Export limit exceeded: 10815 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 13912 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 17842 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 21579 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10566 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10566 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-4468 | 1 Salonbookingsystem | 1 Salon Booking System | 2026-04-08 | 4.3 Medium |
| The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber access or higher to modify plugin settings and view discount codes intended for other users. | ||||
| CVE-2024-4445 | 1 Wpcompress | 1 Wp Compress | 2026-04-08 | 6.5 Medium |
| The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit plugin settings, including storing cross-site scripting, in multisite environments. | ||||
| CVE-2024-4351 | 1 Themeum | 1 Tutor Lms | 2026-04-08 | 8.8 High |
| The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to gain control of an existing administrator account. | ||||
| CVE-2024-4222 | 1 Themeum | 1 Tutor Lms | 2026-04-08 | 7.3 High |
| The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options. | ||||
| CVE-2024-3961 | 1 Convertkit | 1 Convertkit - Email Marketing\, Email Newsletter And Landing Pages | 2026-04-08 | 5.3 Medium |
| The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to subscribe users to tags. Financial damages may occur to site owners if their API quota is exceeded. | ||||
| CVE-2024-3942 | 1 Stylemixthemes | 1 Masterstudy Lms | 2026-04-08 | 6.3 Medium |
| The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on several functions in versions up to, and including, 3.3.8. This makes it possible for authenticated attackers, with subscriber level permissions and above, to read and modify content such as course questions, post titles, and taxonomies. | ||||
| CVE-2024-3895 | 1 Androidbubbles | 1 Wp Datepicker | 2026-04-08 | 8.8 High |
| The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdp_add_new_datepicker_ajax() function in all versions up to, and including, 2.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options that can be used for privilege escalation. This was partially patched in 2.0.9 and 2.1.0, and fully patched in 2.1.1. | ||||
| CVE-2024-3869 | 1 Cusrev | 1 Customer Reviews For Woocommerce | 2026-04-08 | 4.3 Medium |
| The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'woocommerce_json_search_coupons' function . This makes it possible for attackers with subscriber level access to view coupon codes. | ||||
| CVE-2024-3711 | 1 Brizy | 1 Brizy | 2026-04-08 | 4.3 Medium |
| The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access or above, to enable/disable the Brizy editor and modify the template used. | ||||
| CVE-2024-3610 | 1 Wensolutions | 1 Wp Child Theme Generator | 2026-04-08 | 5.3 Medium |
| The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to create a blank child theme and activate it cause the site to whitescreen. | ||||
| CVE-2024-3599 | 1 Wpeka | 1 Wp Cookie Consent | 2026-04-08 | 5.3 Medium |
| The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the gdpr_policy_process_delete() function in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to delete arbitrary posts. | ||||
| CVE-2024-3243 | 2 Cusrev, Ivole | 2 Customer Reviews For Woocommerce, Customer Reviews For Woocommerce | 2026-04-08 | 4.3 Medium |
| The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 5.46.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary test emails. | ||||
| CVE-2024-3097 | 1 Imagely | 1 Nextgen Gallery | 2026-04-08 | 5.3 Medium |
| The WordPress Gallery Plugin – NextGEN Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_item function in versions up to, and including, 3.59. This makes it possible for unauthenticated attackers to extract sensitive data including EXIF and other metadata of any image uploaded through the plugin. | ||||
| CVE-2024-2619 | 1 Brainstormforce | 1 Elementor Header \& Footer Builder | 2026-04-08 | 5 Medium |
| The Elementor Header & Footer Builder for WordPress is vulnerable to HTML Injection in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary HTML in pages that will be shown whenever a user accesses an injected page. | ||||
| CVE-2024-2543 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2026-04-08 | 4.3 Medium |
| The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_uri_editor' function in all versions up to, and including, 2.4.3.1. This makes it possible for unauthenticated attackers to view the permalinks of all posts. | ||||
| CVE-2024-2538 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2026-04-08 | 5.4 Medium |
| The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts. | ||||
| CVE-2024-2395 | 2 Autopolis, Autopolisbs | 2 Bulgarisation For Woocommerce, Bulgarisation For Woocommerce | 2026-04-08 | 7.3 High |
| The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.14. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to generate and delete labels via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-2298 | 1 Servit | 1 Affiliate-toolkit | 2026-04-08 | 4.3 Medium |
| The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_import_product() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating importing products. | ||||
| CVE-2024-2107 | 1 Blossomthemes | 1 Blossom Spa | 2026-04-08 | 5.8 Medium |
| The Blossom Spa theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.3 via generated source. This makes it possible for unauthenticated attackers to extract sensitive data including contents of password-protected or scheduled posts. | ||||
| CVE-2024-2043 | 1 Theinnovs | 1 Eleforms | 2026-04-08 | 5.3 Medium |
| The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when downloading form submissions in all versions up to, and including, 2.9.9.7. This makes it possible for unauthenticated attackers to view form submissions. | ||||