Total
8286 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10054 | 3 Elextensions, Elula, Wordpress | 3 Elex Wordpress Plugin, Wsdesk, Wordpress | 2026-04-08 | 4.3 Medium |
| The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role. | ||||
| CVE-2015-10143 | 2 Pagelines, Wordpress | 3 Platform, Platform Theme, Wordpress | 2026-04-08 | 9.8 Critical |
| The Platform theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the *_ajax_save_options() function in all versions up to 1.4.4 (exclusive). This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | ||||
| CVE-2024-9697 | 1 Wpsocialrocket | 1 Social Rocket | 2026-04-08 | 5.3 Medium |
| The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tweet_settings_save() and tweet_settings_update() functions in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. | ||||
| CVE-2024-8513 | 1 Quarka | 1 Qa Analytics | 2026-04-08 | 5.3 Medium |
| The QA Analytics – Web Analytics Tool with Heatmaps & Session Replay Across All Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_save_plugin_config() function in all versions up to, and including, 4.1.1.1. This makes it possible for unauthenticated attackers to update the plugin's settings. | ||||
| CVE-2024-7380 | 1 Infinitumform | 1 Geo Controller | 2026-04-08 | 4.3 Medium |
| The Geo Controller plugin for WordPress is vulnerable to unauthorized menu creation/deletion due to missing capability checks on the ajax__geolocate_menu and ajax__geolocate_remove_menu functions in all versions up to, and including, 8.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete WordPress menus. | ||||
| CVE-2024-10393 | 1 Themeum | 1 Tutor Lms | 2026-04-08 | 5.3 Medium |
| The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled. | ||||
| CVE-2024-6392 | 1 Sirv | 1 Sirv | 2026-04-08 | 5.4 Medium |
| The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized plugin settings modification due to missing capability checks on the plugin functions in all versions up to, and including, 7.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the connected Sirv account to an attacker-controlled one. | ||||
| CVE-2024-6332 | 1 Tmsproducts | 1 Amelia | 2026-04-08 | 6.5 Medium |
| The Booking for Appointments and Events Calendar – Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function in all versions up to, and including, Premium 7.7 and Lite 1.2.4. This makes it possible for unauthenticated attackers to access employee calendar details, including Google Calendar OAuth tokens in the premium version. | ||||
| CVE-2024-6328 | 2 Fluxbuilder, Inspireui | 2 Mstore Api, Mstore Api | 2026-04-08 | 9.8 Critical |
| The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the 'phone' parameter of the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address or phone number. Additionally, if a new email address is supplied, a new user account is created with the default role, even if registration is disabled. | ||||
| CVE-2024-6088 | 1 Thimpress | 1 Learnpress | 2026-04-08 | 5.3 Medium |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user registration to create a new account with the default role. | ||||
| CVE-2024-6033 | 1 Themewinter | 1 Eventin | 2026-04-08 | 4.3 Medium |
| The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the 'import_file' function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data. | ||||
| CVE-2024-5703 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2026-04-08 | 4.3 Medium |
| The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized API access due to a missing capability check in all versions up to, and including, 5.7.26. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access the API (provided it is enabled) and add, edit, and delete audience users. | ||||
| CVE-2024-5489 | 1 Wbcomdesigns | 1 Custom Font Uploader | 2026-04-08 | 4.3 Medium |
| The Wbcom Designs – Custom Font Uploader plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cfu_delete_customfont' function in all versions up to, and including, 2.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete any custom font. | ||||
| CVE-2024-5459 | 1 Fivestarplugins | 1 Five Star Restaurant Menu | 2026-04-08 | 4.3 Medium |
| The Restaurant Menu and Food Ordering plugin for WordPress is vulnerable to unauthorized creation of data due to a missing capability check on 'add_section', 'add_menu', 'add_menu_item', and 'add_menu_page' functions in all versions up to, and including, 2.4.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create menu sections, menus, food items, and new menu pages. | ||||
| CVE-2024-5324 | 1 Xootix | 4 Login\/signup Popup, Otp Login Woocommerce \& Gravity Forms, Side Cart Woocommerce and 1 more | 2026-04-08 | 8.8 High |
| Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator. | ||||
| CVE-2024-4858 | 2 Uapp, Uapp Group | 2 Testimonial Carousel For Elementor, Testimonial Carousel For Elementor | 2026-04-08 | 5.3 Medium |
| The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_testimonials_option_callback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated attackers to update the OpenAI API key, disabling the feature. | ||||
| CVE-2024-4788 | 1 Woostify | 1 Boostify Header Footer Builder For Elementor | 2026-04-08 | 4.3 Medium |
| The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_bhf_post function in all versions up to, and including, 1.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages or posts with arbitrary content. | ||||
| CVE-2024-4661 | 1 Webfactoryltd | 1 Wp Reset | 2026-04-08 | 4.3 Medium |
| The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the value fo the 'License Key' field for the 'Activate Pro License' setting. | ||||
| CVE-2024-4450 | 1 Ali2woo | 1 Aliexpress Dropshipping With Alinext | 2026-04-08 | 6.3 Medium |
| The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions like importing and modifying products. CVE-2024-37210 is likely a duplicate of this issue. | ||||
| CVE-2024-4422 | 1 Comparisonslider | 1 Comparison Slider | 2026-04-08 | 6.4 Medium |
| The Comparison Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider title parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||