Total
5080 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-5877 | 1 Servit | 1 Affiliate-toolkit | 2025-06-03 | 9.8 Critical |
| The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URL's, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue. | ||||
| CVE-2023-7019 | 1 Themeisle | 1 Lightstart | 2025-06-03 | 4.3 Medium |
| The LightStart – Maintenance Mode, Coming Soon and Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the insert_template function in all versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to change page designs. | ||||
| CVE-2023-6855 | 1 Strangerstudios | 1 Paid Memberships Pro | 2025-06-03 | 5.3 Medium |
| The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function in all versions up to 2.12.5 (inclusive). This makes it possible for unauthenticated attackers to change membership levels including prices. | ||||
| CVE-2023-6638 | 1 Gutengeek | 1 Gg Woo Feed | 2025-06-03 | 6.5 Medium |
| The GTG Product Feed for Shopping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' function in versions up to, and including, 1.2.4. This makes it possible for unauthenticated attackers to update plugin settings. | ||||
| CVE-2023-6637 | 1 Daan | 1 Complete Analytics Optimization Suite | 2025-06-03 | 6.5 Medium |
| The CAOS | Host Google Analytics Locally plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' function in versions up to, and including, 4.7.14. This makes it possible for unauthenticated attackers to update plugin settings. | ||||
| CVE-2023-6504 | 1 Cozmoslabs | 1 Profile Builder | 2025-06-03 | 4.3 Medium |
| The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wppb_toolbox_usermeta_handler function in all versions up to, and including, 3.10.7. This makes it possible for authenticated attackers, with contributor-level access and above, to expose sensitive information within user metadata. | ||||
| CVE-2023-6369 | 1 Myrecorp | 1 Export Wp Page To Static Html\/css | 2025-06-03 | 5.4 Medium |
| The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 2.1.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to disclose sensitive information or perform unauthorized actions, such as saving advanced plugin settings. | ||||
| CVE-2023-6048 | 1 Estatik | 1 Estatik | 2025-06-03 | 6.5 Medium |
| The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not prevent user with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset | ||||
| CVE-2023-6279 | 1 Wootsify | 1 Sites Library | 2025-06-02 | 7.1 High |
| The Woostify Sites Library WordPress plugin before 1.4.8 does not have authorisation in an AJAX action, allowing any authenticated users, such as subscriber to update arbitrary blog options and set them to 'activated' which could lead to DoS when using a specific option name | ||||
| CVE-2025-31681 | 1 Authenticator Login Project | 1 Authenticator Login | 2025-06-02 | 9.8 Critical |
| Missing Authorization vulnerability in Drupal Authenticator Login allows Forceful Browsing.This issue affects Authenticator Login: from 0.0.0 before 2.0.6. | ||||
| CVE-2025-5410 | 2025-06-02 | 4.3 Medium | ||
| A vulnerability was found in Mist Community Edition up to 4.7.1. It has been declared as problematic. This vulnerability affects the function session_start_response of the file src/mist/api/auth/middleware.py. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The patch is identified as db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component. | ||||
| CVE-2023-48926 | 1 Prestashop | 1 Advanced Loyalty Program | 2025-06-02 | 5.3 Medium |
| An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status. | ||||
| CVE-2024-45689 | 1 Moodle | 1 Moodle | 2025-06-02 | 6.5 Medium |
| A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access. | ||||
| CVE-2024-0238 | 1 Myeventon | 1 Eventon | 2025-06-02 | 6.1 Medium |
| The EventON Premium WordPress plugin before 4.5.6, EventON WordPress plugin before 2.2.8 do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata. | ||||
| CVE-2024-0237 | 1 Myeventon | 1 Eventon | 2025-06-02 | 5.3 Medium |
| The EventON WordPress plugin through 4.5.8, EventON WordPress plugin before 2.2.7 do not have authorisation in some AJAX actions, allowing unauthenticated users to update virtual events settings, such as meeting URL, moderator, access details etc | ||||
| CVE-2024-0569 | 1 Totolink | 2 T8, T8 Firmware | 2025-06-02 | 4.3 Medium |
| A vulnerability classified as problematic has been found in Totolink T8 4.1.5cu.833_20220905. This affects the function getSysStatusCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument ssid/key leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.5cu.862_B20230228 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-250785 was assigned to this vulnerability. | ||||
| CVE-2025-46823 | 2025-05-30 | N/A | ||
| openmrs-module-fhir2 provides the FHIR REST API and related services for OpenMRS, an open medical records system. In versions of the FHIR2 module prior to 2.5.0, privileges were not always correctly checked, which means that unauthorized users may have been able to add or edit data they were not supposed to be able to. All implementers should update to FHIR2 2.5.0 or newer as soon as is feasible to receive a patch. | ||||
| CVE-2025-4597 | 2025-05-30 | 6.5 Medium | ||
| The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions up to, and including, 1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts. | ||||
| CVE-2023-43846 | 1 Aten | 2 Pe6208, Pe6208 Firmware | 2025-05-30 | 5.3 Medium |
| Incorrect access control in logs management function of web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote attackers to get the device logs via HTTP GET request. The logs contain such information as user names and IP addresses used in the infrastructure. This information may help the attackers to conduct further attacks in the infrastructure. | ||||
| CVE-2018-10207 | 1 Vaultize | 1 Enterprise File Sharing | 2025-05-30 | N/A |
| An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. An attacker can exploit Missing Authorization on the FlexPaperViewer SWF reader, and export files that should have been restricted, via vectors involving page-by-page access to a document in SWF format. | ||||