| 2025-05-02 | CVE-2025-1327 | Authorization Bypass Through User-Controlled Key vulnerability in Favethemes Homey
The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. | 4.3 |
| 2025-05-01 | CVE-2025-3874 | Authorization Bypass Through User-Controlled Key vulnerability in Tipsandtricks-Hq Wordpress Simple Paypal Shopping Cart
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. | 6.5 |
| 2025-05-01 | CVE-2025-3889 | Authorization Bypass Through User-Controlled Key vulnerability in Tipsandtricks-Hq Wordpress Simple Paypal Shopping Cart
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data' due to missing validation on a user controlled key. | 5.3 |
| 2025-04-24 | CVE-2025-1284 | The Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xc_woo_printer_preview AJAX action due to missing validation on a user controlled key. | 4.3 |
| 2025-04-12 | CVE-2025-3282 | The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_membership_register_member() due to missing validation on the 'membership_id' user controlled key. | 5.3 |
| 2025-04-12 | CVE-2025-3292 | The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_update_profile_details() due to missing validation on the 'user_id' user controlled key. | 4.3 |
| 2025-04-08 | CVE-2025-2526 | The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. | 8.8 |
| 2025-03-20 | CVE-2024-13558 | Authorization Bypass Through User-Controlled Key vulnerability in Neahplugins NP Quote Request for Woocommerce
The NP Quote Request for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.179 due to missing validation on a user controlled key. | 5.3 |
| 2025-03-15 | CVE-2025-1667 | Authorization Bypass Through User-Controlled Key vulnerability in Igexsolutions Wpschoolpress
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. | 4.3 |
| 2025-03-14 | CVE-2024-13407 | Authorization Bypass Through User-Controlled Key vulnerability in Omnipressteam Omnipress
The Omnipress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.5.4 via the megamenu block due to insufficient restrictions on which posts can be included. | 6.5 |