Total
4661 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-22299 | 2025-01-07 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in spacecodes AI for SEO allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI for SEO: from n/a through 1.2.9. | |||||
| CVE-2025-22298 | 2025-01-07 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Hive Support Hive Support – WordPress Help Desk allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hive Support – WordPress Help Desk: from n/a through 1.1.6. | |||||
| CVE-2024-56294 | 2025-01-07 | N/A | 6.4 MEDIUM | ||
| Missing Authorization vulnerability in POSIMYTH Nexter Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nexter Blocks: from n/a through 4.0.7. | |||||
| CVE-2024-56276 | 2025-01-07 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in WPForms Contact Form by WPForms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through 1.9.2.2. | |||||
| CVE-2024-56271 | 2025-01-07 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in SecureSubmit WP SecureSubmit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP SecureSubmit: from n/a through 1.5.16. | |||||
| CVE-2024-51651 | 2025-01-07 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in CubeWP CubeWP Forms – All-in-One Form Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CubeWP Forms – All-in-One Form Builder: from n/a through 1.1.5. | |||||
| CVE-2024-12202 | 2025-01-07 | N/A | 8.8 HIGH | ||
| The Croma Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'ironMusic_ajax' function in all versions up to, and including, 3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | |||||
| CVE-2024-10866 | 2025-01-07 | N/A | 5.3 MEDIUM | ||
| The Export Import Menus plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the dsp_export_import_menus() function in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to export menu data and settings. | |||||
| CVE-2024-12781 | 2025-01-07 | N/A | 4.3 MEDIUM | ||
| The Aurum - WordPress & WooCommerce Shopping Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'lab_1cl_demo_install_package_content' function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite content with imported demo content. | |||||
| CVE-2024-11725 | 2025-01-07 | N/A | 8.8 HIGH | ||
| The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the updateWcWarrantySettings() function in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Please note this requires the woocommerce-warranty plugin to be installed in order to be exploited. | |||||
| CVE-2024-12535 | 2025-01-07 | N/A | 8.6 HIGH | ||
| The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited. | |||||
| CVE-2024-10536 | 2025-01-07 | N/A | 4.3 MEDIUM | ||
| The FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_block_shortcode_export() function in all versions up to, and including, 6.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export shortcodes. | |||||
| CVE-2024-12327 | 2025-01-07 | N/A | 4.3 MEDIUM | ||
| The LazyLoad Background Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pblzbg_save_settings() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. | |||||
| CVE-2024-12176 | 2025-01-07 | N/A | 5.3 MEDIUM | ||
| The WordLift – AI powered SEO – Schema plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'wl_config_plugin' AJAX action in all versions up to, and including, 3.54.0. This makes it possible for unauthenticated attackers to update the plugin's settings. | |||||
| CVE-2024-12158 | 2025-01-07 | N/A | 5.3 MEDIUM | ||
| The Popup – MailChimp, GetResponse and ActiveCampaign Intergrations plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'upc_delete_db_data' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for unauthenticated attackers to delete the DB data for the plugin. | |||||
| CVE-2024-11496 | 2025-01-07 | N/A | 6.5 MEDIUM | ||
| The Infility Global plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the infility_global_ajax function in all versions up to, and including, 2.9.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options and potentially break the site. | |||||
| CVE-2024-10527 | 2025-01-07 | N/A | 3.1 LOW | ||
| The Spacer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the motech_spacer_callback() function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view limited setting information. | |||||
| CVE-2024-12559 | 2025-01-07 | N/A | 5.3 MEDIUM | ||
| The ClickDesigns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clickdesigns_add_api' and the 'clickdesigns_remove_api' functions in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to modify or remove the plugin's API key. | |||||
| CVE-2025-22385 | 2025-01-06 | N/A | 5.9 MEDIUM | ||
| An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested storefront accounts can be created on behalf of visitors. | |||||
| CVE-2024-56349 | 1 Jetbrains | 1 Teamcity | 2025-01-02 | N/A | 5.3 MEDIUM |
| In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs | |||||