Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-14428 | 2026-01-02 | N/A | 4.3 MEDIUM | ||
|
The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin.
|
|||||
| CVE-2023-22699 | 1 Mainwp | 1 Mainwp Wordfence Extension | 2025-12-31 | N/A | 5.4 MEDIUM |
|
Missing Authorization vulnerability in MainWP MainWP Wordfence Extension.This issue affects MainWP Wordfence Extension: from n/a through 4.0.7.
|
|||||
| CVE-2023-23985 | 1 Ays-pro | 1 Quiz Maker | 2025-12-31 | N/A | 3.7 LOW |
|
Missing Authorization vulnerability in Quiz Maker team Quiz Maker.This issue affects Quiz Maker: from n/a through 6.3.9.4.
|
|||||
| CVE-2023-41656 | 2025-12-31 | N/A | 5.4 MEDIUM | ||
|
Missing Authorization vulnerability in wpdive Better Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Better Elementor Addons: from n/a through 1.3.7.
|
|||||
| CVE-2025-14426 | 2025-12-31 | N/A | 4.3 MEDIUM | ||
|
The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.
|
|||||
| CVE-2020-36902 | 1 Medivision | 2 Medivision Digital Signage, Medivision Digital Signage Firmware | 2025-12-30 | N/A | 9.8 CRITICAL |
|
UBICOD Medivision Digital Signage 1.5.1 contains an authorization bypass vulnerability that allows normal users to escalate privileges by manipulating the 'ft[grp]' parameter. Attackers can send a GET request to /html/user with 'ft[grp]' set to integer value '3' to gain super admin rights without authentication.
|
|||||
| CVE-2023-40679 | 2025-12-29 | N/A | 6.5 MEDIUM | ||
|
Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through 2.0.5.3.
|
|||||
| CVE-2023-28619 | 2025-12-29 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in bnayawpguy Resoto allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Resoto: from n/a through 1.0.8.
|
|||||
| CVE-2025-68920 | 2025-12-29 | N/A | 8.9 HIGH | ||
|
C-Kermit (aka ckermit) through 10.0 Beta.12 (aka 416-beta12) before 244644d allows a remote Kermit system to overwrite files on the local system, or retrieve arbitrary files from the local system.
|
|||||
| CVE-2025-15066 | 2025-12-29 | N/A | 6.2 MEDIUM | ||
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Missing Authorization vulnerability in Innorix WP allows Path Traversal.This issue affects Innorix WP from All versions If the "exam" directory exists under the directory where the product is installed (ex: innorix/exam)
|
|||||
| CVE-2025-14913 | 2025-12-29 | N/A | 5.3 MEDIUM | ||
|
The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments.
|
|||||
| CVE-2020-36890 | 1 Kentico | 1 Xperience | 2025-12-24 | N/A | 7.2 HIGH |
|
An access control bypass vulnerability in Kentico Xperience allows administrators to modify global administrator user privileges via unauthorized requests. Attackers could potentially compromise global administrator accounts and invalidate security-sensitive macros by manipulating user privilege levels.
|
|||||
| CVE-2023-52163 | 1 Digiever | 4 Ds-2105 Pro, Ds-2105 Pro\+, Ds-2105 Pro\+ Firmware and 1 more | 2025-12-24 | N/A | 8.8 HIGH |
|
Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||
| CVE-2019-25215 | 1 Ari-soft | 1 Ari Adminer | 2025-12-23 | N/A | 7.3 HIGH |
|
The ARI-Adminer plugin for WordPress is vulnerable to authorization bypass due to a lack of file access controls in nearly every file of the plugin in versions up to, and including, 1.1.14. This makes it possible for unauthenticated attackers to call the files directly and perform a wide variety of unauthorized actions such as accessing a site's database and making changes.
|
|||||
| CVE-2019-25217 | 1 Siteground | 1 Speed Optimizer | 2025-12-23 | N/A | 9.8 CRITICAL |
|
The SiteGround Optimizer plugin for WordPress is vulnerable to authorization bypass leading to Remote Code Execution and Local File Inclusion in versions up to, and including, 5.0.12 due to incorrect use of an access control attribute on the switch_php function called via the /switch-php REST API route. This allows attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive dat ...
Show More |
|||||
| CVE-2025-65742 | 1 Newgensoft | 1 Omnidocs | 2025-12-23 | N/A | 8.2 HIGH |
|
An unauthenticated Broken Function Level Authorization (BFLA) vulnerability in Newgen OmniDocs v11.0 allows attackers to obtain sensitive information and execute a full account takeover via a crafted API request.
|
|||||
| CVE-2025-14633 | 2025-12-23 | N/A | 5.3 MEDIUM | ||
|
The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs.
|
|||||
| CVE-2025-12980 | 2025-12-23 | N/A | 7.5 HIGH | ||
|
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes.
|
|||||
| CVE-2023-25446 | 2025-12-23 | N/A | 7.7 HIGH | ||
|
Missing Authorization vulnerability in HappyFiles HappyFiles Pro happyfiles-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HappyFiles Pro: from n/a through 1.8.1.
