Total
6399 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-15068 | 1 Gmission | 1 Web Fax | 2026-01-09 | 7.7 High |
| Missing Authorization vulnerability in Gmission Web Fax allows Privilege Abuse, Session Credential Falsification through Manipulation.This issue affects Web Fax: 3.0 | ||||
| CVE-2025-68850 | 2 Codepeople, Wordpress | 2 Sell Downloads, Wordpress | 2026-01-08 | 7.5 High |
| Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sell Downloads: from n/a through 1.1.12. | ||||
| CVE-2025-68547 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 7.5 High |
| Missing Authorization vulnerability in WPweb Follow My Blog Post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Follow My Blog Post: from n/a through 2.4.0. | ||||
| CVE-2025-15235 | 1 Quanta Computer | 1 Qoca Aim Ai Medical Cloud Platform | 2026-01-08 | 6.5 Medium |
| QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Missing Authorization vulnerability, allowing authenticated remote attackers to modify specific network packet parameters, enabling certain system functions to access other users' files. | ||||
| CVE-2025-15115 | 1 Petlibro | 1 Smart Pet Feeder Platform | 2026-01-08 | 6.5 Medium |
| Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. Attackers can send requests to /member/auth/thirdLogin with arbitrary Google IDs and phoneBrand parameters to obtain full session tokens and account access without proper OAuth verification. | ||||
| CVE-2026-21429 | 1 Emlog | 1 Emlog | 2026-01-08 | N/A |
| Emlog is an open source website building system. In version 2.5.23, the admin can set controls which makes users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available. | ||||
| CVE-2025-31046 | 2 Wordpress, Wpvibes | 2 Wordpress, Anywhere Elementor | 2026-01-08 | 4.3 Medium |
| Missing Authorization vulnerability in WPvibes AnyWhere Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyWhere Elementor Pro: from n/a through 2.29. | ||||
| CVE-2025-39561 | 2 Marketing Fire, Wordpress | 2 Loginwp, Wordpress | 2026-01-08 | 6.5 Medium |
| Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. | ||||
| CVE-2025-46255 | 2 Marketing Fire, Wordpress | 2 Loginwp, Wordpress | 2026-01-08 | 7.5 High |
| Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. | ||||
| CVE-2025-34171 | 1 Icewhale | 1 Casaos | 2026-01-08 | N/A |
| CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host. | ||||
| CVE-2025-12519 | 1 Centreon | 1 Centreon | 2026-01-08 | 5.3 Medium |
| Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | ||||
| CVE-2025-11370 | 2 Averta, Wordpress | 3 Depicter Slider, Slider And Popup Builder By Depicter, Wordpress | 2026-01-08 | 5.3 Medium |
| The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings. | ||||
| CVE-2025-14441 | 2 Roxnor, Wordpress | 2 Popup Builder, Wordpress | 2026-01-08 | 5.3 Medium |
| The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records. | ||||
| CVE-2025-39477 | 2 Sfwebservice, Wordpress | 2 Injob, Wordpress | 2026-01-08 | 9.8 Critical |
| Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InWave Jobs: from n/a through 3.5.8. | ||||
| CVE-2025-69359 | 2 Wordpress, Wpfunnels | 2 Wordpress, Creator Lms | 2026-01-08 | N/A |
| Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Creator LMS: from n/a through <= 1.1.12. | ||||
| CVE-2025-69352 | 2 Stellarwp, Wordpress | 2 The Events Calendar, Wordpress | 2026-01-08 | 5.4 Medium |
| Missing Authorization vulnerability in StellarWP The Events Calendar the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar: from n/a through <= 6.15.12.2. | ||||
| CVE-2025-69355 | 2 Tickera, Wordpress | 2 Tickera, Wordpress | 2026-01-08 | N/A |
| Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.4. | ||||
| CVE-2025-69364 | 2 Cloudways, Wordpress | 2 Breeze, Wordpress | 2026-01-08 | N/A |
| Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through <= 2.2.21. | ||||
| CVE-2025-12449 | 2 Kodezen, Wordpress | 2 Ablocks, Wordpress | 2026-01-08 | 5.4 Medium |
| The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services. | ||||
| CVE-2025-69345 | 2 Boldgrid, Wordpress | 2 Post And Page Builder, Wordpress | 2026-01-08 | 5.4 Medium |
| Missing Authorization vulnerability in BoldGrid Post and Page Builder by BoldGrid post-and-page-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post and Page Builder by BoldGrid: from n/a through <= 1.27.9. | ||||