Total
8121 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-7050 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to read form submission records, modify form configuration options, and delete records belonging to any form they do not own. | |||||
| CVE-2026-6964 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain the site's Zoom SDK API key and a freshly-signed JWT that can be used with the Zoom Web SDK to join any Zoom meeting associated with those credentials without a legitimate invitation. | |||||
| CVE-2026-6963 | 2026-06-17 | N/A | 8.8 HIGH | ||
| The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update SMTP settings and redirect mail which can be used for privilege escalation by triggering a password reset email and using that to access and administrator's account. | |||||
| CVE-2026-6937 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointments REST API endpoint. This makes it possible for unauthenticated attackers to modify arbitrary appointment records including customer PII, payment status, and meeting URL fields, and to expose full customer PII from existing appointment records via the bulk endpoint response. The public nonce is a static, user-independent value present in the HTML source of any page hosting the [ssa_booking] shortcode, meaning any visitor who has viewed such a page can obtain it and target any appointment in the system without authentication. | |||||
| CVE-2026-6883 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 2.6 LOW |
| GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy records. | |||||
| CVE-2026-6834 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| The a+HRD developed by aEnrich has a Missing Authorization vulnerability, allowing authenticated remote attackers to arbitrarily read database contents through a specific API method. | |||||
| CVE-2026-6709 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the save_settings() function, which is registered on the admin_post_cccf7_save_settings hook. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's Coinbase Commerce API key option (cccf7_api_key) via a crafted POST request to /wp-admin/admin-post. | |||||
| CVE-2026-6708 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.3. This is due to a missing capability check on a REST API endpoint registered with a permission_callback of '__return_true', which bypasses all WordPress authentication and authorization checks. This makes it possible for unauthenticated attackers to delete any classroom record by supplying its ID in the request, resulting in permanent data loss. | |||||
| CVE-2026-6706 | 1 Devolutions | 1 Devolutions Server | 2026-06-17 | N/A | 6.5 MEDIUM |
| Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0. | |||||
| CVE-2026-6703 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify global site-wide plugin configuration options, including toggling custom CSS, disabling blocks, changing layout defaults such as content width, container padding, and container gap, and altering auto-block-recovery behavior. | |||||
| CVE-2026-6667 | 1 Pgbouncer | 1 Pgbouncer | 2026-06-17 | N/A | 4.3 MEDIUM |
| PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter. | |||||
| CVE-2026-6663 | 2026-06-17 | N/A | 4.8 MEDIUM | ||
| The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints (gwd-backup.php and gwd-logs.php) not verifying authentication when the API key has not been configured, which is the default state. This makes it possible for unauthenticated attackers - on unregistered installations only, in certain environments - to execute arbitrary code on the server via the update_agent action, which writes attacker-supplied PHP code to the agent file. | |||||
| CVE-2026-6589 | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A security vulnerability has been detected in ComfyUI up to 0.13.0. This affects the function create_origin_only_middleware of the file server.py. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-6512 | 2026-06-17 | N/A | 9.1 CRITICAL | ||
| The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, products, or orders, mass-delete all comments on any post, and change any post's status. | |||||
| CVE-2026-6510 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler. This makes it possible for unauthenticated attackers to create a malicious automation recipe that pairs an HTTP post trigger with an auto-login action, allowing any unauthenticated visitor to visit a crafted URL and receive authentication cookies for any targeted user account (e.g., administrator), achieving complete authentication bypass and privilege escalation. | |||||
| CVE-2026-6506 | 2026-06-17 | N/A | 8.8 HIGH | ||
| The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privileges. | |||||
| CVE-2026-6472 | 1 Postgresql | 1 Postgresql | 2026-06-17 | N/A | 5.4 MEDIUM |
| Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. | |||||
| CVE-2026-6441 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions() function, which is exposed via two AJAX hooks: wp_ajax_updateOptions (class-canto.php line 231) and wp_ajax_fbc_updateOptions (class-canto-settings.php line 76). Both hooks are registered exclusively under the wp_ajax_ prefix (requiring only a logged-in user), with no call to current_user_can() or check_ajax_referer(). This makes it possible for authenticated attackers with subscriber-level access and above to arbitrarily modify or delete plugin options controlling cron scheduling behavior (fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start) and to manipulate or clear the plugin's scheduled WordPress cron event (fbc_scheduled_update). | |||||
| CVE-2026-6393 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site's configured API key with arbitrary user-controlled prompts, leading to unauthorized consumption of the site owner's paid AI API quota. | |||||
| CVE-2026-6372 | 2026-06-17 | N/A | 7.5 HIGH | ||
| Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accept Cryptocurrencies with Plisio: from n/a through 2.0.5. | |||||