Total
4572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-52775 | 2025-08-14 | N/A | N/A | ||
| Missing Authorization vulnerability in Ronik@UnlimitedWP Project Cost Calculator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Project Cost Calculator: from n/a through 1.0.0. | |||||
| CVE-2025-52801 | 2025-08-14 | N/A | N/A | ||
| Missing Authorization vulnerability in VonStroheim TheBooking allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects TheBooking: from n/a through 1.4.4. | |||||
| CVE-2025-31425 | 2025-08-14 | N/A | N/A | ||
| Missing Authorization vulnerability in kamleshyadav WP Lead Capturing Pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Lead Capturing Pages: from n/a through 2.3. | |||||
| CVE-2025-5953 | 1 Mishubd | 1 Wp Human Resource Management | 2025-08-13 | N/A | 8.8 HIGH |
| The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via hrm_clean(), passes it directly to wp_insert_user() and later to $user->set_role() without verifying that the current user is allowed to assign that role. This makes it possible for authenticated attackers, with Employee-level access and above, to elevate their privileges to administrator. | |||||
| CVE-2025-5956 | 1 Mishubd | 1 Wp Human Resource Management | 2025-08-13 | N/A | 8.1 HIGH |
| The WP Human Resource Management plugin for WordPress is vulnerable to Arbitrary User Deletion due to a missing authorization within the ajax_delete_employee() function in versions 2.0.0 through 2.2.17. The plugin’s deletion handler reads the client-supplied $_POST['delete'] array and passes each ID directly to wp_delete_user() without verifying that the caller has the delete_users capability or limiting which user IDs may be removed. This makes it possible for authenticated attackers, with Employee-level access and above, to delete arbitrary accounts, including administrators. | |||||
| CVE-2025-48133 | 1 Uncannyowl | 1 Uncanny Automator | 2025-08-13 | N/A | 9.8 CRITICAL |
| Missing Authorization vulnerability in Uncanny Owl Uncanny Automator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Automator: from n/a through 6.4.0.2. | |||||
| CVE-2025-30974 | 1 Addonmaster | 1 Post Grid Master | 2025-08-13 | N/A | 8.8 HIGH |
| Missing Authorization vulnerability in Akhtarujjaman Shuvo Post Grid Master allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid Master: from n/a through 3.4.13. | |||||
| CVE-2025-3150 | 1 Itning | 1 Student-homework-management-system | 2025-08-13 | N/A | 4.3 MEDIUM |
| A vulnerability was found in itning Student Homework Management System up to 1.2.7. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints might be affected. | |||||
| CVE-2024-11205 | 1 Wpforms | 1 Wpforms | 2025-08-12 | N/A | 6.5 MEDIUM |
| The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions. | |||||
| CVE-2024-56276 | 1 Wpforms | 1 Wpforms | 2025-08-12 | N/A | 8.8 HIGH |
| Missing Authorization vulnerability in WPForms Contact Form by WPForms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through 1.9.2.2. | |||||
| CVE-2025-3604 | 1 Flynax | 1 Flynax Bridge | 2025-08-12 | N/A | 9.8 CRITICAL |
| The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |||||
| CVE-2024-13526 | 1 Metagauss | 1 Eventprime | 2025-08-12 | N/A | 4.3 MEDIUM |
| The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the export_submittion_attendees function in all versions up to, and including, 4.0.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download list of attendees for any event. | |||||
| CVE-2024-12855 | 1 Scriptsbundle | 1 Adforest | 2025-08-12 | N/A | 5.4 MEDIUM |
| The AdForest theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions like 'sb_remove_ad' in all versions up to, and including, 5.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete posts, attachments and deactivate a license. | |||||
| CVE-2025-8310 | 2025-08-12 | N/A | N/A | ||
| Missing authorization in the admin console of Ivanti Virtual Application Delivery Controller before version 22.9 allows a remote authenticated attacker to take over admin accounts by resetting the password | |||||
| CVE-2023-5600 | 1 Gitlab | 1 Gitlab | 2025-08-12 | N/A | N/A |
| An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of an private specific references could be leaked through the service-desk custom email template. | |||||
| CVE-2025-5121 | 1 Gitlab | 1 Gitlab | 2025-08-12 | N/A | 9.9 CRITICAL |
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. A missing authorization check may have allowed compliance frameworks to be applied to projects outside the compliance framework's group. | |||||
| CVE-2025-5846 | 1 Gitlab | 1 Gitlab | 2025-08-12 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks. | |||||
| CVE-2025-5315 | 1 Gitlab | 1 Gitlab | 2025-08-12 | N/A | N/A |
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions. | |||||
| CVE-2025-8482 | 2025-08-12 | N/A | 4.3 MEDIUM | ||
| The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users. | |||||
| CVE-2025-8418 | 2025-08-12 | N/A | 8.8 HIGH | ||
| The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible. | |||||