026-1004 | 2 Wordpress, Wpdevteam | 2 Wordpress, Essential Addons For Elementor | 2026-01-16 | 5.3 Medium |
| The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted. | ||||
| CVE-2025-12641 | 2 Awesomesupport, Wordpress | 2 Awesome Support Wordpress Helpdesk & Support, Wordpress | 2026-01-16 | 6.5 Medium |
| The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce. | ||||
| CVE-2025-14982 | 2 Wordpress, Wpdevelop | 2 Wordpress, Booking Calendar | 2026-01-16 | 4.3 Medium |
| The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users. | ||||
| CVE-2025-14384 | 2 Smub, Wordpress | 2 All In One Seo, Wordpress | 2026-01-16 | 4.3 Medium |
| The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token. | ||||
| CVE-2025-7047 | 1 Utarit | 1 Soliclub | 2026-01-16 | 4.3 Medium |
| Missing Authorization vulnerability in Utarit Informatics Services Inc. SoliClub allows Privilege Abuse.This issue affects SoliClub: before 5.3.7. | ||||