Total
8300 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1044 | 1 Cusrev | 1 Customer Reviews For Woocommerce | 2026-04-08 | 5.3 Medium |
| The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_review' function in all versions up to, and including, 5.38.12. This makes it possible for unauthenticated attackers to submit reviews with arbitrary email addresses regardless of whether reviews are globally enabled. | ||||
| CVE-2024-9578 | 2 Avovkdesign, Wp Puzzle | 2 Hide Links, Hide Links | 2026-04-08 | 5.3 Medium |
| The Hide Links plugin for WordPress is vulnerable to unauthorized shortcode execution due to do_shortcode being hooked through the comment_text filter in all versions up to and including 1.4.2. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes available on the target site. | ||||
| CVE-2024-12713 | 1 Brainstormforce | 1 Sureforms | 2026-04-08 | 5.3 Medium |
| The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the handle_export_form() function due to a missing capability check. This makes it possible for unauthenticated attackers to export data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2024-11715 | 1 Wpjobportal | 1 Wp Job Portal | 2026-04-08 | 4.8 Medium |
| The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the assignUserRole() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an employer. | ||||
| CVE-2024-12825 | 1 Brechtvds | 1 Custom Related Posts | 2026-04-08 | 5.4 Medium |
| The Custom Related Posts plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on three AJAX actions in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to search posts and link/unlink relations. | ||||
| CVE-2023-6742 | 1 Enviragallery | 1 Envira Gallery | 2026-04-08 | 4.3 Medium |
| The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'envira_gallery_insert_images' function in all versions up to, and including, 1.8.7.1. This makes it possible for authenticated attackers, with contributor access and above, to modify galleries on other users' posts. | ||||
| CVE-2023-4024 | 2 Softlab, Softlabbd | 2 Radio Player, Radio Player | 2026-04-08 | 5.3 Medium |
| The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to delete player instances. | ||||
| CVE-2024-11936 | 1 Mvpthemes | 1 Zox News | 2026-04-08 | 8.8 High |
| The Zox News theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backup_options' and 'restore_options' function in all versions up to, and including, 3.16.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | ||||
| CVE-2024-6709 | 1 Syncpostwithothersite | 1 Sync Post With Other Site | 2026-04-08 | 4.3 Medium |
| The Sync Post With Other Site plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sps_add_update_post' function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new draft posts and update existing posts. | ||||
| CVE-2024-13769 | 1 Themerex | 1 Puzzles | 2026-04-08 | 6.4 Medium |
| The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the 'theme_options_ajax_post_action' AJAX action in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and inject malicious web scripts. The developer opted to remove the software from the repository, so an update is not available and it is recommended to find a replacement software. | ||||
| CVE-2021-4448 | 1 Kaswara Project | 1 Kaswara | 2026-04-08 | 7.3 High |
| The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more. | ||||
| CVE-2024-8552 | 1 Wpchill | 1 Download Monitor | 2026-04-08 | 4.3 Medium |
| The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality. | ||||
| CVE-2024-10216 | 1 Wpusermanager | 1 Wp User Manager | 2026-04-08 | 4.3 Medium |
| The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_sidebar' and 'remove_sidebar' functions in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add or remove a Carbon Fields custom sidebar if the Carbon Fields (carbon-fields) plugin is installed. | ||||
| CVE-2024-13698 | 1 Astoundify | 1 Jobify | 2026-04-08 | 6.5 Medium |
| The Jobify - Job Board WordPress Theme for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'download_image_via_ai' and 'generate_image_via_ai' functions in all versions up to, and including, 4.2.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application to upload files in an image format, and to generate AI images using the site's OpenAI key. | ||||
| CVE-2023-6855 | 1 Strangerstudios | 1 Paid Memberships Pro | 2026-04-08 | 5.3 Medium |
| The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function in all versions up to 2.12.5 (inclusive). This makes it possible for unauthenticated attackers to change membership levels including prices. | ||||
| CVE-2020-36831 | 1 Nextscripts | 1 Social Networks Auto Poster | 2026-04-08 | 5 Medium |
| The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on multiple user privilege/security functions provided in versions up to, and including 4.3.17. This makes it possible for low-privileged attackers, like subscribers, to perform restricted actions that would be otherwise locked to a administrative-level user. | ||||
| CVE-2024-6750 | 1 Wpwebinfotech | 1 Social Auto Poster | 2026-04-08 | 7.3 High |
| The Social Auto Poster plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.3.14. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options. | ||||
| CVE-2024-0452 | 1 Quantumcloud | 1 Ai Chatbot | 2026-04-08 | 5 Medium |
| The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_upload_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload files to a linked OpenAI account. | ||||
| CVE-2024-11844 | 1 Northernbeacheswebsites | 1 Ideapush | 2026-04-08 | 4.3 Medium |
| The IdeaPush plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the idea_push_taxonomy_save_routine function in all versions up to, and including, 8.71. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete terms for the "boards" taxonomy. | ||||
| CVE-2024-11725 | 1 Cozyvision | 1 Sms Alert Order Notifications | 2026-04-08 | 8.8 High |
| The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the updateWcWarrantySettings() function in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Please note this requires the woocommerce-warranty plugin to be installed in order to be exploited. | ||||