Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-0377 | 1 Lifterlms | 1 Lifterlms | 2025-01-23 | N/A | 5.3 MEDIUM |
|
The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_review' function in all versions up to, and including, 7.5.1. This makes it possible for unauthenticated attackers to publish an unrestricted number of reviews on the site.
|
|||||
| CVE-2024-11069 | 1 Welaunch | 1 Wordpress Gdpr | 2025-01-23 | N/A | 6.5 MEDIUM |
|
The WordPress GDPR plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'WordPress_GDPR_Data_Delete::check_action' function in all versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to delete arbitrary users.
|
|||||
| CVE-2024-10393 | 1 Themeum | 1 Tutor Lms | 2025-01-23 | N/A | 5.3 MEDIUM |
|
The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.
|
|||||
| CVE-2023-37869 | 1 Leap13 | 1 Premium Addons | 2025-01-23 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in Premium Addons Premium Addons PRO.This issue affects Premium Addons PRO: from n/a through 2.9.0.
|
|||||
| CVE-2024-37094 | 1 Stylemixthemes | 1 Masterstudy Lms | 2025-01-22 | N/A | 8.2 HIGH |
|
Missing Authorization vulnerability in StylemixThemes MasterStudy LMS allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects MasterStudy LMS: from n/a through 3.2.12.
|
|||||
| CVE-2024-4352 | 1 Themeum | 1 Tutor Lms | 2025-01-22 | N/A | 8.8 HIGH |
|
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'get_calendar_materials' function. The plugin is also vulnerable to SQL Injection via the ‘year’ parameter of that function due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level permissions and ab ...
Show More |
|||||
| CVE-2024-4351 | 1 Themeum | 1 Tutor Lms | 2025-01-22 | N/A | 8.8 HIGH |
|
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to gain control of an existing administrator account.
|
|||||
| CVE-2024-4222 | 1 Themeum | 1 Tutor Lms | 2025-01-22 | N/A | 7.3 HIGH |
|
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.
|
|||||
| CVE-2023-51359 | 1 Wpdeveloper | 1 Essential Blocks | 2025-01-22 | N/A | 5.4 MEDIUM |
|
Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Gutenberg: from n/a through 4.2.0.
|
|||||
| CVE-2023-47822 | 1 Sonaar | 1 Mp3 Audio Player For Music\, Radio \& Podcast | 2025-01-22 | N/A | 5.4 MEDIUM |
|
Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 4.10.
|
|||||
| CVE-2023-47760 | 1 Wpdeveloper | 1 Essential Blocks | 2025-01-22 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Gutenberg: from n/a through 4.2.0.
|
|||||
| CVE-2024-56266 | 1 Sonaar | 1 Mp3 Audio Player For Music\, Radio \& Podcast | 2025-01-22 | N/A | 6.3 MEDIUM |
|
Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 5.8.
|
|||||
| CVE-2023-6965 | 1 Podsfoundation | 1 Pods | 2025-01-22 | N/A | 4.3 MEDIUM |
|
The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This is due to the fact that the plugin allows the use of a file inclusion feature via shortcode. This makes it possible for authenticated attackers, with contributor access or higher, to create pods and users (with default role).
|
|||||
| CVE-2023-51360 | 1 Wpdeveloper | 1 Essential Blocks | 2025-01-22 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Gutenberg: from n/a through 4.2.0.
|
|||||
| CVE-2024-12033 | 1 Artbees | 1 Jupiter X Core | 2025-01-22 | N/A | 4.3 MEDIUM |
|
The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the sync_libraries() function in all versions up to, and including, 4.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to sync libraries
|
|||||
| CVE-2024-12316 | 1 Artbees | 1 Jupiter X Core | 2025-01-22 | N/A | 5.3 MEDIUM |
|
The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_popup_action() function in all versions up to, and including, 4.8.5. This makes it possible for unauthenticated attackers to export popup templates.
|
|||||
| CVE-2024-1390 | 1 Cozmoslabs | 1 Membership \& Content Restriction - Paid Member Subscriptions | 2025-01-22 | N/A | 4.3 MEDIUM |
|
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables.
|
|||||
| CVE-2018-14628 | 2 Fedoraproject, Samba | 2 Fedora, Samba | 2025-01-22 | N/A | 4.3 MEDIUM |
|
An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store.
|
|||||
| CVE-2025-23512 | 2025-01-22 | N/A | 7.5 HIGH | ||
|
Missing Authorization vulnerability in Team118GROUP Team 118GROUP Agent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team 118GROUP Agent: from n/a through 1.6.0.
|
|||||
| CVE-2025-23486 | 2025-01-22 | N/A | 6.5 MEDIUM | ||
|
Missing Authorization vulnerability in NotFound Database Sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Database Sync: from n/a through 0.5.1.
|
|||||
| CVE-2024-3942 | 1 Stylemixthemes | 1 Masterstudy Lms | 2025-01-21 | N/A | 6.3 MEDIUM |
|
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on several functions in versions up to, and including, 3.3.8. This makes it possible for authenticated attackers, with subscriber level permissions and above, to read and modify content such as course questions, post titles, and taxonomies.
