Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-26372 | 2025-02-12 | N/A | 7.1 HIGH | ||
|
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests.
|
|||||
| CVE-2024-45461 | 1 Apache | 1 Cloudstack | 2025-02-12 | N/A | 5.7 MEDIUM |
|
The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.
Users ar ...
Show More |
|||||
| CVE-2024-12370 | 1 Thimpress | 1 Wp Hotel Booking | 2025-02-11 | N/A | 5.3 MEDIUM |
|
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to add rooms with custom prices.
|
|||||
| CVE-2023-40203 | 1 Mailmunch | 1 Mailchimp Forms | 2025-02-11 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in MailMunch MailChimp Forms by MailMunch allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MailChimp Forms by MailMunch: from n/a through 3.1.4.
|
|||||
| CVE-2024-1860 | 1 Billminozzi | 1 Anti Hacker | 2025-02-11 | N/A | 6.5 MEDIUM |
|
The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihacker_add_whitelist() function in all versions up to, and including, 4.51. This makes it possible for unauthenticated attackers to add their IP Address to the whitelist circumventing protection
|
|||||
| CVE-2024-1516 | 1 Zao | 1 Wp Ecommerce | 2025-02-11 | N/A | 5.3 MEDIUM |
|
The WP eCommerce plugin for WordPress is vulnerable to unauthorized arbitrary post creation due to a missing capability check on the check_for_saas_push() function in all versions up to, and including, 3.15.1. This makes it possible for unauthenticated attackers to create arbitrary posts with arbitrary content.
|
|||||
| CVE-2025-24596 | 1 Wcproducttable | 1 Woocommerce Product Table | 2025-02-11 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in WC Product Table WooCommerce Product Table Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Product Table Lite: from n/a through 3.8.7.
|
|||||
| CVE-2024-1368 | 1 Samuelkwle | 1 Page Duplicator | 2025-02-11 | N/A | 5.3 MEDIUM |
|
The Page Duplicator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicate_dat_page() function in all versions up to, and including, 0.1.1. This makes it possible for unauthenticated attackers to duplicate arbitrary posts and pages.
|
|||||
| CVE-2025-25167 | 1 Blackandwhitedigital | 1 Bookpress | 2025-02-11 | N/A | 8.2 HIGH |
|
Missing Authorization vulnerability in blackandwhitedigital BookPress – For Book Authors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BookPress – For Book Authors: from n/a through 1.2.7.
|
|||||
| CVE-2020-9009 | 1 Shipstation | 1 Shipstation | 2025-02-11 | N/A | 3.7 LOW |
|
The ShipStation.com plugin 1.1 and earlier for CS-Cart allows remote attackers to insert arbitrary information into the database (via action=shipnotify) because access to this endpoint is completely unchecked. The attacker must guess an order number.
|
|||||
| CVE-2024-10606 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-02-11 | N/A | 4.3 MEDIUM |
|
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpte_onboard_save_function_callback() function in all versions up to, and including, 6.2.1. This makes it possible for authenticated attackers, with contributor-level access and above, to modify several settings that could have an impact such as lost revenue and page updates.
|
|||||
| CVE-2024-53805 | 1 Wpmailster | 1 Wp Mailster | 2025-02-11 | N/A | 7.5 HIGH |
|
Missing Authorization vulnerability in brandtoss WP Mailster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Mailster: from n/a through 1.8.16.0.
|
|||||
| CVE-2024-3216 | 1 Webtoffee | 1 Woocommerce Pdf Invoices\, Packing Slips\, Delivery Notes And Shipping Labels | 2025-02-11 | N/A | 5.3 MEDIUM |
|
The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wt_pklist_reset_settings() function in all versions up to, and including, 4.4.2. This makes it possible for unauthenticated attackers to reset all of the plugin's settings.
|
|||||
| CVE-2024-56512 | 1 Apache | 1 Nifi | 2025-02-11 | N/A | 5.4 MEDIUM |
|
Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups.
Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled cl ...
Show More |
|||||
| CVE-2024-30508 | 1 Thimpress | 1 Wp Hotel Booking | 2025-02-11 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in ThimPress WP Hotel Booking.This issue affects WP Hotel Booking: from n/a through 2.0.9.2.
|
|||||
| CVE-2024-6636 | 1 Wpwebelite | 1 Woocommerce Social Login | 2025-02-11 | N/A | 9.8 CRITICAL |
|
The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'woo_slg_login_email' function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to change the default role to Administrator while registering for an account.
|
|||||
| CVE-2024-11911 | 1 Themeum | 1 Wp Crowdfunding | 2025-02-11 | N/A | 4.3 MEDIUM |
|
The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_woocommerce_plugin() function action in all versions up to, and including, 2.1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install WooCommerce. This has a limited impact on most sites because WooCommerce is a requirement.
|
|||||
| CVE-2023-41870 | 1 Themeum | 1 Wp Crowdfunding | 2025-02-11 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Themeum WP Crowdfunding allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Crowdfunding: from n/a through 2.1.5.
|
|||||
| CVE-2023-37890 | 1 Logon | 1 Kb Support | 2025-02-11 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in WPOmnia KB Support – WordPress Help Desk and Knowledge Base allows Accessing Functionality Not Properly Constrained by ACLs. Users with a role as low as a subscriber can view other customers.This issue affects KB Support – WordPress Help Desk and Knowledge Base: from n/a through 1.5.88.
|
|||||
| CVE-2024-13643 | 2025-02-11 | N/A | 8.8 HIGH | ||
|
The Zox News - Professional WordPress News & Magazine Theme plugin for WordPress is vulnerable to unauthorized data modification. This vulnerability can lead to privilege escalation and denial of service conditions due to missing capability checks on the backup_options() and reset_options() functions in all versions up to and including 3.17.0. This vulnerability allows authenticated attackers with Subscriber-level access and above to update and delete arbitrary option values on the WordPress sit ...
Show More |
|||||
| CVE-2025-23190 | 2025-02-11 | N/A | 4.3 MEDIUM | ||
|
Due to missing authorization check, an authenticated attacker could call a remote-enabled function module which allows them to access data that they would otherwise not have access to. The attacker cannot modify data or impact the availability of the system.
|
|||||
| CVE-2025-23189 | 2025-02-11 | N/A | 4.3 MEDIUM | ||
|
Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an authenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability
|
|||||
| CVE-2024-55408 | 2025-02-11 | N/A | 5.3 MEDIUM | ||
|
An improper access control vulnerability in the AsusSAIO.sys driver may lead to the misuse of software functionality utilizing the driver when crafted IOCTL requests are supplied.
|
|||||
| CVE-2024-3606 | 1 Metagauss | 1 Profilegrid | 2025-02-10 | N/A | 4.3 MEDIUM |
|
The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the pm_upload_cover_image function in all versions up to, and including, 5.8.3. This makes it possible for authenticated attackers, with subscriber access or higher, to delete attachments.
|
|||||
| CVE-2023-1167 | 1 Gitlab | 1 Gitlab | 2025-02-10 | N/A | 5.3 MEDIUM |
|
Improper authorization in Gitlab EE affecting all versions from 12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 allows an unauthorized access to security reports in MR.
|
|||||
| CVE-2024-43254 | 1 Zaytech | 1 Smart Online Order For Clover | 2025-02-10 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Zaytech Smart Online Order for Clover allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Online Order for Clover: from n/a through 1.5.6.
|
|||||
| CVE-2024-43253 | 1 Zaytech | 1 Smart Online Order For Clover | 2025-02-10 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in Zaytech Smart Online Order for Clover allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Smart Online Order for Clover: from n/a through 1.5.6.
|
|||||
| CVE-2024-37453 | 1 Metagauss | 1 Profilegrid | 2025-02-10 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in ProfileGrid User Profiles ProfileGrid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ProfileGrid: from n/a through 5.8.7.
|
|||||
| CVE-2024-53803 | 1 Wpmailster | 1 Wp Mailster | 2025-02-10 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in brandtoss WP Mailster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Mailster: from n/a through 1.8.16.0.
|
|||||
| CVE-2024-8548 | 1 Logon | 1 Kb Support | 2025-02-10 | N/A | 8.1 HIGH |
|
The KB Support – WordPress Help Desk and Knowledge Base plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in all versions up to, and including, 1.6.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform multiple administrative actions, such as replying to arbitrary tickets, updating the status of any post, deleting any post, adding notes to tickets, flagging or ...
Show More |
|||||
| CVE-2024-8632 | 1 Logon | 1 Kb Support | 2025-02-10 | N/A | 6.5 MEDIUM |
|
The KB Support – WordPress Help Desk and Knowledge Base plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'kbs_ajax_load_front_end_replies' and 'kbs_ajax_mark_reply_as_read' functions in all versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to read replies of any ticket, and mark any reply as read.
|
|||||
| CVE-2024-32798 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-02-10 | N/A | 7.5 HIGH |
|
Missing Authorization vulnerability in WP Travel Engine.This issue affects WP Travel Engine: from n/a through 5.8.0.
|
|||||
| CVE-2024-33589 | 1 Logon | 1 Kb Support | 2025-02-10 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in WPOmnia KB Support.This issue affects KB Support: from n/a through 1.6.0.
|
|||||
| CVE-2024-32684 | 1 Wpmet | 1 Wp Ultimate Review | 2025-02-09 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in Wpmet Wp Ultimate Review.This issue affects Wp Ultimate Review: from n/a through 2.2.5.
|
|||||
| CVE-2023-50898 | 1 Sirv | 1 Sirv | 2025-02-09 | N/A | 5.4 MEDIUM |
|
Missing Authorization vulnerability in sirv.Com Sirv.This issue affects Sirv: from n/a through 7.1.2.
|
|||||
| CVE-2024-52480 | 1 Astoundify | 1 Jobify | 2025-02-07 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in Astoundify Jobify - Job Board WordPress Theme.This issue affects Jobify - Job Board WordPress Theme: from n/a through 4.2.3.
|
|||||
| CVE-2024-13698 | 1 Astoundify | 1 Jobify | 2025-02-07 | N/A | 6.5 MEDIUM |
|
The Jobify - Job Board WordPress Theme for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'download_image_via_ai' and 'generate_image_via_ai' functions in all versions up to, and including, 4.2.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application to upload files in an image format, and to generate AI images using the site's OpenAI key.
|
|||||
| CVE-2024-3268 | 1 Emarketdesign | 1 Youtube Video Gallery | 2025-02-07 | N/A | 5.3 MEDIUM |
|
The YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the emd_form_builder_lite_submit_form function in all versions up to, and including, 3.3.6. This makes it possible for unauthenticated attackers to create arbitrary posts or pages.
|
|||||
| CVE-2023-30521 | 1 Jenkins | 1 Assembla Merge Request Builder | 2025-02-07 | N/A | 5.3 MEDIUM |
|
A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.
|
|||||
| CVE-2023-30518 | 1 Jenkins | 1 Thycotic Secret Server | 2025-02-07 | N/A | 4.3 MEDIUM |
|
A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
|
|||||