Total
7119 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-0628 | 1 Google | 1 Chrome | 2026-01-12 | N/A | 8.8 HIGH |
| Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High) | |||||
| CVE-2025-58192 | 1 Xylusthemes | 1 Wp Bulk Delete | 2026-01-12 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Xylus Themes WP Bulk Delete allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Bulk Delete: from n/a through 1.3.6. | |||||
| CVE-2025-12061 | 2026-01-09 | N/A | 8.6 HIGH | ||
| The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements | |||||
| CVE-2025-11191 | 2026-01-09 | N/A | 5.3 MEDIUM | ||
| The RealPress WordPress plugin before 1.1.0 registers the REST routes without proper permission checks, allowing the creation of pages and sending of emails from the site. | |||||
| CVE-2015-10140 | 1 Connekthq | 1 Ajax Load More | 2026-01-09 | N/A | 8.8 HIGH |
| The Ajax Load More plugin before 2.8.1.2 does not have authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber, to upload and delete arbitrary files. | |||||
| CVE-2025-30881 | 1 Themehunk | 1 Big Store | 2026-01-09 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in ThemeHunk Big Store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Big Store: from n/a through 2.0.8. | |||||
| CVE-2025-30990 | 1 Themehunk | 1 Mega Menu | 2026-01-09 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in ThemeHunk ThemeHunk allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeHunk: from n/a through 1.1.1. | |||||
| CVE-2022-40218 | 1 Themehunk | 1 Advance Product Search | 2026-01-09 | N/A | 6.5 MEDIUM |
| Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin.This issue affects Advance WordPress Search Plugin: from n/a through 1.1.4. | |||||
| CVE-2024-37505 | 1 Rarathemes | 1 Business One Page | 2026-01-09 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Rara Themes Business One Page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business One Page: from n/a through 1.2.9. | |||||
| CVE-2025-9637 | 1 Expresstech | 1 Quiz And Survey Master | 2026-01-09 | N/A | 6.5 MEDIUM |
| The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. This makes it possible for unauthenticated attackers to view the details of unpublished, private, or password-protected quizzes, as well as submit file responses to questions from those quizzes, which allow file upload. | |||||
| CVE-2025-9294 | 1 Expresstech | 1 Quiz And Survey Master | 2026-01-09 | N/A | 4.3 MEDIUM |
| The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results. | |||||
| CVE-2025-5919 | 2026-01-08 | N/A | 6.5 MEDIUM | ||
| The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details. | |||||
| CVE-2025-14371 | 2026-01-08 | N/A | 4.3 MEDIUM | ||
| The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to add or remove taxonomy terms (tags, categories) on any post, including ones they do not own. | |||||
| CVE-2025-13812 | 2026-01-08 | N/A | 4.3 MEDIUM | ||
| The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts. | |||||
| CVE-2025-14034 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
| The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status. | |||||
| CVE-2025-14441 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
| The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records. | |||||
| CVE-2025-39477 | 2026-01-08 | N/A | 9.8 CRITICAL | ||
| Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InWave Jobs: from n/a through 3.5.8. | |||||
| CVE-2025-13766 | 2026-01-08 | N/A | 5.4 MEDIUM | ||
| The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates | |||||
| CVE-2025-12449 | 2026-01-08 | N/A | 5.4 MEDIUM | ||
| The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services. | |||||
| CVE-2025-11877 | 2026-01-08 | N/A | 7.5 HIGH | ||
| The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. | |||||