Total
5092 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-47634 | 2025-07-08 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in Keylor Mendoza WC Pickup Store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WC Pickup Store: from n/a through 1.8.9. | |||||
| CVE-2025-53374 | 2025-07-08 | N/A | N/A | ||
| Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated low-privileged account can retrieve detailed profile information about another users in the same organization by directly invoking user.one. The response discloses personally-identifiable information (PII) such as e-mail address, role, two-factor status, organization ID, and various account flags. The fix will be available in the v0.23.7. | |||||
| CVE-2025-7078 | 2025-07-08 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-42986 | 2025-07-08 | N/A | 4.3 MEDIUM | ||
| Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application. | |||||
| CVE-2025-42953 | 2025-07-08 | N/A | 8.1 HIGH | ||
| SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confidentiality of the system. | |||||
| CVE-2025-42960 | 2025-07-08 | N/A | 4.3 MEDIUM | ||
| SAP Business Warehouse and SAP BW/4HANA BEx Tools allow an authenticated attacker to gain higher access levels than intended by exploiting improper authorization checks. This could potentially impact data integrity by allowing deletion of user table entries.�It has no impact on the confidentiality and availability of the application. | |||||
| CVE-2025-42968 | 2025-07-08 | N/A | 5.0 MEDIUM | ||
| SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application. | |||||
| CVE-2025-42952 | 2025-07-08 | N/A | 7.7 HIGH | ||
| SAP Business Warehouse and SAP Plug-In Basis allows an authenticated attacker to add fields to arbitrary SAP database tables and/or structures, potentially rendering the system unusable. On successful exploitation, an attacker can render the system unusable by triggering short dumps on login. This could cause a high impact on availability. Data confidentiality and integrity are not affected. No data can be read, changed or deleted. | |||||
| CVE-2025-42961 | 2025-07-08 | N/A | 4.9 MEDIUM | ||
| Due to a missing authorization check in SAP NetWeaver Application server for ABAP, an authenticated user with high privileges could exploit the insufficient validation of user permissions to access sensitive database tables. By leveraging overly permissive access configurations, unauthorized reading of critical data is possible, resulting in a significant impact on the confidentiality of the information stored. However, the integrity and availability of the system remain unaffected. | |||||
| CVE-2025-5957 | 2025-07-08 | N/A | 5.3 MEDIUM | ||
| The Guest Support – Complete customer support ticket system for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteMassTickets' function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to delete arbitrary support tickets. | |||||
| CVE-2025-42974 | 2025-07-08 | N/A | 4.3 MEDIUM | ||
| Due to missing authorization check, an attacker authenticated as a non-administrative user could call a remote-enabled function module. This could enable access to information normally restricted, resulting in low impact on confidentiality. There is no impact on integrity or availability. | |||||
| CVE-2024-12610 | 1 Dasinfomedia | 1 School Management System | 2025-07-07 | N/A | 5.3 MEDIUM |
| The School Management System for Wordpress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'mj_smgt_remove_feetype' and 'mj_smgt_remove_category_new' AJAX actions in all versions up to, and including, 93.0.0. This makes it possible for unauthenticated attackers to delete arbitrary posts. | |||||
| CVE-2024-12611 | 1 Dasinfomedia | 1 School Management System | 2025-07-07 | N/A | 5.3 MEDIUM |
| The School Management System for Wordpress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 93.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-46450 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2025-07-07 | N/A | 8.1 HIGH |
| Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request. | |||||
| CVE-2025-5813 | 1 Suhailahmad64 | 1 Amazon Products To Woocommerce | 2025-07-07 | N/A | 5.3 MEDIUM |
| The Amazon Products to WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcta2w_get_amazon_product_callback() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to create new produces. | |||||
| CVE-2025-4683 | 1 Inspireui | 1 Mstore Api | 2025-07-07 | N/A | 4.3 MEDIUM |
| The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts. | |||||
| CVE-2025-5304 | 1 Ptoffice | 1 Pt Project Notebooks | 2025-07-07 | N/A | 9.8 CRITICAL |
| The PT Project Notebooks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the wpnb_pto_new_users_add() function in versions 1.0.0 through 1.1.3. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator. | |||||
| CVE-2025-3863 | 1 Plugin-devs | 1 Post Carousel Slider For Elementor | 2025-07-03 | N/A | 4.3 MEDIUM |
| The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin’s support‐form handler to send arbitrary emails to the site’s support address. | |||||
| CVE-2024-23944 | 1 Apache | 1 Zookeeper | 2025-07-03 | N/A | 5.3 MEDIUM |
| Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue. | |||||
| CVE-2025-46259 | 2025-07-03 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7. | |||||