Total
833 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-4097 | 1 Updraftplus | 1 All-in-one Security | 2025-04-14 | N/A | 5.3 MEDIUM |
| The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more). | |||||
| CVE-2024-12335 | 1 Theme-fusion | 1 Avada Builder | 2025-04-14 | N/A | 4.3 MEDIUM |
| The Avada (Fusion) Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.11.12 via the handle_clone_post() function and the 'fusion_blog' shortcode and due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | |||||
| CVE-2023-36238 | 1 Webkul | 1 Bagisto | 2025-04-14 | N/A | 6.5 MEDIUM |
| Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter. | |||||
| CVE-2024-47316 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-04-11 | N/A | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Salon Booking System Salon booking system.This issue affects Salon booking system: from n/a through 10.9. | |||||
| CVE-2024-10670 | 1 Nicheaddons | 1 Primary Addon For Elementor | 2025-04-11 | N/A | 4.3 MEDIUM |
| The Primary Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.6.2 via the [prim_elementor_template] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created with Elementor that they should not have access to. | |||||
| CVE-2025-32373 | 2025-04-09 | N/A | 6.5 MEDIUM | ||
| DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In limited configurations, registered users may be able to craft a request to enumerate/access some portal files they should not have access to. This vulnerability is fixed in 9.13.8. | |||||
| CVE-2025-28874 | 1 Shanebp | 1 Bp Email Assign Templates | 2025-04-09 | N/A | 6.5 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templates: from n/a through 1.6. | |||||
| CVE-2025-2526 | 2025-04-08 | N/A | 8.8 HIGH | ||
| The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile' function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |||||
| CVE-2024-50685 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | N/A | 9.1 CRITICAL |
| SunGrow iSolarCloud before the October 31, 2024 remediation, is vulnerable to insecure direct object references (IDOR) via the powerStationService API model. | |||||
| CVE-2024-50686 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | N/A | 9.1 CRITICAL |
| SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the commonService API model. | |||||
| CVE-2024-50687 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | N/A | 9.1 CRITICAL |
| SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model. | |||||
| CVE-2024-50689 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | N/A | 9.1 CRITICAL |
| SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the orgService API model. | |||||
| CVE-2024-50693 | 1 Sungrowpower | 1 Isolarcloud | 2025-04-07 | N/A | 9.1 CRITICAL |
| SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the userService API model. | |||||
| CVE-2024-0872 | 1 Kibokolabs | 1 Watu Quiz | 2025-04-07 | N/A | 4.3 MEDIUM |
| The Watu Quiz plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.1 via the watu-userinfo shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive user meta data which can include session tokens and user emails. | |||||
| CVE-2022-40319 | 1 Lsoft | 1 Listserv | 2025-04-04 | N/A | 7.5 HIGH |
| The LISTSERV 17 web interface allows remote attackers to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim's LISTSERV account. | |||||
| CVE-2022-45927 | 1 Opentext | 1 Opentext Extended Ecm | 2025-04-04 | N/A | 8.8 HIGH |
| An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Java application server can be used to bypass the authentication of the QDS endpoints of the Content Server. These endpoints can be used to create objects and execute arbitrary code. | |||||
| CVE-2024-51066 | 1 Phpgurukul | 1 Beauty Parlour Management System | 2025-04-04 | N/A | 7.5 HIGH |
| An Insecure Direct Object Reference (IDOR) vulnerability in appointment-detail.php in Phpgurukul's Beauty Parlour Management System v1.1 allows unauthorized access to the Personally Identifiable Information (PII) of other customers. | |||||
| CVE-2024-53406 | 1 Espressif | 1 Esp-idf | 2025-04-03 | N/A | 8.8 HIGH |
| Espressif Esp idf v5.3.0 is vulnerable to Insecure Permissions resulting in Authentication bypass. In the reconnection phase, the device reuses the session key from a previous connection session, creating an opportunity for attackers to execute security bypass attacks. | |||||
| CVE-2024-55506 | 1 Codeastro | 1 Complaint Management System | 2025-04-03 | N/A | 8.8 HIGH |
| An IDOR vulnerability in CodeAstro's Complaint Management System v1.0 (version with 0 updates) enables an attacker to execute arbitrary code and obtain sensitive information via the delete.php file and modifying the id parameter. | |||||
| CVE-2023-4836 | 1 Userprivatefiles | 1 Wordpress File Sharing Plugin | 2025-04-03 | N/A | 4.3 MEDIUM |
| The WordPress File Sharing Plugin WordPress plugin before 2.0.5 does not check authorization before displaying files and folders, allowing users to gain access to those filed by manipulating IDs which can easily be brute forced | |||||