Total
5234 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49221 | 1 Mattermost | 1 Mattermost | 2025-08-12 | 3.7 Low |
| Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via API call to GET subscription endpoint. | ||||
| CVE-2025-48731 | 1 Mattermost | 1 Mattermost | 2025-08-12 | 6.4 Medium |
| Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have access for via edit subscription endpoint. | ||||
| CVE-2025-47580 | 1 Etoilewebdesign | 1 Front End Users | 2025-08-12 | 5.4 Medium |
| Missing Authorization vulnerability in Rustaurius Front End Users allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Front End Users: from n/a through 3.2.32. | ||||
| CVE-2025-4520 | 1 Uncannyowl | 1 Uncanny Automator | 2025-08-12 | 5.4 Medium |
| The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update plugin settings. | ||||
| CVE-2024-43223 | 1 Metagauss | 1 Eventprime | 2025-08-12 | 4.3 Medium |
| Missing Authorization vulnerability in EventPrime Events EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through 4.0.3.2. | ||||
| CVE-2025-4370 | 2 Brizy, Wordpress | 3 Brizy, Brizy-page Builder, Wordpress | 2025-08-11 | 5.3 Medium |
| The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on process_external_asset_urls function as well as missing path validation in store_file function in all versions up to, and including, 2.6.20. This makes it possible for unauthenticated attackers to upload .TXT files on the affected site's server. | ||||
| CVE-2025-1766 | 1 Themewinter | 1 Eventin | 2025-08-11 | 5.3 Medium |
| The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss. | ||||
| CVE-2025-2110 | 1 Wpcompress | 1 Wp Compress | 2025-08-11 | 8.8 High |
| The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its on its AJAX functions in all versions up to, and including, 6.30.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to compromise the site in various ways depending on the specific function exploited - for example, by retrieving sensitive settings and configuration details, or by altering and deleting them, thereby disclosing sensitive information, disrupting the plugin’s functionality, and potentially impacting overall site performance. | ||||
| CVE-2023-49756 | 2 Themewinter, Wordpress | 2 Eventin, Wordpress | 2025-08-11 | 5.4 Medium |
| Missing Authorization vulnerability in Themewinter Eventin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eventin: from n/a through 3.3.52. | ||||
| CVE-2024-37119 | 1 Uncannyowl | 1 Uncanny Automator | 2025-08-11 | 5.3 Medium |
| Missing Authorization vulnerability in Uncanny Owl Uncanny Automator Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Automator Pro: from n/a through 5.3.0.0. | ||||
| CVE-2024-37470 | 2 Wofficeio, Xtendify | 2 Woffice Core, Woffice | 2025-08-11 | 8.2 High |
| Missing Authorization vulnerability in WofficeIO Woffice Core allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Woffice Core: from n/a through 5.4.8. | ||||
| CVE-2024-1934 | 1 Wpcompress | 1 Wp Compress | 2025-08-09 | 7.5 High |
| The WP Compress – Image Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wps_local_compress::__construct' function in all versions up to, and including, 6.11.10. This makes it possible for unauthenticated attackers to reset the CDN region and set a malicious URL to deliver images. | ||||
| CVE-2025-2075 | 1 Uncannyowl | 1 Uncanny Automator | 2025-08-08 | 8.8 High |
| The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to add_role() and user_role() functions missing proper capability checks performed through the validate_rest_call() function. This makes it possible for unauthenticated attackers to set the role of arbitrary users to administrator granting full access to the site, though privilege escalation requires an active account on the site so this is considered an authenticated privilege escalation. | ||||
| CVE-2025-2807 | 2 Stylemixthemes, Wordpress | 2 Motors - Car Dealer\, Classifieds \& Listing, Wordpress | 2025-08-08 | 8.8 High |
| The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-3437 | 2 Stylemixthemes, Wordpress | 2 Motors - Car Dealer\, Classifieds \& Listing, Wordpress | 2025-08-08 | 4.3 Medium |
| The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions. | ||||
| CVE-2024-12244 | 1 Gitlab | 1 Gitlab | 2025-08-08 | 4.3 Medium |
| An issue has been discovered in access controls could allow users to view certain restricted project information even when related features are disabled in GitLab EE, affecting all versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1. | ||||
| CVE-2024-39546 | 1 Juniper | 1 Junos Os Evolved | 2025-08-08 | 7.3 High |
| A Missing Authorization vulnerability in the Socket Intercept (SI) command file interface of Juniper Networks Junos OS Evolved allows an authenticated, low-privilege local attacker to modify certain files, allowing the attacker to cause any command to execute with root privileges leading to privilege escalation ultimately compromising the system. This issue affects Junos OS Evolved: * All versions prior to 21.2R3-S8-EVO, * 21.4 versions prior to 21.4R3-S6-EVO, * 22.1 versions prior to 22.1R3-S5-EVO, * 22.2 versions prior to 22.2R3-S3-EVO, * 22.3 versions prior to 22.3R3-S3-EVO, * 22.4 versions prior to 22.4R3-EVO, * 23.2 versions prior to 23.2R2-EVO. | ||||
| CVE-2025-43720 | 1 H-mdm | 1 Headwind Mdm | 2025-08-07 | 6.5 Medium |
| Headwind MDM before 5.33.1 makes configuration details accessible to unauthorized users. The Configuration profile is exposed to the Observer user role, revealing the password requires to escape out of the MDM controlled device's profile. | ||||
| CVE-2025-43977 | 1 Sktelecom | 1 Com.skt.prod.dialer | 2025-08-07 | 4.3 Medium |
| The com.skt.prod.dialer application through 12.5.0 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.skt.prod.dialer.activities.outgoingcall.OutgoingCallInternalBroadcaster component. | ||||
| CVE-2025-43976 | 1 Textnow | 1 2ndline | 2025-08-07 | 4.3 Medium |
| The com.enflick.android.tn2ndLine application through 24.17.1.0 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.enflick.android.TextNow.activities.DialerActivity component. | ||||