Total: 6630 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13719 | 1 Pepro | 1 Peprodev Ultimate Invoice | 2025-03-06 | N/A | 5.3 MEDIUM |
| The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.8 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view invoices for completed orders which can contain PII of users. | |||||
| CVE-2025-1666 | | | 2025-03-06 | N/A | 4.3 MEDIUM |
| The Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_uninstall_survey() function in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit the uninstall survey on behalf of a website. | |||||
| CVE-2022-47483 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-03-05 | N/A | 5.5 MEDIUM |
| In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed. | |||||
| CVE-2022-47482 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-03-05 | N/A | 5.5 MEDIUM |
| In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed. | |||||
| CVE-2022-47481 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-03-05 | N/A | 5.5 MEDIUM |
| In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed. | |||||
| CVE-2022-47480 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-03-05 | N/A | 5.5 MEDIUM |
| In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed. | |||||
| CVE-2024-12331 | 1 Ninjateam | 1 Filester | 2025-03-05 | N/A | 4.3 MEDIUM |
| The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_install_plugin' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Filebird plugin. | |||||
| CVE-2023-26957 | 1 Onekeyadmin | 1 Onekeyadmin | 2025-03-05 | N/A | 9.1 CRITICAL |
| onekeyadmin v1.3.9 was discovered to contain an arbitrary file delete vulnerability via the component \admin\controller\plugins. | |||||
| CVE-2023-49981 | 1 Oretnom23 | 1 School Fees Management System | 2025-03-05 | N/A | 7.5 HIGH |
| A directory listing vulnerability in School Fees Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization. | |||||
| CVE-2023-49980 | 1 Mayurik | 1 Best Student Result Management System | 2025-03-05 | N/A | 7.5 HIGH |
| A directory listing vulnerability in Best Student Result Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization. | |||||
| CVE-2023-49979 | 1 Mayurik | 1 Best Student Management System | 2025-03-05 | N/A | 7.5 HIGH |
| A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization. | |||||
| CVE-2024-13686 | 1 Vwthemes | 1 Vw Storefront | 2025-03-05 | N/A | 4.3 MEDIUM |
| The VW Storefront theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vw_storefront_reset_all_settings() function in all versions up to, and including, 0.9.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the theme's settings. | |||||
| CVE-2022-47471 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-03-05 | N/A | 5.5 MEDIUM |
| In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. | |||||
| CVE-2024-1370 | 1 Themegrill | 1 Maintenance Page | 2025-03-05 | N/A | 5.3 MEDIUM |
| The Maintenance Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the subscribe_download function hooked via AJAX action in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with subscriber access or higher, to download a csv containing subscriber emails. | |||||
| CVE-2025-1639 | 1 Crowdytheme | 1 Arolax | 2025-03-05 | N/A | 8.8 HIGH |
| The Animation Addons for Elementor Pro plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_elementor_plugin_handler() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to further infect a victim when Elementor is not activated on a vulnerable site. | |||||
| CVE-2024-1492 | 1 Wpify | 1 Woo Czech | 2025-03-05 | N/A | 5.3 MEDIUM |
| The WPify Woo Czech plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the maybe_send_to_packeta function in all versions up to, and including, 4.0.8. This makes it possible for unauthenticated attackers to obtain shipping details for orders as long as the order number is known. | |||||
| CVE-2023-6731 | 1 Generatepress | 1 Wp Show Posts | 2025-03-05 | N/A | 4.3 MEDIUM |
| The WP Show Posts plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX functions in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with subscriber access and above, to view arbitrary post metadata, list posts, and view terms and taxonomies. | |||||
| CVE-2025-1307 | 1 Spicethemes | 1 Newscrunch | 2025-03-05 | N/A | 9.8 CRITICAL |
| The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-13423 | | | 2025-03-05 | N/A | 5.3 MEDIUM |
| The Sparkling theme for WordPress is vulnerable to unauthorized plugin activation/deactivation due to a missing capability check on the 'sparkling_activate_plugin' and 'sparkling_deactivate_plugin' functions in versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to activate/deactivate arbitrary plugins. | |||||
| CVE-2025-0954 | | | 2025-03-05 | N/A | 6.5 MEDIUM |
| The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's settings. | |||||
