Total
6399 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11877 | 2 Solwininfotech, Wordpress | 2 User Activity Log, Wordpress | 2026-01-08 | 7.5 High |
| The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. | ||||
| CVE-2025-13766 | 2 Stylemix, Wordpress | 2 Masterstudy Lms Wordpress Plugin, Wordpress | 2026-01-08 | 5.4 Medium |
| The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates | ||||
| CVE-2025-13812 | 2 Gamipress, Wordpress | 2 Gamipress, Wordpress | 2026-01-08 | 4.3 Medium |
| The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts. | ||||
| CVE-2025-13964 | 2 Thimpress, Wordpress | 2 Learnpress, Wordpress | 2026-01-08 | 5.3 Medium |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items. | ||||
| CVE-2025-14034 | 3 Ilghera, Woocommerce, Wordpress | 3 Woocommerce Support System, Woocommerce, Wordpress | 2026-01-08 | 5.3 Medium |
| The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status. | ||||
| CVE-2025-14371 | 2 Taxopress, Wordpress | 2 Taxopress, Wordpress | 2026-01-08 | 4.3 Medium |
| The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to add or remove taxonomy terms (tags, categories) on any post, including ones they do not own. | ||||
| CVE-2025-5919 | 2 Arraytics, Wordpress | 2 Appointment Booking Calendar, Wordpress | 2026-01-08 | 6.5 Medium |
| The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details. | ||||
| CVE-2025-69327 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 4.3 Medium |
| Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.0.9. | ||||
| CVE-2025-69331 | 2 Jeroen Schmit, Wordpress | 2 Theater For Wordpress, Wordpress | 2026-01-08 | 4.3 Medium |
| Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.19. | ||||
| CVE-2025-69336 | 2 Bdthemes, Wordpress | 2 Utlimate Store Kit Elementor Addons, Wordpress | 2026-01-08 | 4.3 Medium |
| Missing Authorization vulnerability in bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Store Kit Elementor Addons: from n/a through <= 2.9.4. | ||||
| CVE-2025-69341 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 5.4 Medium |
| Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3. | ||||
| CVE-2025-69346 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 5.4 Medium |
| Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AffiliateX: from n/a through <= 1.3.9.3. | ||||
| CVE-2025-69348 | 2 Coolhappy, Wordpress | 2 The Events Calendar Countdown Addon, Wordpress | 2026-01-08 | 5.4 Medium |
| Missing Authorization vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.15. | ||||
| CVE-2025-69349 | 2 Fahadmahmood, Wordpress | 2 Rss Feed Widget, Wordpress | 2026-01-08 | 5.4 Medium |
| Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RSS Feed Widget: from n/a through <= 3.0.2. | ||||
| CVE-2025-69353 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 5.4 Medium |
| Missing Authorization vulnerability in Proxy & VPN Blocker Proxy & VPN Blocker proxy-vpn-blocker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Proxy & VPN Blocker: from n/a through <= 3.5.3. | ||||
| CVE-2025-69354 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 5.4 Medium |
| Missing Authorization vulnerability in BBR Plugins Better Business Reviews better-business-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Better Business Reviews: from n/a through <= 0.1.1. | ||||
| CVE-2025-69361 | 2 Publishpress, Wordpress | 2 Post Expirator, Wordpress | 2026-01-08 | N/A |
| Missing Authorization vulnerability in PublishPress Post Expirator post-expirator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Expirator: from n/a through <= 4.9.3. | ||||
| CVE-2025-69363 | 2 Cyberchimps, Wordpress | 2 Responsive Addons For Elementor, Wordpress | 2026-01-08 | N/A |
| Missing Authorization vulnerability in CyberChimps Responsive Addons for Elementor responsive-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Addons for Elementor: from n/a through <= 2.0.8. | ||||
| CVE-2026-0656 | 2 Ipaymu, Wordpress | 2 Payment Gateway For Woocommerce, Wordpress | 2026-01-08 | 8.2 High |
| The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products. | ||||
| CVE-2026-0628 | 1 Google | 1 Chrome | 2026-01-08 | 8.8 High |
| Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High) | ||||