Total
6631 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-0683 | 1 Autopolis | 1 Bulgarisation For Woocommerce | 2025-02-28 | N/A | 7.3 HIGH |
| The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions in all versions up to, and including, 3.0.14. This makes it possible for unauthenticated and authenticated attackers, with subscriber-level access and above, to generate and delete labels. | |||||
| CVE-2024-1566 | 1 Declaire | 1 Redirects | 2025-02-28 | N/A | 6.5 MEDIUM |
| The Redirects plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save function in all versions up to, and including, 1.2.1. This makes it possible for unauthenticated attackers to change redirects created with this plugin. This could lead to undesired redirection to phishing sites or malicious web pages. | |||||
| CVE-2024-1322 | 1 Wpwax | 1 Directorist | 2025-02-28 | N/A | 5.3 MEDIUM |
| The Directorist – WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 7.8.4. This makes it possible for unauthenticated attackers to recreate default pages and enable or disable monetization and change map provider. | |||||
| CVE-2024-1337 | 1 Sktthemes | 1 Skt Templates | 2025-02-28 | N/A | 4.3 MEDIUM |
| The SKT Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveSktbuilderPageData' function in all versions up to, and including, 4.1. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary content into pages. | |||||
| CVE-2024-1340 | 1 Webfactoryltd | 1 Wp Login Lockdown | 2025-02-28 | N/A | 5.4 MEDIUM |
| The Login Lockdown – Protect Login Form plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the generate_export_file function in all versions up to, and including, 2.08. This makes it possible for authenticated attackers, with subscriber access and higher, to export this plugin's settings that include whitelisted IP addresses as well as a global unlock key. With the global unlock key an attacker can add their IP address to the whitelist. | |||||
| CVE-2024-13693 | 1 Kriesi | 1 Enfold | 2025-02-28 | N/A | 5.3 MEDIUM |
| The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may included sensitive information such as the Mailchimp API Key, reCAPTCHA Secret Key, or Envato private token if they are set. | |||||
| CVE-2025-1682 | 2025-02-28 | N/A | 8.8 HIGH | ||
| The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'save_settings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user role. | |||||
| CVE-2025-1681 | 2025-02-28 | N/A | 5.4 MEDIUM | ||
| The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files. | |||||
| CVE-2024-1710 | 1 Unlimited-elements | 1 Addon Library | 2025-02-27 | N/A | 8.8 HIGH |
| The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the onAjaxAction function action in all versions up to, and including, 1.3.76. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions including uploading arbitrary files. | |||||
| CVE-2024-10528 | 1 Ultimatemember | 1 Ultimate Member | 2025-02-27 | N/A | 4.3 MEDIUM |
| The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_ajax_um_resize_image() and ajax_resize_image() functions in all versions up to, and including, 2.8.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the profile pictures of other users. | |||||
| CVE-2023-30873 | 1 Androidbubble | 1 Wp Docs | 2025-02-27 | N/A | 5.4 MEDIUM |
| Missing Authorization vulnerability in Fahad Mahmood WP Docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Docs: from n/a through 1.9.8. | |||||
| CVE-2024-10533 | 1 Ninjateam | 1 Wp Chat App | 2025-02-27 | N/A | 4.3 MEDIUM |
| The WP Chat App plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the ajax_install_plugin() function in all versions up to, and including, 3.6.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the filebird plugin. | |||||
| CVE-2024-50428 | 1 Mondula | 1 Multi Step Form | 2025-02-27 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Mondula GmbH Multi Step Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Multi Step Form: from n/a through 1.7.21. | |||||
| CVE-2022-25768 | 1 Acquia | 1 Mautic | 2025-02-27 | N/A | 7.0 HIGH |
| The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required. | |||||
| CVE-2020-36835 | 1 Wpvivid | 1 Migration\, Backup\, Staging | 2025-02-27 | N/A | 4.9 MEDIUM |
| The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to sensitive information disclosure of a WordPress site's database due to missing capability checks on the wp_ajax_wpvivid_add_remote AJAX action that allows low-level authenticated attackers to send back-ups to a remote location of their choice for review. This affects versions up to, and including 0.9.35. | |||||
| CVE-2024-3895 | 1 Androidbubbles | 1 Wp Datepicker | 2025-02-27 | N/A | 8.8 HIGH |
| The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdp_add_new_datepicker_ajax() function in all versions up to, and including, 2.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options that can be used for privilege escalation. This was partially patched in 2.0.9 and 2.1.0, and fully patched in 2.1.1. | |||||
| CVE-2025-22280 | 2025-02-27 | N/A | 7.6 HIGH | ||
| Missing Authorization vulnerability in revmakx DefendWP Firewall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DefendWP Firewall: from n/a through 1.1.0. | |||||
| CVE-2024-12201 | 1 Hashthemes | 1 Hash Form | 2025-02-27 | N/A | 4.3 MEDIUM |
| The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check when creating form styles in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create new form styles. | |||||
| CVE-2023-37967 | 1 Designinvento | 1 Directorypress | 2025-02-27 | N/A | 6.5 MEDIUM |
| Missing Authorization vulnerability in Designinvento DirectoryPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a through 3.6.2. | |||||
| CVE-2023-41875 | 1 Wpdirectorykit | 1 Wp Directory Kit | 2025-02-27 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in wpdirectorykit.com WP Directory Kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Directory Kit: from n/a through 1.2.6. | |||||