Total
5500 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-52801 | 1 Wordpress | 1 Wordpress | 2025-08-14 | 7.3 High |
| Missing Authorization vulnerability in VonStroheim TheBooking allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects TheBooking: from n/a through 1.4.4. | ||||
| CVE-2025-52800 | 1 Wordpress | 1 Wordpress | 2025-08-14 | 7.3 High |
| Missing Authorization vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects The E-Commerce ERP: from n/a through 2.1.1.3. | ||||
| CVE-2025-52785 | 1 Wordpress | 1 Wordpress | 2025-08-14 | 7.1 High |
| Missing Authorization vulnerability in softnwords SMM API allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SMM API: from n/a through 6.0.30. | ||||
| CVE-2025-52721 | 2 Lcweb, Wordpress | 2 Global Gallery, Wordpress | 2025-08-14 | 6.5 Medium |
| Missing Authorization vulnerability in LCweb Global Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Global Gallery: from n/a through 9.2.3. | ||||
| CVE-2025-49052 | 1 Wordpress | 1 Wordpress | 2025-08-14 | 4.3 Medium |
| Missing Authorization vulnerability in Dariolee Netease Music allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Netease Music: from n/a through 3.2.1. | ||||
| CVE-2025-54695 | 1 Wordpress | 1 Wordpress | 2025-08-14 | 5.4 Medium |
| Missing Authorization vulnerability in HasTech HT Mega allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HT Mega: from n/a through 2.9.0. | ||||
| CVE-2025-54705 | 1 Wordpress | 1 Wordpress | 2025-08-14 | 4.3 Medium |
| Missing Authorization vulnerability in magepeopleteam WpEvently allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpEvently: from n/a through 4.4.6. | ||||
| CVE-2025-42949 | 1 Sap | 1 Abap Platform | 2025-08-13 | 4.9 Medium |
| Due to a missing authorization check in the ABAP Platform, an authenticated user with elevated privileges could bypass authorization restrictions for common transactions by leveraging the SQL Console. This could enable an attacker to access and read the contents of database tables without proper authorization, leading to a significant compromise of data confidentiality. However, the integrity and availability of the system remain unaffected. | ||||
| CVE-2025-42955 | 1 Sap | 1 Cloud Connector | 2025-08-13 | 3.5 Low |
| Due to a missing authorization check in SAP Cloud Connector, an attacker on an adjacent network with low privileges could send a crafted request to the endpoint responsible for testing LDAP connections. A successful exploit could lead to reduced performance, hence a low-impact on availability of the service. Confidentiality and integrity of the data are not affected. | ||||
| CVE-2025-5953 | 1 Mishubd | 1 Wp Human Resource Management | 2025-08-13 | 8.8 High |
| The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via hrm_clean(), passes it directly to wp_insert_user() and later to $user->set_role() without verifying that the current user is allowed to assign that role. This makes it possible for authenticated attackers, with Employee-level access and above, to elevate their privileges to administrator. | ||||
| CVE-2025-5956 | 1 Mishubd | 1 Wp Human Resource Management | 2025-08-13 | 6.5 Medium |
| The WP Human Resource Management plugin for WordPress is vulnerable to Arbitrary User Deletion due to a missing authorization within the ajax_delete_employee() function in versions 2.0.0 through 2.2.17. The plugin’s deletion handler reads the client-supplied $_POST['delete'] array and passes each ID directly to wp_delete_user() without verifying that the caller has the delete_users capability or limiting which user IDs may be removed. This makes it possible for authenticated attackers, with Employee-level access and above, to delete arbitrary accounts, including administrators. | ||||
| CVE-2025-8310 | 1 Ivanti | 1 Virtual Application Delivery Controller | 2025-08-13 | 6.5 Medium |
| Missing authorization in the admin console of Ivanti Virtual Application Delivery Controller before version 22.9 allows a remote authenticated attacker to take over admin accounts by resetting the password | ||||
| CVE-2025-48133 | 1 Uncannyowl | 1 Uncanny Automator | 2025-08-13 | 6.5 Medium |
| Missing Authorization vulnerability in Uncanny Owl Uncanny Automator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Automator: from n/a through 6.4.0.2. | ||||
| CVE-2025-30974 | 2 Addonmaster, Wordpress | 2 Post Grid Master, Wordpress | 2025-08-13 | 4.3 Medium |
| Missing Authorization vulnerability in Akhtarujjaman Shuvo Post Grid Master allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid Master: from n/a through 3.4.13. | ||||
| CVE-2025-3150 | 1 Itning | 1 Student-homework-management-system | 2025-08-13 | 4.3 Medium |
| A vulnerability was found in itning Student Homework Management System up to 1.2.7. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints might be affected. | ||||
| CVE-2025-8418 | 1 Wordpress | 1 Wordpress | 2025-08-12 | 8.8 High |
| The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible. | ||||
| CVE-2025-8482 | 2 10up, Wordpress | 2 Simple Local Avatars, Wordpress | 2025-08-12 | 4.3 Medium |
| The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users. | ||||
| CVE-2024-11205 | 2 Wordpress, Wpforms | 2 Wordpress, Wpforms | 2025-08-12 | 8.5 High |
| The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions. | ||||
| CVE-2024-56276 | 1 Wpforms | 1 Wpforms | 2025-08-12 | 4.3 Medium |
| Missing Authorization vulnerability in WPForms Contact Form by WPForms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through 1.9.2.2. | ||||
| CVE-2025-3604 | 1 Flynax | 1 Flynax Bridge | 2025-08-12 | 9.8 Critical |
| The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | ||||