Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-14173 | 2026-01-14 | N/A | 5.3 MEDIUM | ||
|
The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter.
|
|||||
| CVE-2025-15405 | 1 Phpems | 1 Phpems | 2026-01-13 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function. The manipulation results in cross-site request forgery. The attack may be launched remotely.
|
|||||
| CVE-2021-24977 | 1 Dineshkarki | 1 Use Any Font | 2026-01-13 | 5.8 MEDIUM | 6.1 MEDIUM |
|
The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues
|
|||||
| CVE-2023-37885 | 1 Inspirythemes | 1 Realhomes | 2026-01-13 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in InspiryThemes RealHomes.This issue affects RealHomes: from n/a through 4.0.2.
|
|||||
| CVE-2023-37886 | 1 Inspirythemes | 1 Realhomes | 2026-01-13 | N/A | 5.4 MEDIUM |
|
Missing Authorization vulnerability in InspiryThemes RealHomes.This issue affects RealHomes: from n/a through 4.0.2.
|
|||||
| CVE-2025-14718 | 2026-01-13 | N/A | 5.4 MEDIUM | ||
|
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by ad ...
Show More |
|||||
| CVE-2025-14720 | 2026-01-13 | N/A | 5.3 MEDIUM | ||
|
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things.
|
|||||
| CVE-2025-14657 | 2026-01-13 | N/A | 7.2 HIGH | ||
|
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject a ...
Show More |
|||||
| CVE-2025-13934 | 2026-01-13 | N/A | 4.3 MEDIUM | ||
|
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow.
|
|||||
| CVE-2025-14172 | 2026-01-13 | N/A | 6.5 MEDIUM | ||
|
The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter.
|
|||||
| CVE-2025-13717 | 2026-01-13 | N/A | 5.3 MEDIUM | ||
|
The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages.
|
|||||
| CVE-2025-14146 | 2026-01-13 | N/A | 5.3 MEDIUM | ||
|
The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for ...
Show More |
|||||
| CVE-2025-14782 | 2026-01-13 | N/A | 5.3 MEDIUM | ||
|
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information.
|
|||||
| CVE-2025-14741 | 2026-01-13 | N/A | 9.1 CRITICAL | ||
|
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.
|
|||||
| CVE-2025-13628 | 2026-01-13 | N/A | 4.3 MEDIUM | ||
|
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.
|
|||||
| CVE-2025-13935 | 2026-01-13 | N/A | 4.3 MEDIUM | ||
|
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed.
|
|||||
| CVE-2025-14886 | 2026-01-13 | N/A | 5.3 MEDIUM | ||
|
The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processed/completed.
|
|||||
| CVE-2025-14948 | 2026-01-13 | N/A | 5.3 MEDIUM | ||
|
The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders.
|
|||||
| CVE-2026-0503 | 2026-01-13 | N/A | 6.4 MEDIUM | ||
|
Due to missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application which might further affect the subsequent systems. This vulnerability leads to a low impact on confide ...
Show More |
|||||
| CVE-2026-0497 | 2026-01-13 | N/A | 4.3 MEDIUM | ||
|
SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.
|
|||||
| CVE-2026-0511 | 2026-01-13 | N/A | 8.1 HIGH | ||
|
SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is not impacted.
|
|||||
| CVE-2025-14001 | 2026-01-13 | N/A | 5.4 MEDIUM | ||
|
The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's "Allowed User Roles" setting, potentially ...
Show More |
|||||
| CVE-2025-15070 | 1 Gmission | 1 Web Fax | 2026-01-13 | N/A | 5.5 MEDIUM |
|
Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization vulnerability in Gmission Web Fax allows Authentication Abuse.This issue affects Web Fax: from 3.0 before 3.0.1
|
|||||
| CVE-2025-15068 | 1 Gmission | 1 Web Fax | 2026-01-13 | N/A | 7.7 HIGH |
|
Missing Authorization vulnerability in Gmission Web Fax allows Authentication Abuse, Session Credential Falsification through Manipulation.This issue affects Web Fax: from 3.0 before 3.0.1
|
|||||
| CVE-2023-33948 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-13 | N/A | 5.3 MEDIUM |
|
The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL.
|
|||||
| CVE-2025-8310 | 1 Ivanti | 1 Virtual Application Delivery Controller | 2026-01-12 | N/A | 6.5 MEDIUM |
|
Missing authorization in the admin console of Ivanti Virtual Application Delivery Controller before version 22.9 allows a remote authenticated attacker to take over admin accounts by resetting the password
|
|||||
| CVE-2026-0628 | 1 Google | 1 Chrome | 2026-01-12 | N/A | 8.8 HIGH |
|
Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)
|
|||||
| CVE-2025-58192 | 1 Xylusthemes | 1 Wp Bulk Delete | 2026-01-12 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Xylus Themes WP Bulk Delete allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Bulk Delete: from n/a through 1.3.6.
|
|||||
| CVE-2025-12061 | 2026-01-09 | N/A | 8.6 HIGH | ||
|
The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements
|
|||||
| CVE-2025-11191 | 2026-01-09 | N/A | 5.3 MEDIUM | ||
|
The RealPress WordPress plugin before 1.1.0 registers the REST routes without proper permission checks, allowing the creation of pages and sending of emails from the site.
|
|||||
| CVE-2015-10140 | 1 Connekthq | 1 Ajax Load More | 2026-01-09 | N/A | 8.8 HIGH |
|
The Ajax Load More plugin before 2.8.1.2 does not have authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber, to upload and delete arbitrary files.
|
|||||
| CVE-2025-30881 | 1 Themehunk | 1 Big Store | 2026-01-09 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in ThemeHunk Big Store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Big Store: from n/a through 2.0.8.
|
|||||
| CVE-2025-30990 | 1 Themehunk | 1 Mega Menu | 2026-01-09 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in ThemeHunk ThemeHunk allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeHunk: from n/a through 1.1.1.
|
|||||
| CVE-2022-40218 | 1 Themehunk | 1 Advance Product Search | 2026-01-09 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin.This issue affects Advance WordPress Search Plugin: from n/a through 1.1.4.
|
|||||
| CVE-2024-37505 | 1 Rarathemes | 1 Business One Page | 2026-01-09 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Rara Themes Business One Page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business One Page: from n/a through 1.2.9.
|
|||||
| CVE-2025-9637 | 1 Expresstech | 1 Quiz And Survey Master | 2026-01-09 | N/A | 6.5 MEDIUM |
|
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. This makes it possible for unauthenticated attackers to view the details of unpublished, private, or password-protected quizzes, as well as submit file responses to questions from those quizzes, which allow file upload.
|
|||||
| CVE-2025-9294 | 1 Expresstech | 1 Quiz And Survey Master | 2026-01-09 | N/A | 4.3 MEDIUM |
|
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results.
|
|||||
| CVE-2025-13812 | 2026-01-08 | N/A | 4.3 MEDIUM | ||
|
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts.
|
|||||
| CVE-2025-14034 | 2026-01-08 | N/A | 5.3 MEDIUM | ||
|
The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status.
|
|||||
| CVE-2025-13766 | 2026-01-08 | N/A | 5.4 MEDIUM | ||
|
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates
|
|||||