Total: 6614 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-24636 | | | 2026-01-26 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Syed Balkhi Sugar Calendar (Lite) sugar-calendar-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sugar Calendar (Lite): from n/a through <= 3.10.1. | |||||
| CVE-2026-24607 | | | 2026-01-26 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Monster: from n/a through <= 1.3.3. | |||||
| CVE-2025-15516 | | | 2026-01-26 | N/A | 4.3 MEDIUM |
| The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account. | |||||
| CVE-2025-14947 | | | 2026-01-26 | N/A | 6.5 MEDIUM |
| The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates. | |||||
| CVE-2025-14843 | | | 2026-01-26 | N/A | 5.3 MEDIUM |
| The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID. | |||||
| CVE-2025-14629 | | | 2026-01-26 | N/A | 5.3 MEDIUM |
| The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments. | |||||
| CVE-2025-14609 | | | 2026-01-26 | N/A | 5.3 MEDIUM |
| The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possible for unauthenticated attackers to access sensitive analytics data including administrator usernames, login timestamps, visitor tracking information, and business intelligence data via the 'name' parameter granted they can send unauthenticated requests. | |||||
| CVE-2026-0593 | | | 2026-01-26 | N/A | 5.3 MEDIUM |
| The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings. | |||||
| CVE-2026-1103 | | | 2026-01-26 | N/A | 5.4 MEDIUM |
| The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator. | |||||
| CVE-2025-70983 | | | 2026-01-26 | N/A | 9.9 CRITICAL |
| Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges. | |||||
| CVE-2026-0687 | | | 2026-01-26 | N/A | 4.3 MEDIUM |
| The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to create and publish galleries. | |||||
| CVE-2023-47762 | 1 Wpdeveloper | 1 Betterdocs | 2026-01-23 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in WPDeveloper BetterDocs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BetterDocs: from n/a through 2.5.2. | |||||
| CVE-2025-30880 | 1 Joomsky | 1 Js Help Desk | 2026-01-23 | N/A | 7.5 HIGH |
| Missing Authorization vulnerability in JoomSky JS Help Desk allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Help Desk: from n/a through 2.9.2. | |||||
| CVE-2025-31868 | 1 Joomsky | 1 Js Job Manager | 2026-01-23 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in JoomSky JS Job Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Job Manager: from n/a through 2.0.2. | |||||
| CVE-2022-46838 | 1 Joomsky | 1 Js Help Desk | 2026-01-23 | N/A | 9.1 CRITICAL |
| Missing Authorization vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1. | |||||
| CVE-2022-46840 | 1 Joomsky | 1 Js Help Desk | 2026-01-23 | N/A | 5.4 MEDIUM |
| Missing Authorization vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1. | |||||
| CVE-2022-47176 | 1 Averta | 1 Depicter Slider | 2026-01-23 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Depicter Slider and Popup by Averta Depicter Slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Depicter Slider: from n/a through 1.9.0. | |||||
| CVE-2023-44258 | 1 Schemaapp | 1 Schema App Structured Data | 2026-01-23 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in Schema App Schema App Structured Data allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Schema App Structured Data: from n/a through 1.23.1. | |||||
| CVE-2023-45104 | 1 Wpdeveloper | 1 Betterlinks | 2026-01-23 | N/A | 7.3 HIGH |
| Missing Authorization vulnerability in WPDeveloper BetterLinks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BetterLinks: from n/a through 1.6.0. | |||||
| CVE-2023-47179 | 1 Byconsole | 1 Wooodt Lite | 2026-01-23 | N/A | 8.8 HIGH |
| Missing Authorization vulnerability in ByConsole WooODT Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooODT Lite: from n/a through 2.4.6. | |||||
