Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-9706 | 1 Rstheme | 1 Ultimate Coming Soon \& Maintenance | 2025-06-05 | N/A | 5.3 MEDIUM |
|
The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ucsm_activate_lite_template_lite function in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to change the template used for the coming soon / maintenance page.
|
|||||
| CVE-2024-9705 | 1 Rstheme | 1 Ultimate Coming Soon \& Maintenance | 2025-06-05 | N/A | 4.3 MEDIUM |
|
The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ucsm_update_template_name_lite' function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the name of the plugin's templates.
|
|||||
| CVE-2024-11844 | 1 Northernbeacheswebsites | 1 Ideapush | 2025-06-05 | N/A | 4.3 MEDIUM |
|
The IdeaPush plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the idea_push_taxonomy_save_routine function in all versions up to, and including, 8.71. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete terms for the "boards" taxonomy.
|
|||||
| CVE-2024-11496 | 1 Infility | 1 Infility Global | 2025-06-05 | N/A | 6.5 MEDIUM |
|
The Infility Global plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the infility_global_ajax function in all versions up to, and including, 2.9.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options and potentially break the site.
|
|||||
| CVE-2024-6155 | 1 Greenshiftwp | 1 Greenshift - Animation And Page Builder Blocks | 2025-06-05 | N/A | 6.4 MEDIUM |
|
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Authenticated (Subscriber+) Server-Side Request Forgery and Stored Cross Site Scripting in all versions up to, and including, 9.0.0 due to a missing capability check in the greenshift_download_file_localy function, along with no SSRF protection and sanitization on uploaded SVG files. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary ...
Show More |
|||||
| CVE-2024-11725 | 1 Cozyvision | 1 Sms Alert Order Notifications | 2025-06-05 | N/A | 8.8 HIGH |
|
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the updateWcWarrantySettings() function in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administ ...
Show More |
|||||
| CVE-2025-2789 | 1 Multivendorx | 1 Multivendorx | 2025-06-04 | N/A | 5.3 MEDIUM |
|
The MultiVendorX – Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace – Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. This makes it possible for unauthenticated attackers to delete Table Rates that can impact the shipping cost calculations.
|
|||||
| CVE-2024-13776 | 1 Digitalzoomstudio | 1 Zoomsounds | 2025-06-04 | N/A | 8.1 HIGH |
|
The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'dzsap_delete_notice' AJAX action in all versions up to, and including, 6.91. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'seen' on the WordPress site. This can be leveraged to update an option that would create an e ...
Show More |
|||||
| CVE-2025-3527 | 1 Myeventon | 1 Eventon | 2025-06-04 | N/A | 6.4 MEDIUM |
|
The EventON Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'assets/lib/settings/settings.js' file in all versions up to, and including, 4.9.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.9.6.
|
|||||
| CVE-2025-1557 | 1 Ofcms Project | 1 Ofcms | 2025-06-04 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in OFCMS 1.1.3. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-4431 | 1 Krasenslavov | 1 Featured Image Plus | 2025-06-04 | N/A | 4.3 MEDIUM |
|
The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post.
|
|||||
| CVE-2025-48334 | 1 Binarycarpenter | 1 Woo Slider Pro | 2025-06-04 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in BinaryCarpenter Woo Slider Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Woo Slider Pro: from n/a through 1.12. Affected action "woo_slide_pro_delete_slider".
|
|||||
| CVE-2024-13243 | 1 Entity Delete Log Project | 1 Entity Delete Log | 2025-06-04 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in Drupal Entity Delete Log allows Forceful Browsing.This issue affects Entity Delete Log: from 0.0.0 before 1.1.1.
|
|||||
| CVE-2025-4887 | 1 Senior-walter | 1 Online Student Clearance System | 2025-06-04 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, has been found in SourceCodester Online Student Clearance System 1.0. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-31678 | 1 Artificial Intelligence Project | 1 Artificial Intelligence | 2025-06-04 | N/A | 8.2 HIGH |
|
Missing Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Forceful Browsing.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.3.
|
|||||
| CVE-2023-52233 | 1 Wpexperts | 1 Post Smtp | 2025-06-04 | N/A | 8.6 HIGH |
|
Missing Authorization vulnerability in Post SMTP Post SMTP Mailer/Email Log.This issue affects Post SMTP Mailer/Email Log: from n/a through 2.8.6.
|
|||||
| CVE-2023-6875 | 1 Wpexperts | 1 Post Smtp | 2025-06-04 | N/A | 9.8 CRITICAL |
|
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.
|
|||||
| CVE-2025-4047 | 2025-06-04 | N/A | 4.3 MEDIUM | ||
|
The Broken Link Checker plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the ajax_full_status and ajax_dashboard_status functions in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view the plugin's status.
|
|||||
| CVE-2025-47585 | 2025-06-04 | N/A | 6.5 MEDIUM | ||
|
Missing Authorization vulnerability in Mage people team Booking and Rental Manager allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booking and Rental Manager: from n/a through 2.3.8.
|
|||||
| CVE-2025-22800 | 1 Wpexperts | 1 Post Smtp | 2025-06-04 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Post SMTP Post SMTP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post SMTP: from n/a through 2.9.11.
|
|||||
| CVE-2024-54020 | 1 Fortinet | 1 Fortimanager | 2025-06-04 | N/A | 2.3 LOW |
|
A missing authorization in Fortinet FortiManager versions 7.2.0 through 7.2.1, and versions 7.0.0 through 7.0.7 may allow an authenticated attacker to overwrite global threat feeds via crafted update requests.
|
|||||
| CVE-2024-23388 | 1 Mercari | 1 Mercari | 2025-06-03 | N/A | 6.1 MEDIUM |
|
Improper authorization in handler for custom URL scheme issue in "Mercari" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.
|
|||||
| CVE-2023-6158 | 1 Myeventon | 2 Eventon, Eventon-lite | 2025-06-03 | N/A | 6.5 MEDIUM |
|
The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evo_eventpost_update_meta function in all versions up to, and including, 4.5.4 (for Pro) and 2.2.7 (for free). This makes it possible for unauthenticated attackers to update and remove arbitrary post metadata. Note that certain parameters may allow for content injection.
|
|||||
| CVE-2023-5877 | 1 Servit | 1 Affiliate-toolkit | 2025-06-03 | N/A | 9.8 CRITICAL |
|
The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URL's, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue.
|
|||||
| CVE-2023-7019 | 1 Themeisle | 1 Lightstart | 2025-06-03 | N/A | 4.3 MEDIUM |
|
The LightStart – Maintenance Mode, Coming Soon and Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the insert_template function in all versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to change page designs.
|
|||||
| CVE-2023-6855 | 1 Strangerstudios | 1 Paid Memberships Pro | 2025-06-03 | N/A | 5.3 MEDIUM |
|
The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function in all versions up to 2.12.5 (inclusive). This makes it possible for unauthenticated attackers to change membership levels including prices.
|
|||||
| CVE-2023-6638 | 1 Gutengeek | 1 Gg Woo Feed | 2025-06-03 | N/A | 6.5 MEDIUM |
|
The GTG Product Feed for Shopping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' function in versions up to, and including, 1.2.4. This makes it possible for unauthenticated attackers to update plugin settings.
|
|||||
| CVE-2023-6637 | 1 Daan | 1 Complete Analytics Optimization Suite | 2025-06-03 | N/A | 6.5 MEDIUM |
|
The CAOS | Host Google Analytics Locally plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' function in versions up to, and including, 4.7.14. This makes it possible for unauthenticated attackers to update plugin settings.
|
|||||
| CVE-2023-6504 | 1 Cozmoslabs | 1 Profile Builder | 2025-06-03 | N/A | 4.3 MEDIUM |
|
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wppb_toolbox_usermeta_handler function in all versions up to, and including, 3.10.7. This makes it possible for authenticated attackers, with contributor-level access and above, to expose sensitive information within user metadata.
|
|||||
| CVE-2023-6369 | 1 Myrecorp | 1 Export Wp Page To Static Html\/css | 2025-06-03 | N/A | 5.4 MEDIUM |
|
The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 2.1.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to disclose sensitive information or perform unauthorized actions, such as saving advanced plugin settings.
|
|||||
| CVE-2023-6048 | 1 Estatik | 1 Estatik | 2025-06-03 | N/A | 6.5 MEDIUM |
|
The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not prevent user with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset
|
|||||
| CVE-2025-31681 | 1 Authenticator Login Project | 1 Authenticator Login | 2025-06-02 | N/A | 9.8 CRITICAL |
|
Missing Authorization vulnerability in Drupal Authenticator Login allows Forceful Browsing.This issue affects Authenticator Login: from 0.0.0 before 2.0.6.
|
|||||
| CVE-2023-48926 | 1 Prestashop | 1 Advanced Loyalty Program | 2025-06-02 | N/A | 5.3 MEDIUM |
|
An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status.
|
|||||
| CVE-2024-45689 | 1 Moodle | 1 Moodle | 2025-06-02 | N/A | 6.5 MEDIUM |
|
A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.
|
|||||
| CVE-2024-0238 | 1 Myeventon | 1 Eventon | 2025-06-02 | N/A | 6.1 MEDIUM |
|
The EventON Premium WordPress plugin before 4.5.6, EventON WordPress plugin before 2.2.8 do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata.
|
|||||
| CVE-2024-0237 | 1 Myeventon | 1 Eventon | 2025-06-02 | N/A | 5.3 MEDIUM |
|
The EventON WordPress plugin through 4.5.8, EventON WordPress plugin before 2.2.7 do not have authorisation in some AJAX actions, allowing unauthenticated users to update virtual events settings, such as meeting URL, moderator, access details etc
|
|||||
| CVE-2025-4597 | 2025-05-30 | N/A | 6.5 MEDIUM | ||
|
The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions up to, and including, 1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.
|
|||||
| CVE-2025-46823 | 2025-05-30 | N/A | N/A | ||
|
openmrs-module-fhir2 provides the FHIR REST API and related services for OpenMRS, an open medical records system. In versions of the FHIR2 module prior to 2.5.0, privileges were not always correctly checked, which means that unauthorized users may have been able to add or edit data they were not supposed to be able to. All implementers should update to FHIR2 2.5.0 or newer as soon as is feasible to receive a patch.
|
|||||
| CVE-2023-43846 | 1 Aten | 2 Pe6208, Pe6208 Firmware | 2025-05-30 | N/A | 5.3 MEDIUM |
|
Incorrect access control in logs management function of web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote attackers to get the device logs via HTTP GET request. The logs contain such information as user names and IP addresses used in the infrastructure. This information may help the attackers to conduct further attacks in the infrastructure.
|
|||||
| CVE-2018-10207 | 1 Vaultize | 1 Enterprise File Sharing | 2025-05-30 | 5.0 MEDIUM | 5.3 MEDIUM |
|
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. An attacker can exploit Missing Authorization on the FlexPaperViewer SWF reader, and export files that should have been restricted, via vectors involving page-by-page access to a document in SWF format.
|
|||||