Skip to main content
CVE-2026-57640 MEDIUM This Month

Broken Access Control in the MasterStudy LMS WordPress plugin (versions ≤ 3.7.30) permits authenticated subscriber-level users to perform actions that exceed their intended permissions. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce capability checks on one or more endpoints, allowing low-privileged registered users to make unauthorized integrity-affecting modifications. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low complexity and network accessibility make it straightforward to exploit on sites with open user registration.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57637 MEDIUM This Month

Cross-Site Request Forgery in the Abandoned Cart Lite for WooCommerce WordPress plugin (versions 6.8.0 and below) enables unauthenticated remote attackers to perform unauthorized state-changing actions by luring an authenticated site user into visiting a malicious page. The CVSS score of 4.3 (Medium) reflects a limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57634 MEDIUM This Month

Password Protect WordPress Page (PPWP) plugin versions up to and including 1.9.19 expose an Insecure Direct Object Reference (IDOR) flaw exploitable by authenticated Contributors, enabling unauthorized modification of password-protected page objects outside the attacker's authorized scope. The plugin fails to validate that the user-supplied object reference belongs to a resource the requesting Contributor is authorized to manage, as classified under CWE-639. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; real-world risk is meaningfully constrained by the Contributor authentication prerequisite.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57622 MEDIUM This Month

Broken access control in the WPCafe WordPress plugin (versions 3.0.14 and earlier) allows authenticated subscriber-level users to access restricted functionality or data without proper authorization checks. The flaw stems from missing authorization (CWE-862) on one or more plugin endpoints, permitting low-privileged WordPress accounts to bypass intended access restrictions. No public exploit code or active exploitation has been identified at time of analysis, but the network-accessible, low-complexity nature of the issue makes it straightforward to abuse by any registered site user.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-57430 MEDIUM This Month

Broken Access Control in SEOPress PRO WordPress plugin versions up to and including 9.1.1 allows authenticated users holding the Contributor role to perform privileged actions beyond their intended authorization scope. Exploitation requires a valid WordPress account with at least Contributor-level access, making this an insider or low-privilege escalation risk rather than a remote unauthenticated threat. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the low attack complexity and network reachability keep this a realistic risk in multi-author WordPress environments.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-63079 MEDIUM This Month

Broken access control in the Live Copy Paste for Elementor WordPress plugin (versions <= 1.5.3) allows contributor-level authenticated users to access restricted functionality beyond their intended authorization scope, resulting in unauthorized read access to content. The vulnerability stems from missing authorization checks (CWE-862) on plugin endpoints, and the 'Authentication Bypass' tag from Patchstack indicates contributors can bypass role-based restrictions enforced elsewhere. No public exploit code has been identified at time of analysis, and the plugin is not listed in the CISA KEV catalog.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-63078 MEDIUM This Month

Broken access control in the Restaurant Menu by MotoPress WordPress plugin (versions <= 2.4.11) allows authenticated users with subscriber-level privileges to perform actions reserved for higher-privileged roles. The root cause is CWE-862 (Missing Authorization) - the plugin fails to verify whether the authenticated caller holds the required capability before executing sensitive operations, enabling low-privilege users to manipulate menu data or plugin functionality beyond their intended scope. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13218 MEDIUM This Month

Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and change their ownership. An attacker with access to the virt-launcher container can plant a symlink at the network cache file path expected by the `WriteToCachedFile` function; virt-handler then follows that symlink when calling `os.WriteFile` and `os.Chown`, enabling writes of attacker-influenced JSON content to any path accessible by virt-handler on the host. This represents a partial container-to-host escape - a scope change from the container context to the underlying node - with no public exploit identified at time of analysis.

Information Disclosure Kubevirt Openshift Virtualization
NVD
CVSS 3.1
4.2
EPSS
0.1%
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy