Total
5188 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-0907 | 1 Basixonline | 1 Nex-forms | 2025-01-15 | N/A | 5.3 MEDIUM |
| The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the restore_records() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to restore records. | |||||
| CVE-2023-4627 | 1 Ladipage | 1 Ladipage | 2025-01-15 | N/A | 4.3 MEDIUM |
| The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_config() function in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to update the 'ladipage_config' option. | |||||
| CVE-2025-22779 | 2025-01-15 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Ugur CELIK WP News Sliders allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP News Sliders: from n/a through 1.0. | |||||
| CVE-2025-22737 | 2025-01-15 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in MagePeople Team WpTravelly allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WpTravelly: from n/a through 1.8.5. | |||||
| CVE-2025-22729 | 2025-01-15 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Infomaniak Staff VOD Infomaniak allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VOD Infomaniak: from n/a through 1.5.9. | |||||
| CVE-2024-11851 | 2025-01-15 | N/A | 4.3 MEDIUM | ||
| The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to integers and not arbitrary values. | |||||
| CVE-2024-11848 | 2025-01-15 | N/A | 8.1 HIGH | ||
| The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of '1' which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition. | |||||
| CVE-2024-4444 | 1 Thimpress | 1 Learnpress | 2025-01-14 | N/A | 5.3 MEDIUM |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled. | |||||
| CVE-2023-32316 | 1 Fit2cloud | 1 Cloudexplorer | 2025-01-14 | N/A | 7.1 HIGH |
| CloudExplorer Lite is an open source cloud management tool. In affected versions users can add themselves to any organization in CloudExplorer Lite. This is due to a missing permission check on the user profile. It is recommended to upgrade the version to v1.1.0. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-32311 | 1 Fit2cloud | 1 Cloudexplorer | 2025-01-14 | N/A | 7.1 HIGH |
| CloudExplorer Lite is an open source cloud management platform. In CloudExplorer Lite prior to version 1.1.0 users organization/workspace permissions are not properly checked. This allows users to add themselves to any organization. This vulnerability has been fixed in v1.1.0. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2024-29229 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-01-14 | N/A | 7.7 HIGH |
| Missing authorization vulnerability in GetLiveViewPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors. | |||||
| CVE-2024-29228 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-01-14 | N/A | 7.7 HIGH |
| Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors. | |||||
| CVE-2023-24605 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | N/A | 4.2 MEDIUM |
| OX App Suite before backend 7.10.6-rev37 does not enforce 2FA for all endpoints, e.g., reading from a drive, reading contact data, and renaming tokens. | |||||
| CVE-2025-0068 | 2025-01-14 | N/A | 4.3 MEDIUM | ||
| An obsolete functionality in SAP NetWeaver Application Server ABAP did not perform necessary authorization checks. Because of this, an authenticated attacker could obtain information that would otherwise be restricted. It has no impact on integrity or availability on the application. | |||||
| CVE-2025-0067 | 2025-01-14 | N/A | 6.3 MEDIUM | ||
| Due to a missing authorization check on service endpoints in the SAP NetWeaver Application Server Java, an attacker with standard user role can create JCo connection entries, which are used for remote function calls from or to the application server. This could lead to low impact on confidentiality, integrity, and availability of the application. | |||||
| CVE-2024-12204 | 2025-01-11 | N/A | 5.4 MEDIUM | ||
| The Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions in the class-cx-rest.php file in all versions up to, and including, 1.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create 100% off coupons, delete posts, delete leads, and update coupon statuses. | |||||
| CVE-2024-13303 | 2025-01-10 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in Drupal Download All Files allows Forceful Browsing.This issue affects Download All Files: from 0.0.0 before 2.0.2. | |||||
| CVE-2024-23493 | 1 Mattermost | 1 Mattermost Server | 2025-01-10 | N/A | 4.3 MEDIUM |
| Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of. | |||||
| CVE-2021-4446 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2025-01-10 | N/A | 6.3 MEDIUM |
| The Essential Addons for Elementor plugin for WordPress is vulnerable to authorization bypass in versions up to and including 4.6.4 due to missing capability checks and nonce disclosure. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to perform many unauthorized actions such as changing settings and installing arbitrary plugins. | |||||
| CVE-2021-4447 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2025-01-10 | N/A | 8.8 HIGH |
| The Essential Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to and including 4.6.4 due to a lack of restrictions on who can add a registration form and a custom registration role to an Elementor created page. This makes it possible for attackers with access to the Elementor page builder to create a new registration form that defaults to the user role being set to administrator and subsequently register as an administrative user. | |||||