Vulnerabilities (CVE)

Filtered by CWE-862
Total 6931 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-56276 1 Wpforms 1 Wpforms 2025-08-12 N/A 4.3 MEDIUM
Missing Authorization vulnerability in WPForms Contact Form by WPForms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form by WPForms: from n/a through 1.9.2.2.
CVE-2025-3604 1 Flynax 1 Flynax Bridge 2025-08-12 N/A 9.8 CRITICAL
The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
CVE-2024-29241 1 Synology 2 Diskstation Manager, Surveillance Station 2025-08-12 N/A 9.9 CRITICAL
Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information, write sensitive configurations in DSM, and reboot or shutdown NAS via unspecified vectors.
CVE-2024-13526 1 Metagauss 1 Eventprime 2025-08-12 N/A 4.3 MEDIUM
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_submittion_attendees function in all versions up to, and including, 4.0.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download the list of attendees for any event.
CVE-2024-12855 1 Scriptsbundle 1 Adforest 2025-08-12 N/A 4.3 MEDIUM
The AdForest theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions like 'sb_remove_ad' in all versions up to, and including, 5.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete posts, attachments and deactivate a license.
CVE-2023-5600 1 Gitlab 1 Gitlab 2025-08-12 N/A 3.1 LOW
An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of private specific references could be leaked through the service-desk custom email template.
CVE-2025-5121 1 Gitlab 1 Gitlab 2025-08-12 N/A 8.5 HIGH
An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. A missing authorization check may have allowed compliance frameworks to be applied to projects outside the compliance framework's group.
CVE-2025-5846 1 Gitlab 1 Gitlab 2025-08-12 N/A 2.7 LOW
An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.
CVE-2025-5315 1 Gitlab 1 Gitlab 2025-08-12 N/A 4.3 MEDIUM
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.
CVE-2025-8418 2025-08-12 N/A 8.8 HIGH
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible.
CVE-2025-42949 2025-08-12 N/A 4.9 MEDIUM
Due to a missing authorization check in the ABAP Platform, an authenticated user with elevated privileges could bypass authorization restrictions for common transactions by leveraging the SQL Console. This could enable an attacker to access and read the contents of database tables without proper authorization, leading to a significant compromise of data confidentiality. However, the integrity and availability of the system remain unaffected.
CVE-2025-6253 2025-08-12 N/A 7.5 HIGH
The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
CVE-2025-42955 2025-08-12 N/A 3.5 LOW
Due to a missing authorization check in SAP Cloud Connector, an attacker on an adjacent network with low privileges could send a crafted request to the endpoint responsible for testing LDAP connections. A successful exploit could lead to reduced performance, hence a low impact on availability of the service. Confidentiality and integrity of the data are not affected.
CVE-2025-8482 2025-08-12 N/A 4.3 MEDIUM
The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users.
CVE-2025-8059 2025-08-12 N/A 9.8 CRITICAL
The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfr_registration() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create a new account and assign it the administrator role.
CVE-2025-47580 1 Etoilewebdesign 1 Front End Users 2025-08-12 N/A 5.4 MEDIUM
Missing Authorization vulnerability in Rustaurius Front End Users allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Front End Users: from n/a through 3.2.32.
CVE-2025-4520 1 Uncannyowl 1 Uncanny Automator 2025-08-12 N/A 5.4 MEDIUM
The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update plugin settings.
CVE-2024-43223 1 Metagauss 1 Eventprime 2025-08-12 N/A 4.3 MEDIUM
Missing Authorization vulnerability in EventPrime Events EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through 4.0.3.2.
CVE-2025-4370 1 Brizy 1 Brizy 2025-08-11 N/A 5.3 MEDIUM
The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on process_external_asset_urls function as well as missing path validation in store_file function in all versions up to, and including, 2.6.20. This makes it possible for unauthenticated attackers to upload .TXT files on the affected site's server.
CVE-2025-1766 1 Themewinter 1 Eventin 2025-08-11 N/A 5.3 MEDIUM
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss.
CVE-2025-2110 1 Wpcompress 1 Wp Compress 2025-08-11 N/A 8.8 HIGH
The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its AJAX functions in all versions up to, and including, 6.30.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to compromise the site in various ways depending on the specific function exploited - for example, by retrieving sensitive settings and configuration ...

