Total
4572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-47692 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in contentstudio ContentStudio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ContentStudio: from n/a through 1.3.3. | |||||
| CVE-2025-47602 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in ammarahmad786 Calculate Prices based on Distance For WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Calculate Prices based on Distance For WooCommerce: from n/a through 1.3.5. | |||||
| CVE-2025-47485 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in CozyThemes Cozy Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cozy Blocks: from n/a through 2.1.22. | |||||
| CVE-2025-47469 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in slui Media Hygiene allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Hygiene: from n/a through 4.0.0. | |||||
| CVE-2025-47526 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in GS Plugins GS Variation Swatches for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GS Variation Swatches for WooCommerce: from n/a through 3.0.4. | |||||
| CVE-2025-47528 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in pewilliams Ovation Elements allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ovation Elements: from n/a through 1.1.2. | |||||
| CVE-2025-47457 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in dgamoni LocateAndFilter allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LocateAndFilter: from n/a through 1.6.16. | |||||
| CVE-2025-47450 | 2025-05-07 | N/A | N/A | ||
| Missing Authorization vulnerability in Mitchell Bennis Simple File List allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple File List: from n/a through 6.1.13. | |||||
| CVE-2025-3766 | 2025-05-07 | N/A | 5.4 MEDIUM | ||
| The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP address to the plugin allowlist. This can only by exploited on new installations where the site administrator hasn't visited the loginlockdown page yet. | |||||
| CVE-2025-2821 | 2025-05-07 | N/A | 5.3 MEDIUM | ||
| The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_rest_permission function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to modify plugin settings, excluding content from search results. | |||||
| CVE-2024-2702 | 1 Olivethemes | 1 Olive One Click Demo Import | 2025-05-07 | N/A | 9.8 CRITICAL |
| Missing Authorization vulnerability in Olive Themes Olive One Click Demo Import allows importing settings and data, ultimately leading to XSS.This issue affects Olive One Click Demo Import: from n/a through 1.1.1. | |||||
| CVE-2025-0856 | 2025-05-06 | N/A | 7.3 HIGH | ||
| The PGS Core plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to add, modify, or plugin options. | |||||
| CVE-2025-3915 | 1 Aeropage | 1 Aeropage Sync For Airtable | 2025-05-06 | N/A | 4.3 MEDIUM |
| The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts. | |||||
| CVE-2024-1385 | 1 Udx | 1 Wp-stateless | 2025-05-06 | N/A | 7.1 HIGH |
| The WP-Stateless – Google Cloud Storage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the dismiss_notices() function in all versions up to, and including, 3.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary option values to the current time, which may completely take a site offline. | |||||
| CVE-2025-4179 | 1 Flynax | 1 Flynax Bridge | 2025-05-06 | N/A | N/A |
| The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capability check on the registerUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to register new user accounts as authors. | |||||
| CVE-2025-4177 | 1 Flynax | 1 Flynax Bridge | 2025-05-06 | N/A | 5.3 MEDIUM |
| The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users. | |||||
| CVE-2025-1304 | 1 Spicethemes | 1 Newsblogger | 2025-05-06 | N/A | 8.8 HIGH |
| The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger_install_and_activate_plugin() function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-3452 | 1 Secupress | 1 Secupress | 2025-05-06 | N/A | 4.3 MEDIUM |
| The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins. | |||||
| CVE-2025-1326 | 1 Favethemes | 1 Homey | 2025-05-06 | N/A | 4.3 MEDIUM |
| The Homey theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the homey_reservation_del() function in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary reservations and posts. | |||||
| CVE-2024-13420 | 1 G5plus | 4 April, Auteur, Benaa and 1 more | 2025-05-06 | N/A | 4.3 MEDIUM |
| Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access due to a missing capability check on several AJAX actions like 'gsf_reset_section_options', 'gsf_reset_section_options', 'gsf_create_preset_options' and more in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset and modify some of the plugin/theme settings. This issue was escalated to Envato over two months from the date of this disclosure and the issues, while partially patched, are still vulnerable. | |||||