Total
7707 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-34903 | 2 Oceanwp, Wordpress | 2 Ocean Extra, Wordpress | 2026-04-08 | 5.4 Medium |
| Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ocean Extra: from n/a through 2.5.3. | ||||
| CVE-2026-3098 | 2 Nextendweb, Wordpress | 2 Smart Slider 3, Wordpress | 2026-04-08 | 6.5 Medium |
| The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2025-5835 | 2 Themeum, Wordpress | 2 Droip, Wordpress | 2026-04-08 | 8.8 High |
| The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more. | ||||
| CVE-2025-4179 | 1 Flynax | 1 Flynax Bridge | 2026-04-08 | 7.3 High |
| The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capability check on the registerUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to register new user accounts as authors. | ||||
| CVE-2025-4177 | 1 Flynax | 1 Flynax Bridge | 2026-04-08 | 5.3 Medium |
| The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users. | ||||
| CVE-2025-1668 | 1 Igexsolutions | 1 Wpschoolpress | 2026-04-08 | 4.3 Medium |
| The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpsp_DeleteUser() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to delete arbitrary user accounts. | ||||
| CVE-2025-1667 | 1 Igexsolutions | 1 Wpschoolpress | 2026-04-08 | 8.8 High |
| The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to update arbitrary user details including email which makes it possible to request a password reset and access arbitrary user accounts, including administrators. | ||||
| CVE-2024-9706 | 1 Rstheme | 2 Ultimate-coming-soon, Ultimate Coming Soon \& Maintenance | 2026-04-08 | 5.3 Medium |
| The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ucsm_activate_lite_template_lite function in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to change the template used for the coming soon / maintenance page. | ||||
| CVE-2024-9628 | 1 10web | 1 Wps Telegram Chat | 2026-04-08 | 6.3 Medium |
| The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::checkСonnection' function in versions up to, and including, 4.6.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it. | ||||
| CVE-2024-9587 | 1 Linkz.ai | 1 Linkz.ai | 2026-04-08 | 5.4 Medium |
| The Linkz.ai plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_linkz' function in versions up to, and including, 1.1.8. This makes it possible for authenticated attackers with contributor-level privileges or above, to update plugin settings. | ||||
| CVE-2024-9586 | 1 Linkz.ai | 1 Linkz.ai | 2026-04-08 | 6.5 Medium |
| The Linkz.ai plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_auth' and 'check_logout' functions in versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update plugin settings. | ||||
| CVE-2024-9067 | 1 Kainelabs | 1 Youzify | 2026-04-08 | 4.3 Medium |
| The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'delete_attachment' function in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments. | ||||
| CVE-2024-6590 | 1 Javmah | 1 Spreadsheet Integration | 2026-04-08 | 6.3 Medium |
| The Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table. plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 3.8.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit post status, edit Google sheet integrations, and create Google sheet integrations. | ||||
| CVE-2024-6012 | 1 Stylemixthemes | 1 Cost Calculator Builder | 2026-04-08 | 4.3 Medium |
| The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary posts and append arbitrary content to existing posts. | ||||
| CVE-2024-5860 | 1 Tickera | 1 Tickera | 2026-04-08 | 4.3 Medium |
| The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all tickets associated with events. | ||||
| CVE-2024-5770 | 1 Webfactoryltd | 1 Wp Force Ssl | 2026-04-08 | 4.2 Medium |
| The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_setting' function in versions up to, and including, 1.66. This makes it possible for authenticated attackers, subscriber-level permissions and above, to update the plugin settings. | ||||
| CVE-2024-5674 | 1 Newsletter | 1 Newsletter | 2026-04-08 | 6.5 Medium |
| The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running the PHP version below 8.0 | ||||
| CVE-2024-5654 | 1 Gsheetconnector | 1 Cf7 Google Sheets Connector | 2026-04-08 | 6.5 Medium |
| The CF7 Google Sheets Connector plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'execute_post_data_cg7_free' function in all versions up to, and including, 5.0.9. This makes it possible for unauthenticated attackers to toggle site configuration settings, including WP_DEBUG, WP_DEBUG_LOG, SCRIPT_DEBUG, and SAVEQUERIES. | ||||
| CVE-2024-5637 | 2 Anton Vanyukov, Vanyukov | 2 Market Exporter, Market Exporter | 2026-04-08 | 7.5 High |
| The Market Exporter plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'remove_files' function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use path traversal to delete arbitrary files on the server. | ||||
| CVE-2024-5607 | 1 Ninjateam | 1 Gdpr Ccpa Compliance \& Cookie Consent Banner | 2026-04-08 | 5.4 Medium |
| The GDPR CCPA Compliance & Cookie Consent Banner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions named ajaxUpdateSettings() in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings, update page content, send arbitrary emails and inject malicious web scripts. | ||||