Total
6720 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13381 | 2 Ays-pro, Wordpress | 2 Ai Chatbot With Chatgpt, Wordpress | 2025-12-03 | 5.3 Medium |
| The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'ays_chatgpt_save_wp_media' function in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to upload media files. | ||||
| CVE-2025-65669 | 1 Classroomio | 1 Classroomio | 2025-12-03 | 9.1 Critical |
| An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction. | ||||
| CVE-2025-9954 | 2 Acquia, Drupal | 3 Dam, Acquia Dam, Drupal | 2025-12-03 | 7.5 High |
| Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing.This issue affects Acquia DAM: from 0.0.0 before 1.1.5. | ||||
| CVE-2025-41012 | 1 Tcman | 1 Gim | 2025-12-03 | 5.3 Medium |
| Unauthorized access vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system by using the 'pda:userId' and 'pda:newPassword' parameters with 'soapaction UnlockUser’ in '/WS/PDAWebService.asmx'. | ||||
| CVE-2025-12169 | 3 Elextensions, Elula, Wordpress | 3 Elex Wordpress Plugin, Wsdesk, Wordpress | 2025-12-03 | 4.3 Medium |
| The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option. | ||||
| CVE-2025-12085 | 3 Elextensions, Elula, Wordpress | 3 Elex Wordpress Plugin, Wsdesk, Wordpress | 2025-12-03 | 4.3 Medium |
| The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to empty the ticket trash. | ||||
| CVE-2025-12023 | 3 Elextensions, Elula, Wordpress | 3 Elex Wordpress Plugin, Wsdesk, Wordpress | 2025-12-03 | 4.3 Medium |
| The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_restore_data() function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore tickets. | ||||
| CVE-2025-12022 | 3 Elextensions, Elula, Wordpress | 3 Elex Wordpress Plugin, Wsdesk, Wordpress | 2025-12-03 | 4.3 Medium |
| The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_restore_trash' AJAX endpoint in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore all deleted tickets. | ||||
| CVE-2025-13828 | 1 Mautic | 1 Mautic | 2025-12-03 | N/A |
| SummaryA non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. ImpactA low-privileged user of the platform can install malicious code to obtain higher privileges. | ||||
| CVE-2023-52177 | 1 Softlabbd | 1 Integrate Google Drive | 2025-12-02 | 5.4 Medium |
| Missing Authorization vulnerability in SoftLab Integrate Google Drive.This issue affects Integrate Google Drive: from n/a through 1.3.3. | ||||
| CVE-2025-9825 | 1 Gitlab | 1 Gitlab | 2025-12-02 | 5 Medium |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API. | ||||
| CVE-2025-52670 | 2 Revive, Revive-adserver | 2 Adserver, Revive Adserver | 2025-12-02 | 6.5 Medium |
| Missing authorization check in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes users on the system to delete banners owned by other accounts | ||||
| CVE-2025-64349 | 2 Elog, Elog Project | 2 Elog, Elog | 2025-12-02 | 8.8 High |
| ELOG allows an authenticated user to modify another user's profile. An attacker can edit a target user's email address, then request a password reset, and take control of the target account. By default, ELOG is not configured to allow self-registration. | ||||
| CVE-2025-12579 | 1 Wordpress | 1 Wordpress | 2025-12-01 | 5.3 Medium |
| The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin's settings. | ||||
| CVE-2025-13441 | 3 Themesupport, Woocommerce, Wordpress | 3 Hide Category By User Role For Woocommerce, Woocommerce, Wordpress | 2025-12-01 | 5.3 Medium |
| The Hide Category by User Role for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.1. This is due to a missing capability check on the admin_init hook that executes wp_cache_flush(). This makes it possible for unauthenticated attackers to flush the site's object cache via forged requests, potentially degrading site performance. | ||||
| CVE-2025-41017 | 1 Davantis | 1 Dfusion | 2025-12-01 | N/A |
| Inadequate access control vulnerability in Davantis DDFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing “/cameras/<CAMERA_ID>/perspective”. | ||||
| CVE-2025-13405 | 1 Wordpress | 1 Wordpress | 2025-12-01 | 5.3 Medium |
| The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptb_delete_custom_taxonomy() function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary custom taxonomies. | ||||
| CVE-2025-12634 | 3 Sunarc, Woocommerce, Wordpress | 3 Refund Request For Woocommerce, Woocommerce, Wordpress | 2025-12-01 | 4.3 Medium |
| The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update refund statuses to approved or rejected. | ||||
| CVE-2025-13404 | 2 Atec, Wordpress | 2 Duplicate Page Post, Wordpress | 2025-11-27 | 5.3 Medium |
| The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate_post() function in all versions up to, and including, 1.2.20. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, including private and password-protected posts, leading to data exposure. | ||||
| CVE-2025-13386 | 1 Wordpress | 1 Wordpress | 2025-11-27 | 5.3 Medium |
| The Social Images Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'options_update' function in all versions up to, and including, 2.1. This makes it possible for unauthenticated attackers to delete the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||