Total: 6618 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-68947 | | | 2026-01-14 | N/A | 4.7 MEDIUM | NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted IOCTL requests to the driver. |
| CVE-2025-14482 | | | 2026-01-14 | N/A | 4.3 MEDIUM | The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings, including disabling auto-compression and changing image quality settings. |
| CVE-2025-14880 | | | 2026-01-14 | N/A | 5.3 MEDIUM | The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed. |
| CVE-2025-15475 | | | 2026-01-14 | N/A | 5.3 MEDIUM | The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold. |
| CVE-2025-15512 | | | 2026-01-14 | N/A | 5.3 MEDIUM | The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status. |
| CVE-2025-14854 | | | 2026-01-14 | N/A | 5.4 MEDIUM | The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses. |
| CVE-2025-14173 | | | 2026-01-14 | N/A | 5.3 MEDIUM | The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter. |
| CVE-2026-0635 | | | 2026-01-14 | N/A | 4.3 MEDIUM | The Responsive Accordion Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resp_accordion_silder_save_images' function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify any slider's image metadata, including titles, descriptions, alt text, and links. |
| CVE-2025-15390 | 1 Phpgurukul | 1 Small Crm | 2026-01-13 | 6.5 MEDIUM | 6.3 MEDIUM | A security flaw has been discovered in PHPGurukul Small CRM 4.0. It affects an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. The attack can be launched remotely. A public exploit is available and may be used in attacks. |
| CVE-2025-15405 | 1 Phpems | 1 Phpems | 2026-01-13 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was detected in PHPEMS up to 11.0. The affected element is an unknown function. The manipulation results in cross-site request forgery. The attack may be launched remotely. |
| CVE-2021-24977 | 1 Dineshkarki | 1 Use Any Font | 2026-01-13 | 5.8 MEDIUM | 6.1 MEDIUM | The Use Any Font \| Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to send arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues. |
| CVE-2023-37885 | 1 Inspirythemes | 1 Realhomes | 2026-01-13 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in InspiryThemes RealHomes. This issue affects RealHomes: from n/a through 4.0.2. |
| CVE-2023-37886 | 1 Inspirythemes | 1 Realhomes | 2026-01-13 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in InspiryThemes RealHomes. This issue affects RealHomes: from n/a through 4.0.2. |
| CVE-2025-13717 | | | 2026-01-13 | N/A | 5.3 MEDIUM | The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages. |
| CVE-2025-14741 | | | 2026-01-13 | N/A | 9.1 CRITICAL | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts. |
| CVE-2025-14720 | | | 2026-01-13 | N/A | 5.3 MEDIUM | The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information, among other things. |
| CVE-2025-13628 | | | 2026-01-13 | N/A | 4.3 MEDIUM | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete, activate, deactivate, or trash arbitrary coupons. |
| CVE-2025-13934 | | | 2026-01-13 | N/A | 4.3 MEDIUM | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enroll themselves in any course without going through the proper purchase flow. |
| CVE-2025-14782 | | | 2026-01-13 | N/A | 5.3 MEDIUM | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data, including personally identifiable information. |
| CVE-2026-0817 | | | 2026-01-13 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse. This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39. |
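Most of the WordPress rows above share one root cause: a handler reachable through admin-ajax.php (or `admin_init`) that writes data without asking whether the caller is allowed to. The payment-gateway rows are a variant where the caller is legitimately anonymous, so the missing check is a gateway signature rather than a capability. The PHP below is an added illustration of both hardened shapes, not code from any plugin in the table. The WordPress and WooCommerce functions called (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `wc_get_order`, `payment_complete`, `hash_equals`, ...) are real; every name prefixed `acme_`, the option key, and the HMAC-over-fields signature scheme are hypothetical.

```php
<?php
// Added illustration, not code from any plugin listed on this page.
// Two hardened handlers for the patterns the advisories above describe:
//   (a) an AJAX action that modifies data, guarded by nonce + capability;
//   (b) a payment-gateway return URL, guarded by a signature check instead
//       of a capability (the gateway, not a logged-in user, is the caller).
// Everything prefixed "acme_" is hypothetical; the WP/WC functions are real.

// ---------- (a) Privileged AJAX action ----------
// Vulnerable shape seen in the table: add_action('wp_ajax_nopriv_...') or
// add_action('wp_ajax_...') straight into a function that writes data with
// no current_user_can() call. Sanitizing $_POST does not fix that (CWE-862).
add_action( 'wp_ajax_acme_set_status', 'acme_set_status' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous callers get
// WordPress's default "0" / HTTP 400 response and never reach the handler.

function acme_set_status() {
    // CSRF: dies with 403 unless a valid nonce for this action is supplied.
    check_ajax_referer( 'acme_set_status', 'nonce' );

    $id     = absint( $_POST['id'] ?? 0 );
    $status = sanitize_key( $_POST['status'] ?? '' );

    // Authorization: a capability scoped to the object, not is_user_logged_in().
    // For plugin-wide settings use current_user_can( 'manage_options' ) instead.
    if ( ! $id || ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! in_array( $status, array( 'pending', 'processing', 'completed' ), true ) ) {
        wp_send_json_error( 'bad status', 400 );
    }

    update_post_meta( $id, '_acme_status', $status );
    wp_send_json_success();
}

// ---------- (b) Gateway return / notify URL ----------
// Several rows above let anyone mark an order paid by calling the return
// handler. The caller here is legitimately unauthenticated, so the check must
// bind the request to the gateway: a keyed signature over the fields that
// matter, compared in constant time, plus amount/currency/state validation.
add_action( 'woocommerce_api_acme_gateway', 'acme_gateway_return' );

function acme_gateway_return() {
    // Hypothetical gateway signature scheme: HMAC-SHA256 over
    // "order_id|amount|currency|txn_id" keyed with the merchant secret.
    $secret = (string) get_option( 'acme_gateway_merchant_secret', '' );

    $order_id = absint( $_REQUEST['order_id'] ?? 0 );
    $amount   = (string) ( $_REQUEST['amount'] ?? '' );
    $currency = strtoupper( sanitize_text_field( $_REQUEST['currency'] ?? '' ) );
    $txn_id   = sanitize_text_field( $_REQUEST['txn_id'] ?? '' );
    $sig      = (string) ( $_REQUEST['sig'] ?? '' );

    $expected = hash_hmac( 'sha256', "$order_id|$amount|$currency|$txn_id", $secret );
    if ( '' === $secret || ! hash_equals( $expected, $sig ) ) {
        status_header( 403 );
        exit; // unsigned or forged callback: do not touch the order
    }

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        status_header( 404 );
        exit;
    }
    // A valid signature is not enough: the gateway must be reporting the amount
    // this order actually owes, and an already-paid order must not be re-completed.
    if ( $order->is_paid()
         || wc_format_decimal( $amount, 2 ) !== wc_format_decimal( $order->get_total(), 2 )
         || $currency !== $order->get_currency() ) {
        status_header( 400 );
        exit;
    }

    $order->payment_complete( $txn_id );
    status_header( 200 );
    exit;
}
```

Two caveats worth keeping in mind when reviewing handlers like these. `admin_init` also fires for requests to admin-ajax.php, which anonymous visitors can reach, so hooking a destructive action there is not an implicit authentication check (this is why a row above is exploitable unauthenticated). And a nonce alone is not authorization: `check_ajax_referer` proves the request came from a page the site served to this user, while `current_user_can` is what decides whether this user may act on this object.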
