Total
7119 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11370 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
| The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings. | |||||
| CVE-2025-13964 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items. | |||||
| CVE-2025-46434 | 2026-01-08 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7. | |||||
| CVE-2025-13493 | 2026-01-08 | N/A | 7.5 HIGH | ||
| The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. This makes it possible for unauthenticated attackers to export complete user details (excluding passwords and sensitive tokens) in CSV format via the 'action' parameter. | |||||
| CVE-2025-14460 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
| The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue. | |||||
| CVE-2025-13419 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
| The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments. | |||||
| CVE-2026-0656 | 2026-01-08 | N/A | 8.2 HIGH | ||
| The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products. | |||||
| CVE-2025-13496 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
| The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value. | |||||
| CVE-2025-13722 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
| The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary forms via the publicly exposed AI builder. | |||||
| CVE-2025-14070 | 2026-01-08 | N/A | 7.5 HIGH | ||
| The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to create arbitrary WooCommerce discount coupons, potentially causing financial loss to the store. | |||||
| CVE-2025-14901 | 2026-01-08 | N/A | 6.5 MEDIUM | ||
| The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only blocks requests when both the nonce verification fails and the user is logged in. This makes it possible for unauthenticated attackers to replay form workflow executions and trigger all configured integrations including webhooks, email notifications, CRM integrations, and automation platforms via the bitforms_trigger_workflow AJAX action granted they can obtain the entry ID and log IDs from a legitimate form submission response. | |||||
| CVE-2025-13529 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
| The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_plugin_downgrade' parameter. | |||||
| CVE-2025-69333 | 2026-01-08 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through 3.8.1.1. | |||||
| CVE-2025-14370 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
| The Quote Comments plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.0. This is due to missing authorization checks in the quotecomments_add_admin function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options via the 'action' parameter. | |||||
| CVE-2025-69344 | 2026-01-08 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in ThemeHunk Oneline Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Oneline Lite: from n/a through 6.6. | |||||
| CVE-2026-22487 | 2026-01-08 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in baqend Speed Kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through 2.0.2. | |||||
| CVE-2025-13679 | 2026-01-08 | N/A | 6.5 MEDIUM | ||
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address. | |||||
| CVE-2026-22517 | 2026-01-08 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through 2.10.0. | |||||
| CVE-2026-22490 | 2026-01-08 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through 2.4.9. | |||||
| CVE-2026-22492 | 2026-01-08 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Nawawi Jamili Docket Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Docket Cache: from n/a through 24.07.04. | |||||