Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36831 | 1 Nextscripts | 1 Social Networks Auto Poster | 2025-02-07 | N/A | 5.0 MEDIUM |
|
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on multiple user privilege/security functions provided in versions up to, and including 4.3.17. This makes it possible for low-privileged attackers, like subscribers, to perform restricted actions that would be otherwise locked to an administrative-level user.
|
|||||
| CVE-2024-10537 | 1 Wpusermanager | 1 Wp User Manager | 2025-02-07 | N/A | 4.3 MEDIUM |
|
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key() function in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate user meta keys.
|
|||||
| CVE-2024-10216 | 1 Wpusermanager | 1 Wp User Manager | 2025-02-07 | N/A | 4.3 MEDIUM |
|
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_sidebar' and 'remove_sidebar' functions in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add or remove a Carbon Fields custom sidebar if the Carbon Fields (carbon-fields) plugin is installed.
|
|||||
| CVE-2023-30532 | 1 Jenkins | 1 Turboscript | 2025-02-07 | N/A | 6.5 MEDIUM |
|
A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.
|
|||||
| CVE-2023-30526 | 1 Jenkins | 1 Report Portal | 2025-02-07 | N/A | 6.5 MEDIUM |
|
A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication.
|
|||||
| CVE-2023-30522 | 1 Jenkins | 1 Fogbugz | 2025-02-07 | N/A | 4.3 MEDIUM |
|
A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter.
|
|||||
| CVE-2023-30519 | 1 Jenkins | 1 Quay.io Trigger | 2025-02-07 | N/A | 5.3 MEDIUM |
|
A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.
|
|||||
| CVE-2024-30235 | 1 Themeisle | 1 Multiple Page Generator | 2025-02-07 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Themeisle Multiple Page Generator Plugin – MPG. This issue affects Multiple Page Generator Plugin – MPG: from n/a through 3.4.0.
|
|||||
| CVE-2024-43162 | 1 Awesomemotive | 1 Easy Digital Downloads | 2025-02-07 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Digital Downloads: from n/a through 3.2.12.
|
|||||
| CVE-2023-40005 | 1 Awesomemotive | 1 Easy Digital Downloads | 2025-02-07 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in Easy Digital Downloads Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Digital Downloads: from n/a through 3.1.5.
|
|||||
| CVE-2024-1053 | 1 Liquidweb | 1 Event Tickets | 2025-02-07 | N/A | 4.3 MEDIUM |
|
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves.
|
|||||
| CVE-2024-37463 | 1 Crmperks | 1 Crm Perks Forms | 2025-02-07 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in CRM Perks CRM Perks Forms allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CRM Perks Forms: from n/a through 1.1.5.
|
|||||
| CVE-2025-24753 | 1 Kadencewp | 1 Gutenberg Blocks With Ai | 2025-02-07 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Kadence WP Gutenberg Blocks by Kadence Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenberg Blocks by Kadence Blocks: from n/a through 3.3.1.
|
|||||
| CVE-2025-25120 | | | 2025-02-07 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Melodic Media Slide Banners allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slide Banners: from n/a through 1.3.
|
|||||
| CVE-2025-25110 | | | 2025-02-07 | N/A | 5.4 MEDIUM |
|
Missing Authorization vulnerability in Metagauss Event Kikfyre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Kikfyre: from n/a through 2.1.8.
|
|||||
| CVE-2025-25081 | | | 2025-02-07 | N/A | 4.2 MEDIUM |
|
Missing Authorization vulnerability in DeannaS Embed RSS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Embed RSS: from n/a through 3.1.
|
|||||
| CVE-2024-34389 | 1 Afthemes | 1 Wp Post Author | 2025-02-07 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in AF themes WP Post Author. This issue affects WP Post Author: from n/a through 3.6.4.
|
|||||
| CVE-2024-24883 | 1 Bdthemes | 1 Prime Slider | 2025-02-07 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in BdThemes Prime Slider – Addons For Elementor. This issue affects Prime Slider – Addons For Elementor: from n/a through 3.11.10.
|
|||||
| CVE-2024-2782 | 1 Fluentforms | 1 Contact Form | 2025-02-06 | N/A | 7.5 HIGH |
|
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to modify all of the plugin's settings.
|
|||||
| CVE-2024-2771 | 1 Fluentforms | 1 Contact Form | 2025-02-06 | N/A | 9.8 CRITICAL |
|
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unau ...
|
|||||
| CVE-2024-27939 | 1 Siemens | 1 Ruggedcom Crossbow | 2025-02-06 | N/A | 9.8 CRITICAL |
|
A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow the upload of arbitrary files of any unauthenticated user. An attacker could leverage this vulnerability and achieve arbitrary code execution with system privileges.
|
|||||
| CVE-2023-38102 | 1 Netgear | 1 Prosafe Network Management System | 2025-02-06 | N/A | 8.8 HIGH |
|
NETGEAR ProSAFE Network Management System createUser Missing Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the createUser function. The issue results from the lack of authorization prior to allowing acce ...
