Total
7779 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-2448 | 1 Userproplugin | 1 Userpro | 2026-04-08 | 6.5 Medium |
| The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userpro_shortcode_template' function in versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to arbitrary shortcode execution. An attacker can leverage CVE-2023-2446 to get sensitive information via shortcode. | ||||
| CVE-2023-2434 | 1 Kylephillips | 1 Nested Pages | 2026-04-08 | 3.8 Low |
| The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'reset' function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings. | ||||
| CVE-2023-2414 | 1 Vcita | 1 Online Booking \& Scheduling Calendar | 2026-04-08 | 5.4 Medium |
| The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_save_settings_callback function in versions up to, and including, 4.4.6. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to modify the plugins settings, upload arbitrary files, and inject malicious JavaScript (before 4.3.2). | ||||
| CVE-2023-2353 | 1 Sureshchand | 1 Chp Ads Block Detector | 2026-04-08 | 4.3 Medium |
| The CHP Ads Block Detector plugin for WordPress is vulnerable to unauthorized plugin settings update and reset due to a missing capability check on the chp_abd_action function in versions up to, and including, 3.9.4. This makes it possible for subscriber-level attackers to change or reset plugin settings. CVE-2023-36509 appears to be a duplicate of this issue. | ||||
| CVE-2023-2351 | 1 Wpdirectorykit | 1 Wp Directory Kit | 2026-04-08 | 6.5 Medium |
| The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajax_admin' function in versions up to, and including, 1.2.3. This makes it possible for authenticated attackers with subscriber-level permissions or above to delete or change plugin settings, import demo data, delete Directory Kit related posts and terms, and install arbitrary plugins. A partial patch was introduced in version 1.2.0. | ||||
| CVE-2023-2299 | 1 Vcita | 1 Online Booking \& Scheduling Calendar | 2026-04-08 | 5.3 Medium |
| The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized medication of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.4.2 due to a missing capability check on the processAction function. This makes it possible for unauthenticated attackers modify the plugin's settings. | ||||
| CVE-2023-2189 | 1 Staxwp | 1 Stax | 2026-04-08 | 4.3 Medium |
| The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggle_widget function in versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to enable or disable Elementor widgets. | ||||
| CVE-2023-2174 | 1 Badgeos | 1 Badgeos | 2026-04-08 | 4.3 Medium |
| The BadgeOS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_badgeos_log_entries function in versions up to, and including, 3.7.1.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the plugin's log entries. | ||||
| CVE-2023-2086 | 1 Wpdeveloper | 1 Essential Blocks | 2026-04-08 | 4.3 Medium |
| The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the template_count function in versions up to, and including, 4.0.6. This makes it possible for subscriber-level attackers to obtain plugin template information. While a nonce check is present, it is only executed when a nonce is provided. Not providing a nonce results in the nonce verification to be skipped. There is no capability check. | ||||
| CVE-2023-1928 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2026-04-08 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the wpfc_preload_single_callback function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to initiate cache creation. | ||||
| CVE-2023-1868 | 1 Plugin | 1 Yourchannel | 2026-04-08 | 6.5 Medium |
| The YourChannel plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check when clearing the plugin cache via the yrc_clear_cache GET parameter in versions up to, and including, 1.2.3. This makes it possible for unauthenticated attackers to clear the plugin's cache. | ||||
| CVE-2023-1865 | 1 Plugin | 1 Yourchannel | 2026-04-08 | 6.5 Medium |
| The YourChannel plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check when resetting plugin settings via the yrc_nuke GET parameter in versions up to, and including, 1.2.3. This makes it possible for unauthenticated attackers to delete YouTube channels from the plugin. | ||||
| CVE-2023-1027 | 1 Joomunited | 1 Wp Meta Seo | 2026-04-08 | 4.3 Medium |
| The WP Meta SEO plugin for WordPress is vulnerable to unauthorized sitemap generation due to a missing capability check on the checkAllCategoryInSitemap function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to obtain post categories. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role. | ||||
| CVE-2023-1026 | 1 Joomunited | 1 Wp Meta Seo | 2026-04-08 | 4.3 Medium |
| The WP Meta SEO plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the listPostsCategory function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to get post listings by category as long as those posts are published. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role. | ||||
| CVE-2023-1024 | 1 Joomunited | 1 Wp Meta Seo | 2026-04-08 | 4.3 Medium |
| The WP Meta SEO plugin for WordPress is vulnerable to unauthorized sitemap generation due to a missing capability check on the regenerateSitemaps function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to generate sitemaps. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role. | ||||
| CVE-2023-1023 | 1 Joomunited | 1 Wp Meta Seo | 2026-04-08 | 5.4 Medium |
| The WP Meta SEO plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the saveSitemapSettings function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to change sitemap-related settings of the plugin. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role. | ||||
| CVE-2023-1022 | 1 Joomunited | 1 Wp Meta Seo | 2026-04-08 | 5.4 Medium |
| The WP Meta SEO plugin for WordPress is vulnerable to unauthorized options update due to a missing capability check on the wpmsGGSaveInformation function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to update google analytics options maintained by the plugin. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role. | ||||
| CVE-2023-0993 | 1 Getshieldsecurity | 1 Shield Security | 2026-04-08 | 4.3 Medium |
| The Shield Security plugin for WordPress is vulnerable to Missing Authorization on the 'theme-plugin-file' AJAX action in versions up to, and including, 17.0.17. This allows authenticated attackers to add arbitrary audit log entries indicating that a theme or plugin has been edited, and is also a vector for Cross-Site Scripting via CVE-2023-0992. | ||||
| CVE-2023-0720 | 1 Wickedplugins | 1 Wicked Folders | 2026-04-08 | 5.4 Medium |
| The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_folder_order function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin. | ||||
| CVE-2023-0719 | 1 Wickedplugins | 1 Wicked Folders | 2026-04-08 | 5.4 Medium |
| The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_sort_order function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin. | ||||