Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (7903 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-3358 2 Themeum, Wordpress 2 Tutor Lms – Elearning And Online Course Solution, Wordpress 2026-04-24 5.4 Medium
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability.
CVE-2025-68025 2 Addonify, Wordpress 2 Addonify Floating Cart For Woocommerce, Wordpress 2026-04-24 6.5 Medium
Missing Authorization vulnerability in Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify Floating Cart For WooCommerce: from n/a through <= 1.2.17.
CVE-2025-68028 2 Passionate Brains, Wordpress 2 Ga4wp: Google Analytics For Wordpress, Wordpress 2026-04-24 6.5 Medium
Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0.
CVE-2025-68032 2 Passionate Brains, Wordpress 2 Advanced Wc Analytics, Wordpress 2026-04-24 6.5 Medium
Missing Authorization vulnerability in Passionate Brains Advanced WC Analytics advance-wc-analytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced WC Analytics: from n/a through <= 3.19.0.
CVE-2025-68069 2 Wordpress, Wpwax 2 Wordpress, Directorist 2026-04-24 7.1 High
Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.6.6.
CVE-2025-68534 2 Add-ons.org, Wordpress 2 Pdf For Wpforms, Wordpress 2026-04-24 6.5 Medium
Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for WPForms: from n/a through <= 6.3.0.
CVE-2025-68837 2 Elextensions, Wordpress 2 Elex Wordpress Helpdesk & Customer Ticketing System, Wordpress 2026-04-24 6.5 Medium
Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through <= 3.3.5.
CVE-2025-69063 2 Saad Iqbal, Wordpress 2 New User Approve, Wordpress 2026-04-24 8.6 High
Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through <= 3.2.0.
CVE-2025-69298 2 Ghostpool, Wordpress 2 Gauge, Wordpress 2026-04-24 7.5 High
Missing Authorization vulnerability in GhostPool Gauge gauge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gauge: from n/a through <= 6.56.4.
CVE-2025-69303 2 Modeltheme, Wordpress 2 Modeltheme Framework, Wordpress 2026-04-24 7.5 High
Missing Authorization vulnerability in modeltheme ModelTheme Framework modeltheme-framework allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ModelTheme Framework: from n/a through < 2.0.0.
CVE-2025-69393 2 Jthemes, Wordpress 2 Exzo, Wordpress 2026-04-24 7.5 High
Missing Authorization vulnerability in Jthemes Exzo exzo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Exzo: from n/a through <= 1.2.4.
CVE-2026-22350 2 Add-ons.org, Wordpress 2 Pdf For Elementor Forms + Drag And Drop Template Builder, Wordpress 2026-04-24 6.5 Medium
Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1.
CVE-2026-22351 2 Marcus (aka @msykes), Wordpress 2 Wp Fullcalendar, Wordpress 2026-04-24 7.5 High
Missing Authorization vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP FullCalendar: from n/a through <= 1.6.
CVE-2025-69340 2 Buddhathemes, Wordpress 2 Wedesigntech Ultimate Booking Addon, Wordpress 2026-04-24 7.5 High
Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3.
CVE-2026-22459 2 Blend Media, Wordpress 2 Wordpress Cta, Wordpress 2026-04-24 6.5 Medium
Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a through <= 2.1.2.
CVE-2026-23799 2 Themeum, Wordpress 2 Tutor Lms, Wordpress 2026-04-24 6.5 Medium
Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.5.
CVE-2026-27344 2 Inseriswiss, Wordpress 2 Inseri Core, Wordpress 2026-04-24 5.9 Medium
Missing Authorization vulnerability in inseriswiss inseri core inseri-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects inseri core: from n/a through <= 1.0.5.
CVE-2026-27386 2 Designthemes, Wordpress 2 Designthemes Directory Addon, Wordpress 2026-04-24 7.5 High
Missing Authorization vulnerability in designthemes DesignThemes Directory Addon designthemes-directory-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes Directory Addon: from n/a through <= 1.8.
CVE-2026-28038 2 Brainstormforce, Wordpress 2 Ultimate Addons For Wpbakery Page Builder, Wordpress 2026-04-24 6.5 Medium
Missing Authorization vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through <= 3.21.1.
CVE-2026-22683 3 Nextcloud, Windmill, Windmill-labs 3 Flow, Windmill, Windmill 2026-04-24 8.8 High
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.