Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-0052 | 1 Google | 1 Android | 2025-03-13 | N/A | 3.3 LOW |
|
In multiple functions of healthconnect, there is a possible leakage of exercise route data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-12876 | 1 Uxper | 1 Golo | 2025-03-13 | N/A | 9.8 CRITICAL |
|
The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.10. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
|
|||||
| CVE-2024-12719 | 1 Iptanus | 1 Wordpress File Upload | 2025-03-13 | N/A | 4.3 MEDIUM |
|
The WordPress File Upload plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wfu_ajax_action_read_subfolders' function in all versions up to, and including, 4.24.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform limited path traversal to view directories and subdirectories in WordPress. Files cannot be viewed.
|
|||||
| CVE-2024-31332 | 1 Google | 1 Android | 2025-03-13 | N/A | 7.8 HIGH |
|
In multiple locations, there is a possible way to bypass a restriction on adding new Wi-Fi connections due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2023-52541 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-13 | N/A | 7.5 HIGH |
|
Authentication vulnerability in the API for app pre-loading.
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2023-52713 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-13 | N/A | 7.7 HIGH |
|
Vulnerability of improper permission control in the window management module.
Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.
|
|||||
| CVE-2024-30463 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2025-03-13 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in realmag777 BEAR.This issue affects BEAR: from n/a through 1.1.4.3.
|
|||||
| CVE-2024-7491 | 1 Pluginus | 1 Husky - Products Filter Professional For Woocommerce | 2025-03-12 | N/A | 5.3 MEDIUM |
|
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.6.1 via the woof_messenger_remove_subscr AJAX action due to missing validation on the 'key' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to unsubscribe users from a product notification sign-ups, if they can successfully obtain or brute force the key value for u ...
Show More |
|||||
| CVE-2023-40334 | 1 Pluginus | 1 Husky - Products Filter Professional For Woocommerce | 2025-03-12 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in realmag777 HUSKY allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HUSKY: from n/a through 1.3.4.2.
|
|||||
| CVE-2024-54268 | 1 Siteorigin | 1 Siteorigin Widgets Bundle | 2025-03-12 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in SiteOrigin SiteOrigin Widgets Bundle allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteOrigin Widgets Bundle: from n/a through 1.64.0.
|
|||||
| CVE-2022-4385 | 1 Intuitive Custom Post Order Project | 1 Intuitive Custom Post Order | 2025-03-12 | N/A | 4.3 MEDIUM |
|
The Intuitive Custom Post Order WordPress plugin before 3.1.4 does not check for authorization in the update-menu-order ajax action, allowing any logged in user (with roles as low as Subscriber) to update the menu order
|
|||||
| CVE-2025-1481 | 1 Jozoor | 1 Shortcode Cleaner Lite | 2025-03-12 | N/A | 6.5 MEDIUM |
|
The Shortcode Cleaner Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_backup() function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export arbitrary options.
|
|||||
| CVE-2024-10326 | 1 Rometheme | 1 Romethemekit For Elementor | 2025-03-12 | N/A | 4.3 MEDIUM |
|
The RomethemeKit For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_options and reset_widgets functions in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or reset plugin widgets to their default state (all enabled). NOTE: This vulnerability was partially fixed in version 1.5.3.
|
|||||
| CVE-2025-28938 | 2025-03-11 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in Bjoern WP Performance Pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Performance Pack: from n/a through 2.5.3.
|
|||||
| CVE-2025-28920 | 2025-03-11 | N/A | 5.3 MEDIUM | ||
|
Missing Authorization vulnerability in Jogesh Responsive Google Map allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Google Map: from n/a through 3.1.5.
|
|||||
| CVE-2024-1288 | 1 Magazine3 | 1 Schema \& Structured Data For Wp \& Amp | 2025-03-11 | N/A | 4.3 MEDIUM |
|
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saswp_reviews_form_render' function in all versions up to, and including, 1.26. This makes it possible for authenticated attackers, with contributor access and above, to modify the plugin's stored reCaptcha site and secret keys, potentially breaking the reCaptcha functionality.
|
|||||
| CVE-2024-1120 | 1 Xlplugins | 2 Finale, Nextmove | 2025-03-11 | N/A | 5.3 MEDIUM |
|
The NextMove Lite – Thank You Page for WooCommerce and Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the download_tools_settings() function in all versions up to, and including, 2.17.0. This makes it possible for unauthenticated attackers to export system information that can aid attackers in an attack.
|
|||||
| CVE-2024-1771 | 1 Hashthemes | 1 Total | 2025-03-11 | N/A | 5.3 MEDIUM |
|
The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage.
|
|||||
| CVE-2024-0369 | 1 Pawaryogesh1989 | 1 Bulk Edit Post Titles | 2025-03-11 | N/A | 4.3 MEDIUM |
|
The Bulk Edit Post Titles plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulkUpdatePostTitles function in all versions up to, and including, 5.0.0. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts.
|
|||||
| CVE-2024-0447 | 1 Artibot | 1 Artibot | 2025-03-11 | N/A | 5.0 MEDIUM |
|
The ArtiBot Free Chat Bot for WordPress WebSites plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the artibot_update function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update plugin settings.
|
|||||
| CVE-2024-9195 | 1 Whmpress | 1 Whmcs Client Area | 2025-03-11 | N/A | 8.8 HIGH |
|
The WHMPress - WHMCS Client Area plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the update_settings case in the /admin/ajax.php file in all versions up to, and including, 4.3-revision-3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to a ...
Show More |
|||||
| CVE-2024-0828 | 1 Hammadh | 1 Play.ht | 2025-03-11 | N/A | 5.4 MEDIUM |
|
The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with subscriber access or higher, to delete, retrieve, or modify post metadata, retrieve posts contents of protected posts, modify conversion data and delete article audio.
|
|||||
| CVE-2024-0829 | 1 Najeebmedia | 1 Comments Extra Fields | 2025-03-11 | N/A | 4.3 MEDIUM |
|
The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings.
|
|||||
| CVE-2024-1158 | 1 Themekraft | 1 Buddyforms | 2025-03-11 | N/A | 4.3 MEDIUM |
|
The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buddyforms_new_page function in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber access or higher, to create pages with arbitrary titles. These pages are published.
|
|||||
| CVE-2025-27432 | 2025-03-11 | N/A | 2.4 LOW | ||
|
The eDocument Cockpit (Inbound NF-e) in SAP Electronic Invoicing for Brazil allows an authenticated attacker with certain privileges to gain unauthorized access to each transaction. By executing the specific ABAP method within the ABAP system, an unauthorized attacker could call each transaction and view the inbound delivery details. This vulnerability has a low impact on the confidentiality with no effect on the integrity and the availability of the application.
|
|||||
| CVE-2025-26661 | 2025-03-11 | N/A | 8.8 HIGH | ||
|
Due to missing authorization check, SAP NetWeaver (ABAP Class Builder) allows an attacker to gain higher access levels than they should have, resulting in escalation of privileges. On successful exploitation, this could result in disclosure of highly sensitive information. It could also have a high impact on the integrity and availability of the application.
|
|||||
| CVE-2025-26656 | 2025-03-11 | N/A | 4.3 MEDIUM | ||
|
OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on integrity of the application.
|
|||||
| CVE-2025-26655 | 2025-03-11 | N/A | 3.1 LOW | ||
|
SAP Just In Time(JIT) does not perform necessary authorization checks for an authenticated user, allowing attacker to escalate privileges that would otherwise be restricted, potentially causing a low impact on the integrity of the application.Confidentiality and Availability are not impacted.
|
|||||
| CVE-2025-25244 | 2025-03-11 | N/A | 5.7 MEDIUM | ||
|
SAP Business Warehouse (Process Chains) allows an attacker to manipulate the process execution due to missing authorization check. An attacker with display authorization for the process chain object could set one or all processes to be skipped. This means corresponding activities, such as data loading, activation, or deletion, will not be executed as initially modeled. This could lead to unexpected results in business reporting leading to a significant impact on integrity. However, there is no i ...
Show More |
|||||
| CVE-2025-23188 | 2025-03-11 | N/A | 4.3 MEDIUM | ||
|
An authenticated user with low privileges can exploit a missing authorization check in an IBS module of FS-RBD, allowing unauthorized access to perform actions beyond their intended permissions. This causes a low impact on integrity with no impact on confidentiality and availability.
|
|||||
| CVE-2023-27460 | 1 Codepeople | 1 Cp Contact Form With Paypal | 2025-03-10 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in CodePeople, paypaldev CP Contact Form with Paypal allows Functionality Misuse.This issue affects CP Contact Form with Paypal: from n/a through 1.3.34.
|
|||||
| CVE-2023-35049 | 1 Woocommerce | 1 Stripe Payment Gateway | 2025-03-10 | N/A | 7.5 HIGH |
|
Missing Authorization vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.4.0.
|
|||||
| CVE-2025-24591 | 1 Ninjateam | 1 Gdpr Ccpa Compliance \& Cookie Consent Banner | 2025-03-10 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in NinjaTeam GDPR CCPA Compliance Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GDPR CCPA Compliance Support: from n/a through 2.7.1.
|
|||||
| CVE-2023-26523 | 1 Codepeople | 1 Calculated Fields Form | 2025-03-10 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in CodePeople Calculated Fields Form allows Functionality Misuse.This issue affects Calculated Fields Form: from n/a through 1.1.120.
|
|||||
| CVE-2023-28494 | 1 Codepeople | 1 Contact Form Email | 2025-03-10 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in CodePeople Contact Form Email allows Functionality Misuse.This issue affects Contact Form Email: from n/a through 1.3.31.
|
|||||
| CVE-2023-23895 | 1 Codepeople | 1 Wp Time Slots Booking Form | 2025-03-10 | N/A | 4.7 MEDIUM |
|
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Time Slots Booking Form: from n/a through 1.1.82.
|
|||||
| CVE-2023-51353 | 1 Supsystic | 1 Popup | 2025-03-10 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in supsystic.com Popup by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through 1.10.19.
|
|||||
| CVE-2024-24799 | 1 Woocommerce | 1 Box Office | 2025-03-10 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in WooCommerce WooCommerce Box Office.This issue affects WooCommerce Box Office: from n/a through 1.2.2.
|
|||||
| CVE-2023-39997 | 1 Supsystic | 1 Popup | 2025-03-10 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in supsystic.com Popup by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through 1.10.19.
|
|||||
| CVE-2024-13231 | 1 Portfoliohub | 1 Portfoliohub | 2025-03-10 | N/A | 5.3 MEDIUM |
|
The WordPress Portfolio Builder – Portfolio Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_video' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to add arbitrary videos to any portfolio gallery.
|
|||||