Total
4572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-23515 | 2025-03-03 | N/A | N/A | ||
| Missing Authorization vulnerability in tsecher ts-tree allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ts-tree: from n/a through 0.1.1. | |||||
| CVE-2025-1404 | 2025-03-01 | N/A | 5.3 MEDIUM | ||
| The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_sccp_reports_user_search() function in all versions up to, and including, 4.4.7. This makes it possible for unauthenticated attackers to retrieve a list of registered user emails. | |||||
| CVE-2024-12544 | 2025-03-01 | N/A | 8.8 HIGH | ||
| The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to arbitrary file deletion due to a missing capability check on the callback function of the SurveyJS_DeleteFile class in all versions up to, and including, 1.12.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This function is still vulnerable to Cross-Site Request Forgery as of 1.12.20. | |||||
| CVE-2025-1502 | 2025-03-01 | N/A | 5.3 MEDIUM | ||
| The IP2Location Redirection plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'download_ip2location_redirection_backup' AJAX action in all versions up to, and including, 1.33.3. This makes it possible for unauthenticated attackers to download the plugin's settings. | |||||
| CVE-2024-13746 | 2025-03-01 | N/A | 6.5 MEDIUM | ||
| The Booking Calendar and Notification plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on the wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts() functions in all versions up to, and including, 4.0.3. This makes it possible for unauthenticated attackers to extract data, create or update bookings, or delete arbitrary posts. | |||||
| CVE-2023-23834 | 1 Brainstormforce | 1 Spectra | 2025-03-01 | N/A | 9.8 CRITICAL |
| Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.3.0. | |||||
| CVE-2023-23825 | 1 Brainstormforce | 1 Spectra | 2025-03-01 | N/A | 8.8 HIGH |
| Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.3.0. | |||||
| CVE-2024-38810 | 1 Vmware | 1 Spring Security | 2025-02-28 | N/A | 7.5 HIGH |
| Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective. | |||||
| CVE-2024-12822 | 1 Userproplugin | 1 Media Manager | 2025-02-28 | N/A | 9.8 CRITICAL |
| The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the add_capto_img() function in all versions up to, and including, 3.11.0. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | |||||
| CVE-2024-12821 | 1 Userproplugin | 1 Media Manager | 2025-02-28 | N/A | 6.5 MEDIUM |
| The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the upm_upload_media() function in all versions up to, and including, 3.12.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | |||||
| CVE-2023-20926 | 1 Google | 1 Android | 2025-02-28 | N/A | 6.8 MEDIUM |
| In onParentVisible of HeaderPrivacyIconsController.kt, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-253043058 | |||||
| CVE-2025-1644 | 1 Modernasistemas | 1 Modernanet | 2025-02-28 | N/A | 6.5 MEDIUM |
| A vulnerability classified as problematic has been found in Benner ModernaNet up to 1.2.0. Affected is an unknown function of the file /DadosPessoais/SG_Gravar. The manipulation of the argument idItAg leads to cross-site request forgery. It is possible to launch the attack remotely. Upgrading to version 1.2.1 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-1643 | 1 Modernasistemas | 1 Modernanet | 2025-02-28 | N/A | 8.8 HIGH |
| A vulnerability was found in Benner ModernaNet up to 1.1.0. It has been rated as problematic. This issue affects some unknown processing of the file /DadosPessoais/SG_AlterarSenha. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. Upgrading to version 1.1.1 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-1681 | 2025-02-28 | N/A | 5.4 MEDIUM | ||
| The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files. | |||||
| CVE-2025-1682 | 2025-02-28 | N/A | 8.8 HIGH | ||
| The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'save_settings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user role. | |||||
| CVE-2023-30873 | 1 Androidbubble | 1 Wp Docs | 2025-02-27 | N/A | 8.8 HIGH |
| Missing Authorization vulnerability in Fahad Mahmood WP Docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Docs: from n/a through 1.9.8. | |||||
| CVE-2022-25768 | 1 Acquia | 1 Mautic | 2025-02-27 | N/A | 6.5 MEDIUM |
| The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required. | |||||
| CVE-2020-36835 | 1 Wpvivid | 1 Migration\, Backup\, Staging | 2025-02-27 | N/A | 6.5 MEDIUM |
| The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to sensitive information disclosure of a WordPress site's database due to missing capability checks on the wp_ajax_wpvivid_add_remote AJAX action that allows low-level authenticated attackers to send back-ups to a remote location of their choice for review. This affects versions up to, and including 0.9.35. | |||||
| CVE-2025-1745 | 2025-02-27 | N/A | 4.3 MEDIUM | ||
| A vulnerability has been found in LinZhaoguan pb-cms 2.0 and classified as problematic. This vulnerability affects unknown code of the component Logout. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-3895 | 1 Androidbubbles | 1 Wp Datepicker | 2025-02-27 | N/A | N/A |
| The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdp_add_new_datepicker_ajax() function in all versions up to, and including, 2.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options that can be used for privilege escalation. This was partially patched in 2.0.9 and 2.1.0, and fully patched in 2.1.1. | |||||