Total
5245 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-46244 | 1 Multidots | 1 Advanced Linked Variations For Woocommerce | 2025-04-29 | 5.3 Medium |
| Missing Authorization vulnerability in Dotstore Advanced Linked Variations for Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced Linked Variations for Woocommerce: from n/a through 1.0.3. | ||||
| CVE-2025-46247 | 1 Codepeople | 1 Appointment Booking Calendar | 2025-04-29 | 5.3 Medium |
| Missing Authorization vulnerability in codepeople Appointment Booking Calendar allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Appointment Booking Calendar: from n/a through 1.3.92. | ||||
| CVE-2025-31691 | 2025-04-29 | 9.8 Critical | ||
| Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing.This issue affects OAuth2 Server: from 0.0.0 before 2.1.0. | ||||
| CVE-2025-31686 | 2025-04-29 | 8.1 High | ||
| Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10. | ||||
| CVE-2025-31685 | 2025-04-29 | 9.1 Critical | ||
| Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10. | ||||
| CVE-2022-41326 | 1 Mitel | 1 Micollab | 2025-04-29 | 9.8 Critical |
| The web conferencing component of Mitel MiCollab through 9.6.0.13 could allow an unauthenticated attacker to upload arbitrary scripts due to improper authorization controls. A successful exploit could allow remote code execution within the context of the application. | ||||
| CVE-2022-24190 | 1 Sz-fujia | 1 Ourphoto | 2025-04-29 | 7.5 High |
| The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction. | ||||
| CVE-2025-31720 | 1 Jenkins | 1 Jenkins | 2025-04-29 | 4.3 Medium |
| A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration. | ||||
| CVE-2025-31721 | 1 Jenkins | 1 Jenkins | 2025-04-29 | 4.3 Medium |
| A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. | ||||
| CVE-2024-13307 | 2025-04-29 | 5.3 Medium | ||
| The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites', and 'reales_remove_from_favourites' functions in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary attachments, and add or remove favorite property listings for any user. | ||||
| CVE-2021-47662 | 2025-04-29 | 7.5 High | ||
| Due to missing authorization an unauthenticated remote attacker can cause a DoS attack by connecting via HTTPS and triggering the shutdown button. | ||||
| CVE-2025-39385 | 2025-04-29 | 4.3 Medium | ||
| Missing Authorization vulnerability in VW Themes Sirat allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sirat: from n/a through 1.5.1. | ||||
| CVE-2025-39390 | 2025-04-29 | 5.3 Medium | ||
| Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Booking and Rental Manager: from n/a through 2.3.8. | ||||
| CVE-2025-3912 | 2025-04-29 | 5.3 Medium | ||
| The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in all versions up to, and including, 1.10.35. This makes it possible for unauthenticated attackers to read the value of the plugin's settings, including API keys for integrated services. | ||||
| CVE-2025-1279 | 2025-04-29 | 8.8 High | ||
| The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ux_cb_tools_import_item_ajax AJAX action in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | ||||
| CVE-2025-46489 | 2025-04-29 | 5.3 Medium | ||
| Missing Authorization vulnerability in vinodvaswani9 Bulk Assign Linked Products For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Bulk Assign Linked Products For WooCommerce: from n/a through 2.1. | ||||
| CVE-2025-46519 | 2025-04-29 | 4.3 Medium | ||
| Missing Authorization vulnerability in Michael Revellin-Clerc Media Library Downloader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Library Downloader: from n/a through 1.3.1. | ||||
| CVE-2025-3997 | 2025-04-29 | 4.3 Medium | ||
| A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3. This affects an unknown part of the file /index.php?my-profile-ajax-1 of the component Personal Information Page. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-39367 | 2025-04-29 | 5.3 Medium | ||
| Missing Authorization vulnerability in SeventhQueen Kleo.This issue affects Kleo: from n/a before 5.4.4. | ||||
| CVE-2025-3906 | 2025-04-29 | 8.8 High | ||
| The Integração entre Eduzz e Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wep_opcoes' function in all versions up to, and including, 1.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the default registration role within the plugin's registration flow to Administrator, which allows any user to create an Administrator account. | ||||