| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions. |
| Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions. |
| Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions. |
| Unauthenticated SQL Injection in JS Help Desk <= 3.0.9 versions. |
| Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions. |
| Subscriber Privilege Escalation in Amelia <= 2.3 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions. |
| Unauthenticated Privilege Escalation in Listdom <= 5.5.0 versions. |
| Unauthenticated Sensitive Data Exposure in Conekta Payment Gateway <= 6.0.0 versions. |
| Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions. |
| Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions. |
| Subscriber Sensitive Data Exposure in Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons <= 1.4.8 versions. |
| Customer Privilege Escalation in Dokan <= 5.0.2 versions. |
| Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions. |
| Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions. |
| Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions. |
| Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions. |
| The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax. |