Search Results (8426 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-12432 2 Themeisle, Wordpress 2 Stripe Payment Forms By Wp Full Pay – Accept Credit Card Payments, Donations & Subscriptions, Wordpress 2026-06-29 5.3 Medium
The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values.
CVE-2026-3462 2 Reepaydenmark, Wordpress 2 Frisbii Pay, Wordpress 2026-06-29 6.5 Medium
The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.
CVE-2026-24547 2 Siteground, Wordpress 2 Email-marketing, Wordpress 2026-06-29 5.3 Medium
Unauthenticated Broken Access Control in SiteGround Email Marketing <= 1.7.5 versions.
CVE-2026-54832 2 Jegstudio, Wordpress 2 Gutenverse, Wordpress 2026-06-29 7.5 High
Unauthenticated Broken Access Control in Gutenverse Companion <= 2.5.0 versions.
CVE-2026-54840 2 Tribulant, Wordpress 2 Newsletters, Wordpress 2026-06-29 7.3 High
Unauthenticated Broken Access Control in Newsletters <= 4.13 versions.
CVE-2026-57632 2 Omnisend, Wordpress 2 Email Marketing For Woocommerce, Wordpress 2026-06-29 5.4 Medium
Subscriber Broken Access Control in Email Marketing for WooCommerce by Omnisend <= 1.19.0 versions.
CVE-2026-57640 2 Stylemixthemes, Wordpress 2 Masterstudy Lms, Wordpress 2026-06-29 4.3 Medium
Subscriber Broken Access Control in MasterStudy LMS <= 3.7.30 versions.
CVE-2026-57645 2 Tribulant, Wordpress 2 Newsletters, Wordpress 2026-06-29 8.1 High
newsletters_subscribers Broken Access Control in Newsletters <= 4.13 versions.
CVE-2026-57649 2 Studiowombat, Wordpress 2 Shoppable Images, Wordpress 2026-06-29 4.3 Medium
Subscriber Broken Access Control in Shoppable Images Lite <= 1.3 versions.
CVE-2026-57660 2 Magepeople, Wordpress 2 Booking & Rental Manager, Wordpress 2026-06-29 5.3 Medium
Unauthenticated Broken Access Control in Booking and Rental Manager <= 2.7.1 versions.
CVE-2026-12404 2 Webaways, Wordpress 2 Nex-forms-ultimate-forms-plugin, Wordpress 2026-06-29 5.3 Medium
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to enumerate sequential report IDs and download complete form submission data — including names, email addresses, phone numbers, postal addresses, payment details, and uploaded file paths — for any saved report on the site.
CVE-2026-9233 2 Expresstech, Wordpress 2 Quiz And Survey Master (qsm) – Easy Quiz And Survey Maker, Wordpress 2026-06-29 4.3 Medium
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create, modify, and delete quiz output templates stored in the mlw_quiz_output_templates database table, including storing unsanitized HTML content such as arbitrary script tags.
CVE-2026-57949 2026-06-29 6.5 Medium
ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this by sending requests with arbitrary ID parameters to access other users' follow-up notes, file attachments, scheduling information, and business entity references without proper authorization checks.
CVE-2026-57946 2026-06-29 3.7 Low
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.
CVE-2026-57952 2026-06-29 5.3 Medium
Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in one operation can invoke these endpoints with a known payload UUID from another operation to access that operation's C2 profile configuration including encryption keys and callback parameters.
CVE-2026-27366 2 Mainwp, Wordpress 2 Mainwp Child, Wordpress 2026-06-29 7.5 High
Unauthenticated Broken Access Control in MainWP Child <= 6.1.1 versions.
CVE-2026-54830 2 Etoile Web Design Incorporated, Wordpress 2 Five Star Restaurant Reservations, Wordpress 2026-06-29 7.5 High
Unauthenticated Broken Access Control in Five Star Restaurant Reservations <= 2.7.19 versions.
CVE-2026-54844 2 Checkview, Wordpress 2 Checkview Automated Testing, Wordpress 2026-06-29 7.5 High
Unauthenticated Broken Access Control in CheckView Automated Testing <= 2.1.0 versions.
CVE-2026-57339 2026-06-29 6.6 Medium
Unauthenticated Broken Access Control in Business Directory <= 6.4.23 versions.
CVE-2026-55189 1 Rustfs 1 Rustfs 2026-06-29 7.7 High
RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the entire HTTP S3 path) use. As a result, any user who can authenticate to the FTP listener — including a user whose IAM policy contains an explicit Deny on s3:GetObject — can read (RETR) and stat (SIZE/MDTM) any object in any bucket, and probe any bucket (CWD), completely regardless of their IAM policy. This vulnerability is fixed in 1.0.0-beta.9.