Total
4661 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-47481 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-03-05 | N/A | 5.5 MEDIUM |
In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed. | |||||
CVE-2022-47480 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-03-05 | N/A | 5.5 MEDIUM |
In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed. | |||||
CVE-2025-1891 | 1 Qzw1210 | 1 Shishuocms | 2025-03-05 | 5.0 MEDIUM | 4.3 MEDIUM |
A vulnerability was found in shishuocms 1.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2023-26957 | 1 Onekeyadmin | 1 Onekeyadmin | 2025-03-05 | N/A | 9.1 CRITICAL |
onekeyadmin v1.3.9 was discovered to contain an arbitrary file delete vulnerability via the component \admin\controller\plugins. | |||||
CVE-2022-47471 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-03-05 | N/A | 5.5 MEDIUM |
In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | |||||
CVE-2025-27583 | 2025-03-05 | N/A | 9.1 CRITICAL | ||
Incorrect access control in the component /rest/staffResource/findAllUsersAcrossOrg of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows create and modify user accounts, including an Administrator account. | |||||
CVE-2025-1639 | 1 Crowdytheme | 1 Arolax | 2025-03-05 | N/A | 8.8 HIGH |
The Animation Addons for Elementor Pro plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_elementor_plugin_handler() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to further infect a victim when Elementor is not activated on a vulnerable site. | |||||
CVE-2023-6731 | 1 Generatepress | 1 Wp Show Posts | 2025-03-05 | N/A | 4.3 MEDIUM |
The WP Show Posts plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX functions in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with subscriber access and above, to view arbitrary post metadata, list posts, and view terms and taxonomies. | |||||
CVE-2024-13423 | 2025-03-05 | N/A | 5.3 MEDIUM | ||
The Sparkling theme for WordPress is vulnerable to unauthorized plugin activation/deactivation due to a missing capability check on the 'sparkling_activate_plugin' and 'sparkling_deactivate_plugin' functions in versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to activate/deactivate arbitrary plugins. | |||||
CVE-2025-0954 | 2025-03-05 | N/A | 6.5 MEDIUM | ||
The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's settings. | |||||
CVE-2024-13811 | 2025-03-05 | N/A | 4.3 MEDIUM | ||
The Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_import_lafka' AJAX actions in all versions up to, and including, 4.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data that overrides the site. | |||||
CVE-2024-13810 | 2025-03-05 | N/A | 4.3 MEDIUM | ||
The Zass - WooCommerce Theme for Handmade Artists and Artisans theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'zass_import_zass' AJAX actions in all versions up to, and including, 3.9.9.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo content and overwrite the site. | |||||
CVE-2024-13780 | 2025-03-05 | N/A | 6.5 MEDIUM | ||
The Hero Mega Menu - Responsive WordPress Menu Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the hmenu_delete_menu() function in all versions up to, and including, 1.16.5. This makes it possible for unauthenticated attackers to delete arbitrary directories on the server. | |||||
CVE-2024-13747 | 2025-03-05 | N/A | 4.3 MEDIUM | ||
The WooMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'template_delete_saved' function in all versions up to, and including, 3.0.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject SQL into an existing post deletion query. | |||||
CVE-2024-13232 | 2025-03-05 | N/A | 8.8 HIGH | ||
The WordPress Awesome Import & Export Plugin - Import & Export WordPress Data plugin for WordPress is vulnerable arbitrary SQL Execution and privilege escalation due to a missing capability check on the renderImport() function in all versions up to, and including, 4.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary SQL statements that can leveraged to create a new administrative user account. | |||||
CVE-2024-8682 | 2025-03-05 | N/A | 5.3 MEDIUM | ||
The JNews - WordPress Newspaper Magazine Blog AMP Theme theme for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 11.6.6. This is due to the plugin not properly validate if the user can register option is enabled prior to creating a user though the register_handler() function. This makes it possible for unauthenticated attackers to register as a user even when user registration is disabled. | |||||
CVE-2022-48367 | 1 Ibexa | 5 Digital Experience Platform, Ez Platform Kernel, Ezplatform-http-cache-fastly and 2 more | 2025-03-04 | N/A | 9.8 CRITICAL |
An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled. | |||||
CVE-2025-1307 | 2025-03-04 | N/A | 9.8 CRITICAL | ||
The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
CVE-2024-13686 | 2025-03-04 | N/A | 4.3 MEDIUM | ||
The VW Storefront theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vw_storefront_reset_all_settings() function in all versions up to, and including, 0.9.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the themes settings. | |||||
CVE-2025-1813 | 2025-03-03 | 5.0 MEDIUM | 4.3 MEDIUM | ||
A vulnerability classified as problematic was found in zj1983 zz up to 2024-08. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |