Skip to main content
CVE-2026-25428 MEDIUM This Month

Server-Side Request Forgery in totalsoft TS Poll versions 2.5.5 and earlier enables authenticated attackers with high privileges to make arbitrary network requests from the affected server. While this MEDIUM severity vulnerability (CVSS 4.4) requires high-privilege credentials and difficult exploitation conditions, it could facilitate reconnaissance or attacks against internal resources. No patch is currently available.

SSRF
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1055 MEDIUM This Month

Stored XSS in the TalkJS WordPress plugin through version 0.1.15 permits high-privilege administrators to inject malicious scripts into admin settings that execute for all users viewing affected pages, restricted to multisite installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's settings handling. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2282 MEDIUM This Month

Stored XSS in WordPress Slidorion plugin through version 1.0.2 allows administrators to inject malicious scripts via insufficiently sanitized settings that execute when other users view affected pages. The vulnerability requires high privileges and only manifests in multisite WordPress installations or those with unfiltered HTML disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2817 MEDIUM This Month

Spring Data Geode's snapshot import functionality uses predictable temporary directories with overly permissive permissions, allowing local users on shared systems to read cache data belonging to other users. An attacker with basic local privileges can access and extract snapshot contents without authorization, compromising the confidentiality of sensitive cached information. No patch is currently available for this medium-severity vulnerability.

Spring Red Hat
NVD HeroDevs
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-25738 MEDIUM PATCH This Month

Indico versions before 3.3.10 allow authenticated event organizers to conduct server-side request forgery attacks by providing arbitrary URLs that the application will access, potentially exposing internal services and cloud metadata endpoints. An attacker with event organizer privileges can leverage this to retrieve sensitive data from localhost or cloud infrastructure endpoints that lack authentication controls. The vulnerability affects deployments on cloud platforms like AWS where metadata services are accessible; administrators should upgrade to version 3.3.10 to remediate.

Golang Flask SSRF Indico
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-25420 MEDIUM This Month

MailerLite MailerLite official-mailerlite-sign-up-forms is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25399 MEDIUM This Month

CryoutCreations Serious Slider cryout-serious-slider is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25375 MEDIUM This Month

WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite is affected by missing authorization (CVSS 4.3).

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13091 MEDIUM This Month

The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2504 MEDIUM This Month

The Dealia - Request a quote WordPress plugin fails to properly validate user permissions on AJAX endpoints, allowing authenticated users with Contributor-level access or higher to reset plugin configuration by exploiting an exposed admin nonce. An attacker with basic edit_posts capability can bypass the capability check and modify critical plugin settings without administrative privileges. The vulnerability affects all versions up to 1.0.6 and currently has no available patch.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23621 MEDIUM This Month

GFI MailEssentials AI versions prior to 22.4 allow authenticated users to enumerate arbitrary directories on the server through the ListServer.IsPathExist() web method, which fails to validate filesystem paths before checking their existence. An attacker with valid credentials can exploit this information disclosure vulnerability to map the server's directory structure and identify sensitive locations. No patch is currently available for this vulnerability.

RCE Mailessentials
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23620 MEDIUM This Month

GFI MailEssentials AI versions before 22.4 expose a file enumeration vulnerability in the ListServer.IsDBExist() web method that allows authenticated users to probe arbitrary filesystem paths and determine file existence on the server. An attacker can exploit this by submitting unrestricted paths via the JSON "path" parameter, which are processed without validation, disclosing sensitive information about the server's filesystem structure. No patch is currently available for this vulnerability.

RCE Mailessentials
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25008 MEDIUM This Month

Ninja Tables plugin through version 5.2.5 inadvertently exposes sensitive data in outbound communications, allowing authenticated users to retrieve embedded sensitive information. This authenticated vulnerability affects all installations of the affected versions, though exploitation requires valid user credentials. No patch is currently available.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14864 MEDIUM This Month

The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site's Virusdie API key, which could be used to access the site owner's Virusdie account and potentially compromis...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12081 MEDIUM This Month

The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27327 MEDIUM This Month

Authenticated users can modify email configurations in YayMail for WooCommerce through version 4.3.2 due to missing authorization checks on access control settings. An attacker with low-level WordPress user privileges could alter email templates or settings without proper permissions. No patch is currently available for this vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27472 MEDIUM This Month

SPIP versions prior to 4.4.9 contain a blind server-side request forgery vulnerability in the syndication feature that allows authenticated users to manipulate the application into making arbitrary network requests to internal or external systems. An attacker with valid credentials can exploit this by crafting malicious syndication URLs during site editing, bypassing the security filter mechanisms. No patch is currently available for this vulnerability.

SSRF Spip
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27056 MEDIUM This Month

Improper access control in StellarWP iThemes Sync through version 3.2.8 allows authenticated attackers to modify data they should not have permission to access. An attacker with valid login credentials could exploit misconfigured authorization checks to perform unauthorized modifications within the plugin. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27055 MEDIUM This Month

Penci AI SmartContent Creator version 2.0 and earlier contains an authorization bypass vulnerability that allows authenticated users to perform unauthorized actions due to improperly configured access controls. An attacker with valid credentials could exploit this to modify data or functionality they should not have access to. No patch is currently available for this issue.

