Total
6172 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-57939 | 3 Blocksera, Elementor, Wordpress | 3 Image Hover Effects, Elementor, Wordpress | 2025-09-23 | 5.3 Medium |
| Missing Authorization vulnerability in Blocksera Image Hover Effects – Elementor Addon allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Hover Effects – Elementor Addon: from n/a through 1.4.4. | ||||
| CVE-2025-57949 | 1 Wordpress | 1 Wordpress | 2025-09-23 | 5.4 Medium |
| Missing Authorization vulnerability in oggix Ongkoskirim.id allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ongkoskirim.id: from n/a through 1.0.6. | ||||
| CVE-2025-59559 | 2 Payrexx, Wordpress | 2 Payment Gateway For Woocommerce, Wordpress | 2025-09-23 | 4.3 Medium |
| Missing Authorization vulnerability in payrexx Payrexx Payment Gateway for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payrexx Payment Gateway for WooCommerce: from n/a through 3.1.5. | ||||
| CVE-2025-57909 | 1 Wordpress | 1 Wordpress | 2025-09-23 | 6.5 Medium |
| Missing Authorization vulnerability in Rouergue Création Editor Custom Color Palette allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editor Custom Color Palette: from n/a through 3.4.8. | ||||
| CVE-2025-57899 | 1 Wordpress | 1 Wordpress | 2025-09-23 | 5.3 Medium |
| Missing Authorization vulnerability in AresIT WP Compress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP Compress: from n/a through 6.50.54. | ||||
| CVE-2025-58969 | 1 Wordpress | 1 Wordpress | 2025-09-23 | 5.3 Medium |
| Missing Authorization vulnerability in Greg Winiarski Custom Login URL allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Login URL: from n/a through 1.0.2. | ||||
| CVE-2025-8943 | 1 Flowiseai | 1 Flowise | 2025-09-23 | 9.8 Critical |
| The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands. | ||||
| CVE-2025-10305 | 1 Wordpress | 1 Wordpress | 2025-09-22 | 5.3 Medium |
| The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() function in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys. | ||||
| CVE-2025-10489 | 2 Brainstormforce, Wordpress | 2 Sureforms, Wordpress | 2025-09-22 | 4.3 Medium |
| The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it. | ||||
| CVE-2024-49357 | 2 Icewhaletech, Zimaspace | 2 Zimaos, Zimaos | 2025-09-22 | 7.5 High |
| ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json` and `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json`, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by attackers to gain detailed knowledge about the system setup, installed applications, and other critical information. As of time of publication, no known patched versions are available. | ||||
| CVE-2025-7665 | 2 Miniorange, Wordpress | 2 Otp Verification With Firebase, Wordpress | 2025-09-22 | 8.1 High |
| The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'handle_mofirebase_form_options' function in versions 3.1.0 to 3.6.2. This makes it possible for unauthenticated attackers to update the default role to Administrator. Premium features must be enabled in order to exploit the vulnerability. | ||||
| CVE-2025-9076 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-20 | 6.5 Medium |
| Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled. | ||||
| CVE-2025-10690 | 2 Bearsthemes, Wordpress | 2 Goza Nonprofit Charity Wordpress Theme, Wordpress | 2025-09-19 | 9.8 Critical |
| The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. | ||||
| CVE-2025-8487 | 2 Extendthemes, Wordpress | 2 Kubio Ai Page Builder, Wordpress | 2025-09-19 | 5.4 Medium |
| The Kubio AI Page Builder plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the kubio-image-hub-install-plugin AJAX action in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Image Hub plugin. | ||||
| CVE-2025-22612 | 2 Coollabs, Coollabsio | 2 Coolify, Coolify | 2025-09-19 | 10 Critical |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve any existing private keys on a coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can execute arbitrary commands on the remote server. Version 4.0.0-beta.374 fixes the issue. | ||||
| CVE-2025-22611 | 2 Coollabs, Coollabsio | 2 Coolify, Coolify | 2025-09-19 | 10 Critical |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team members privileges to any role, including the owner role. He's also able to kick every other member out of the team, including admins and owners. This allows the attacker to access the `Terminal` feature and execute remote commands. Version 4.0.0-beta.361 fixes the issue. | ||||
| CVE-2025-22610 | 1 Coollabs | 1 Coolify | 2025-09-19 | 6.5 Medium |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the global coolify instance OAuth configuration. This exposes the "client id" and "client secret" for every custom OAuth provider. The attacker can also modify the global OAuth configuration. Version 4.0.0-beta.361 fixes the issue. | ||||
| CVE-2025-22609 | 2 Coollabs, Coollabsio | 2 Coolify, Coolify | 2025-09-19 | 10 Critical |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to attach any existing private key on a coolify instance to his own server. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can use the `Terminal` feature and execute arbitrary commands on the victim's server. Version 4.0.0-beta.361 fixes the issue. | ||||
| CVE-2025-22608 | 1 Coollabs | 1 Coolify | 2025-09-19 | 6.5 Medium |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to revoke any team invitations on a Coolify instance by only providing a predictable and incrementing ID, resulting in a Denial-of-Service attack (DOS). Version 4.0.0-beta.361 fixes the issue. | ||||
| CVE-2025-22607 | 1 Coollabs | 1 Coolify | 2025-09-19 | 5.5 Medium |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the details page for any GitHub / GitLab configuration on a Coolify instance by only knowing the UUID of the model. This exposes the "client id", "client secret" and "webhook secret." Version 4.0.0-beta.361 fixes this issue. | ||||