Total
6219 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-12296 | 1 Apusthemes | 1 Superio | 2025-02-20 | 8.8 High |
| The Apus Framework plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'import_page_options' function in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | ||||
| CVE-2023-35093 | 1 Stylemixthemes | 1 Masterstudy Lms | 2025-02-19 | 6.5 Medium |
| Broken Access Control vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin <= 3.0.8 versions allows any logged-in users, such as subscribers to view the "Orders" of the plugin and get the data related to the order like email, username, and more. | ||||
| CVE-2023-0335 | 1 Wpvar | 1 Wp Shamsi | 2025-02-19 | 6.5 Medium |
| The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment. | ||||
| CVE-2023-0336 | 1 Ooohboi Steroids For Elementor Project | 1 Ooohboi Steroids For Elementor | 2025-02-19 | 6.5 Medium |
| The OoohBoi Steroids for Elementor WordPress plugin before 2.1.5 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment. | ||||
| CVE-2024-6458 | 1 Wcproducttable | 1 Woocommerce Product Table | 2025-02-19 | 6.4 Medium |
| The WooCommerce Product Table Lite plugin for WordPress is vulnerable to unauthorized post title modification due to a missing capability check on the wcpt_presets__duplicate_preset_to_table function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers with subscriber access and above to change titles of arbitrary posts. Missing sanitization can lead to Stored Cross-Site Scripting when viewed by an admin via the WooCommerce Product Table. | ||||
| CVE-2024-13231 | 2025-02-19 | 5.3 Medium | ||
| The WordPress Portfolio Builder – Portfolio Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_video' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to add arbitrary videos to any portfolio gallery. | ||||
| CVE-2023-28640 | 1 Apiman | 1 Apiman | 2025-02-19 | 6.4 Medium |
| Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client ID, and Client Version of the targeted non-permitted resource. While not trivial to exploit, it could be achieved by brute-forcing or guessing common names. Access to the non-permitted API Keys could allow use of other users' resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security). Apiman 3.1.0.Final resolved this issue. Users are advised to upgrade. The only known workaround is to restrict account access. | ||||
| CVE-2023-27701 | 1 Muyucms | 1 Muyucms | 2025-02-18 | 8.1 High |
| MuYuCMS v2.2 was discovered to contain an arbitrary file deletion vulnerability via the component /database/sqldel.html. | ||||
| CVE-2025-27013 | 2025-02-18 | 5.3 Medium | ||
| Missing Authorization vulnerability in EPC MediCenter - Health Medical Clinic WordPress Theme allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MediCenter - Health Medical Clinic WordPress Theme: from n/a through n/a. | ||||
| CVE-2025-23684 | 2025-02-18 | 4.3 Medium | ||
| Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Tool: from n/a through 2.2. | ||||
| CVE-2025-22657 | 2025-02-18 | 7.5 High | ||
| Missing Authorization vulnerability in Vito Peleg Atarim allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Atarim: from n/a through 4.0.9. | ||||
| CVE-2025-26765 | 2025-02-18 | 5.4 Medium | ||
| Missing Authorization vulnerability in enituretechnology Distance Based Shipping Calculator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Distance Based Shipping Calculator: from n/a through 2.0.22. | ||||
| CVE-2025-22643 | 2025-02-18 | 4.3 Medium | ||
| Missing Authorization vulnerability in FameThemes OnePress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OnePress: from n/a through 2.3.11. | ||||
| CVE-2024-13639 | 1 Edmonsoft | 1 Read More \& Accordion | 2025-02-18 | 4.3 Medium |
| The Read More & Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary 'read more' posts. | ||||
| CVE-2025-25241 | 2025-02-18 | 5.4 Medium | ||
| Due to a missing authorization check, an attacker who is logged in to application can view/ delete �My Overtime Requests� which could allow the attacker to access employee information. This leads to low impact on confidentiality, integrity of the application. There is no impact on availability. | ||||
| CVE-2025-23187 | 2025-02-18 | 5.3 Medium | ||
| Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an unauthenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability. | ||||
| CVE-2025-1358 | 2025-02-18 | 4.3 Medium | ||
| A vulnerability classified as problematic was found in Pix Software Vivaz 6.0.10. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-22291 | 2025-02-18 | 5.3 Medium | ||
| Missing Authorization vulnerability in enituretechnology LTL Freight Quotes – Worldwide Express Edition allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a through 5.0.20. | ||||
| CVE-2021-42359 | 1 Legalweb | 1 Wp Dsgvo Tools | 2025-02-14 | 7.5 High |
| WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, ‘admin-dismiss-unsubscribe‘, which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the “action” parameter set to “admin-dismiss-unsubscribe” and the “id” parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question. | ||||
| CVE-2021-4074 | 1 I-plugins | 1 Whmcs Bridge | 2025-02-14 | 6.4 Medium |
| The WHMCS Bridge WordPress plugin is vulnerable to Stored Cross-Site Scripting via the cc_whmcs_bridge_url parameter found in the ~/whmcs-bridge/bridge_cp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1. Due to missing authorization checks on the cc_whmcs_bridge_add_admin function, low-level authenticated users such as subscribers can exploit this vulnerability. | ||||