Authentication Bypass AI / ML
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25459 MEDIUM This Month

Improper access control in uixthemes Sober through version 3.5.12 enables authenticated attackers to modify data or resources they should not have permission to access. An attacker with valid login credentials can bypass authorization checks to perform unauthorized actions. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25416 MEDIUM This Month

blazethemes News Kit Elementor Addons news-kit-elementor-addons is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25410 MEDIUM This Month

The WP-CORS WordPress plugin through version 0.2.2 contains an authorization bypass that allows authenticated users to modify content due to improperly configured access controls. An attacker with valid WordPress credentials could exploit this to make unauthorized changes to website data. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25409 MEDIUM This Month

crgeary JAMstack Deployments wp-jamstack-deployments is affected by missing authorization (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25402 MEDIUM This Month

The echo-knowledge-base plugin through version 16.011.0 fails to properly enforce access controls, enabling authenticated users to modify content they should not have permission to change. An attacker with valid login credentials could exploit misconfigured authorization rules to alter documentation or FAQ entries within the knowledge base system.

Authentication Bypass AI / ML
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25395 MEDIUM This Month

Insufficient access control in ikreatethemes Business Roy versions up to 1.1.4 enables authenticated users to modify data they should not have permission to access. An attacker with valid credentials could exploit misconfigured security levels to perform unauthorized changes within the application. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25394 MEDIUM This Month

Sparklewpthemes Fitness FSE plugin versions up to 1.0.6 contains a missing authorization check that allows authenticated users to modify content they should not have access to. An attacker with low-level user privileges can exploit this access control misconfiguration to alter website data without proper permission.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25393 MEDIUM This Month

Unauthorized data modification in Hello FSE WordPress theme version 1.0.6 and earlier results from improper access control enforcement. Authenticated users can exploit this vulnerability to make unauthorized changes to website content or settings without proper permission checks.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25387 MEDIUM This Month

Elementor Image Optimizer by Elementor image-optimization is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25363 MEDIUM This Month

FooGallery through version 3.1.11 contains a missing authorization check that allows authenticated users to modify gallery content they should not have access to. An attacker with valid login credentials can exploit improperly configured access controls to alter galleries, potentially defacing or corrupting gallery data. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25335 MEDIUM This Month

Ays Pro Secure Copy Content Protection and Content Locking secure-copy-content-protection is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25330 MEDIUM This Month

PublishPress PublishPress Authors publishpress-authors is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25329 MEDIUM This Month

ExpressTech Systems Quiz And Survey Master quiz-master-next is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25323 MEDIUM This Month

Improper access control in MiKa OSM through version 6.1.12 allows authenticated users to modify data or settings they should not have permission to access. An attacker with valid credentials could exploit misconfigured security levels to escalate privileges or alter system configuration. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25318 MEDIUM This Month

Wisernotify team WiserReview Product Reviews for WooCommerce wiser-review is affected by missing authorization (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25314 MEDIUM This Month

WP Messiah TOP Table Of Contents top-table-of-contents is affected by missing authorization (CVSS 4.3).

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25313 MEDIUM This Month

FluentForm versions 6.1.14 and earlier contain an access control bypass that allows authenticated users to perform unauthorized modifications. An attacker with valid credentials can exploit improperly configured security levels to alter data they should not have access to. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25308 MEDIUM This Month

Improper access control in wp.insider Simple Membership plugin versions 4.6.9 and earlier allows authenticated users to bypass security level restrictions and modify content they should not have access to. An attacker with valid credentials can exploit misconfigured access controls to escalate privileges within the plugin. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25003 MEDIUM This Month

Improper access control in madalin.ungureanu Client Portal versions up to 1.2.1 allows authenticated users to modify data they should not have access to due to incorrectly configured security levels. An attacker with valid credentials can exploit this missing authorization check to perform unauthorized modifications, though no patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14427 MEDIUM This Month

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25419 MEDIUM This Month

UpsellWP versions 2.2.3 and earlier contain an authorization bypass vulnerability that allows authenticated users to access checkout upsell features they should not have permission to modify. An attacker with low-privilege account access could exploit improper access control to manipulate order bump and upsell configurations, potentially affecting store operations and revenue.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25407 MEDIUM This Month

Cookiebot versions 4.6.4 and earlier contain an access control bypass that allows authenticated attackers to exploit misconfigured security levels and gain unauthorized access to sensitive information. An attacker with low-level user credentials can leverage this vulnerability to read restricted data without proper authorization. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14342 MEDIUM This Month

SEO Plugin by Squirrly SEO (WordPress plugin) versions up to 12.4.14. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12884 MEDIUM This Month

The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12027 MEDIUM This Month

The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and including, 1.6.158. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27090 MEDIUM This Month

WP Moose Kenta Companion kenta-companion is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25411 MEDIUM This Month

themastercut Revision Manager TMC revision-manager-tmc is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25319 MEDIUM This Month

wpzita Zita Elementor Site Library zita-site-library is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12172 MEDIUM This Month

Mailchimp List Subscribe Form (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1455 MEDIUM This Month

Whatsiplus Scheduled Notification for Woocommerce (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14167 MEDIUM This Month

The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request ...

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 5 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy