Skip to main content
CVE-2026-24615 MEDIUM This Month

Cream Magazine versions up to 2.1.10 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to access restricted functionality through misconfigured access control settings. The vulnerability exposes sensitive information with no authentication or user interaction required, affecting all installations running the vulnerable versions. No patch is currently available for this issue.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24613 MEDIUM This Month

Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24612 MEDIUM This Month

Orchid Store versions up to 1.5.15 contain an authorization bypass that allows unauthenticated remote attackers to access sensitive information due to improperly configured access controls. This vulnerability enables unauthorized users to read restricted data without requiring authentication or user interaction. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24607 MEDIUM This Month

Unauthorized access in Travel Monster WordPress plugin versions up to 1.3.3 results from improper access control configuration, allowing unauthenticated attackers to gain limited information disclosure. The vulnerability affects all installations of the affected plugin versions and currently has no available patch.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24606 MEDIUM This Month

The Bayarcash WooCommerce plugin for WordPress (versions up to 4.3.11) contains an authorization bypass that allows unauthenticated attackers to exploit misconfigured access controls and gain unauthorized information disclosure. An attacker can leverage this missing authorization check over the network without authentication to access sensitive data. This vulnerability affects WordPress installations using the vulnerable plugin versions and has a CVSS score of 5.3.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24583 MEDIUM This Month

sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24577 MEDIUM This Month

Genetech Products Pie Register through version 3.8.4.7 contains an authorization bypass that allows unauthenticated remote attackers to access sensitive information due to improperly configured access controls. The vulnerability enables information disclosure without requiring user interaction or special network conditions. No patch is currently available for this medium-severity issue.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24568 MEDIUM This Month

WP Travel plugin versions 11.0.0 and earlier contain an access control bypass that allows unauthenticated remote attackers to view sensitive information due to improperly configured authorization checks. An attacker can exploit this vulnerability to access restricted data without proper credentials. A patch is not currently available for affected WordPress installations.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24556 MEDIUM This Month

Missing authorization controls in ElementCamp plugin versions through 2.3.2 permit unauthenticated attackers to bypass access restrictions and gain unauthorized access to sensitive functionality. The improper access control implementation allows remote exploitation without authentication or user interaction, potentially exposing protected features and data to unauthorized users. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24557 MEDIUM This Month

WEN Solutions Contact Form 7 GetResponse Extension contact-form-7-getresponse-extension contains a security vulnerability (CVSS 5.3).

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24559 MEDIUM This Month

CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot contains a security vulnerability (CVSS 5.4).

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0927 MEDIUM This Month

Unauthenticated attackers can upload arbitrary files through the KiviCare plugin for WordPress versions up to 3.6.15 due to missing authorization checks in the file upload function. This allows adversaries to host malicious content, phishing pages, or other attack payloads on vulnerable sites without authentication. No patch is currently available for this medium-severity vulnerability.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24604 MEDIUM This Month

themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24603 MEDIUM This Month

themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager is affected by missing authorization (CVSS 5.3).

Authentication Bypass Google
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24599 MEDIUM This Month

XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite is affected by authorization bypass through user-controlled key (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24593 MEDIUM This Month

Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin contains a security vulnerability (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24589 MEDIUM This Month

Cargus eCommerce versions 1.5.8 and earlier expose sensitive data in outbound communications due to improper information handling, allowing remote unauthenticated attackers to retrieve embedded sensitive information. The vulnerability requires no user interaction and carries a CVSS score of 5.3, though no patch is currently available.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24562 MEDIUM This Month

The Ryviu product reviews plugin for WordPress versions 3.1.26 and earlier contains an authorization bypass vulnerability that allows unauthenticated attackers to modify data due to improperly configured access controls. This could enable attackers to manipulate product reviews or other protected functionality without proper authentication. No patch is currently available for this vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24539 MEDIUM This Month

ABCdatos Protección de datos – RGPD plugin version 0.68 and earlier contains a missing authorization vulnerability that allows unauthenticated remote attackers to bypass access controls and gain unauthorized information disclosure. The misconfigured access control security levels permit exploitation without authentication or user interaction, affecting all users of the vulnerable plugin versions. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24530 MEDIUM This Month

sheepfish WebP Conversion version 2.1 and earlier contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability affects the webp-conversion component and has a low exploitability score with no patch currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24529 MEDIUM This Month

Alejandro Quick Restaurant Reservations quick-restaurant-reservations is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24525 MEDIUM This Month

CloudPanel CLP Varnish Cache versions 1.0.2 and earlier contain a missing authorization vulnerability that allows unauthenticated remote attackers to modify cache content through improperly configured access controls. This could enable cache poisoning attacks or manipulation of cached responses affecting all users accessing the affected service.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-2204 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tapandsign Technologies Software Inc. Tap&Sign allows Cross-Site Scripting (XSS).This issue affects Tap&Sign: through 23012026. [CVSS 4.7 MEDIUM]

XSS
NVD VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-22986 MEDIUM PATCH This Month

A race condition in the Linux kernel's gpiolib subsystem allows local attackers with privileges to cause a kernel crash by exploiting unprotected access to uninitialized SRCU synchronization structures during concurrent gpiochip driver initialization. An attacker can trigger this vulnerability by causing multiple drivers to call gpiochip_add_data_with_key() simultaneously, resulting in a kernel page fault and denial of service.

Linux Denial Of Service Race Condition
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-22275 MEDIUM This Month

Elastic Cloud Storage versions up to 3.8.1.7 is affected by inclusion of sensitive information in source code (CVSS 4.4).

Information Disclosure Objectscale Elastic Cloud Storage
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-24534 MEDIUM This Month

UPress Booter versions up to 1.5.7 contain an authorization bypass in the booter-bots-crawlers-manager component that allows authenticated users to exploit misconfigured access controls and gain unauthorized administrative capabilities. An attacker with low-privilege credentials could achieve complete compromise of the application, including confidentiality, integrity, and availability violations. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-24541 MEDIUM This Month

Download After Email versions 2.1.9 and earlier contain a missing authorization vulnerability that allows unauthenticated remote attackers to bypass access control restrictions and gain unauthorized access to sensitive functionality. The vulnerability stems from improper validation of user permissions, enabling attackers on the network to read restricted information without authentication. No patch is currently available for this issue.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24564 MEDIUM This Month

Improper HTML tag sanitization in Israpil Textmetrics webtexttool versions up to 3.6.3 enables stored XSS attacks that allow authenticated users with high privileges to inject malicious scripts and compromise data confidentiality and integrity. An attacker with administrative access could inject code through web forms that executes in other users' browsers, potentially leading to session hijacking or credential theft. No patch is currently available for affected industrial deployments.

XSS
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24524 MEDIUM This Month

Essekia Tablesome versions up to 1.1.35.2 contain an authorization bypass vulnerability that allows authenticated attackers to access or modify resources they should not have permission to reach due to misconfigured access controls. The vulnerability requires low attack complexity and network access, potentially exposing sensitive data and allowing unauthorized modifications without authentication bypass. A patch is not currently available, leaving affected users vulnerable to exploitation by authenticated users.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24553 MEDIUM This Month

Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers contains a security vulnerability (CVSS 4.3).

WordPress Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24636 MEDIUM This Month

Improper access control in Sugar Calendar (Lite) through version 3.10.1 enables authenticated users to access calendar data and functionality beyond their authorized permission level. An attacker with valid login credentials can exploit misconfigured access controls to view sensitive information from other users' calendars. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24627 MEDIUM This Month

The Trusona WordPress plugin version 2.0.0 and earlier contains an authorization bypass that allows authenticated attackers to exploit misconfigured access controls and gain unauthorized information disclosure. An attacker with valid WordPress credentials could leverage this vulnerability to access sensitive data they should not have permission to view. No patch is currently available for this vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24580 MEDIUM This Month

Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24579 MEDIUM This Month

WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24578 MEDIUM This Month

Jahid Hasan Admin login URL Change admin-login-url-change is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24571 MEDIUM This Month

Improper access control in BOX NOW Delivery versions up to 3.0.2 enables authenticated attackers to read sensitive information by bypassing authorization checks. An attacker with valid credentials could exploit misconfigured security levels to access data they are not authorized to view, resulting in confidential information disclosure.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24569 MEDIUM This Month

Sully Media Library File Size media-library-file-size is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24567 MEDIUM This Month

briarinc Anything Order by Terms anything-order-by-terms is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24563 MEDIUM This Month

LifePress through version 2.1.3 contains an authorization bypass that allows authenticated users to access resources beyond their assigned permission levels. An attacker with valid credentials can exploit misconfigured access controls to read sensitive information they should not have access to. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24544 MEDIUM This Month

Harmonic Design HD Quiz versions up to 2.0.9 contain an access control vulnerability that allows authenticated users to read sensitive information by exploiting misconfigured security levels. An attacker with valid credentials can bypass authorization checks to access data they should not have permission to view. No patch is currently available for this issue.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24543 MEDIUM This Month

Horea Radu Materialis Companion materialis-companion is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24535 MEDIUM This Month

webdevstudios Automatic Featured Images from Videos automatic-featured-images-from-videos is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24522 MEDIUM This Month

Insufficient access control in MyThemeShop WP Subscribe plugin through version 1.2.16 allows authenticated attackers to bypass authorization checks and gain unauthorized access to sensitive information. An attacker with a user account can exploit misconfigured security levels to view data they should not have permission to access. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24521 MEDIUM This Month

Timur Kamaev Kama Thumbnail kama-thumbnail is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-46699 MEDIUM This Month

Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. [CVSS 4.3 MEDIUM]

Information Disclosure Data Protection Advisor
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24532 MEDIUM This Month

Incorrect access control in SiteLock Security plugin versions up to 5.0.2 for WordPress allows authenticated users to modify content they should not have permission to access. An attacker with login credentials could exploit misconfigured security levels to bypass authorization checks and alter website data. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13921 MEDIUM This Month

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]

WordPress AI / ML PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24605 MEDIUM This Month

Inadequate access control in X Addons for Elementor up to version 1.0.23 permits authenticated users to bypass authorization checks and access restricted functionality. An attacker with valid credentials can exploit misconfigured security levels to gain unauthorized access to sensitive features or data. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24598 MEDIUM This Month

bestwebsoft Multilanguage by BestWebSoft multilanguage is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24588 MEDIUM This Month

Authenticated users can bypass access controls in topdevs Smart Product Viewer through version 1.5.4 to access resources they should not have permission to view. This missing authorization check allows low-privileged attackers to gain unauthorized read access to sensitive information without requiring any user interaction. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 5 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy