Total
8261 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-34898 | 2026-06-16 | 7.5 High | ||
| Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions. | ||||
| CVE-2026-9187 | 2026-06-16 | 5.3 Medium | ||
| The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax. | ||||
| CVE-2026-39533 | 2026-06-16 | 7.5 High | ||
| Unauthenticated Broken Access Control in AWP Classifieds <= 4.4.4 versions. | ||||
| CVE-2026-40743 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2026-06-16 | 6.5 Medium |
| Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions. | ||||
| CVE-2026-42664 | 2026-06-16 | 8.2 High | ||
| Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions. | ||||
| CVE-2026-39490 | 2 Artbees, Wordpress | 2 Jupiter X Core, Wordpress | 2026-06-16 | 7.5 High |
| Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions. | ||||
| CVE-2026-52711 | 2026-06-16 | 7.5 High | ||
| Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions. | ||||
| CVE-2026-6964 | 2026-06-16 | 5.3 Medium | ||
| The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain the site's Zoom SDK API key and a freshly-signed JWT that can be used with the Zoom Web SDK to join any Zoom meeting associated with those credentials without a legitimate invitation. | ||||
| CVE-2026-52714 | 2026-06-16 | 7.5 High | ||
| Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions. | ||||
| CVE-2026-42651 | 2 Mamunur Rashid, Wordpress | 2 Classified Listing, Wordpress | 2026-06-16 | 6.3 Medium |
| Subscriber Broken Access Control in Classified Listing <= 5.3.9 versions. | ||||
| CVE-2026-48709 | 1 Olivetin | 1 Olivetin | 2026-06-16 | 3.7 Low |
| OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0. | ||||
| CVE-2026-40793 | 2 Groundhogg, Wordpress | 2 Groundhogg, Wordpress | 2026-06-16 | 6.5 Medium |
| Subscriber Broken Access Control in Groundhogg < 4.4.1 versions. | ||||
| CVE-2026-42640 | 2 Mamunur Rashid, Wordpress | 2 Classified Listing, Wordpress | 2026-06-16 | 6.5 Medium |
| Unauthenticated Broken Access Control in Classified Listing <= 5.3.8 versions. | ||||
| CVE-2026-42659 | 2 Nasirahmed, Wordpress | 2 Advanced Form Integration, Wordpress | 2026-06-16 | 6.5 Medium |
| Subscriber Broken Access Control in Advanced Form Integration <= 1.126.12 versions. | ||||
| CVE-2026-48881 | 2 Themetechmount, Wordpress | 2 Truebooker, Wordpress | 2026-06-16 | 9.1 Critical |
| Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions. | ||||
| CVE-2026-49065 | 2 Hippooo, Wordpress | 2 Hippoo Mobile App For Woocommerce, Wordpress | 2026-06-16 | 8.2 High |
| Unauthenticated Broken Access Control in Hippoo Mobile App for WooCommerce <= 1.9.5 versions. | ||||
| CVE-2026-34886 | 2 Wordpress, Wp.insider | 2 Wordpress, Simple Membership | 2026-06-16 | 7.5 High |
| Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions. | ||||
| CVE-2026-40782 | 2 Greg Winiarski, Wordpress | 2 Wpadverts, Wordpress | 2026-06-16 | 6.5 Medium |
| Unauthenticated Broken Access Control in WPAdverts <= 2.3.0 versions. | ||||
| CVE-2026-40788 | 2 Quantumcloud, Wordpress | 2 Chatbot, Wordpress | 2026-06-16 | 7.1 High |
| Subscriber Broken Access Control in ChatBot <= 7.9.7 versions. | ||||
| CVE-2026-40794 | 2 Mycred, Wordpress | 2 Mycred, Wordpress | 2026-06-16 | 6.5 Medium |
| Subscriber Broken Access Control in myCred <= 3.0.3 versions. | ||||