Total
5224 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-12825 | 1 Brechtvds | 1 Custom Related Posts | 2025-02-21 | 5.4 Medium |
| The Custom Related Posts plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on three AJAX actions in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to search posts and link/unlink relations. | ||||
| CVE-2024-13783 | 1 Ncrafts | 1 Formcraft | 2025-02-21 | 4.3 Medium |
| The FormCraft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in formcraft-main.php in all versions up to, and including, 3.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export all plugin data which may contain sensitive information from form submissions. | ||||
| CVE-2024-33570 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2025-02-20 | 4.3 Medium |
| Missing Authorization vulnerability in Wpmet Metform Elementor Contact Form Builder.This issue affects Metform Elementor Contact Form Builder: from n/a through 3.8.3. | ||||
| CVE-2022-36340 | 1 Mailoptin | 1 Mailoptin | 2025-02-20 | 6.5 Medium |
| Unauthenticated Optin Campaign Cache Deletion vulnerability in MailOptin plugin <= 1.2.49.0 at WordPress. | ||||
| CVE-2022-36404 | 1 Coleds | 1 Simple Seo | 2025-02-20 | 5.4 Medium |
| Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in David Cole Simple SEO (WordPress plugin) plugin <= 1.8.12 versions. | ||||
| CVE-2022-40223 | 1 Searchwp | 1 Searchwp | 2025-02-20 | 5.4 Medium |
| Nonce token leakage and missing authorization in SearchWP premium plugin <= 4.2.5 on WordPress leading to plugin settings change. | ||||
| CVE-2022-41692 | 1 Dwbooster | 1 Appointment Hour Booking | 2025-02-20 | 4.3 Medium |
| Missing Authorization vulnerability in Appointment Hour Booking plugin <= 1.3.71 on WordPress. | ||||
| CVE-2022-43482 | 1 Codepeople | 1 Appointment Booking Calendar | 2025-02-20 | 4.3 Medium |
| Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress. | ||||
| CVE-2021-4375 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 4.3 Medium |
| The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the usces_download_system_information() function in versions up to, and including, 2.2.7. This makes it possible for authenticated attackers to download information including WordPress settings, plugin settings, PHP settings and server settings. | ||||
| CVE-2021-4355 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 7.5 High |
| The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to download lists of members, products and orders. | ||||
| CVE-2024-37363 | 2025-02-20 | 6.5 Medium | ||
| The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (CWE-862) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, do not correctly perform an authorization check in the data source management service. When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service. | ||||
| CVE-2024-12296 | 1 Apusthemes | 1 Superio | 2025-02-20 | 8.8 High |
| The Apus Framework plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'import_page_options' function in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | ||||
| CVE-2023-35093 | 1 Stylemixthemes | 1 Masterstudy Lms | 2025-02-19 | 6.5 Medium |
| Broken Access Control vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin <= 3.0.8 versions allows any logged-in users, such as subscribers to view the "Orders" of the plugin and get the data related to the order like email, username, and more. | ||||
| CVE-2023-0335 | 1 Wpvar | 1 Wp Shamsi | 2025-02-19 | 6.5 Medium |
| The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment. | ||||
| CVE-2023-0336 | 1 Ooohboi Steroids For Elementor Project | 1 Ooohboi Steroids For Elementor | 2025-02-19 | 6.5 Medium |
| The OoohBoi Steroids for Elementor WordPress plugin before 2.1.5 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment. | ||||
| CVE-2024-6458 | 1 Wcproducttable | 1 Woocommerce Product Table | 2025-02-19 | 6.4 Medium |
| The WooCommerce Product Table Lite plugin for WordPress is vulnerable to unauthorized post title modification due to a missing capability check on the wcpt_presets__duplicate_preset_to_table function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers with subscriber access and above to change titles of arbitrary posts. Missing sanitization can lead to Stored Cross-Site Scripting when viewed by an admin via the WooCommerce Product Table. | ||||
| CVE-2024-13231 | 2025-02-19 | 5.3 Medium | ||
| The WordPress Portfolio Builder – Portfolio Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'add_video' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to add arbitrary videos to any portfolio gallery. | ||||
| CVE-2023-28640 | 1 Apiman | 1 Apiman | 2025-02-19 | 6.4 Medium |
| Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client ID, and Client Version of the targeted non-permitted resource. While not trivial to exploit, it could be achieved by brute-forcing or guessing common names. Access to the non-permitted API Keys could allow use of other users' resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security). Apiman 3.1.0.Final resolved this issue. Users are advised to upgrade. The only known workaround is to restrict account access. | ||||
| CVE-2023-27701 | 1 Muyucms | 1 Muyucms | 2025-02-18 | 8.1 High |
| MuYuCMS v2.2 was discovered to contain an arbitrary file deletion vulnerability via the component /database/sqldel.html. | ||||
| CVE-2025-27013 | 2025-02-18 | 5.3 Medium | ||
| Missing Authorization vulnerability in EPC MediCenter - Health Medical Clinic WordPress Theme allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MediCenter - Health Medical Clinic WordPress Theme: from n/a through n/a. | ||||