Broken access control in the Contact Form by WPForms plugin (versions <= 1.10.0.4) for WordPress allows remote unauthenticated attackers to perform unauthorized actions affecting data integrity. The flaw stems from missing authorization checks (CWE-862) on plugin functionality, enabling tampering without any credentials or user interaction. No public exploit identified at time of analysis, and EPSS data was not provided in the input.
Availability-impacting broken access control in the AWP Classifieds (Another WordPress Classifieds Plugin) WordPress plugin through version 4.4.4 allows unauthenticated remote attackers to invoke privileged functionality due to a missing authorization check (CWE-862). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) indicates the flaw exposes a sensitive action - most plausibly a destructive or resource-consuming operation - over the network with no credentials or user interaction. No public exploit identified at time of analysis.
Unauthenticated sensitive data exposure in the IDPay Payment Gateway for WooCommerce WordPress plugin (versions ≤ 2.2.5) allows remote attackers to retrieve confidential information without credentials or user interaction over the network. The flaw was reported by Patchstack and tracked as EUVD-2026-36918; no public exploit identified at time of analysis. With a CVSS 7.5 (high) score driven entirely by confidentiality impact, the issue is significant for any WooCommerce site processing payments through this Iranian payment gateway integration.
Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2 allows remote attackers to retrieve protected information without credentials over the network. The flaw is reported by Patchstack and carries a CVSS 7.5 (high) confidentiality-only impact, with no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated information disclosure in the Easy Appointments WordPress plugin (versions ≤ 3.12.21) allows remote attackers to access protected appointment data without authentication due to missing authorization checks. Patchstack reports the issue as a broken access control flaw with high confidentiality impact (CVSS 7.5); no public exploit identified at time of analysis, and the plugin is not currently listed in CISA KEV.
Information disclosure in the Projectopia WordPress plugin (versions <= 5.1.25.2) allows remote unauthenticated attackers to access custom role data belonging to other users via Insecure Direct Object Reference flaws. The CVSS 7.5 score reflects high confidentiality impact with no integrity or availability consequences, and no public exploit identified at time of analysis.
Unauthenticated sensitive data exposure in the EmbedPress WordPress plugin (versions 4.5.2 and earlier) allows remote attackers to retrieve confidential information from affected sites without any credentials or user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any vulnerable installation, though no public exploit identified at time of analysis. The flaw was disclosed via Patchstack and is classified under CWE-639, suggesting authorization checks are bypassed via predictable or user-controlled object references.
Unauthorized data access in the WordPress Simple Shopping Cart plugin (versions <= 5.2.9) allows remote unauthenticated attackers to retrieve sensitive information belonging to other users through an Insecure Direct Object Reference (IDOR) flaw. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), exploitation is network-reachable with low complexity and no authentication. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Denial of service in the Express.js multer middleware (versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1) allows unauthenticated remote attackers to exhaust CPU and memory by sending a single multipart form request with deeply nested bracket-notation field names. The flaw lives in the append-field dependency, which parses nesting depth without any cap, so one crafted POST can degrade or crash Node.js services. No public exploit identified at time of analysis, but the issue is trivially reproducible against any default multer deployment exposed on the network.
Denial of service in Starlette (and downstream FastAPI applications) versions 0.4.1 through 1.3.0 allows remote unauthenticated attackers to exhaust CPU or memory by sending crafted application/x-www-form-urlencoded request bodies. The max_fields and max_part_size limits accepted by request.form() are silently ignored for urlencoded content, so a sub-10MB body can block the event loop for seconds or force unbounded memory allocation. No public exploit identified at time of analysis, but the bug is documented in detail in the upstream GHSA advisory.
Authentication bypass in the MagePeople WpTravelly WordPress plugin through version 2.1.7 allows remote unauthenticated attackers to circumvent identity verification and tamper with integrity-protected data. The flaw, reported by Patchstack and tracked as EUVD-2026-36914, is a CWE-290 Authentication Bypass by Spoofing impacting tour booking workflows on any WordPress site running the affected plugin. No public exploit identified at time of analysis, but the network-reachable, no-interaction attack vector elevates urgency for site operators.
Uncontrolled CPU consumption in python-multipart's QuerystringParser (versions <0.0.30) allows remote unauthenticated attackers to cause denial of service by submitting small crafted application/x-www-form-urlencoded bodies using semicolons as field separators. The two-step separator lookup degenerates into O(B²) byte comparisons, letting a ~1 MiB body burn seconds of CPU per request and exhaust workers in Starlette/FastAPI applications that call request.form(). No public exploit identified at time of analysis, though a clear proof-of-concept payload pattern (a;a;a;...) is described in the GHSA advisory.
