Total
4572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-32684 | 2025-04-09 | N/A | N/A | ||
| Missing Authorization vulnerability in RomanCode MapSVG Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MapSVG Lite: from n/a through 8.5.32. | |||||
| CVE-2025-31012 | 2025-04-09 | N/A | N/A | ||
| Missing Authorization vulnerability in Phil Age Gate allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Age Gate: from n/a through 3.5.4. | |||||
| CVE-2025-32624 | 2025-04-09 | N/A | N/A | ||
| Missing Authorization vulnerability in czater Czater.pl – live chat i telefon allows Cross Site Request Forgery. This issue affects Czater.pl – live chat i telefon: from n/a through 1.0.5. | |||||
| CVE-2022-3923 | 1 Activecampaign | 1 Activecampaign For Woocommerce | 2025-04-09 | N/A | 4.3 MEDIUM |
| The ActiveCampaign for WooCommerce WordPress plugin before 1.9.8 does not have authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated users, such as subscriber to call it and remove error logs. | |||||
| CVE-2022-4102 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-04-09 | N/A | 3.1 LOW |
| The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorization and CSRF checks when deleting a template and does not ensure that the post to be deleted is a template. This could allow any authenticated users, such as subscribers, to delete arbitrary posts assuming they know the related slug. | |||||
| CVE-2022-4103 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-04-09 | N/A | 4.3 MEDIUM |
| The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorisation and CSRF checks when creating a template, and does not ensure that the post created is a template. This could allow any authenticated users, such as subscriber to create a post (as well as any post type) with an arbitrary title | |||||
| CVE-2025-28872 | 1 Jwpegram | 1 Block Spam By Math Reloaded | 2025-04-09 | N/A | 9.8 CRITICAL |
| Missing Authorization vulnerability in jwpegram Block Spam By Math Reloaded allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Block Spam By Math Reloaded: from n/a through 2.2.4. | |||||
| CVE-2023-49856 | 1 Rednao | 1 Smart Forms | 2025-04-08 | N/A | 8.8 HIGH |
| Missing Authorization vulnerability in RedNao Smart Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Forms: from n/a through 2.6.84. | |||||
| CVE-2025-2568 | 2025-04-08 | N/A | 5.3 MEDIUM | ||
| The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the 'vayu_blocks_get_toggle_switch_values_callback' and 'vayu_blocks_save_toggle_switch_callback' function in versions 1.0.4 to 1.2.1. This makes it possible for unauthenticated attackers to read plugin options and update any option with a key name ending in '_value'. | |||||
| CVE-2025-32279 | 2025-04-08 | N/A | N/A | ||
| Missing Authorization vulnerability in Shahjada Live Forms. This issue affects Live Forms: from n/a through 4.8.5. | |||||
| CVE-2025-27437 | 2025-04-08 | N/A | 4.3 MEDIUM | ||
| A Missing Authorization Check vulnerability exists in the Virus Scanner Interface of SAP NetWeaver Application Server ABAP. Because of this, an attacker authenticated as a non-administrative user can initiate a transaction, allowing them to access but not modify non-sensitive data without further authorization and with no effect on availability. | |||||
| CVE-2025-27435 | 2025-04-08 | N/A | 4.2 MEDIUM | ||
| Under specific conditions and prerequisites, an unauthenticated attacker could access customer coupon codes exposed in the URL parameters of the Coupon Campaign URL in SAP Commerce. This could allow the attacker to use the disclosed coupon code, hence posing a low impact on confidentiality and integrity of the application. | |||||
| CVE-2025-30017 | 2025-04-08 | N/A | 4.4 MEDIUM | ||
| Due to a missing authorization check, an authenticated attacker could upload a file as a template for solution documentation in SAP Solution Manager 7.1. After successful exploitation, an attacker can cause limited impact on the integrity and availability of the application. | |||||
| CVE-2025-26657 | 2025-04-08 | N/A | 5.3 MEDIUM | ||
| SAP KMC WPC allows an unauthenticated attacker to remotely retrieve usernames by a simple parameter query which could expose sensitive information causing low impact on confidentiality of the application. This has no effect on integrity and availability. | |||||
| CVE-2025-27428 | 2025-04-08 | N/A | 7.7 HIGH | ||
| Due to directory traversal vulnerability, an authorized attacker could gain access to some critical information by using RFC enabled function module. Upon successful exploitation, they could read files from any managed system connected to SAP Solution Manager, leading to high impact on confidentiality. There is no impact on integrity or availability. | |||||
| CVE-2024-36246 | 2025-04-08 | N/A | N/A | ||
| Missing authorization vulnerability exists in Unifier and Unifier Cast. If this vulnerability is exploited, arbitrary code may be executed with LocalSystem privilege. As a result, a malicious program may be installed, data may be altered or deleted. | |||||
| CVE-2024-53258 | 1 Autolabproject | 1 Autolab | 2025-04-07 | N/A | 5.3 MEDIUM |
| Autolab is a course management service that enables auto-graded programming assignments. From Autolab versions v.3.0.0 onward students can download all assignments from another student, as long as they are logged in, using the download_all_submissions feature. This can allow for leakage of submissions to unauthorized users, such as downloading submissions from other students in the class, or even instructor test submissions, given they know their user IDs. This issue has been patched in commit `1aa4c769` which is not yet in a release version, but is expected to be included in version 3.0.3. Users are advised to either manually patch or to wait for version 3.0.3. As a workaround administrators can disable the feature. | |||||
| CVE-2025-1233 | 2025-04-05 | N/A | 4.3 MEDIUM | ||
| The Lafka Plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_options_upload' AJAX function in all versions up to, and including, 7.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the theme option that overrides the site. | |||||
| CVE-2025-2933 | 2025-04-05 | N/A | 8.8 HIGH | ||
| The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | |||||
| CVE-2024-0893 | 1 Schemaapp | 1 Schema App Structured Data | 2025-04-04 | N/A | 4.3 MEDIUM |
| The Schema App Structured Data plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MarkupUpdate function in all versions up to, and including, 2.1.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update or delete post metadata. | |||||