Total
8300 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-9531 | 1 Multivendorx | 1 Multivendorx | 2026-04-08 | 4.3 Medium |
| The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvx_sent_deactivation_request' function in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send a canned email to the site's administrator asking to delete the profile of an arbitrary vendor. | ||||
| CVE-2024-13800 | 1 Convertplug | 1 Convertplus | 2026-04-08 | 8.1 High |
| The ConvertPlus plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cp_dismiss_notice' AJAX endpoint in all versions up to, and including, 3.5.30. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to '1' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration. | ||||
| CVE-2024-13229 | 1 Rankmath | 1 Seo | 2026-04-08 | 4.3 Medium |
| The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the update_metadata() function in all versions up to, and including, 1.0.235. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete any schema metadata assigned to any post. | ||||
| CVE-2024-0828 | 1 Hammadh | 1 Play.ht | 2026-04-08 | 5.4 Medium |
| The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with subscriber access or higher, to delete, retrieve, or modify post metadata, retrieve posts contents of protected posts, modify conversion data and delete article audio. | ||||
| CVE-2024-6987 | 1 Themebeez | 1 Orchid Store | 2026-04-08 | 4.3 Medium |
| The Orchid Store theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'orchid_store_activate_plugin' function in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate the Addonify Floating Cart For WooCommerce plugin if it is installed. | ||||
| CVE-2023-5714 | 1 Bowo | 1 System Dashboard | 2026-04-08 | 4.3 Medium |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve data key specs. | ||||
| CVE-2023-0556 | 1 Contentstudio | 1 Contentstudio | 2026-04-08 | 9.8 Critical |
| The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to obtain the blog metadata (via the function cstu_get_metadata) that includes the plugin's contentstudio_token. Knowing this token allows for other interactions with the plugin such as creating posts in versions prior to 1.2.5, which added other requirements to posting and updating. | ||||
| CVE-2024-10535 | 1 Martinvalchev | 1 Video Gallery For Woocommerce | 2026-04-08 | 5.3 Medium |
| The Video Gallery for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the remove_unused_thumbnails() function in all versions up to, and including, 1.31. This makes it possible for unauthenticated attackers to delete thumbnails in the video-wc-gallery-thumb directory. | ||||
| CVE-2024-1763 | 1 Wpmet | 1 Wp Social Login And Register Social Counter | 2026-04-08 | 6.5 Medium |
| The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp_social/v1/ REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to enable and disable certain providers for the social share and login features. | ||||
| CVE-2024-13335 | 1 Templatescoder | 1 Spexo Addons For Elementor | 2026-04-08 | 4.3 Medium |
| The Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the tmpcoder_theme_install_func() function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install a theme. | ||||
| CVE-2023-6600 | 1 Daan | 1 Omgf | 2026-04-08 | 8.6 High |
| The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9. This makes it possible for unauthenticated attackers to update the plugin's settings which can be used to inject Cross-Site Scripting payloads and delete entire directories. PLease note there were several attempted patched, and we consider 5.7.10 to be the most sufficiently patched. | ||||
| CVE-2024-10520 | 1 Wedevs | 2 Wp Project Manager, Wp Project Manager Task Team And Project Management Plugin Featuring Kanban Board And Gantt Charts | 2026-04-08 | 5.3 Medium |
| The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes in version 2.6.14. This makes it possible for unauthenticated attackers to create milestones, create task lists, create tasks, or delete tasks in any project. NOTE: Version 2.6.14 implemented a partial fix for this vulnerability. | ||||
| CVE-2024-7888 | 1 Radiustheme | 1 Classified Listing | 2026-04-08 | 6.3 Medium |
| The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings. | ||||
| CVE-2023-6369 | 1 Myrecorp | 1 Export Wp Page To Static Html\/css | 2026-04-08 | 5.4 Medium |
| The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 2.1.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to disclose sensitive information or perform unauthorized actions, such as saving advanced plugin settings. | ||||
| CVE-2024-11134 | 2 Imithemes, Wordpress | 2 Eventer, Wordpress | 2026-04-08 | 4.3 Medium |
| The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'eventer_export_bookings_csv' function in all versions up to, and including, 3.9.9. This makes it possible for authenticated attackers with subscriber-level permissions or above, to download bookings, which contains customers' personal data. | ||||
| CVE-2023-6733 | 1 Butlerblog | 1 Wp-members | 2026-04-08 | 6.5 Medium |
| The WP-Members Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.8 via the wpmem_field shortcode. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including user emails, password hashes, usernames, and more. | ||||
| CVE-2024-13439 | 1 Techlabpro | 1 Team | 2026-04-08 | 4.3 Medium |
| The Team – Team Members Showcase Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up to, and including, 4.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. | ||||
| CVE-2024-1653 | 1 Frenify | 1 Categorify | 2026-04-08 | 4.3 Medium |
| The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxUpdateFolderPosition in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the folder position of categories as well as update the metadata of other taxonomies. | ||||
| CVE-2024-12611 | 1 Dasinfomedia | 1 School Management System | 2026-04-08 | 5.3 Medium |
| The School Management System for Wordpress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 93.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-5861 | 1 Wpeasypay | 1 Wp Easypay | 2026-04-08 | 5.3 Medium |
| The WP EasyPay – Square for WordPress plugin for WordPress is vulnerable to unauthorized modification of datadue to a missing capability check on the wpep_square_disconnect() function in all versions up to, and including, 4.2.3. This makes it possible for unauthenticated attackers to disconnect square. | ||||