Total
6720 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12847 | 2 Smub, Wordpress | 2 All In One Seo, Wordpress | 2025-11-18 | 4.3 Medium |
| The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs. | ||||
| CVE-2025-12849 | 2 Contest-gallery, Wordpress | 2 Contest Gallery, Wordpress | 2025-11-18 | 5.3 Medium |
| The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks or nonce verification. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments into galleries and manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files. | ||||
| CVE-2024-13994 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-17 | 9.8 Critical |
| Nagios XI versions prior to 2024R1.1.2 contain a missing authorization control when the 'Allow Insecure Logins' option is enabled. Under this configuration, any user can create valid login credentials for other users without proper authorization. This can lead to unauthorized account creation, privilege escalation, or full compromise of the Nagios XI web interface depending on the target account. | ||||
| CVE-2023-7317 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-17 | 8.8 High |
| Nagios XI versions prior to 2024R1 contain a missing access control vulnerability via the Web SSH Terminal. A remote, low-privileged attacker could access or interact with the terminal interface without sufficient authorization, potentially allowing unauthorized command execution or disclosure of sensitive information. | ||||
| CVE-2013-10072 | 1 Nagios | 2 Nagios Xi, Xi | 2025-11-17 | 6.5 Medium |
| Nagios XI versions prior to 2012R1.6 contain an authorization flaw in the Auto-Discovery functionality. Users with read-only roles could directly reach Auto-Discovery endpoints and pages that should require elevated permissions, exposing discovery results and allowing unintended access to discovery operations. | ||||
| CVE-2025-1021 | 1 Synology | 1 Diskstation Manager | 2025-11-17 | 7.5 High |
| Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote attackers to read arbitrary files via unspecified vectors. | ||||
| CVE-2025-13119 | 3 Fabian, Fabianros, Sourcecodester | 3 Simple E-banking System, Simple E-banking System, Simple Cafe Billing System | 2025-11-17 | 4.3 Medium |
| A flaw has been found in Fabian Ros/SourceCodester Simple E-Banking System 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been published and may be used. | ||||
| CVE-2025-63293 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-14 | 6.5 Medium |
| FairSketch Rise Ultimate Project Manager & CRM 3.9.4 is vulnerable to Insecure Permissions. A remote authenticated user can append comments or upload attachments to tickets for which they lack view or edit authorization, due to missing authorization checks in the ticketing/commenting API. | ||||
| CVE-2025-33185 | 1 Nvidia | 1 Aistore | 2025-11-14 | 5.3 Medium |
| NVIDIA AIStore contains a vulnerability in AuthN where an unauthenticated user may cause information disclosure. A successful exploit of this vulnerability may lead to information disclosure. | ||||
| CVE-2025-12891 | 2 Ays-pro, Wordpress | 2 Survey Maker, Wordpress | 2025-11-14 | 5.3 Medium |
| The Survey Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ays_survey_show_results' AJAX endpoint in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to view all survey submissions. | ||||
| CVE-2025-13063 | 1 Dinukanavaratna | 1 Dee Store | 2025-11-14 | 7.3 High |
| A flaw has been found in DinukaNavaratna Dee Store 1.0. Affected is an unknown function. Executing manipulation can lead to missing authorization. The attack may be performed from remote. The exploit has been published and may be used. Multiple endpoints are affected. | ||||
| CVE-2025-12015 | 2 Sanderkah, Wordpress | 2 Convert Webp & Avif, Wordpress | 2025-11-14 | 4.3 Medium |
| The Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_wpqai_disconnect_quicq_afosto' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect Afosto | ||||
| CVE-2025-12979 | 2 Uscnanbu, Wordpress | 2 Welcart E-commerce, Wordpress | 2025-11-14 | 5.3 Medium |
| The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'usces_export' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials (ex. PayPal api secret) , as well as business contact details, mail templates, and other operational settings tied to the store. | ||||
| CVE-2025-12892 | 2 Ays-pro, Wordpress | 2 Survey Maker, Wordpress | 2025-11-14 | 5.3 Medium |
| The Survey Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 5.1.9.4. This makes it possible for unauthenticated attackers to update the ays_survey_maker_upgrade_plugin option. | ||||
| CVE-2025-12817 | 1 Postgresql | 1 Postgresql | 2025-11-14 | 3.1 Low |
| Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected. | ||||
| CVE-2025-12953 | 2 Techlabpro1, Wordpress | 2 Classified Listing Plugin, Wordpress | 2025-11-14 | 4.3 Medium |
| The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "rtcl_ajax_add_listing_type", "rtcl_ajax_update_listing_type", and "rtcl_ajax_delete_listing_type" function in all versions up to, and including, 5.2.0. This makes it possible for authenticated attackers, with subscriber level access and above, to add, update, or delete listing types. | ||||
| CVE-2025-12633 | 2 Stellarwp, Wordpress | 2 Booking Calendar, Wordpress | 2025-11-14 | 7.5 High |
| The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments. | ||||
| CVE-2025-12113 | 1 Wordpress | 1 Wordpress | 2025-11-14 | 4.3 Medium |
| The Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site. | ||||
| CVE-2025-7663 | 2 Ovatheme, Wordpress | 2 Events Manager Plugin, Wordpress | 2025-11-13 | 6.5 Medium |
| The Ovatheme Events Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /class-ovaem-ajax.php file in all versions up to, and including, 1.8.6. This makes it possible for unauthenticated attackers to delete ticket files, download tickets, and more. | ||||
| CVE-2024-43968 | 1 Automattic | 1 Newspack | 2025-11-13 | 4.3 Medium |
| Broken Access Control vulnerability in Automattic Newspack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newspack: from n/a through 3.8.6. | ||||