Export limit exceeded: 19010 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (7893 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6088 | 1 Thimpress | 1 Learnpress | 2026-04-08 | 5.3 Medium |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user registration to create a new account with the default role. | ||||
| CVE-2024-6033 | 1 Themewinter | 1 Eventin | 2026-04-08 | 4.3 Medium |
| The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the 'import_file' function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data. | ||||
| CVE-2024-10402 | 2 Incsub, Wpmudev | 2 Forminator, Forminator Forms | 2026-04-08 | 7.5 High |
| The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms. | ||||
| CVE-2024-5703 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2026-04-08 | 4.3 Medium |
| The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized API access due to a missing capability check in all versions up to, and including, 5.7.26. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access the API (provided it is enabled) and add, edit, and delete audience users. | ||||
| CVE-2021-4447 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2026-04-08 | 8.8 High |
| The Essential Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to and including 4.6.4 due to a lack of restrictions on who can add a registration form and a custom registration role to an Elementor created page. This makes it possible for attackers with access to the Elementor page builder to create a new registration form that defaults to the user role being set to administrator and subsequently register as an administrative user. | ||||
| CVE-2024-5489 | 1 Wbcomdesigns | 1 Custom Font Uploader | 2026-04-08 | 4.3 Medium |
| The Wbcom Designs – Custom Font Uploader plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cfu_delete_customfont' function in all versions up to, and including, 2.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete any custom font. | ||||
| CVE-2024-5459 | 1 Fivestarplugins | 1 Five Star Restaurant Menu | 2026-04-08 | 4.3 Medium |
| The Restaurant Menu and Food Ordering plugin for WordPress is vulnerable to unauthorized creation of data due to a missing capability check on 'add_section', 'add_menu', 'add_menu_item', and 'add_menu_page' functions in all versions up to, and including, 2.4.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create menu sections, menus, food items, and new menu pages. | ||||
| CVE-2024-5324 | 1 Xootix | 4 Login\/signup Popup, Otp Login Woocommerce \& Gravity Forms, Side Cart Woocommerce and 1 more | 2026-04-08 | 8.8 High |
| Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator. | ||||
| CVE-2024-4858 | 2 Uapp, Uapp Group | 2 Testimonial Carousel For Elementor, Testimonial Carousel For Elementor | 2026-04-08 | 5.3 Medium |
| The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_testimonials_option_callback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated attackers to update the OpenAI API key, disabling the feature. | ||||
| CVE-2024-4788 | 1 Woostify | 1 Boostify Header Footer Builder For Elementor | 2026-04-08 | 4.3 Medium |
| The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_bhf_post function in all versions up to, and including, 1.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages or posts with arbitrary content. | ||||
| CVE-2024-13752 | 1 Wedevs | 1 Wp Project Manager | 2026-04-08 | 6.5 Medium |
| The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check in the '/pm/v2/settings/notice' endpoint all versions up to, and including, 2.6.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cause a persistent denial of service condition. | ||||
| CVE-2024-4661 | 1 Webfactoryltd | 1 Wp Reset | 2026-04-08 | 4.3 Medium |
| The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the value fo the 'License Key' field for the 'Activate Pro License' setting. | ||||
| CVE-2024-4450 | 1 Ali2woo | 1 Aliexpress Dropshipping With Alinext | 2026-04-08 | 6.3 Medium |
| The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions like importing and modifying products. CVE-2024-37210 is likely a duplicate of this issue. | ||||
| CVE-2024-4422 | 1 Comparisonslider | 1 Comparison Slider | 2026-04-08 | 6.4 Medium |
| The Comparison Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider title parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-4205 | 1 Leap13 | 1 Premium Addons For Elementor | 2026-04-08 | 4.3 Medium |
| The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content() function in all versions up to, and including, 4.10.31. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve Elementor template data. | ||||
| CVE-2024-3678 | 1 Adenion | 1 Blog2social | 2026-04-08 | 5.3 Medium |
| The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.4.2. This makes it possible for unauthenticated attackers to view limited information from password protected posts. | ||||
| CVE-2024-3627 | 1 Kraftplugins | 1 Wheel Of Life | 2026-04-08 | 5.4 Medium |
| The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts and modify settings. | ||||
| CVE-2024-13447 | 1 Thimpress | 1 Wp Hotel Booking | 2026-04-08 | 4.3 Medium |
| The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and including, 2.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a list of registered user emails. | ||||
| CVE-2024-3602 | 1 Promolayer | 1 Popup Builder | 2026-04-08 | 4.3 Medium |
| The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with subscriber access or higher, to remove the Promolayer connection. | ||||
| CVE-2024-3268 | 1 Emarketdesign | 1 Youtube Video Gallery | 2026-04-08 | 5.3 Medium |
| The YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the emd_form_builder_lite_submit_form function in all versions up to, and including, 3.3.6. This makes it possible for unauthenticated attackers to create arbitrary posts or pages. | ||||