Export limit exceeded: 18998 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10756 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10756 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4301 | 2 Videowhisper, Wordpress | 2 Rate Star Review Vote – Ajax Reviews, Votes, Star Ratings, Wordpress | 2026-05-13 | 4.3 Medium |
| The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsr_review() AJAX handler lacks both capability checks and nonce verification. The only access control is an is_user_logged_in() check. When the 'form' parameter is set to 'update', the function takes an arbitrary post ID from the user-supplied 'rating_id' GET parameter, sets it as the post ID in the update array, and passes it directly to wp_update_post(). This overwrites the target post's title, content, author (changed to the attacker's user ID), post_type (changed to the plugin's custom post type, default 'review'), and status. Additionally, update_post_meta() is called on the arbitrary post ID at lines 758-763, modifying its metadata. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title, content, author, post type, and metadata of arbitrary posts and pages on the site via the 'rating_id' parameter, effectively allowing full post content takeover. | ||||
| CVE-2026-41050 | 1 Suse | 1 Rancher | 2026-05-13 | 9.9 Critical |
| Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`. | ||||
| CVE-2026-6663 | 2 Thewebsitesupply, Wordpress | 2 Gwd Conex, Wordpress | 2026-05-13 | 4.8 Medium |
| The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints (gwd-backup.php and gwd-logs.php) not verifying authentication when the API key has not been configured, which is the default state. This makes it possible for unauthenticated attackers - on unregistered installations only, in certain environments - to execute arbitrary code on the server via the update_agent action, which writes attacker-supplied PHP code to the agent file. | ||||
| CVE-2026-7050 | 2 Rbplugins, Wordpress | 2 Forms Rb, Wordpress | 2026-05-13 | 4.3 Medium |
| The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to read form submission records, modify form configuration options, and delete records belonging to any form they do not own. | ||||
| CVE-2026-6709 | 2 Coderpress, Wordpress | 2 Coinbase Commerce For Contact Form 7, Wordpress | 2026-05-13 | 4.3 Medium |
| The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the save_settings() function, which is registered on the admin_post_cccf7_save_settings hook. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's Coinbase Commerce API key option (cccf7_api_key) via a crafted POST request to /wp-admin/admin-post. | ||||
| CVE-2026-5693 | 2 Wordpress, Zealopensource | 2 Wordpress, Smart Appointment & Booking | 2026-05-13 | 5.3 Medium |
| The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab_cancel_booking() function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR), which means providing any value for the security parameter causes the entire check to be skipped. This makes it possible for unauthenticated attackers to cancel arbitrary bookings by supplying a predictable booking ID. | ||||
| CVE-2026-1934 | 2 Stylemixthemes, Wordpress | 2 Motors - Car Dealer, Classifieds & Listing, Wordpress | 2026-05-13 | 4.3 Medium |
| The Motors – Car Dealership & Classified Listings plugin for WordPress is vulnerable to Payment Bypass via insecure user meta update in all versions up to, and including, 1.4.103 This is due to the stm_save_user_extra_fields() function updating sensitive user meta fields from POST data without verifying that the current user should have permission to modify those fields. The function hooks into the 'personal_options_update' action and only checks current_user_can('edit_user', $user_id), which passes for any user editing their own profile. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set their stm_payment_status to 'completed', bypassing the PayPal payment verification and gaining access to paid Dealer membership features without completing any transaction. | ||||
| CVE-2026-45212 | 2 Gabe Livan, Wordpress | 2 Asset Cleanup: Page Speed Booster, Wordpress | 2026-05-13 | 5.3 Medium |
| Missing Authorization vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster wp-asset-clean-up allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Asset CleanUp: Page Speed Booster: from n/a through <= 1.4.0.3. | ||||