CVE-2023-49756 1 Themewinter 1 Eventin 2025-08-11 N/A 5.4 MEDIUM
Missing Authorization vulnerability in Themewinter Eventin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eventin: from n/a through 3.3.52.
CVE-2024-37119 1 Uncannyowl 1 Uncanny Automator 2025-08-11 N/A 5.3 MEDIUM
Missing Authorization vulnerability in Uncanny Owl Uncanny Automator Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uncanny Automator Pro: from n/a through 5.3.0.0.
CVE-2024-37470 1 Xtendify 1 Woffice 2025-08-11 N/A 8.2 HIGH
Missing Authorization vulnerability in WofficeIO Woffice Core allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Woffice Core: from n/a through 5.4.8.
CVE-2024-1934 1 Wpcompress 1 Wp Compress 2025-08-09 N/A 7.5 HIGH
The WP Compress – Image Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wps_local_compress::__construct' function in all versions up to, and including, 6.11.10. This makes it possible for unauthenticated attackers to reset the CDN region and set a malicious URL to deliver images.
CVE-2025-2075 1 Uncannyowl 1 Uncanny Automator 2025-08-08 N/A 8.8 HIGH
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to add_role() and user_role() functions missing proper capability checks performed through the validate_rest_call() function. This makes it possible for unauthenticated attackers to set the role of arbitrary users to administrator granting full access to the site, though privilege escalation require ...

CVE-2025-2807 1 Stylemixthemes 1 Motors - Car Dealer, Classifieds & Listing 2025-08-08 N/A 8.8 HIGH
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible.
CVE-2025-3437 1 Stylemixthemes 1 Motors - Car Dealer, Classifieds & Listing 2025-08-08 N/A 4.3 MEDIUM
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions.
CVE-2024-12244 1 Gitlab 1 Gitlab 2025-08-08 N/A 4.3 MEDIUM
An issue has been discovered in access controls that could allow users to view certain restricted project information even when related features are disabled in GitLab EE, affecting all versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1.
CVE-2024-39546 1 Juniper 1 Junos Os Evolved 2025-08-08 N/A 7.3 HIGH
A Missing Authorization vulnerability in the Socket Intercept (SI) command file interface of Juniper Networks Junos OS Evolved allows an authenticated, low-privilege local attacker to modify certain files, allowing the attacker to cause any command to execute with root privileges leading to privilege escalation ultimately compromising the system. This issue affects Junos OS Evolved: All versions prior to 21.2R3-S8-EVO, 21.4 versions prior to 21.4R3-S6-EVO, 22.1 versions p ...

CVE-2025-43720 1 H-mdm 1 Headwind Mdm 2025-08-07 N/A 6.5 MEDIUM
Headwind MDM before 5.33.1 makes configuration details accessible to unauthorized users. The Configuration profile is exposed to the Observer user role, revealing the password required to escape out of the MDM controlled device's profile.
CVE-2025-43977 1 Sktelecom 1 Com.skt.prod.dialer 2025-08-07 N/A 5.5 MEDIUM
The com.skt.prod.dialer application through 12.5.0 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.skt.prod.dialer.activities.outgoingcall.OutgoingCallInternalBroadcaster component.
CVE-2025-43976 1 Textnow 1 2ndline 2025-08-07 N/A 5.5 MEDIUM
The com.enflick.android.tn2ndLine application through 24.17.1.0 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.enflick.android.TextNow.activities.DialerActivity component.
CVE-2025-26901 1 Brizy 1 Brizy 2025-08-07 N/A 4.3 MEDIUM
Missing Authorization vulnerability in Brizy Brizy Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Brizy Pro: from n/a through 2.6.1.
CVE-2025-8595 2025-08-06 N/A 4.3 MEDIUM
The Zakra theme for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo settings.
CVE-2024-3976 1 Gitlab 1 Gitlab 2025-08-06 N/A 6.5 MEDIUM
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose via the UI the confidential issues title and description from a public project to unauthorised instance users.
CVE-2024-1539 1 Gitlab 1 Gitlab 2025-08-06 N/A 4.3 MEDIUM
An issue has been discovered in GitLab EE affecting all versions starting from 15.2 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose updates to issues to a banned group member using the API.
CVE-2025-8335 1 Code-projects 1 Simple Car Rental System 2025-08-05 5.0 MEDIUM 4.3 MEDIUM
A vulnerability classified as problematic has been found in code-projects Simple Car Rental System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-8434 1 Anisha 1 Online Movie Streaming 2025-08-05 7.5 HIGH 7.3 HIGH
A vulnerability was found in code-projects Online Movie Streaming 1.0. It has been classified as critical. Affected is an unknown function of the file /admin.php. The manipulation of the argument ID leads to missing authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-8435 1 Anisha 1 Online Movie Streaming 2025-08-05 7.5 HIGH 7.3 HIGH
A vulnerability was found in code-projects Online Movie Streaming 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin-control.php. The manipulation of the argument ID leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.