| CVE | Vendors | Products | Updated | CVSS v3.1 |
| Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions. |
| Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions. |
| Subscriber Broken Access Control in Ultra Addons for WPForms <= 1.0.11 versions. |
| Unauthenticated Broken Access Control in Redsys for WooCommerce Light <= 7.0.0 versions. |
| Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions. |
| Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions. |
| Subscriber Broken Access Control in Amelia <= 2.2 versions. |
| Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions. |
| Unauthenticated Broken Access Control in Salon booking system <= 10.30.25 versions. |
| Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions. |
| Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions. |
| Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions. |
| The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax. |
| Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions. |
| Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions. |
| Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions. |
| Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Metro Magazine: from n/a through 1.4.1. |
| Subscriber Arbitrary Content Deletion in Brikk <= 3.0.0 versions. |
| Subscriber Broken Access Control in Genemy <= 1.6.6 versions. |
| A Missing Authorization vulnerability in a GraphQL private API operation of the Google App Engine section of the Cloud Console allows an unauthenticated remote attacker to leak sensitive App Engine request logs from other projects using a specially crafted request.
This vulnerability was patched on 7 April 2026, and no customer action is needed. |