Total
6619 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-15066 | 2025-12-29 | N/A | 6.2 MEDIUM | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Missing Authorization vulnerability in Innorix WP allows Path Traversal.This issue affects Innorix WP from All versions If the "exam" directory exists under the directory where the product is installed (ex: innorix/exam) | |||||
| CVE-2025-14913 | 2025-12-29 | N/A | 5.3 MEDIUM | ||
| The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments. | |||||
| CVE-2020-36890 | 1 Kentico | 1 Xperience | 2025-12-24 | N/A | 7.2 HIGH |
| An access control bypass vulnerability in Kentico Xperience allows administrators to modify global administrator user privileges via unauthorized requests. Attackers could potentially compromise global administrator accounts and invalidate security-sensitive macros by manipulating user privilege levels. | |||||
| CVE-2023-52163 | 1 Digiever | 4 Ds-2105 Pro, Ds-2105 Pro\+, Ds-2105 Pro\+ Firmware and 1 more | 2025-12-24 | N/A | 8.8 HIGH |
| Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2019-25215 | 1 Ari-soft | 1 Ari Adminer | 2025-12-23 | N/A | 7.3 HIGH |
| The ARI-Adminer plugin for WordPress is vulnerable to authorization bypass due to a lack of file access controls in nearly every file of the plugin in versions up to, and including, 1.1.14. This makes it possible for unauthenticated attackers to call the files directly and perform a wide variety of unauthorized actions such as accessing a site's database and making changes. | |||||
| CVE-2019-25217 | 1 Siteground | 1 Speed Optimizer | 2025-12-23 | N/A | 9.8 CRITICAL |
| The SiteGround Optimizer plugin for WordPress is vulnerable to authorization bypass leading to Remote Code Execution and Local File Inclusion in versions up to, and including, 5.0.12 due to incorrect use of an access control attribute on the switch_php function called via the /switch-php REST API route. This allows attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2025-65742 | 1 Newgensoft | 1 Omnidocs | 2025-12-23 | N/A | 8.2 HIGH |
| An unauthenticated Broken Function Level Authorization (BFLA) vulnerability in Newgen OmniDocs v11.0 allows attackers to obtain sensitive information and execute a full account takeover via a crafted API request. | |||||
| CVE-2025-14043 | 2025-12-23 | N/A | 5.3 MEDIUM | ||
| The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the `create_item_permissions_check()` function unconditionally returning true, which bypasses authentication and authorization validation. This makes it possible for unauthenticated attackers to create arbitrary metadata sections for any collection via the public REST API granted they can access the WordPress site. | |||||
| CVE-2025-12980 | 2025-12-23 | N/A | 7.5 HIGH | ||
| The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes. | |||||
| CVE-2023-25445 | 2025-12-23 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in HappyFiles HappyFiles Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HappyFiles Pro: from n/a through 1.8.1. | |||||
| CVE-2025-12898 | 2025-12-23 | N/A | 5.3 MEDIUM | ||
| The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings. | |||||
| CVE-2025-14633 | 2025-12-23 | N/A | 5.3 MEDIUM | ||
| The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs. | |||||
| CVE-2023-25446 | 2025-12-23 | N/A | 7.7 HIGH | ||
| Missing Authorization vulnerability in HappyFiles HappyFiles Pro happyfiles-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HappyFiles Pro: from n/a through 1.8.1. | |||||
| CVE-2025-14080 | 2025-12-23 | N/A | 5.3 MEDIUM | ||
| The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.5. This is due to missing authorization checks on the post update functionality in the fpsml_form_process AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary posts by providing a post_id parameter via the guest posting form, allowing them to change post titles, content, excerpts, and remove post authors. | |||||
| CVE-2025-7782 | 2025-12-23 | N/A | 7.6 HIGH | ||
| The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user. | |||||
| CVE-2023-25068 | 2025-12-23 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Mapro Collins Magazine Edge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Magazine Edge: from n/a through 1.13. | |||||
| CVE-2025-12934 | 2025-12-23 | N/A | 8.1 HIGH | ||
| The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'duplicate_wpml_layout' function in all versions up to, and including, 2.9.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary posts with the content of other existing posts, potentially exposing private and password-protected content and deleting any content that is not saved in revisions or backups. Posts must have been created with Beaver Builder to be copied or updated. | |||||
| CVE-2019-10648 | 1 Robocode | 1 Robocode | 2025-12-22 | 7.5 HIGH | 9.8 CRITICAL |
| Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of a .openStream call within java.net.URL. | |||||
| CVE-2025-64132 | 1 Jenkins | 1 Mcp Server | 2025-12-22 | N/A | 5.4 MEDIUM |
| Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in multiple MCP tools, allowing attackers to trigger builds and obtain information about job and cloud configuration they should not be able to access. | |||||
| CVE-2025-11996 | 1 Toastwebsites | 1 Find Unused Images | 2025-12-22 | N/A | 5.3 MEDIUM |
| The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functiosn in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site's attachments. | |||||