Total
6979 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-27396 | 2026-03-05 | N/A | ||
| Missing Authorization vulnerability in e-plugins Directory Pro directory-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directory Pro: from n/a through <= 2.5.6. | ||||
| CVE-2026-27388 | 2026-03-05 | N/A | ||
| Missing Authorization vulnerability in designthemes DesignThemes Booking Manager designthemes-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes Booking Manager: from n/a through <= 2.0. | ||||
| CVE-2026-27386 | 2026-03-05 | N/A | ||
| Missing Authorization vulnerability in designthemes DesignThemes Directory Addon designthemes-directory-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes Directory Addon: from n/a through <= 1.8. | ||||
| CVE-2026-27374 | 2026-03-05 | N/A | ||
| Missing Authorization vulnerability in vanquish WooCommerce Order Details woocommerce-order-details allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Order Details: from n/a through <= 3.1. | ||||
| CVE-2026-27362 | 2026-03-05 | N/A | ||
| Missing Authorization vulnerability in kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Bakery Autoresponder Addon: from n/a through <= 1.0.6. | ||||
| CVE-2026-27361 | 2026-03-05 | N/A | ||
| Missing Authorization vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1. | ||||
| CVE-2026-27344 | 2026-03-05 | N/A | ||
| Missing Authorization vulnerability in inseriswiss inseri core inseri-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects inseri core: from n/a through <= 1.0.5. | ||||
| CVE-2026-23799 | 2026-03-05 | N/A | ||
| Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.5. | ||||
| CVE-2026-22479 | 2026-03-05 | N/A | ||
| Missing Authorization vulnerability in ThemeRuby Easy Post Submission easy-post-submission allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Post Submission: from n/a through <= 2.2.0. | ||||
| CVE-2026-22459 | 2026-03-05 | N/A | ||
| Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a through <= 1.7.4. | ||||
| CVE-2026-28557 | 2 Gvectors, Wordpress | 2 Wpforo Forum, Wordpress | 2026-03-05 | 6.5 Medium |
| wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers access the usergroups admin page, accessible to any authenticated user, to obtain a nonce, then remap all wpForo usergroups to arbitrary WordPress roles. | ||||
| CVE-2026-28556 | 2 Gvectors, Wordpress | 2 Wpforo Forum, Wordpress | 2026-03-05 | 5.4 Medium |
| wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without moderator permissions, including relocating topics to private forums. | ||||
| CVE-2026-28555 | 2 Gvectors, Wordpress | 2 Wpforo Forum, Wordpress | 2026-03-05 | 4.3 Medium |
| wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions. | ||||
| CVE-2026-27181 | 2 Mjdm, Sergejey | 2 Majordomo, Majordomo | 2026-03-05 | 7.5 High |
| MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin() method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without authentication via the /objects/?module=market endpoint. The uninstall mode handler calls uninstallPlugin(), which deletes module records from the database, executes the module's uninstall() method via eval(), recursively deletes the module's directory and template files using removeTree(), and removes associated cycle scripts. An attacker can iterate through module names and wipe the entire MajorDoMo installation with a series of unauthenticated GET requests. | ||||
| CVE-2025-34171 | 1 Icewhale | 1 Casaos | 2026-03-05 | 5.3 Medium |
| CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host. | ||||
| CVE-2021-47812 | 1 Getgrav | 2 Grav, Grav Cms | 2026-03-05 | 9.8 Critical |
| GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution. | ||||
| CVE-2026-3193 | 1 Chia | 1 Blockchain | 2026-03-05 | 3.1 Low |
| A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. The manipulation results in cross-site request forgery. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design. The user is responsible for host security". | ||||
| CVE-2025-13734 | 1 Ibm | 1 Engineering Requirements Management Doors Next | 2026-03-04 | 5.4 Medium |
| IBM Engineering Requirements Management DOORS Next 7.1, and 7.2 could allow an authenticated user to view and edit data beyond their authorized access permissions. | ||||
| CVE-2026-3056 | 2 Seraphinitesolutions, Wordpress | 2 Seraphinite Accelerator, Wordpress | 2026-03-04 | 4.3 Medium |
| The Seraphinite Accelerator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `seraph_accel_api` AJAX action with `fn=LogClear` in all versions up to, and including, 2.28.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's debug/operational logs. | ||||
| CVE-2026-2732 | 2 Shortpixel, Wordpress | 2 Enable Media Replace, Wordpress | 2026-03-04 | 5.4 Medium |
| The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versions up to, and including, 4.1.7. This makes it possible for authenticated attackers, with Author-level access and above, to replace any attachment with a removed background attachment. | ||||