Total
6630 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13811 | 2025-03-05 | N/A | 4.3 MEDIUM | ||
| The Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_import_lafka' AJAX actions in all versions up to, and including, 4.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data that overrides the site. | |||||
| CVE-2024-13810 | 2025-03-05 | N/A | 4.3 MEDIUM | ||
| The Zass - WooCommerce Theme for Handmade Artists and Artisans theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'zass_import_zass' AJAX actions in all versions up to, and including, 3.9.9.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo content and overwrite the site. | |||||
| CVE-2024-13780 | 2025-03-05 | N/A | 6.5 MEDIUM | ||
| The Hero Mega Menu - Responsive WordPress Menu Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the hmenu_delete_menu() function in all versions up to, and including, 1.16.5. This makes it possible for unauthenticated attackers to delete arbitrary directories on the server. | |||||
| CVE-2024-13747 | 2025-03-05 | N/A | 4.3 MEDIUM | ||
| The WooMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'template_delete_saved' function in all versions up to, and including, 3.0.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject SQL into an existing post deletion query. | |||||
| CVE-2024-13232 | 2025-03-05 | N/A | 8.8 HIGH | ||
| The WordPress Awesome Import & Export Plugin - Import & Export WordPress Data plugin for WordPress is vulnerable arbitrary SQL Execution and privilege escalation due to a missing capability check on the renderImport() function in all versions up to, and including, 4.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary SQL statements that can leveraged to create a new administrative user account. | |||||
| CVE-2024-8682 | 2025-03-05 | N/A | 5.3 MEDIUM | ||
| The JNews - WordPress Newspaper Magazine Blog AMP Theme theme for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 11.6.6. This is due to the plugin not properly validate if the user can register option is enabled prior to creating a user though the register_handler() function. This makes it possible for unauthenticated attackers to register as a user even when user registration is disabled. | |||||
| CVE-2023-47805 | 1 Themewinter | 1 Wpcafe | 2025-03-04 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in Themewinter WPCafe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCafe: from n/a through 2.2.22. | |||||
| CVE-2024-12427 | 1 Mondula | 1 Multi Step Form | 2025-03-04 | N/A | 5.3 MEDIUM |
| The Multi Step Form plugin for WordPress is vulnerable to unauthorized limited file upload due to a missing capability check on the fw_upload_file AJAX action in all versions up to, and including, 1.7.23. This makes it possible for unauthenticated attackers to upload limited file types such as images. | |||||
| CVE-2022-48367 | 1 Ibexa | 5 Digital Experience Platform, Ez Platform Kernel, Ezplatform-http-cache-fastly and 2 more | 2025-03-04 | N/A | 9.8 CRITICAL |
| An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled. | |||||
| CVE-2024-11133 | 1 Imithemes | 1 Eventer | 2025-03-04 | N/A | 5.3 MEDIUM |
| The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_pdf_download_request' function in all versions up to, and including, 3.9.9. This makes it possible for unauthenticated attackers to download event tickets. | |||||
| CVE-2024-11134 | 1 Imithemes | 1 Eventer | 2025-03-04 | N/A | 4.3 MEDIUM |
| The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'eventer_export_bookings_csv' function in all versions up to, and including, 3.9.9. This makes it possible for authenticated attackers with subscriber-level permissions or above, to download bookings, which contains customers' personal data. | |||||
| CVE-2024-0702 | 1 Oliverpos | 1 Oliver Pos | 2025-03-04 | N/A | 7.3 HIGH |
| The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions hooked via AJAX in the includes/class-pos-bridge-install.php file in all versions up to, and including, 2.4.1.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more. | |||||
| CVE-2025-26374 | 1 Q-free | 1 Maxtime | 2025-03-03 | N/A | 6.5 MEDIUM |
| A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. | |||||
| CVE-2025-26372 | 1 Q-free | 1 Maxtime | 2025-03-03 | N/A | 7.1 HIGH |
| A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests. | |||||
| CVE-2025-27270 | 2025-03-03 | N/A | 9.8 CRITICAL | ||
| Missing Authorization vulnerability in NotFound Residential Address Detection allows Privilege Escalation. This issue affects Residential Address Detection: from n/a through 2.5.4. | |||||
| CVE-2025-23763 | 2025-03-03 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in Alex Volkov WAH Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WAH Forms: from n/a through 1.0. | |||||
| CVE-2025-23615 | 2025-03-03 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in NotFound Interactive Page Hierarchy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Interactive Page Hierarchy: from n/a through 1.0.1. | |||||
| CVE-2025-23613 | 2025-03-03 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in NotFound WP Journal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Journal: from n/a through 1.1. | |||||
| CVE-2025-23515 | 2025-03-03 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in tsecher ts-tree allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ts-tree: from n/a through 0.1.1. | |||||
| CVE-2025-23440 | 2025-03-03 | N/A | 6.3 MEDIUM | ||
| Missing Authorization vulnerability in radicaldesigns radSLIDE allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects radSLIDE: from n/a through 2.1. | |||||