Skip to main content
CVE-2026-2386 MEDIUM This Month

The Plus Addons for Elementor plugin for WordPress fails to validate post-type-specific permissions in its AJAX handler, allowing authenticated authors and above to create draft posts for restricted post types like pages and custom post types. An attacker with author-level access can bypass capability checks by directly specifying arbitrary post types, potentially enabling unauthorized content creation or manipulation of restricted content areas.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12071 MEDIUM This Month

Frontend User Notes (WordPress plugin) versions up to 2.1.0 is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1640 MEDIUM This Month

The Taskbuilder WordPress plugin through version 5.0.2 fails to properly authorize AJAX comment submission functions, allowing authenticated subscribers to post comments on any project or task regardless of access permissions. Attackers can exploit this to comment on private projects they cannot view and inject malicious HTML/CSS through unsanitized input parameters.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12356 MEDIUM This Month

The Tickera - Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2230 MEDIUM This Month

The Booking Calendar plugin for WordPress through version 10.14.14 contains an insecure direct object reference in the handle_ajax_save function that fails to validate user-controlled input, allowing authenticated subscribers and above with booking permissions to modify other users' plugin settings and disrupt their booking calendar functionality. This vulnerability requires valid WordPress credentials but poses a direct threat to multi-user WordPress installations where booking functionality is delegated across accounts.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2023 MEDIUM This Month

The WP Plugin Info Card plugin for WordPress versions up to 6.2.0 contains a cross-site request forgery vulnerability in its AJAX handler due to disabled nonce validation, allowing unauthenticated attackers to create or modify custom plugin entries if a site administrator can be tricked into clicking a malicious link. An attacker could leverage this to inject arbitrary plugin configurations that could be used for further compromise of the WordPress installation. No patch is currently available.

WordPress CSRF
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1072 MEDIUM This Month

Keybase.io Verification (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1655 MEDIUM This Month

Authenticated users can modify WordPress posts in the EventPrime plugin (versions up to 4.2.8.4) due to missing authorization validation in the event submission function, allowing customer-level attackers to alter administrator-created events by manipulating post identifiers if they possess a valid nonce. The vulnerability requires user authentication and does not enable unauthorized access but permits unauthorized modification of existing content.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2112 MEDIUM This Month

Unauthenticated attackers can delete all pending comments in WordPress sites running the Dam Spam plugin up to version 1.0.8 by exploiting missing CSRF protections, requiring only that an administrator be tricked into clicking a malicious link. An attacker with this capability can disrupt comment moderation workflows and potentially suppress legitimate user feedback. No patch is currently available for this vulnerability.

WordPress CSRF
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1860 MEDIUM This Month

The Kali Forms WordPress plugin through version 2.4.8 allows authenticated contributors and higher-privileged users to read sensitive form data of other users via insecure direct object reference on the REST API, exposing form configurations, reCAPTCHA keys, email templates, and server paths. The vulnerability stems from insufficient permission validation that only checks for the generic `edit_posts` capability rather than verifying ownership of specific form resources. Attackers can exploit this through form ID enumeration without requiring any interaction or elevated privileges beyond basic authenticated access.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy