Total
6163 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-30398 | 1 Microsoft | 3 Nuance Powerscribe, Nuance Powerscribe 360, Nuance Powerscribe One | 2025-12-09 | 8.1 High |
| Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2025-42891 | 1 Sap | 1 Enterprise Search For Abap | 2025-12-09 | 5.5 Medium |
| Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on data integrity. There is no impact on application's availability. | ||||
| CVE-2025-48600 | 1 Google | 1 Android | 2025-12-09 | 5.5 Medium |
| In multiple files, there is a possible way to reveal information across users due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-12577 | 2 Passionui, Wordpress | 2 Listar, Wordpress | 2025-12-08 | 4.3 Medium |
| The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/listar/v1/place/save' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update listing details. | ||||
| CVE-2025-12091 | 3 Instantsearchplus, Woocommerce, Wordpress | 3 Search,filters&merchandising For Woocommerce, Woocommerce, Wordpress | 2025-12-08 | 4.3 Medium |
| The Search, Filters & Merchandising for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcis_save_email' endpoint in all versions up to, and including, 3.0.63. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin. | ||||
| CVE-2025-13309 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 4.3 Medium |
| The Accessiy By CodeConfig Accessibility – Easy One-Click Accessibility Toolbar That Truly Matters plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers with subscriber-level access and above to modify the plugin’s global accessibility settings. | ||||
| CVE-2025-13358 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 5.3 Medium |
| The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action. | ||||
| CVE-2025-13666 | 2 Helloprint, Wordpress | 2 Helloprint, Wordpress | 2025-12-08 | 5.3 Medium |
| The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID. | ||||
| CVE-2025-12574 | 2 Passionui, Wordpress | 2 Listar, Wordpress | 2025-12-08 | 4.3 Medium |
| The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts. | ||||
| CVE-2025-12721 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 5.3 Medium |
| The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /server_status REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the server. | ||||
| CVE-2025-48608 | 1 Google | 1 Android | 2025-12-08 | 5.5 Medium |
| In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-5317 | 2 Apple, Bitdefender | 3 Macos, Endpoint Security, Endpoint Security Tools | 2025-12-08 | 5.5 Medium |
| An improper access restriction to a folder in Bitdefender Endpoint Security Tools for Mac (BEST) before 7.20.52.200087 allows local users with administrative privileges to bypass the configured uninstall password protection. An unauthorized user with sudo privileges can manually remove the application directory (/Applications/Endpoint Security for Mac.app/) and the related directories within /Library/Bitdefender/AVP without needing the uninstall password. | ||||
| CVE-2025-64379 | 3 Booster, Pluggabl, Wordpress | 3 Booster For Woocommerce, Booster For Woocommerce, Wordpress | 2025-12-08 | 4.3 Medium |
| Missing Authorization vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booster for WooCommerce: from n/a through <= 7.4.0. | ||||
| CVE-2025-12355 | 1 Wordpress | 1 Wordpress | 2025-12-05 | 5.3 Medium |
| The Payaza plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_update_order_status' AJAX endpoint in all versions up to, and including, 0.3.8. This makes it possible for unauthenticated attackers to update order statuses. | ||||
| CVE-2025-12876 | 2 Projectopia, Wordpress | 2 Projectopia, Wordpress | 2025-12-05 | 5.3 Medium |
| The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete arbitrary attachments. | ||||
| CVE-2025-12093 | 1 Wordpress | 1 Wordpress | 2025-12-05 | 5.3 Medium |
| The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.6. This makes it possible for unauthenticated attackers to perform several actions like registering an account, deleting users, and modifying details within the employee portal. | ||||
| CVE-2025-13620 | 2 Roxnor, Wordpress | 2 Wp Social Login And Register Social Counter, Wordpress | 2025-12-05 | 5.3 Medium |
| The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache being registered with permission_callback set to __return_true and lacking capability or nonce validation in their handlers. This makes it possible for unauthenticated attackers to clear or overwrite the social counter cache via crafted REST requests. | ||||
| CVE-2025-12354 | 1 Wordpress | 1 Wordpress | 2025-12-05 | 4.3 Medium |
| The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting. | ||||
| CVE-2025-65036 | 1 Xwikisas | 1 Xwiki-pro-macros | 2025-12-05 | 8.3 High |
| XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1. | ||||
| CVE-2025-12133 | 1 Wordpress | 1 Wordpress | 2025-12-05 | 4.3 Medium |
| The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data. | ||||