Skip to main content
CVE-2025-12500 MEDIUM This Month

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (i...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13079 MEDIUM This Month

mobile friendly marketing popups. versions up to 4.4.2. contains a security vulnerability (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13930 MEDIUM This Month

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-25006 MEDIUM This Month

XStore versions 9.6.4 and earlier fail to properly sanitize HTML script tags, enabling attackers to inject malicious code that executes in users' browsers. This stored or reflected cross-site scripting vulnerability requires no authentication or user interaction, allowing attackers to steal session tokens, deface content, or redirect users to malicious sites. No patch is currently available, leaving affected installations vulnerable.

XSS
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-22422 MEDIUM This Month

Everest Forms through version 3.4.1 fails to properly sanitize HTML script tags, enabling unauthenticated attackers to inject malicious code and compromise site integrity. The vulnerability allows attackers to perform code injection attacks without authentication or user interaction, potentially leading to data theft or malware distribution. No patch is currently available for this vulnerability.

Code Injection
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-25348 MEDIUM This Month

Improper access control in Alt Text AI versions up to 1.10.15 enables unauthenticated remote attackers to cause denial of service through misconfigured authorization checks. The vulnerability allows an attacker to disrupt service availability without requiring authentication or user interaction. No patch is currently available for this issue.

Authentication Bypass AI / ML
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-25336 MEDIUM This Month

Coachify plugin versions 1.1.5 and earlier contain an authorization bypass that allows unauthenticated remote attackers to exploit misconfigured access controls. This vulnerability enables denial of service attacks without requiring user interaction or authentication.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-15563 MEDIUM This Month

Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here. [CVSS 5.3 MEDIUM]

Authentication Bypass Worktime
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13842 MEDIUM This Month

The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titl...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13113 MEDIUM This Month

The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe us...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-26744 MEDIUM This Month

FormaLMS 4.1.18 and earlier allows unauthenticated attackers to enumerate valid usernames through the password recovery endpoint by observing differential error messages. This user enumeration vulnerability could enable an attacker to build a list of active accounts for targeted attacks. No patch is currently available for this medium-severity issue.

Information Disclosure Formalms
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27368 MEDIUM This Month

SeedProd Coming Soon Page plugin versions 6.19.7 and earlier contain a missing authorization vulnerability that allows unauthenticated attackers to modify application content by exploiting improperly configured access controls. An attacker can leverage this flaw to alter website settings without proper authentication, potentially defacing or redirecting traffic on affected sites. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27328 MEDIUM This Month

DevsBlink EduBlink versions 2.0.7 and earlier contain an authorization bypass that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability enables integrity compromise without requiring authentication or user interaction, affecting all installations of the vulnerable software versions. No patch is currently available to address this issue.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27066 MEDIUM This Month

PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27042 MEDIUM This Month

Unauthorized modification of content is possible in WPDeveloper NotificationX through version 3.2.1 due to improper access control checks that allow unauthenticated attackers to manipulate notification data. This vulnerability affects all installations of the plugin without authentication requirements, enabling attackers to alter or inject malicious content. No security patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25441 MEDIUM This Month

LeadConnector versions 3.0.21 and earlier contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data due to improperly configured access controls. An attacker can exploit this vulnerability without authentication or user interaction to tamper with application data, though confidentiality and availability are not affected. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25415 MEDIUM This Month

Inadequate access control in WPBookit Pro through version 1.6.18 permits unauthenticated attackers to modify data by bypassing authorization checks. The vulnerability allows remote attackers without credentials to perform unauthorized actions on the plugin, affecting all installations running the vulnerable versions. No patch is currently available to remediate this issue.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25408 MEDIUM This Month

Broken Link Notifier plugin versions 1.3.5 and earlier contain an authorization bypass vulnerability that allows unauthenticated attackers to modify data through improperly configured access controls. An attacker can exploit this flaw to alter link notifications without proper authentication, potentially disrupting the plugin's functionality or manipulating stored information. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25404 MEDIUM This Month

Improper access control in WP Job Manager through version 2.4.0 permits unauthenticated attackers to access sensitive information by bypassing authorization checks. The vulnerability affects WordPress sites running the vulnerable plugin and could allow unauthorized disclosure of job-related data. No patch is currently available.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25386 MEDIUM This Month

Elementor Ally versions up to 4.0.2 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify content through improperly configured access controls. The vulnerability has a network attack vector with low complexity and no user interaction required, potentially enabling unauthorized alterations to website content. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25384 MEDIUM This Month

WP-Lister Lite for eBay through version 3.8.5 contains a missing authorization vulnerability allowing unauthenticated remote attackers to bypass access controls and gain unauthorized information disclosure. The improper access control configuration enables attackers to exploit the plugin's functionality without proper authentication or permissions. No patch is currently available for affected WordPress installations.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25374 MEDIUM This Month

Inadequate access control in raratheme Spa and Salon plugin versions 1.3.2 and earlier permits unauthorized users to modify sensitive data through improperly configured security levels. An unauthenticated remote attacker can exploit this vulnerability to perform unauthorized actions without authentication. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25370 MEDIUM This Month

Improper access control in the WP Compress image optimizer plugin for WordPress (versions up to 6.60.28) enables unauthenticated attackers to modify plugin data and settings. The vulnerability allows unauthorized manipulation of the plugin's functionality without requiring user interaction or special network conditions. Currently, no patch is available for affected installations.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25367 MEDIUM This Month

NooTheme CitiLights versions below 3.7.2 contain an authorization bypass that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability enables unauthorized state changes without requiring user interaction or elevated privileges. A patch is not currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25364 MEDIUM This Month

BoldGrid Client Invoicing by Sprout Invoices sprout-invoices is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25338 MEDIUM This Month

Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant is affected by missing authorization (CVSS 5.3).