|
|||||
| CVE-2023-25068 | 2025-12-23 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in Mapro Collins Magazine Edge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Magazine Edge: from n/a through 1.13.
|
|||||
| CVE-2025-12898 | 2025-12-23 | N/A | 5.3 MEDIUM | ||
|
The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings.
|
|||||
| CVE-2023-25445 | 2025-12-23 | N/A | 5.4 MEDIUM | ||
|
Missing Authorization vulnerability in HappyFiles HappyFiles Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HappyFiles Pro: from n/a through 1.8.1.
|
|||||
| CVE-2025-14080 | 2025-12-23 | N/A | 5.3 MEDIUM | ||
|
The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.5. This is due to missing authorization checks on the post update functionality in the fpsml_form_process AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary posts by providing a post_id parameter via the guest posting form, allowing them to change post titles, content, excerpts, and remove post authors.
|
|||||
| CVE-2025-14043 | 2025-12-23 | N/A | 5.3 MEDIUM | ||
|
The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the `create_item_permissions_check()` function unconditionally returning true, which bypasses authentication and authorization validation. This makes it possible for unauthenticated attackers to create arbitrary metadata sections for any collection via the public REST API granted they can access the WordPress sit ...
Show More |
|||||
| CVE-2025-7782 | 2025-12-23 | N/A | 7.6 HIGH | ||
|
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user.
|
|||||
| CVE-2025-12934 | 2025-12-23 | N/A | 8.1 HIGH | ||
|
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'duplicate_wpml_layout' function in all versions up to, and including, 2.9.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary posts with the content of other existing posts, potentially exposing private and password-protected content and deleting any content that is ...
Show More |
|||||
| CVE-2019-10648 | 1 Robocode | 1 Robocode | 2025-12-22 | 7.5 HIGH | 9.8 CRITICAL |
|
Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of a .openStream call within java.net.URL.
|
|||||
| CVE-2025-64132 | 1 Jenkins | 1 Mcp Server | 2025-12-22 | N/A | 5.4 MEDIUM |
|
Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in multiple MCP tools, allowing attackers to trigger builds and obtain information about job and cloud configuration they should not be able to access.
|
|||||
| CVE-2025-11996 | 1 Toastwebsites | 1 Find Unused Images | 2025-12-22 | N/A | 5.3 MEDIUM |
|
The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functiosn in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site's attachments.
|
|||||
| CVE-2025-12361 | 2025-12-19 | N/A | 4.3 MEDIUM | ||
|
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information including user IDs, display names, and email addresses of all users on the site via ...
Show More |
|||||
| CVE-2025-14455 | 2025-12-19 | N/A | 5.4 MEDIUM | ||
|
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not properly verifying that a user is authorized to perform actions on gallery management functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete, modify, or clone galleries created by any user, including administrators.
|
|||||
| CVE-2025-13754 | 2025-12-19 | N/A | 5.3 MEDIUM | ||
|
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at `/wp-json/ssa/v1/embed-inner-admin` without authentication, which leaks plugin settings including staff names, business names, and configuration data that are not publicly displayed on the booking form. This makes it possible for unauthenticated at ...
Show More |
|||||
| CVE-2025-11587 | 2025-12-19 | N/A | 4.3 MEDIUM | ||
|
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has n ...
Show More |
|||||
| CVE-2025-40602 | 1 Sonicwall | 9 Sma6200, Sma6200 Firmware, Sma6210 and 6 more | 2025-12-19 | N/A | 6.6 MEDIUM |
|
A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).
|
|||||
| CVE-2023-53923 | 1 Ulicms | 1 Ulicms | 2025-12-18 | N/A | 9.8 CRITICAL |
|
UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrative accounts through the UserController endpoint. Attackers can send a crafted POST request to /dist/admin/index.php with specific parameters to generate a new admin user with full system access.
|
|||||
| CVE-2025-13880 | 2025-12-18 | N/A | 6.5 MEDIUM | ||
|
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify plugin's advanced settings.
|
|||||
| CVE-2025-14061 | 2025-12-18 | N/A | 5.3 MEDIUM | ||
|
The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the gdpr_delete_policy_data function in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, attachments, and other post types by ID.
|
|||||
| CVE-2025-13750 | 2025-12-18 | N/A | 4.3 MEDIUM | ||
|
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments.
|
|||||
| CVE-2025-68270 | 2025-12-18 | N/A | 9.9 CRITICAL | ||
|
The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, CourseLimitedStaffRole users are able to access and edit courses in studio if they are granted the role on an org rather than on a course, and CourseLimitedStaffRole users are able to list courses they have the role on in studio even though they are not meant to have any access on the studio side for the course. Commit 05d0d0936daf82c476617257aa6c35f0cd4ca060 fixes the issue.
|
|||||
| CVE-2025-11369 | 2025-12-18 | N/A | 4.3 MEDIUM | ||
|
The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to a missing or incorrect capability checks on the get_instagram_access_token_callback, google_map_api_key_save_callback and get_siteinfo functions in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with Author-level access and above, to view API keys configured for the external services.
|
|||||