Total
7779 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6966 | 1 Themoneytizer | 1 The Moneytizer | 2026-04-08 | 8.1 High |
| The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.6.3. This makes it possible for authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions. | ||||
| CVE-2023-6959 | 1 Motopress | 1 Getwid | 2026-04-08 | 4.3 Medium |
| The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the recaptcha_api_key_manage function in all versions up to, and including, 2.0.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, modify, or delete the 'Recaptcha Site Key' and 'Recaptcha Secret Key' settings. | ||||
| CVE-2023-6883 | 1 Easysocialfeed | 1 Easy Social Feed | 2026-04-08 | 4.3 Medium |
| The Easy Social Feed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in all versions up to, and including, 6.5.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions, such as modifying the plugin's Facebook and Instagram access tokens and updating group IDs. | ||||
| CVE-2023-6700 | 1 Cookieinformation | 2 Free Gdpr Consent Solution, Wp-gdpr-compliance | 2026-04-08 | 8.8 High |
| The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with subscriber-level access or higher, to edit arbitrary site options which can be used to create administrator accounts. | ||||
| CVE-2023-5506 | 1 Imagemapper Project | 1 Imagemapper | 2026-04-08 | 5.4 Medium |
| The ImageMapper plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'imgmap_delete_area_ajax' function in versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts and pages. | ||||
| CVE-2023-5419 | 1 Funnelforms | 1 Funnelforms | 2026-04-08 | 4.3 Medium |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_test_mail function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to send test emails to an arbitrary email address. | ||||
| CVE-2023-5416 | 1 Funnelforms | 1 Funnelforms | 2026-04-08 | 4.3 Medium |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete categories. | ||||
| CVE-2023-5415 | 1 Funnelforms | 1 Funnelforms | 2026-04-08 | 4.3 Medium |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_add_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to add new categories. | ||||
| CVE-2023-5411 | 1 Funnelforms | 1 Funnelforms | 2026-04-08 | 4.3 Medium |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_save_post function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify certain post values. Note that the extent of modification is limited due to fixed values passed to the wp_update_post function. | ||||
| CVE-2023-5386 | 1 Funnelforms | 1 Funnelforms | 2026-04-08 | 6.5 Medium |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts, including administrator posts, and posts not related to the Funnelforms Free plugin. CVE-2023-5990 appears to be a duplicate of this issue. | ||||
| CVE-2023-5314 | 1 Wpvnteam | 1 Wp Extra | 2026-04-08 | 4.3 Medium |
| The WP EXtra plugin for WordPress is vulnerable to unauthorized access to restricted functionality due to a missing capability check on the 'test-email' section of the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to send emails with arbitrary content to arbitrary locations from the affected site's mail server. | ||||
| CVE-2023-5311 | 1 Wpvnteam | 1 Wp Extra | 2026-04-08 | 8.8 High |
| The WP EXtra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the contents of the .htaccess files located in a site's root directory or /wp-content and /wp-includes folders and achieve remote code execution. CVE-2023-46623 appears to be a duplicate of this issue. | ||||
| CVE-2023-4723 | 1 Webtechstreet | 1 Elementor Addon Elements | 2026-04-08 | 5.3 Medium |
| The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.12.7 via the ajax_eae_post_data function. This can allow unauthenticated attackers to extract sensitive data including post/page ids and titles including those of with pending/draft/future/private status. | ||||
| CVE-2023-4645 | 1 Igorfuna | 1 Ad Inserter | 2026-04-08 | 5.3 Medium |
| The Ad Inserter for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.30 via the ai_ajax function. This can allow unauthenticated attackers to extract sensitive data such as post titles and slugs (including those of protected posts along with their passwords), usernames, available roles, the plugin license key provided the remote debugging option is enabled. In the default state it is disabled. | ||||
| CVE-2023-4469 | 1 Bestwebsoft | 1 Profile Extra Fields | 2026-04-08 | 5.3 Medium |
| The Profile Extra Fields by BestWebSoft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the prflxtrflds_export_file function in versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to expose potentially sensitive user data, including data entered into custom fields. | ||||
| CVE-2023-4282 | 1 Wpdeveloper | 1 Embedpress | 2026-04-08 | 5.4 Medium |
| The EmbedPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'admin_post_remove' and 'remove_private_data' functions in versions up to, and including, 3.8.2. This makes it possible for authenticated attackers with subscriber privileges or above, to delete plugin settings. | ||||
| CVE-2023-3956 | 1 Instawp | 1 Instawp Connect | 2026-04-08 | 9.8 Critical |
| The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user. | ||||
| CVE-2023-3713 | 1 Metagauss | 1 Profilegrid | 2026-04-08 | 8.8 High |
| The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'profile_magic_check_smtp_connection' function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update the site options arbitrarily. This can be used by attackers to achieve privilege escalation. | ||||
| CVE-2023-3244 | 1 Wphappycoders | 1 Comments Like Dislike | 2026-04-08 | 4.3 Medium |
| The Comments Like Dislike plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the restore_settings function called via an AJAX action in versions up to, and including, 1.2.0. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to reset the plugin's settings. NOTE: this issue is was only partially patched in version 1.2.0, as the nonce is still present to subscriber-level users. | ||||
| CVE-2023-3124 | 1 Elementor | 1 Elementor Pro | 2026-04-08 | 8.8 High |
| The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_page_option function in versions up to, and including, 3.11.6. This makes it possible for authenticated attackers with subscriber-level capabilities to update arbitrary site options, which can lead to privilege escalation. | ||||