Search Results (8204 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-2381 2 Woocommerce, Wordpress 2 Stripe Payment Gateway, Wordpress 2026-06-16 6.5 Medium
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.
CVE-2026-42851 1 Kovidgoyal 1 Kitty 2026-06-16 7.8 High
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue.
CVE-2026-39513 2 Easy-appointments, Wordpress 2 Easy Appointments, Wordpress 2026-06-16 7.5 High
Unauthenticated Broken Access Control in Easy Appointments <= 3.12.21 versions.
CVE-2026-39525 2026-06-16 6.5 Medium
Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions.
CVE-2026-10831 2026-06-16 N/A
A denial-of-service vulnerability exists in NPort devices because of improper access control on the command port. The command interface does not properly validate whether a sender is associated with a valid data port session before accepting break signal commands. A remote attacker with network access can send crafted requests to disrupt serial communication for an active user session.
CVE-2026-48881 2 Themetechmount, Wordpress 2 Truebooker, Wordpress 2026-06-16 9.1 Critical
Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions.
CVE-2025-14272 2026-06-16 N/A
A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions.
CVE-2026-39594 2026-06-16 6.4 Medium
Subscriber Broken Access Control in Ultra Addons for WPForms <= 1.0.11 versions.
CVE-2026-48835 2026-06-16 7.5 High
Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.
CVE-2026-40809 2026-06-16 6.5 Medium
Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1.
CVE-2026-54190 2026-06-16 6.5 Medium
Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions.
CVE-2026-25440 2 Wordpress, Wpdeveloper 2 Wordpress, Essential Addons For Elementor 2026-06-16 5.3 Medium
Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions.
CVE-2025-68045 2026-06-16 7.5 High
Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions.
CVE-2026-39534 2026-06-16 7.5 High
Unauthenticated Broken Access Control in WP Directory Kit <= 1.5.0 versions.
CVE-2026-39524 2026-06-16 7.5 High
Unauthenticated Broken Access Control in Masteriyo - LMS <= 2.1.5 versions.
CVE-2026-39503 2 Awesomemotive, Wordpress 2 Easy Digital Downloads, Wordpress 2026-06-16 7.5 High
Unauthenticated Broken Access Control in Easy Digital Downloads <= 3.6.5 versions.
CVE-2026-39515 2026-06-16 6.5 Medium
Subscriber Broken Access Control in Motors < 1.4.107 versions.
CVE-2026-48873 2 Montonio, Wordpress 2 Montonio For Woocommerce, Wordpress 2026-06-16 7.5 High
Unauthenticated Broken Access Control in Montonio for WooCommerce <= 10.1.2 versions.
CVE-2026-38329 2026-06-16 9.8 Critical
Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server.
CVE-2026-40775 2026-06-16 7.3 High
Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions.