5.4
CVE-2026-2879 - GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Over…
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST API endpoint. The method accepts a user-controlled post ID and…
6.4
CVE-2026-2257 - GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site S…
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user-controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to upd…
7.2
CVE-2026-3873 - Legacy built-in user account
Use of Hard-coded Credentials vulnerability in Avantra Avantra allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Avantra: before 25.3.0.
7.5
CVE-2026-2890 - Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via Pa…
The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent sta…
4.3
CVE-2026-1704 - Appointment Booking Calendar <= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff…
The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_…
7.5
CVE-2026-3045 - Appointment Booking Calendar <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Infor…
The Appointment Booking Calendar – Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to, and including, 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated user…
9.8
CVE-2026-3891 - Pix for WooCommerce <= 1.5.0 - Unauthenticated Arbitrary File Upload
The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated at…
6.9
CVE-2025-15515 -
The authentication mechanism for a specific feature in the EasyShare module contains a vulnerability. If specific conditions are met on a local network, it can cause data leakage.
6.4
CVE-2025-57849 - Fuse: privilege escalation via excessive /etc/passwd permissions
A container privilege escalation flaw was found in certain Fuse images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can …
6.4
CVE-2025-8766 - Noobaa-core: excessive permissions of /etc could lead to escalation of privilege in the noobaa-core…
A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, ev…