Unauthenticated mass data deletion in the AI Copilot - Content Generator WordPress plugin (all versions through 1.4.12) exposes sites to complete wipeout of plugin-managed database records by any remote visitor. The vulnerability stems from a permanently open authorization gate: the base controller's getPermissions() returns an empty array causing the auth check to unconditionally pass, while the removeGroup and clear AJAX actions are excluded from getNoncedMethods(), bypassing nonce verification entirely. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis, though the attack requires no credentials and minimal technical skill given the straightforward AJAX endpoint targeting.
Sensitive information exposure in the Members - Membership & User Role Editor Plugin for WordPress (all versions through 3.2.22) allows unauthenticated network attackers to exploit the REST API filter `members_filter_protected_posts_for_rest` as a boolean oracle, revealing the existence, count, and inferred keyword content of posts explicitly restricted by membership rules. The mechanism abuses per-page pagination parameters to observe response count changes, enabling iterative inference of hidden post content without ever receiving the post body directly. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV, but the zero-authentication, network-accessible attack surface means any WordPress site using this plugin with sensitive restricted content is exposed by default.
Authorization bypass in the NEX-Forms WordPress plugin (all versions through 9.2.2) allows unauthenticated remote attackers to overwrite email metadata fields on arbitrary form entries and weaponize the victim WordPress site as an outbound email relay. The CVSS vector (PR:N/AC:L/AV:N) confirms zero authentication and zero configuration prerequisites beyond plugin activation. No public exploit has been identified at time of analysis, but the trivially low exploitation complexity makes mass scanning and abuse for phishing or spam distribution operationally realistic at scale.
Permanent, irreversible deletion of all Starter Template-imported site content in the Solace Extra WordPress plugin (all versions through 1.5.3) is achievable by fully unauthenticated network attackers due to the complete absence of authorization checks on the responsible AJAX handler. The handler is registered via wp_ajax_nopriv_, removing WordPress's authentication gate entirely, while the required nonce is leaked to any Subscriber-level user visiting any wp-admin page - eliminating both authentication and authorization barriers simultaneously. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the Wordfence disclosure includes exact file and line references enabling straightforward reproduction; the official CVSS score of 5.3 significantly understates the destructive impact.
Context Blog WordPress theme (all versions through 1.3.5) exposes the full content of password-protected posts to unauthenticated remote attackers through the `context_blog_modal_popup` component, effectively bypassing WordPress's native content-gating mechanism. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivially low exploitation complexity with no authentication or user interaction required. No public exploit code or active exploitation has been identified at time of analysis, and real-world impact is bounded entirely by what site owners store behind password-protected posts.
Billing authorization bypass in Capgo (prior to 12.128.12) enables authenticated organizations with exhausted or expired usage credit grants to continue consuming paid API endpoints without valid entitlement. The divergence between the plugin's hot-path plan_valid expression and the authoritative billing gate creates a logic gap exploitable by any organization that reaches credit depletion, granting continued access to /updates, /stats, /channel_self, and attachment upload endpoints. No public exploit or CISA KEV listing exists at time of analysis, but the low attack complexity and network accessibility make this straightforward for any affected account holder to abuse.
Payment bypass in WP Hotel Booking (WordPress plugin, all versions ≤2.3.1) allows unauthenticated attackers to mark arbitrary hotel reservations as fully paid without submitting genuine payment. The PayPal IPN handler `web_hook_process_paypal_standard()` accepts an attacker-controlled `test_ipn=1` parameter that silently reroutes IPN validation to PayPal's sandbox environment, where a free sandbox account returns a legitimate 'VERIFIED' response; the handler then promotes any pending booking to completed while skipping critical post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness. No public exploit is identified at time of analysis, but the attack requires only a free PayPal sandbox account, making it nearly zero-cost for any motivated attacker.
Time-based blind SQL injection in the Catalyst Connect Zoho CRM Client Portal WordPress plugin (all versions ≤ 2.2.0) enables authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database via the unsanitized 'uid' parameter. The CVSS vector (PR:H) confirms exploitation requires administrator-level credentials, meaningfully constraining the attack surface. A public proof-of-concept is available on GitHub (BFS-Lab/BFSDV), and no confirmed patch version has been identified in available intelligence at time of analysis.
Stored XSS in Premium Addons for Elementor (all versions ≤4.11.84) lets authenticated contributors plant persistent JavaScript payloads via the `premium_tooltip_text` parameter that execute specifically when an administrator opens the injected post in the Elementor editor - not on public-facing pages. The root cause is unescaped output in the `print_template()` method registered on the `elementor/section/print_template` hook, meaning the attack surface is confined to the Elementor editor backend. No public exploit or CISA KEV listing has been identified at time of analysis; however, the scope-changed CVSS rating reflects real privilege-escalation potential from contributor to admin session context.
Policy bypass in ImageMagick before 7.1.2-26 allows low-privileged local users to write files to filesystem paths explicitly blocked by the application's security policy framework. The APNG encoder and external delegate mechanisms omit required validation against policy.xml restrictions, enabling circumvention of configured path-based access controls. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the impact is meaningful in multi-tenant or shared-processing environments that rely on ImageMagick's policy layer as a security boundary.
Heap-based out-of-bounds read in ImageMagick before 7.1.2-19 is triggered when processing an image carrying an unrecognized magnify:method value, causing the magnify operation to read beyond allocated heap memory. Affected systems running any version prior to 7.1.2-19 can be impacted when a user or automated pipeline processes a specially crafted image file, with outcomes ranging from partial memory disclosure to application crash. No active exploitation is confirmed (not in CISA KEV) and no public proof-of-concept has been identified at time of analysis, and the CVSS 4.0 score of 4.8 (Medium) reflects the limited local/interactive nature of the attack.
Memory allocation policy bypass in ImageMagick's matrix-backed operations allows a crafted image to exhaust process memory and cause a denial of service. Affected across both the version 7 series (before 7.1.2-26) and the legacy version 6 series (before 6.9.13-51), the flaw arises because operations such as -canny fail to enforce the memory ceiling set in the configured policy, nullifying a key security control. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS 4.0 score of 4.8 reflects a local attack vector requiring user interaction, keeping real-world exposure moderate.
Stored Cross-Site Scripting in the Lockme OAuth2 Calendars Integration WordPress plugin (all versions through 2.11.0) permits authenticated administrators to persist arbitrary JavaScript in four settings fields - App ID, App Secret, Bookings ID prefix, and API domain - which then executes in the browser of any user who loads the plugin settings page. The root cause is a missing sanitize callback in register_setting() (Plugin.php:197) paired with unescaped output via direct echo into an HTML value attribute without esc_attr() (lines 212, 223, 245, 256), a classic CWE-79 dual-failure pattern. Exploitation risk is highest in WordPress multisite environments where per-site administrators, who should not have cross-site authority, could poison settings to harvest session tokens or perform actions in the context of super-administrators. No public exploit code and no CISA KEV listing have been identified at time of analysis; an upstream patch changeset (revision 3495564) has been committed to the WordPress plugin repository.
Stored Cross-Site Scripting in the Widgets for Google Reviews WordPress plugin (versions ≤ 13.3) enables authenticated attackers holding editor-level WordPress roles to inject persistent JavaScript through admin settings, which then executes in any site visitor's browser on pages rendering the compromised widget. Exploitation is gated by two environmental prerequisites - multi-site WordPress deployments or single-site installs where unfiltered_html has been explicitly disabled - substantially narrowing the attack surface despite the network-accessible entry point. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the fix is referenced via a WordPress plugin repository changeset but an exact patched release version is not independently confirmed.
Stored Cross-Site Scripting in the White Label CMS WordPress plugin (versions through 2.7.12) permits authenticated administrators to persist arbitrary JavaScript payloads via plugin settings pages, which then execute in the browsers of other users who access affected pages. Exploitation is gated behind two hard constraints: the attacker must hold administrator-level WordPress credentials, and the target site must be either a WordPress multisite installation or a site where the unfiltered_html capability has been explicitly disabled. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Print, PDF, Email by PrintFriendly WordPress plugin (versions through 5.5.10) allows authenticated administrators to inject persistent JavaScript via the 'content_position_css' parameter, which executes in the browsers of any user who visits an affected page. The scope change (S:C) in the CVSS vector confirms the injected script breaks out of the plugin's security context into victim browsers, enabling session hijacking, credential theft, or malicious redirects against site visitors. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.
User enumeration via authorization bypass in the Wallet for WooCommerce WordPress plugin (versions up to and including 1.6.4) allows any authenticated subscriber-level user to extract login names, email addresses, and user IDs for every WordPress account on the site, including administrators. The flaw exists because the plugin exposes a 'search-user' nonce - required to call its AJAX search handler - directly in the wallet_param JavaScript object rendered on the publicly accessible WooCommerce My Account page, making it trivially obtainable by any logged-in user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and wide subscriber-level accessibility make exploitation straightforward on sites with open user registration.
Authorization bypass in Points and Rewards for WooCommerce (all versions through 2.10.0) allows authenticated subscribers to drain any user's reward points into a wallet balance, exfiltrate all user emails and point balances to an attacker-controlled Klaviyo account, and overwrite the site's Klaviyo API key - compounding financial fraud with third-party data exfiltration. Critically, the plugin exposes its authentication nonce (wps-wpr-verify-nonce) on every public-facing page via wp_localize_script(), and the wallet-draining handler is registered on the wp_ajax_nopriv_ hook, meaning the most financially damaging action - converting points to wallet balance - is exploitable by unauthenticated visitors. No public exploit code or CISA KEV listing identified at time of analysis.
Unauthorized cross-vendor manipulation in WCFM - Frontend Manager for WooCommerce (all versions ≤ 6.7.27) allows authenticated subscriber-level users to archive competitor vendors' product listings, toggle featured status on arbitrary listings, mark WooCommerce orders as completed, and permanently delete enquiries and bulk messages belonging to other vendors within the same marketplace. Multiple AJAX handlers in class-wcfm-ajax.php, class-wcfm-enquiry.php, and class-wcfm-notification.php accept user-controlled object IDs without verifying ownership - a textbook CWE-639 IDOR pattern enabling horizontal privilege escalation across vendor accounts. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Unauthorized affiliate management actions in the Affilia plugin for WordPress (all versions through 3.3.3) allow any subscriber-level authenticated user to approve or reject referrals, credit commissions to affiliate wallets, delete referral records, and modify banner options - enabling direct financial fraud against WooCommerce stores. The root cause is that the sole authentication gate relies on a WordPress nonce that is publicly embedded in every frontend page load via the JavaScript global `rtwalwm_global_params.rtwalwm_nonce`, making role-based access enforcement trivially bypassable. No public exploit code or CISA KEV listing is identified at time of analysis, but the low exploitation complexity and direct financial fraud impact make this a meaningful operational risk for any site running an affiliate program on this plugin.
Authorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated subscribers to manipulate WordPress cron scheduling logic. Authenticated attackers with subscriber-level access or above can create, modify, or reschedule the nftb_cron_hook cron event due to missing authorization checks in nftncron.php, disrupting the plugin's background task scheduling for Telegram notifications. No public exploit or active exploitation has been identified at time of analysis; CVSS rates this Medium (4.3) with integrity-only impact.
Sensitive Information Exposure in the Mux Video Uploader WordPress plugin (all versions through 1.1.4) allows any authenticated WordPress user at subscriber level or higher to retrieve Mux API credentials via the `muxvideo_enqueue_settings_script` function. Mux API keys exposed this way could enable unauthorized access to the site's Mux account, including video management and potential billing abuse. Reported by Wordfence; no public exploit code or CISA KEV listing identified at time of analysis.
Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. No public exploit code or active exploitation has been identified at time of analysis.
Unauthorized data modification in SurfLink - Link Manager & Backup Restore (all versions up to 2.6.0) allows authenticated attackers with Subscriber-level access to inject arbitrary URLs into the plugin's 410 Gone database table, causing those site paths to return HTTP 410 Gone responses to all visitors. The root cause is a missing capability check (current_user_can()) and absent nonce verification (check_ajax_referer()) in the ajax_import_410() AJAX handler - a conspicuous gap given that every other AJAX handler in the same PHP class correctly implements both controls. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low authentication barrier and clear impact on site availability and SEO ranking make this a meaningful risk for affected WordPress deployments.
Authorization bypass in the MyParcel (woocommerce-myparcel) WordPress plugin allows any authenticated subscriber-level user to view and modify shipment options - including carrier, delivery type, package type, label count, weight, signature requirement, and insurance - on arbitrary WooCommerce orders they do not own. All plugin versions up to and including 4.25.1 are affected, with the flaw rooted in missing capability checks on administrative AJAX handlers. No public exploit or active exploitation has been identified at time of analysis, though the low privilege bar (any registered WordPress user) expands the realistic attacker pool significantly for e-commerce stores.
Unauthorized cache deletion in the ThriveDesk WordPress plugin (all versions through 2.1.7) is possible by any authenticated user holding a Subscriber-level role or above, due to a missing capability check on the `thrivedesk_clear_cache` AJAX action. The root cause is a CWE-862 Missing Authorization flaw in `includes/helper.php` - any logged-in user can invoke the privileged cache-clearing function without role validation. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is bounded to cache disruption and potential performance degradation rather than data loss or code execution.
Authorization bypass in the WP Easy Pay WordPress plugin (versions ≤4.5.0) allows any authenticated WordPress user at subscriber level or above to set arbitrary posts and pages to 'draft', silently unpublishing site content without editorial authorization. The flaw stems from missing capability checks in the plugin's action handlers (wpep-setup.php), confirmed by Wordfence with direct source code references. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the low barrier to exploitation - any registered user qualifies - makes this a meaningful risk on sites with open user registration.
Stored XSS execution in Parse Server (versions 9.0.0 through pre-9.10.0-alpha.2 and all 8.x releases through 8.6.83) allows authenticated users with file-upload permissions to inject persistent JavaScript that executes in the application's origin against other users, but only when a cloud-based storage adapter is configured. By crafting a deliberately malformed Content-Type header - such as 'image' or 'image/' - an attacker exploits a gap in the mime-package lookup path that renders the fileUpload.fileExtensions blocklist ineffective, causing the malformed value to be stored verbatim in Amazon S3, Google Cloud Storage, or Azure Blob Storage. Browsers receiving a syntactically invalid Content-Type fall back to MIME sniffing and render HTML file bodies as web pages in the application's origin; no public exploit has been identified and the vulnerability is absent from CISA KEV, but the stored nature means a single successful upload persists as a live threat until patched or the file is removed.
Memory exhaustion denial of service in ImageMagick before 7.1.2-26 results from an unreleased memory leak in the VIFF image encoder triggered by failed memory allocation during image processing. Locally-positioned attackers without privileges can supply specially crafted VIFF images to repeatedly trigger this leak, gradually exhausting system memory. The CVSS 4.0 score of 2.1 with local attack vector, high complexity, and additional prerequisites indicates this is a low-severity, operationally limited issue; no public exploit code or CISA KEV listing has been identified at time of analysis.