Unauthenticated integrity compromise in the WpEvently WordPress plugin (versions 5.3.3 and earlier) by MagePeople allows remote attackers to alter application data over the network without privileges or user interaction. The vendor-supplied description is a Patchstack placeholder ('Other Vulnerability Type') and does not identify the specific endpoint or function, but the CVSS vector indicates high integrity impact with no confidentiality or availability impact. No public exploit identified at time of analysis.
Unauthenticated SQL injection in the WPGraphQL WordPress plugin versions prior to 2.11.1 allows remote attackers to inject SQL through the plugin's GraphQL interface without any credentials. The flaw, tracked by Patchstack and assigned CVSS 7.5 with a scope-change impact, can lead to disclosure of database contents and partial availability impact on affected WordPress sites. No public exploit identified at time of analysis, but the unauthenticated nature and broad install base of WPGraphQL make patching urgent.
Denial of service in Multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 allows remote unauthenticated attackers to exhaust server disk space when the library is configured with diskStorage. Aborted or malformed multipart uploads leave orphaned partial files because stream destruction is not propagated to the underlying fs.WriteStream, enabling resource exhaustion at scale with no public exploit identified at time of analysis. EPSS probability is low at 0.25% but SSVC marks the issue automatable with partial technical impact.
Broken access control in the Redsys for WooCommerce Light WordPress plugin (versions up to and including 7.0.0) allows remote unauthenticated attackers to invoke privileged functionality without proper authorization checks, leading to integrity impact on payment gateway operations. The flaw stems from missing authorization (CWE-862) on plugin endpoints, and at time of analysis no public exploit was identified, though the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) makes it trivially reachable. The vulnerability was reported by Patchstack and tracked as EUVD-2026-36973.
Unauthenticated broken access control in the Easy Digital Downloads WordPress plugin (versions <= 3.6.5) allows remote attackers to invoke privileged plugin functions without authentication, leading to unauthorized modification of plugin data. The flaw stems from a missing authorization check (CWE-862) and primarily impacts integrity of the affected WordPress sites. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Broken access control in the Event Tickets Manager for WooCommerce WordPress plugin (versions up to and including 1.5.3) allows remote unauthenticated attackers to perform restricted actions or modify data without proper authorization checks. The flaw stems from a missing authorization layer (CWE-862) on one or more plugin endpoints, making it reachable directly over HTTP by anyone who can talk to the WordPress site. No public exploit has been identified at time of analysis, but the vulnerability was reported by Patchstack and is tracked under EUVD-2026-36920.
Broken access control in the Montonio for WooCommerce WordPress plugin versions 10.1.2 and earlier allows remote unauthenticated attackers to perform integrity-impacting actions without proper authorization checks. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is trivially reachable over the network against default deployments, with high integrity impact but no direct confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Broken authentication in the Upsell Order Bump Offer for WooCommerce plugin (versions 3.1.4 and earlier) allows remote unauthenticated attackers to manipulate offer/price integrity on affected WordPress storefronts. Patchstack classifies the issue as a price manipulation vulnerability with high integrity impact, and no public exploit identified at time of analysis. The defect is reachable over the network without authentication or user interaction, making any WooCommerce store running the plugin a direct target.
Directory traversal in Zhoros SuperBin v1.0.0 allows remote unauthenticated attackers to read or write files outside intended directories by uploading files whose names contain traversal sequences such as '../'. The flaw stems from inadequate sanitization of user-supplied filenames during file handling operations. Publicly available exploit code exists via a referenced GitHub gist, though there is no public exploit identified as weaponized at scale and the vulnerability is not listed in CISA KEV.
Denial of service in LLDAP v0.6.2 allows remote unauthenticated attackers to disrupt the authentication service by sending a crafted refresh-token header to the HTTP refresh endpoint. The flaw is a CWE-400 resource handling defect with CVSS 7.5 (availability-only impact); no public exploit is identified, though a referenced gist may contain proof-of-concept material. EPSS is low at 0.18% (8th percentile) and the issue is not on CISA KEV.
Denial of service in Feuerhamster MailForm v1.1.0 allows remote unauthenticated attackers to exhaust server resources by sending a crafted request to the attachment handling component. The flaw aligns with CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/A:H), with no public exploit identified at time of analysis and no inclusion in CISA KEV.
An issue in Observeinc's Observe v.2026-01-28 and before allows a remote attacker to obtain sensitive information via the CSV Log export component.
Authorization bypass in Mastodon's experimental Collections feature allows remote attackers to forge FeatureAuthorization objects and falsely list non-consenting accounts in remote Collections. The flaw stems from a missing cross-reference between the featured object's actor URI and the authorization's interactionTarget, letting an attacker assert consent on behalf of another account on the same domain. Patched in 4.6.0-beta.1; no public exploit identified at time of analysis and the issue only manifests when the EXPERIMENTAL_FEATURES env var explicitly enables 'collections'.
Denial of service in Andrei Marcu linx-server v2.3.8 allows remote unauthenticated attackers to crash or exhaust the file-upload service by sending a crafted POST request to the uploadPostHandler component. CVSS 3.1 rates availability impact High (7.5) with no confidentiality or integrity loss, and publicly available exploit code exists via a referenced GitHub gist, though there is no public exploit identified as actively exploited at time of analysis.
Denial of service in anna-is-cute paste v0.1.1 allows remote unauthenticated attackers to disrupt service availability by sending a crafted POST request to the /api/v0/pastes endpoint. The flaw is categorized under CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS 3.1 score of 7.5 with availability-only impact; no public exploit identified at time of analysis, and EPSS is low at 0.15% (4th percentile), suggesting minimal observed interest. The vulnerability is not listed in CISA KEV.
An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.
Unauthorized information disclosure in Sismics Docs (Teedy) v1.11 allows remote attackers to bypass access controls on share-based read endpoints and retrieve sensitive document data via crafted requests. The flaw stems from broken access control logic (CWE-284) on endpoints intended for shared documents, enabling unauthenticated retrieval of resources that should be restricted. There is no public exploit identified at time of analysis, EPSS is low (0.15%), and the vulnerability is not listed in CISA KEV.
Unauthenticated Insecure Direct Object References in the VikRentCar WordPress plugin versions 1.4.5 and earlier allow remote attackers to access sensitive resources belonging to other users by manipulating predictable object identifiers. The flaw was disclosed via Patchstack and affects WordPress sites running the e4jvikwp VikRentCar booking plugin, with no public exploit identified at time of analysis but a high CVSS confidentiality impact reflecting potential exposure of booking, customer, or reservation data.
Unauthenticated sensitive data exposure in the ABC Crypto Checkout WordPress plugin (versions <= 1.8.2) allows remote attackers to retrieve sensitive information without any credentials over the network. The flaw, reported by Patchstack and tracked as CWE-201, carries a CVSS 7.5 with high confidentiality impact and no integrity or availability effect; no public exploit identified at time of analysis.
Unauthenticated sensitive data exposure in the Signature Add-On for WooCommerce WordPress plugin versions 2.0 and earlier allows remote attackers to retrieve protected information without credentials over the network. Reported by Patchstack and tracked as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), the issue carries a CVSS 7.5 score driven entirely by confidentiality impact. At time of analysis there is no public exploit identified and no CISA KEV listing, but the trivial attack complexity makes opportunistic scanning plausible.
Unauthenticated sensitive data exposure in the Affiliates Manager WordPress plugin versions 2.9.50 and earlier allows remote attackers to retrieve confidential information without credentials. The CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact with no integrity or availability effects, and no public exploit identified at time of analysis. Disclosed by Patchstack, the issue affects WordPress sites running the wp.insider Affiliates Manager plugin used to manage affiliate marketing programs.
Privilege escalation in the LatePoint WordPress plugin versions 5.5.1 and earlier allows authenticated users holding low-privileged contributor accounts to elevate to higher-privileged roles, according to a Patchstack advisory. CVSS 3.1 scores this 7.5 (High) with full confidentiality, integrity, and availability impact, though high attack complexity and required low privileges constrain trivial exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Improper input validation in the WP Travel Engine WordPress plugin (versions 6.7.10 and earlier) allows remote unauthenticated attackers to tamper with integrity-sensitive data over the network with low complexity. The Patchstack-reported issue carries a CVSS 7.5 driven entirely by high integrity impact (I:H) with no confidentiality or availability effect, and no public exploit identified at time of analysis. Despite the 'Information Disclosure' tag inherited from the plugin context, the CVSS vector points to an integrity-affecting weakness rather than data leakage.
Unauthenticated broken access control in the Knit Pay WordPress plugin versions 9.4.0.0 and earlier allows remote attackers to modify integrity-sensitive data without any authentication or user interaction. The flaw is rooted in missing authorization checks (CWE-862) on plugin endpoints, and while no public exploit identified at time of analysis, the network-reachable nature and zero prerequisites make it attractive for opportunistic abuse against WordPress sites running this payment plugin.
Sensitive data exposure in the Coupon Affiliates WordPress plugin (versions 7.8.1 and earlier) allows remote unauthenticated attackers to retrieve confidential subscriber information over the network without any user interaction. The flaw, reported by Patchstack and classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), carries a CVSS 7.5 score reflecting high confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis.
Unauthenticated sensitive data exposure in the Conekta Payment Gateway WordPress plugin (versions 6.0.0 and earlier) allows remote attackers to retrieve confidential information without authentication or user interaction. The flaw, tracked by Patchstack and classified as CWE-497 (Exposure of Sensitive System Information), carries a CVSS 7.5 score driven entirely by a high confidentiality impact over the network. No public exploit identified at time of analysis, and the CVE is not present in CISA KEV.
Unauthenticated arbitrary file download in the WPC Product Options for WooCommerce WordPress plugin (versions ≤ 3.2.1) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials. The flaw is a classic path traversal (CWE-22) reachable over the network at low complexity, and while no public exploit identified at time of analysis, the disclosure by Patchstack and trivial attack profile make opportunistic scanning likely against WooCommerce storefronts running this plugin.
Unauthenticated sensitive data exposure in the WebToffee 'WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels' WordPress plugin versions 4.9.4 and earlier allows remote attackers to retrieve protected information without credentials. The flaw, reported by Patchstack and tracked as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) with confidentiality-only impact. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthorized data tampering in the WPC Product Bundles for WooCommerce WordPress plugin (versions 8.5.3 and earlier) allows remote attackers to manipulate plugin state without authentication due to missing authorization checks. Reported by Patchstack, the flaw carries a CVSS 7.5 reflecting high integrity impact with no confidentiality or availability impact, and no public exploit identified at time of analysis.
Information disclosure in the Email Marketing for WooCommerce by Omnisend WordPress plugin versions 1.18.0 and earlier allows unauthenticated remote attackers to bypass authentication controls and access protected data. The flaw is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries CVSS 7.5 driven entirely by confidentiality impact. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Sensitive data exposure in the Bookly WordPress appointment booking plugin (versions 27.4 and earlier) allows remote unauthenticated attackers to retrieve information that should remain protected, per a Patchstack advisory. With CVSS 7.5 reflecting high confidentiality impact and no required privileges or user interaction, the flaw is reachable over the network against any site running an affected Bookly version, though no public exploit identified at time of analysis.
Unauthenticated information disclosure in the Salon Booking System WordPress plugin (versions up to and including 10.30.25) allows remote attackers to bypass authorization checks and access sensitive data without credentials. The flaw, tracked by Patchstack and tagged as an authentication bypass, is network-reachable with low complexity and no user interaction. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthenticated sensitive data exposure in the Amelia (Amelia Booking) WordPress plugin versions 2.2 and earlier allows remote attackers to retrieve protected information without credentials, per a Patchstack advisory. With a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and CWE-201 classification, the flaw is network-reachable and trivially triggerable, though no public exploit identified at time of analysis and no CISA KEV listing.
Authentication bypass in the ReviewX WordPress plugin versions 2.3.6 and earlier allows remote unauthenticated attackers to perform actions they should not be able to, leading to high-integrity impact on the affected site. The flaw is classified as CWE-288 (authentication bypass using an alternate path/channel) and was disclosed by Patchstack via the WordPress plugin vulnerability database. No public exploit identified at time of analysis and the issue is not listed on CISA KEV.
Unauthenticated broken access control in the SaaSProject Booking Package WordPress plugin versions 1.7.06 and earlier allows remote attackers to invoke privileged plugin functionality without authentication, resulting in unauthorized modification of booking data (CVSS 7.5, integrity-only impact). The flaw is a CWE-862 Missing Authorization issue disclosed via Patchstack and tracked in ENISA EUVD as EUVD-2026-36983, with no public exploit identified at time of analysis.
Unauthenticated information disclosure in the wpForo Forum WordPress plugin versions prior to 3.0.2 allows remote attackers to bypass access controls and read forum content that should be restricted. The flaw stems from improper permission preservation (CWE-281), letting unauthenticated users access data intended only for authorized members. No public exploit identified at time of analysis, but a vendor patch is available via Patchstack advisory.
Broken access control in the Masteriyo - LMS WordPress plugin (versions up to and including 2.1.5) allows remote unauthenticated attackers to bypass payment workflows and tamper with protected resources without authorization. The Patchstack advisory characterizes this as a payment bypass issue rooted in a missing authorization check (CWE-862), and no public exploit identified at time of analysis. EPSS data was not provided and the CVE is not currently listed in CISA KEV.
Broken access control in the WordPress Simple Membership plugin (versions ≤4.7.1) allows remote unauthenticated attackers to modify protected resources due to missing authorization checks. The flaw, reported by Patchstack and tracked as EUVD-2026-36917, carries a CVSS 3.1 score of 7.5 reflecting high integrity impact with no confidentiality or availability effect. No public exploit identified at time of analysis, but the network-reachable, no-auth profile makes WordPress sites running this plugin a realistic target.