Authentication Bypass AI / ML
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25333 MEDIUM This Month

The Shopwell theme for Shopify versions 1.0.11 and earlier contains improper access control that allows unauthenticated remote attackers to view sensitive information through incorrectly configured authorization checks. This vulnerability exposes confidential data without requiring authentication or user interaction. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25332 MEDIUM This Month

Fahad Mahmood Endless Posts Navigation endless-posts-navigation is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25324 MEDIUM This Month

ExpressTech Systems Quiz And Survey Master quiz-master-next is affected by authorization bypass through user-controlled key (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25321 MEDIUM This Month

Insufficient access control in SupportCandy plugin versions 3.4.4 and earlier allows unauthenticated remote attackers to modify data through improperly configured security permissions. This vulnerability affects WordPress installations using the vulnerable plugin, enabling attackers to perform unauthorized actions without requiring authentication. No patch is currently available for this issue.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25320 MEDIUM This Month

Cool Plugins Elementor Contact Form DB sb-elementor-contact-form-db is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25315 MEDIUM This Month

hcaptcha hCaptcha for WP hcaptcha-for-forms-and-more is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25005 MEDIUM This Month

N-Media Frontend File Manager nmedia-user-file-uploader is affected by authorization bypass through user-controlled key (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25000 MEDIUM This Month

Kraft Plugins Wheel of Life version 1.2.0 and earlier contains a missing authorization vulnerability that allows unauthenticated remote attackers to modify data through incorrectly configured access controls. The vulnerability enables integrity attacks against affected installations without requiring user interaction. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24999 MEDIUM This Month

The Alma payment gateway plugin for WooCommerce versions up to 5.16.1 contains an authorization bypass that allows unauthenticated attackers to modify data through improper access control enforcement. WordPress sites using this plugin are at risk of unauthorized changes to payment-related settings or configurations. A patch is not currently available, making immediate mitigation through plugin disabling or version control necessary.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24375 MEDIUM This Month

WP Swings Ultimate Gift Cards For WooCommerce woo-gift-cards-lite is affected by missing authorization (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23548 MEDIUM This Month

DirectoryPress through version 3.6.25 contains an access control bypass that allows unauthenticated attackers to modify data due to improperly configured authorization checks. An attacker can exploit this vulnerability over the network without authentication or user interaction to alter information in affected installations. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23543 MEDIUM This Month

WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25389 MEDIUM This Month

Metagauss EventPrime eventprime-event-calendar-management contains a security vulnerability (CVSS 5.3).

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25325 MEDIUM This Month

The rtMedia plugin for WordPress versions up to 4.7.8 exposes sensitive system information through an information disclosure vulnerability that allows unauthenticated remote attackers to retrieve embedded data. This vulnerability affects WordPress installations using rtMedia with BuddyPress and bbPress extensions, potentially exposing confidential system details to unauthorized users. No patch is currently available for this medium-severity issue.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14357 MEDIUM This Month

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1658 MEDIUM This Month

Directory Services versions up to 25.2. is affected by user interface (ui) misrepresentation of critical information (CVSS 5.3).

Code Injection Directory Services
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-8055 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in OpenText™ XM Fax allows Server Side Request Forgery. The vulnerability could allow an attacker to perform blind SSRF to other systems accessible from the XM Fax server. [CVSS 5.3 MEDIUM]

SSRF Xm Fax
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1219 MEDIUM This Month

Radio by Sonaar versions up to 4.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2243 MEDIUM PATCH This Month

QEMU's VMDK image parser is vulnerable to an out-of-bounds read when processing maliciously crafted disk images, allowing local attackers to leak sensitive information or trigger denial of service. This vulnerability affects systems running QEMU with untrusted VMDK input and currently lacks an available patch.

Denial Of Service Red Hat Suse
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-25310 MEDIUM This Month

D-Link products versions 2.0.0 and earlier are vulnerable to server-side request forgery (SSRF) that allows authenticated attackers to make arbitrary HTTP requests from the affected system. This MEDIUM severity vulnerability requires valid credentials but enables attackers to bypass network controls and potentially access internal resources or services. No patch is currently available.

D-Link SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-22269 MEDIUM This Month

Dell PowerProtect Data Manager versions prior to 19.22 contain improper verification of REST API communication channels that allows high-privileged remote attackers to bypass security protections. The vulnerability requires administrative credentials and network access, enabling authenticated attackers to circumvent established security controls. No patch is currently available.

Authentication Bypass Dell Powerprotect Data Manager
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-69725 MEDIUM PATCH This Month

An Open Redirect vulnerability in the go-chi/chi >=5.2.2 RedirectSlashes function allows remote attackers to redirect victim users to malicious websites using the legitimate website domain. [CVSS 4.7 MEDIUM]

Open Redirect
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-25392 MEDIUM This Month

The Update URLs WordPress plugin through version 1.4.0 contains an open redirect vulnerability that allows unauthenticated attackers to craft malicious links redirecting users to arbitrary external sites, enabling phishing attacks. The vulnerability requires user interaction to click a crafted link but has no patch currently available. Affected WordPress sites using this plugin should upgrade or disable it immediately.

WordPress Open Redirect
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-22266 MEDIUM This Month

Dell PowerProtect Data Manager versions prior to 19.22 contain improper verification of communication channels in the REST API, allowing high-privileged remote attackers to bypass security protections. The vulnerability requires administrative credentials but carries no patch availability, creating ongoing risk for affected deployments.

Authentication Bypass Dell Powerprotect Data Manager
NVD
CVSS 3.1
4.7
EPSS
0.0%
Prev Page 6 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy