Total: 6619 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-22517 | | | 2026-01-08 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GA4WP: Google Analytics for WordPress: from n/a through 2.10.0. |
| CVE-2025-66402 | 1 Misskey | 1 Misskey | 2026-01-06 | N/A | 6.5 MEDIUM | Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can export the posts and view the contents. Version 2025.12.0 fixes the issue. |
| CVE-2025-15406 | 1 Phpgurukul | 1 Online Course Registration | 2026-01-06 | 6.5 MEDIUM | 6.3 MEDIUM | A flaw has been found in PHPGurukul Online Course Registration up to 3.1. This affects an unknown function. This manipulation causes missing authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used. |
| CVE-2025-66735 | 1 Youlai | 1 Youlai-boot | 2026-01-06 | N/A | 7.5 HIGH | youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The getRoleForm function in SysRoleController.java does not perform permission checks, which may allow non-root users to directly access root roles. |
| CVE-2025-66736 | 1 Youlai | 1 Youlai-boot | 2026-01-06 | N/A | 7.1 HIGH | youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The importUsers function in SysUserController.java does not perform a permission check on the current user's identity, which may allow regular users to import user data into the database, resulting in an authorization bypass vulnerability. |
| CVE-2025-14155 | 1 Leap13 | 1 Premium Addons For Elementor | 2026-01-05 | N/A | 5.3 MEDIUM | The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates. |
| CVE-2025-9549 | 1 Facets Project | 1 Facets | 2026-01-05 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing. This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1. |
| CVE-2025-14817 | 1 Transsion | 2 Hios, Tecno Pova6 Pro 5g | 2026-01-05 | N/A | 6.5 MEDIUM | The component com.transsion.tranfacmode.entrance.main.MainActivity in com.transsion.tranfacmode has no permission control and can be accessed by third-party apps which can construct intents to directly open adb debugging functionality without user interaction. |
| CVE-2019-25214 | 1 Wpshop | 1 Shopwp | 2026-01-02 | N/A | 7.2 HIGH | The ShopWP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST API routes in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to call the endpoints and perform unauthorized actions such as updating the plugin's settings and injecting malicious scripts. |
| CVE-2025-66022 | 1 Owasp | 1 Faction | 2026-01-02 | N/A | 9.6 CRITICAL | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction's extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1. |
| CVE-2025-14428 | | | 2026-01-02 | N/A | 4.3 MEDIUM | The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin. |
| CVE-2025-14047 | | | 2026-01-02 | N/A | 5.3 MEDIUM | The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachments. |
| CVE-2023-22699 | 1 Mainwp | 1 Mainwp Wordfence Extension | 2025-12-31 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in MainWP MainWP Wordfence Extension. This issue affects MainWP Wordfence Extension: from n/a through 4.0.7. |
| CVE-2023-23985 | 1 Ays-pro | 1 Quiz Maker | 2025-12-31 | N/A | 3.7 LOW | Missing Authorization vulnerability in Quiz Maker team Quiz Maker. This issue affects Quiz Maker: from n/a through 6.3.9.4. |
| CVE-2023-41656 | | | 2025-12-31 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in wpdive Better Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Elementor Addons: from n/a through 1.3.7. |
| CVE-2025-14426 | | | 2025-12-31 | N/A | 4.3 MEDIUM | The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen. |
| CVE-2020-36902 | 1 Medivision | 2 Medivision Digital Signage, Medivision Digital Signage Firmware | 2025-12-30 | N/A | 9.8 CRITICAL | UBICOD Medivision Digital Signage 1.5.1 contains an authorization bypass vulnerability that allows normal users to escalate privileges by manipulating the 'ft[grp]' parameter. Attackers can send a GET request to /html/user with 'ft[grp]' set to integer value '3' to gain super admin rights without authentication. |
| CVE-2023-28619 | | | 2025-12-29 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in bnayawpguy Resoto allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Resoto: from n/a through 1.0.8. |
| CVE-2023-40679 | | | 2025-12-29 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Master Addons for Elementor: from n/a through 2.0.5.3. |
| CVE-2025-68920 | | | 2025-12-29 | N/A | 8.9 HIGH | C-Kermit (aka ckermit) through 10.0 Beta.12 (aka 416-beta12) before 244644d allows a remote Kermit system to overwrite files on the local system, or retrieve arbitrary files from the local system. |
