Total
7711 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3567 | 2 Sweetdaisy86, Wordpress | 2 Repairbuddy – Repair Shop Crm & Booking Plugin For Wordpress, Wordpress | 2026-04-08 | 5.3 Medium |
| The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the wc_rb_get_fresh_nonce() function (registered via wp_ajax and wp_ajax_nopriv hooks) allows any user to generate a valid WordPress nonce for any arbitrary action name by simply providing the nonce_name parameter, with no capability checks. Second, the wc_rep_shop_settings_submission() function only verifies the nonce (wcrb_main_setting_nonce) but performs no current_user_can() capability check before updating 15+ plugin options via update_option(). This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin configuration settings including business name, email, logo, menu label, GDPR settings, and more by first minting a valid nonce via the wc_rb_get_fresh_nonce endpoint and then calling the settings submission handler. | ||||
| CVE-2024-1904 | 1 Stylemixthemes | 1 Masterstudy Lms | 2026-04-08 | 4.3 Medium |
| The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the search_posts function in all versions up to, and including, 3.2.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose draft post titles and excerpts. | ||||
| CVE-2024-1870 | 1 Extendthemes | 1 Colibri Page Builder | 2026-04-08 | 4.3 Medium |
| The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key. | ||||
| CVE-2024-1843 | 1 Flamescorpion | 1 Auto Affiliate Links | 2026-04-08 | 4.3 Medium |
| The Auto Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the aalAddLink function in all versions up to, and including, 6.4.3. This makes it possible for authenticated attackers, with subscriber access or higher, to add arbitrary links to posts. | ||||
| CVE-2024-1804 | 1 Themeum | 1 Tutor Lms - Migration Tool | 2026-04-08 | 4.3 Medium |
| The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tutor_import_from_xml function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to import courses. | ||||
| CVE-2024-1798 | 1 Themeum | 2 Tutor Lms - Migration Tool, Tutorlms-migrationtool | 2026-04-08 | 5.3 Medium |
| The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the tutor_lp_export_xml function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to export courses, including private and password protected courses. | ||||
| CVE-2024-1771 | 1 Hashthemes | 1 Total | 2026-04-08 | 4.3 Medium |
| The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage. | ||||
| CVE-2024-1733 | 2 Charlestsmith, Pdfcrowd | 2 Word Replacer Pro, Word Replacer Pro | 2026-04-08 | 5.3 Medium |
| The Word Replacer Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the word_replacer_ultra() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update arbitrary content on the affected WordPress site. | ||||
| CVE-2024-1710 | 2 Unitecms, Unlimited-elements | 2 Addon Library, Addon Library | 2026-04-08 | 8.8 High |
| The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the onAjaxAction function action in all versions up to, and including, 1.3.76. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions including uploading arbitrary files. | ||||
| CVE-2024-1690 | 1 Standalonetech | 1 Terawallet | 2026-04-08 | 4.3 Medium |
| The TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the terawallet_export_user_search() function in all versions up to, and including, 1.4.10. This makes it possible for authenticated attackers, with subscriber-level access and above, to export a list of registered users and their emails. | ||||
| CVE-2024-1687 | 1 Villatheme | 1 Woocommerce Thank You Page Customizer | 2026-04-08 | 5.4 Medium |
| The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to unauthorized execution of shortcodes due to a missing capability check on the get_text_editor_content() function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes. | ||||
| CVE-2024-1686 | 1 Villatheme | 1 Woocommerce Thank You Page Customizer | 2026-04-08 | 4.3 Medium |
| The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to missing authorization e in all versions up to, and including, 1.1.2 via the apply_layout function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve arbitrary order data which may contain PII. | ||||
| CVE-2024-1584 | 1 Analytify | 1 Analytify - Google Analytics Dashboard | 2026-04-08 | 5.3 Medium |
| The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpa_check_authentication' function in all versions up to, and including, 5.2.1. This makes it possible for unauthenticated attackers to modify the site's Google Analytics tracking ID. | ||||
| CVE-2024-1390 | 1 Cozmoslabs | 1 Membership \& Content Restriction - Paid Member Subscriptions | 2026-04-08 | 4.3 Medium |
| The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables. | ||||
| CVE-2024-1370 | 2 Themegrill, Wordpress | 2 Maintenance Page, Wordpress | 2026-04-08 | 5.3 Medium |
| The Maintenance Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the subscribe_download function hooked via AJAX action in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with subscriber access or higher, to download a csv containing subscriber emails. | ||||
| CVE-2024-1337 | 2 Sktthemes, Wordpress | 2 Skt Templates, Wordpress | 2026-04-08 | 4.3 Medium |
| The SKT Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveSktbuilderPageData' function in all versions up to, and including, 4.1. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary content into pages. | ||||
| CVE-2024-1318 | 1 Themeisle | 1 Rss Aggregator By Feedzy | 2026-04-08 | 6.5 Medium |
| The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'feedzy_wizard_step_process' and 'import_status' functions in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with Contributor access and above, who are normally restricted to only being able to create posts rather than pages, to draft and publish posts with arbitrary content. | ||||
| CVE-2024-1178 | 1 Themeboy | 1 Sportspress | 2026-04-08 | 5.3 Medium |
| The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings_save() function in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to update the permalink structure for the clubs | ||||
| CVE-2024-1176 | 1 Hasthemes | 2 Ht Easy Ga4, Ht Easy Ga4 \(google Analytics 4\) | 2026-04-08 | 5.3 Medium |
| The HT Easy GA4 – Google Analytics WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the login() function in all versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to update the email associated through the plugin with GA4. | ||||
| CVE-2024-1158 | 1 Themekraft | 1 Buddyforms | 2026-04-08 | 4.3 Medium |
| The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buddyforms_new_page function in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber access or higher, to create pages with arbitrary titles. These pages are published. | ||||