|
|||||
| CVE-2024-34387 | 1 Afthemes | 1 Wp Post Author | 2025-02-06 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in AF themes WP Post Author. This issue affects WP Post Author: from n/a through 3.6.4.
|
|||||
| CVE-2023-1371 | 1 W4 Post List Project | 1 W4 Post List | 2025-02-06 | N/A | 6.5 MEDIUM |
|
The W4 Post List WordPress plugin before 2.4.6 does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them.
|
|||||
| CVE-2024-11715 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-06 | N/A | 4.8 MEDIUM |
|
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the assignUserRole() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an employer.
|
|||||
| CVE-2024-26138 | 1 Xwiki | 1 Application Licensing | 2025-02-05 | N/A | 5.3 MEDIUM |
|
The XWiki licensor application, which manages and enforces application licenses for paid extensions, includes the document `Licenses.Code.LicenseJSON` that provides information for admins regarding active licenses. This document is public and thus exposes this information publicly. The information includes the instance's id as well as first and last name and email of the license owner. This is a leak of information that isn't supposed to be public. The instance id allows associating data on the a ...
|
|||||
| CVE-2024-2844 | 1 Easy-appointments | 1 Easy Appointments | 2025-02-05 | N/A | 4.3 MEDIUM |
|
The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users' orders.
|
|||||
| CVE-2023-21091 | 1 Google | 1 Android | 2025-02-05 | N/A | 5.5 MEDIUM |
|
In canDisplayLocalUi of AppLocalePickerActivity.java, there is a possible way to change system app locales due to a missing permission check. This could lead to local denial of service across user boundaries with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-257954050
|
|||||
| CVE-2023-20909 | 1 Google | 1 Android | 2025-02-05 | N/A | 5.5 MEDIUM |
|
In multiple functions of RunningTasks.java, there is a possible privilege escalation due to a missing privilege check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-12 Android-12L Android-13. Android ID: A-243130512
|
|||||
| CVE-2024-2538 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2025-02-05 | N/A | 5.4 MEDIUM |
|
The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.
|
|||||
| CVE-2024-12129 | 1 Wp-royal-themes | 1 Royal Core | 2025-02-05 | N/A | 8.8 HIGH |
|
The Royal Core plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'royal_restore_backup' function in all versions up to, and including, 2.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration fo ...
|
|||||
| CVE-2024-2543 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2025-02-05 | N/A | 4.3 MEDIUM |
|
The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_uri_editor' function in all versions up to, and including, 2.4.3.1. This makes it possible for unauthenticated attackers to view the permalinks of all posts.
|
|||||
| CVE-2024-10520 | 1 Wedevs | 1 Wp Project Manager | 2025-02-05 | N/A | 5.3 MEDIUM |
|
The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes in version 2.6.14. This makes it possible for unauthenticated attackers to create milestones, create task lists, create tasks, or delete tasks in any project. NOTE: Version 2.6.14 implemented a partial fix for this vulnerability.
|
|||||
| CVE-2024-13371 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-05 | N/A | 5.3 MEDIUM |
|
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized arbitrary emails sending due to a missing capability check on the sendEmailToJobSeeker() function in all versions up to, and including, 2.2.6. This makes it possible for unauthenticated attackers to send arbitrary emails with arbitrary content from the site's mail server.
|
|||||
| CVE-2023-21094 | 1 Google | 1 Android | 2025-02-05 | N/A | 7.8 HIGH |
|
In sanitize of LayerState.cpp, there is a possible way to take over the screen display and swap the display content due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-12 Android-12L Android-13. Android ID: A-248031255
|
|||||
| CVE-2023-51479 | 1 Buildapp | 1 Build App Online | 2025-02-05 | N/A | 8.8 HIGH |
|
Improper Privilege Management vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation. This issue affects Build App Online: from n/a through 1.0.19.
|
|||||
| CVE-2024-11712 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-05 | N/A | 5.3 MEDIUM |
|
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getResumeFileDownloadById() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to download other users' resumes.
|
|||||
| CVE-2024-1690 | 1 Standalonetech | 1 Terawallet | 2025-02-05 | N/A | 4.3 MEDIUM |
|
The TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the terawallet_export_user_search() function in all versions up to, and including, 1.4.10. This makes it possible for authenticated attackers, with subscriber-level access and above, to export a list of registered users and their emails.
|
|||||
| CVE-2023-39922 | 1 Theme-fusion | 1 Avada | 2025-02-05 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in ThemeFusion Avada. This issue affects Avada: from n/a through 7.11.1.
|
|||||
| CVE-2024-32799 | 1 Realestateconnected | 1 Easy Property Listings | 2025-02-05 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in Merv Barrett Easy Property Listings. This issue affects Easy Property Listings: from n/a through 3.5.3.
|
|||||