Total
4572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13752 | 1 Wedevs | 1 Wp Project Manager | 2025-02-24 | N/A | 6.5 MEDIUM |
| The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check in the '/pm/v2/settings/notice' endpoint all versions up to, and including, 2.6.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cause a persistent denial of service condition. | |||||
| CVE-2025-0935 | 1 Maxfoundry | 1 Media Library Folders | 2025-02-24 | N/A | 4.3 MEDIUM |
| The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to change plugin settings related to things such as IP-blocking. | |||||
| CVE-2025-26750 | 2025-02-22 | N/A | N/A | ||
| Missing Authorization vulnerability in appsbd Vitepos allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Vitepos: from n/a through 3.1.3. | |||||
| CVE-2025-26764 | 2025-02-22 | N/A | N/A | ||
| Missing Authorization vulnerability in enituretechnology Distance Based Shipping Calculator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Distance Based Shipping Calculator: from n/a through 2.0.22. | |||||
| CVE-2024-10528 | 1 Ultimatemember | 1 Ultimate Member | 2025-02-21 | N/A | 4.3 MEDIUM |
| The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_ajax_um_resize_image() and ajax_resize_image() functions in all versions up to, and including, 2.8.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the profile pictures of other users. | |||||
| CVE-2023-20959 | 1 Google | 1 Android | 2025-02-21 | N/A | 7.8 HIGH |
| In AddSupervisedUserActivity, guest users are not prevented from starting the activity due to missing permissions checks. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-249057848 | |||||
| CVE-2024-13677 | 1 Istmoplugins | 1 Get Bookings Wp | 2025-02-21 | N/A | 8.8 HIGH |
| The GetBookingsWP – Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |||||
| CVE-2024-13687 | 1 Webdevocean | 1 Team Builder | 2025-02-21 | N/A | 4.3 MEDIUM |
| The Team Builder – Meet the Team plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_team_builder_options() function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. | |||||
| CVE-2024-13651 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2025-02-21 | N/A | 4.3 MEDIUM |
| The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_deactivate() function in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset some of the plugin's settings. | |||||
| CVE-2025-0939 | 1 Dcooperman | 1 Magicform | 2025-02-21 | N/A | 6.3 MEDIUM |
| The MagicForm plugin for WordPress is vulnerable to access and modification of data due to a missing capability check on the plugin's AJAX actions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke those actions in order to delete or view logs, modify forms or modify plugin settings. | |||||
| CVE-2024-12825 | 1 Brechtvds | 1 Custom Related Posts | 2025-02-21 | N/A | 5.4 MEDIUM |
| The Custom Related Posts plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on three AJAX actions in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to search posts and link/unlink relations. | |||||
| CVE-2024-13783 | 1 Ncrafts | 1 Formcraft | 2025-02-21 | N/A | 4.3 MEDIUM |
| The FormCraft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in formcraft-main.php in all versions up to, and including, 3.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export all plugin data which may contain sensitive information from form submissions. | |||||
| CVE-2022-31666 | 1 Linuxfoundation | 1 Harbor | 2025-02-20 | N/A | 5.4 MEDIUM |
| Harbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Webhook policies of other users. The attacker could modify Webhook policies configured in other projects. | |||||
| CVE-2021-4355 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | N/A | 5.3 MEDIUM |
| The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to download lists of members, products and orders. | |||||
| CVE-2021-4375 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | N/A | 4.3 MEDIUM |
| The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the usces_download_system_information() function in versions up to, and including, 2.2.7. This makes it possible for authenticated attackers to download information including WordPress settings, plugin settings, PHP settings and server settings. | |||||
| CVE-2021-37976 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2025-02-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||||
| CVE-2024-12296 | 1 Apusthemes | 1 Superio | 2025-02-20 | N/A | 8.8 HIGH |
| The Apus Framework plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'import_page_options' function in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | |||||
| CVE-2023-0335 | 1 Wpvar | 1 Wp Shamsi | 2025-02-19 | N/A | 6.5 MEDIUM |
| The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment. | |||||
| CVE-2023-0336 | 1 Ooohboi Steroids For Elementor Project | 1 Ooohboi Steroids For Elementor | 2025-02-19 | N/A | 6.5 MEDIUM |
| The OoohBoi Steroids for Elementor WordPress plugin before 2.1.5 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment. | |||||
| CVE-2024-6458 | 1 Wcproducttable | 1 Woocommerce Product Table | 2025-02-19 | N/A | N/A |
| The WooCommerce Product Table Lite plugin for WordPress is vulnerable to unauthorized post title modification due to a missing capability check on the wcpt_presets__duplicate_preset_to_table function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers with subscriber access and above to change titles of arbitrary posts. Missing sanitization can lead to Stored Cross-Site Scripting when viewed by an admin via the WooCommerce Product Table. | |||||