| CVE-2026-35555 | 1 Subnet Solutions | 2 Powersystem Center 2024, Powersystem Center 2026 | 2026-05-13 | 6.3 Medium |
| PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups. | ||||
| CVE-2026-33570 | 1 Subnet Solutions | 1 Powersystem Center 2020 | 2026-05-13 | 5.7 Medium |
| PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions. | ||||
| CVE-2026-26289 | 1 Subnet Solutions | 3 Powersystem Center 2020, Powersystem Center 2024, Powersystem Center 2026 | 2026-05-13 | 8.2 High |
| PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only. | ||||
| CVE-2026-5371 | 2 Chriscct7, Wordpress | 2 Monsterinsights – Google Analytics Dashboard For Wordpress (website Stats Made Easy), Wordpress | 2026-05-13 | 7.1 High |
| The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability checks on the get_ads_access_token() and reset_experience() functions in all versions up to, and including, 10.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve live Google OAuth access tokens and reset Plugins's Google Ads integration. | ||||
| CVE-2026-2465 | 1 E-kalite Software Hardware Engineering Design And Internet Services Industry And Trade Ltd. Co. | 1 Turboard | 2026-05-13 | 8.8 High |
| Incorrect Authorization vulnerability in E-Kalite Software Hardware Engineering Design and Internet Services Industry and Trade Ltd. Co. Turboard FOR-S allows Privilege Escalation. This issue affects Turboard FOR-S: from 7.01.2026 before 18.02.2026. | ||||
| CVE-2026-45210 | 2 Broadstreetads, Wordpress | 2 Broadstreet, Wordpress | 2026-05-13 | 5.4 Medium |
| Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broadstreet Ads: from n/a through <= 1.52.2. | ||||
| CVE-2025-14755 | 2 Stylemixthemes, Wordpress | 2 Cost Calculator Builder, Wordpress | 2026-05-13 | 5.3 Medium |
| The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccb_woocommerce_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the renderWooCommercePayment() function passing user-controlled data directly to CCBWooCheckout::init() without authorization checks. This makes it possible for unauthenticated attackers to add WooCommerce products to their cart with attacker-controlled prices. | ||||
| CVE-2026-7051 | 2 Pr-gateway, Wordpress | 2 Blog2social: Social Media Auto Post & Scheduler, Wordpress | 2026-05-13 | 5.4 Medium |
| The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2S_Post_Tools::deleteUserPublishPost() and B2S_Post_Tools::deleteUserSchedPost() functions, neither function includes a blog_user_id constraint in its database query, allowing authenticated attackers to soft-delete any user's B2S post records by supplying arbitrary sequential wp_b2s_posts.id values via the 'postId' parameter. This makes it possible for authenticated attackers to delete other users' published and scheduled social media post records, disrupting content publishing workflows. | ||||
| CVE-2026-25431 | 2 Wordpress, Wpmudev | 2 Wordpress, Hustle | 2026-05-13 | 5.3 Medium |
| Missing Authorization vulnerability in WPMU DEV Hustle allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hustle: through 7.8.10.1. | ||||
| CVE-2026-44010 | 1 Craftcms | 1 Craftcms | 2026-05-13 | N/A |
| Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18. | ||||
| CVE-2026-20696 | 1 Apple | 1 Macos | 2026-05-13 | 5.5 Medium |
| An authorization issue was addressed with improved state management. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data. | ||||
| CVE-2026-42541 | 1 Kubewarden | 1 Kubewarden-controller | 2026-05-12 | 4.3 Medium |
| Kubewarden is a policy engine for Kubernetes. Prior to , An attacker with privileged AdmissionPolicy or AdmissionPolicyGroup create permissions (which isn't the default) can craft a policy that makes use of the can_i host callback. The callback issues a SubjectAccessReview (SAR) requests to enumerate RBAC permissions of any user or service account across the cluster. can_i does not perform that check to enforce the context-aware allow-list and forwards the request directly to the callback handler, which executes a real SubjectAccessReview using policy-server privileges. This creates a policy-level authorization gap: can_i is effectively usable even when the policy has no context-aware resource grant. This is an information disclosure / reconnaissance issue, and not direct workload data exfiltration. The attacker learns permission information, such as whether specific service accounts can "get secrets", "create pods", or "bind clusterroles" in chosen namespaces. This vulnerability is fixed in . | ||||