|
|||||
| CVE-2025-23477 | 2025-01-21 | N/A | 8.2 HIGH | ||
|
Missing Authorization vulnerability in Realty Workstation Realty Workstation allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Realty Workstation: from n/a through 1.0.45.
|
|||||
| CVE-2025-22722 | 2025-01-21 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in Widget Options Team Widget Options allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widget Options: from n/a through 4.0.8.
|
|||||
| CVE-2025-22721 | 2025-01-21 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in Farhan Noor ApplyOnline – Application Form Builder and Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ApplyOnline – Application Form Builder and Manager: from n/a through 2.6.7.1.
|
|||||
| CVE-2023-33252 | 1 0kims | 1 Snarkjs | 2025-01-21 | N/A | 7.5 HIGH |
|
iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.
|
|||||
| CVE-2024-31981 | 1 Xwiki | 1 Xwiki | 2025-01-21 | N/A | 9.9 CRITICAL |
|
XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, remote code execution is possible via PDF export templates. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10-rc-1. If PDF templates are not typically used on the instance, an administrator can create the document `XWiki.PDFClass` and block its edition, after making sure that it does not contain a `style` attribute. Otherwise, there are no known workar ...
Show More |
|||||
| CVE-2024-31983 | 1 Xwiki | 1 Xwiki | 2025-01-21 | N/A | 9.9 CRITICAL |
|
XWiki Platform is a generic wiki platform. In multilingual wikis, translations can be edited by any user who has edit right, circumventing the rights that are normally required for authoring translations (script right for user-scope translations, wiki admin for translations on the wiki). Starting in version 4.3-milestone-2 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, this can be exploited for remote code execution if the translation value is not properly escaped where it is used. This ...
Show More |
|||||
| CVE-2024-31987 | 1 Xwiki | 1 Xwiki | 2025-01-21 | N/A | 9.9 CRITICAL |
|
XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution. This has been patched in XWiki 14.10.19, 15.5.4 and 15.10RC1. No known workarounds are available except for upgrading.
|
|||||
| CVE-2024-45393 | 1 Cvat | 1 Computer Vision Annotation Tool | 2025-01-21 | N/A | 6.4 MEDIUM |
|
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account can access webhook delivery information for any webhook registered on the CVAT instance, including that of other users. For each delivery, this contains information about the event that caused the delivery, typically including full details about the object on which an action was performed (such as the task for an "update:task" event), and the user who perf ...
Show More |
|||||
| CVE-2025-22717 | 2025-01-21 | N/A | 7.5 HIGH | ||
|
Missing Authorization vulnerability in Joe Dolson My Tickets allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects My Tickets: from n/a through 2.0.9.
|
|||||
| CVE-2025-22318 | 2025-01-21 | N/A | 7.5 HIGH | ||
|
Missing Authorization vulnerability in Eniture Technology Standard Box Sizes – for WooCommerce. This issue affects Standard Box Sizes – for WooCommerce: from n/a through 1.6.13.
|
|||||
| CVE-2025-0515 | 2025-01-18 | N/A | 4.3 MEDIUM | ||
|
The Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option tha ...
Show More |
|||||
| CVE-2024-12614 | 1 Hirewebxperts | 1 Passwords Manager | 2025-01-17 | N/A | 7.5 HIGH |
|
The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins settings and add passwords.
|
|||||
| CVE-2024-11816 | 1 Wpextended | 1 Ultimate Wordpress Toolkit | 2025-01-17 | N/A | 8.8 HIGH |
|
The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Remote Code Execution in version 3.0.11. This is due to a missing capability check on the 'wpext_handle_snippet_update' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server providing an admin has created at least one code snippet.
|
|||||
| CVE-2024-11270 | 1 Webinarpress | 1 Webinarpress | 2025-01-17 | N/A | 8.8 HIGH |
|
The WordPress Webinar Plugin – WebinarPress plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the 'sync-import-imgs' function and missing file type validation in all versions up to, and including, 1.33.24. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files that can lead to remote code execution.
|
|||||
| CVE-2024-11271 | 1 Webinarpress | 1 Webinarpress | 2025-01-17 | N/A | 8.8 HIGH |
|
The WordPress Webinar Plugin – WebinarPress plugin for WordPress is vulnerable to modification of data due to a missing capability check on several functions in all versions up to, and including, 1.33.24. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify webinars.
|
|||||
| CVE-2024-10853 | 1 Zixn | 1 Buy One Click Woocommerce | 2025-01-17 | N/A | 4.3 MEDIUM |
|
The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the removeorder AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete Buy one click WooCommerce orders.
|
|||||
| CVE-2024-10854 | 1 Zixn | 1 Buy One Click Woocommerce | 2025-01-17 | N/A | 4.3 MEDIUM |
|
The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buy_one_click_import_options AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import plugin settings.
|
|||||
| CVE-2024-31343 | 1 Sonaar | 1 Mp3 Audio Player For Music\, Radio \& Podcast | 2025-01-17 | N/A | 7.5 HIGH |
|
Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 4.10.1.
|
|||||
| CVE-2024-1904 | 1 Stylemixthemes | 1 Masterstudy Lms | 2025-01-17 | N/A | 4.3 MEDIUM |
|
The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the search_posts function in all versions up to, and including, 3.2.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose draft post titles and excerpts.
|
|||||