Total: 6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-58003 | | | 2025-09-22 | N/A | 5.3 MEDIUM |

Missing Authorization vulnerability in javothemes Javo Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Javo Core: from n/a through 3.0.0.266.
| CVE-2025-58969 | | | 2025-09-22 | N/A | 5.3 MEDIUM |

Missing Authorization vulnerability in Greg Winiarski Custom Login URL allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Login URL: from n/a through 1.0.2.
| CVE-2025-58672 | | | 2025-09-22 | N/A | 5.4 MEDIUM |

Missing Authorization vulnerability in Tareq Hasan WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through 4.1.11.
| CVE-2025-59591 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in AdvancedCoding wpDiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through 7.6.33.
| CVE-2025-58650 | | | 2025-09-22 | N/A | 5.4 MEDIUM |

Missing Authorization vulnerability in Syed Balkhi All In One SEO Pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects All In One SEO Pack: from n/a through 4.8.7.
| CVE-2025-58660 | | | 2025-09-22 | N/A | 5.4 MEDIUM |

Missing Authorization vulnerability in brandexponents Oshine Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Oshine Core: from n/a through 1.5.5.
| CVE-2025-58667 | | | 2025-09-22 | N/A | 5.4 MEDIUM |

Missing Authorization vulnerability in CridioStudio ListingPro Reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro Reviews: from n/a through 1.6.
| CVE-2025-58968 | | | 2025-09-22 | N/A | 5.0 MEDIUM |

Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MaxiBlocks: from n/a through 2.1.3.
| CVE-2025-59576 | | | 2025-09-22 | N/A | 6.5 MEDIUM |

Missing Authorization vulnerability in Stylemix MasterStudy LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MasterStudy LMS: from n/a through 3.6.20.
| CVE-2025-58222 | | | 2025-09-22 | N/A | 5.3 MEDIUM |

Missing Authorization vulnerability in Maidul Team Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team Manager: from n/a through 2.3.14.
| CVE-2025-58664 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in Azizul Hasan Text To Speech TTS Accessibility allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Text To Speech TTS Accessibility: from n/a through 1.9.20.
| CVE-2025-58247 | | | 2025-09-22 | N/A | 5.3 MEDIUM |

Missing Authorization vulnerability in templateinvaders TI WooCommerce Wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TI WooCommerce Wishlist: from n/a through 2.10.0.
| CVE-2025-59581 | | | 2025-09-22 | N/A | 6.5 MEDIUM |

Missing Authorization vulnerability in VW THEMES Ibtana allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ibtana: from n/a through 1.2.5.3.
| CVE-2025-58016 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in Codexpert, Inc CF7 Submissions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 Submissions: from n/a through 0.26.
| CVE-2025-58000 | | | 2025-09-22 | N/A | 5.3 MEDIUM |

Missing Authorization vulnerability in memberful Memberful allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Memberful: from n/a through 1.75.0.
| CVE-2025-58004 | | | 2025-09-22 | N/A | 5.3 MEDIUM |

Missing Authorization vulnerability in SmartDataSoft DriCub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DriCub: from n/a through 2.9.
| CVE-2025-59559 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in payrexx Payrexx Payment Gateway for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payrexx Payment Gateway for WooCommerce: from n/a through 3.1.5.
| CVE-2025-58681 | | | 2025-09-22 | N/A | 5.3 MEDIUM |

Missing Authorization vulnerability in Jürgen Müller Easy Quotes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Quotes: from n/a through 1.2.4.
| CVE-2025-58680 | | | 2025-09-22 | N/A | 6.5 MEDIUM |

Missing Authorization vulnerability in gutentor Gutentor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutentor: from n/a through 3.5.2.
| CVE-2025-58678 | | | 2025-09-22 | N/A | 6.5 MEDIUM |

Missing Authorization vulnerability in PickPlugins Accordion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through 2.3.14.
| CVE-2025-59551 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in WP Chill Revive.so allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Revive.so: from n/a through 2.0.6.
| CVE-2025-58957 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in Vikas Ratudi VPSUForm allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects VPSUForm: from n/a through 3.2.20.
| CVE-2025-59561 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in hashthemes Smart Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Blocks: from n/a through 2.4.
| CVE-2025-58221 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in ONTRAPORT PilotPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PilotPress: from n/a through 2.0.35.
| CVE-2025-58666 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in Kommo Website Chat Button: Kommo integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Website Chat Button: Kommo integration: from n/a through 1.3.1.
| CVE-2025-58029 | | | 2025-09-22 | N/A | 5.3 MEDIUM |

Missing Authorization vulnerability in Sumit Singh Classic Widgets with Block-based Widgets allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Classic Widgets with Block-based Widgets: from n/a through 1.0.1.
| CVE-2025-58663 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in Themeum Qubely allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Qubely: from n/a through 1.8.14.
| CVE-2025-58685 | | | 2025-09-22 | N/A | 5.3 MEDIUM |

Missing Authorization vulnerability in cecabank Cecabank WooCommerce Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cecabank WooCommerce Plugin: from n/a through 0.3.4.
| CVE-2025-57995 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in Detheme DethemeKit For Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DethemeKit For Elementor: from n/a through 2.1.10.
| CVE-2025-57997 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in Trustpilot Trustpilot Reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trustpilot Reviews: from n/a through 2.5.925.
| CVE-2025-58258 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in nK Lazy Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lazy Blocks: from n/a through 4.1.0.
| CVE-2025-58679 | | | 2025-09-22 | N/A | 5.3 MEDIUM |

Missing Authorization vulnerability in AppMySite AppMySite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AppMySite: from n/a through 3.14.0.
| CVE-2025-58251 | | | 2025-09-22 | N/A | 4.3 MEDIUM |

Missing Authorization vulnerability in POSIMYTH Sticky Header Effects for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sticky Header Effects for Elementor: from n/a through 2.1.2.
| CVE-2024-49357 | 1 Zimaspace | 1 Zimaos | 2025-09-22 | N/A | 7.5 HIGH |

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json` and `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json`, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by atta ...
| CVE-2025-9076 | 1 Mattermost | 1 Mattermost Server | 2025-09-20 | N/A | 6.5 MEDIUM |

Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.
| CVE-2025-10690 | | | 2025-09-19 | N/A | 9.8 CRITICAL |

The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
| CVE-2025-8487 | | | 2025-09-19 | N/A | 5.4 MEDIUM |

The Kubio AI Page Builder plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the kubio-image-hub-install-plugin AJAX action in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Image Hub plugin.
| CVE-2025-7665 | | | 2025-09-19 | N/A | 8.1 HIGH |

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'handle_mofirebase_form_options' function in versions 3.1.0 to 3.6.2. This makes it possible for unauthenticated attackers to update the default role to Administrator. Premium features must be enabled in order to exploit the vulnerability.
| CVE-2025-22612 | 1 Coollabs | 1 Coolify | 2025-09-19 | N/A | 10.0 CRITICAL |

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve any existing private keys on a Coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can execute arbitrary commands on the remote server. Version 4.0.0-beta.374 fixes the iss ...
| CVE-2025-22611 | 1 Coollabs | 1 Coolify | 2025-09-19 | N/A | 9.9 CRITICAL |

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team member's privileges to any role, including the owner role. He's also able to kick every other member out of the team, including admins and owners. This allows the attacker to access the `Terminal` feature and execute remote commands. Version 4.0.0-beta.361 fixes the issue.