Search
Search Results (6 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-23693 | 2 Roxnor, Wordpress | 2 Elementskit Lite, Wordpress | 2026-02-25 | 10 Critical |
| ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site. | ||||
| CVE-2026-1925 | 2 Roxnor, Wordpress | 2 Emailkit – Email Customizer For Woocommerce & Wp, Wordpress | 2026-02-18 | 4.3 Medium |
| The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title of any post on the site, including posts, pages, and custom post types. | ||||
| CVE-2026-0633 | 3 Elementor, Roxnor, Wordpress | 3 Elementor, Metform Contact Form Survey Quiz Custom Form Builder For Elementor, Wordpress | 2026-01-26 | 3.7 Low |
| The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minutes). | ||||
| CVE-2025-10861 | 4 Popup Builder, Roxnor, Woocommerce and 1 more | 4 Popup Builder, Popup Builder, Woocommerce and 1 more | 2025-10-27 | 7.5 High |
| The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via the URL parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, as well as conduct network reconnaissance. The vulnerability was partially patched in version 2.1.4. | ||||
| CVE-2025-11888 | 4 Elementor, Roxnor, Woocommerce and 1 more | 4 Elementor, Shopengine Elementor Woocommerce Builder Addon, Woocommerce and 1 more | 2025-10-27 | 2.7 Low |
| The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses. | ||||
| CVE-2025-10173 | 4 Elementor, Roxnor, Woocommerce and 1 more | 4 Elementor, Shopengine Elementor Woocommerce Builder Addon, Woocommerce and 1 more | 2025-09-26 | 2.7 Low |
| The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings. | ||||
Page 1 of 1.