Total
7691 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12876 | 2 Projectopia, Wordpress | 2 Projectopia, Wordpress | 2026-04-15 | 5.3 Medium |
| The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete arbitrary attachments. | ||||
| CVE-2025-10184 | 2 Google, Oneplus | 2 Android, Oxygenos | 2026-04-15 | N/A |
| The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers. | ||||
| CVE-2025-10706 | 2 Cridio Studio, Wordpress | 2 Classifiedpro, Wordpress | 2026-04-15 | 8.8 High |
| The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwp_addons_update_plugin_cb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible. Note: The required nonce for the vulnerability is in the CubeWP Framework plugin. | ||||
| CVE-2024-3520 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Country State City Dropdown CF7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tc_csca_patch_settings function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber access and above, to add states or cities to the dropdown. | ||||
| CVE-2025-14581 | 2 Villatheme, Wordpress | 2 Happy, Wordpress | 2026-04-15 | 4.3 Medium |
| The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket. | ||||
| CVE-2025-13528 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Feedback Modal for Website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_export' function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to export all feedback data in CSV or JSON format via the 'export_data' parameter. | ||||
| CVE-2025-10637 | 2 Quadlayers, Wordpress | 2 Wp Social Feed Gallery, Wordpress | 2026-04-15 | 5.3 Medium |
| The Social Feed Gallery plugin for WordPress is vulnerable to Information Exposure in versions less than, or equal to, 4.9.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to exfiltrate Instagram profile and media data from any account the site owner connected to their site. | ||||
| CVE-2025-12891 | 2 Ays-pro, Wordpress | 2 Survey Maker, Wordpress | 2026-04-15 | 5.3 Medium |
| The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to view all survey submissions. | ||||
| CVE-2025-12845 | 2 Essekia, Wordpress | 2 Tablesome Table – Contact Form Db – Wpforms, Cf7, Gravity, Forminator, Fluent, Wordpress | 2026-04-15 | 8.8 High |
| The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve plugin table data that can expose email log information. Attackers can leverage this on sites where the table log is enabled in order to trigger a password reset and obtain the reset key. | ||||
| CVE-2025-49265 | 1 Wpswings | 1 Membership For Woocommerce | 2026-04-15 | N/A |
| Missing Authorization vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Membership For WooCommerce: from n/a through <= 2.8.1. | ||||
| CVE-2025-62754 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.1 Critical |
| Missing Authorization vulnerability in Kapil Paul Payment Gateway bKash for WC woo-payment-bkash allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Gateway bKash for WC: from n/a through <= 3.1.0. | ||||
| CVE-2025-11833 | 2 Saadiqbal, Wordpress | 2 Post Smtp, Wordpress | 2026-04-15 | 9.8 Critical |
| The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover. | ||||
| CVE-2025-48147 | 2026-04-15 | N/A | ||
| Missing Authorization vulnerability in Crypto Cloud CryptoCloud - Crypto Payment Gateway cryptocloud-crypto-payment-gateway allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CryptoCloud - Crypto Payment Gateway: from n/a through <= 2.1.2. | ||||
| CVE-2024-52395 | 1 Quantumcloud | 1 Floating Buttons | 2026-04-15 | N/A |
| Missing Authorization vulnerability in QuantumCloud Floating Buttons for WooCommerce shop-assistant-for-woocommerce-jarvis allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Floating Buttons for WooCommerce: from n/a through <= 2.8.8. | ||||
| CVE-2025-12937 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages. | ||||
| CVE-2025-47527 | 2026-04-15 | N/A | ||
| Missing Authorization vulnerability in Icegram Icegram Collect icegram-rainmaker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Icegram Collect: from n/a through <= 1.3.18. | ||||
| CVE-2025-67573 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in ThimPress Sailing sailing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sailing: from n/a through < 4.4.6. | ||||
| CVE-2025-13092 | 2 Ajitdas, Wordpress | 2 Devs Crm, Wordpress | 2026-04-15 | 5.3 Medium |
| The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes. | ||||
| CVE-2025-12849 | 2 Contest-gallery, Wordpress | 2 Contest Gallery, Wordpress | 2026-04-15 | 5.3 Medium |
| The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks or nonce verification. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments into galleries and manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files. | ||||
| CVE-2025-66069 | 3 Themeisle, Woocommerce, Wordpress | 3 Ppom For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in Themeisle PPOM for WooCommerce woocommerce-product-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PPOM for WooCommerce: from n/a through <= 33.0.16. | ||||