Total: 6628 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-8999 | | | 2025-09-17 | N/A | 5.3 MEDIUM | The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate various theme modules. |
| CVE-2025-8807 | 1 Tianti Project | 1 Tianti | 2025-09-16 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was found in xujeff tianti (天梯) up to 2.3. It has been declared as critical. This vulnerability affects unknown code of the file /tianti-module-admin/user/ajax/save. The manipulation leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-8446 | | | 2025-09-16 | N/A | 4.3 MEDIUM | The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability. |
| CVE-2025-53640 | 1 Cern | 1 Indico | 2025-09-15 | N/A | 6.5 MEDIUM | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk. Version 3.3.7 fixes the issue. Owners of instances that allow everyone to create a user account, who wish to truly restrict access to these user details, should consider restricting user search to managers. As a workaround, it is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended. |
| CVE-2025-58795 | | | 2025-09-15 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in Payoneer Inc. Payoneer Checkout allows Content Spoofing. This issue affects Payoneer Checkout: from n/a through 3.4.0. |
| CVE-2024-32466 | 1 Tolgee | 1 Tolgee | 2025-09-11 | N/A | 2.7 LOW | Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when the API key was missing the `translation.view` scope. However, it was impossible to fetch the data when the user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2. |
| CVE-2025-53825 | 1 Dokploy | 1 Dokploy | 2025-09-11 | N/A | 9.4 CRITICAL | Dokploy is a free, self-hostable Platform as a Service (PaaS). Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This exposes secrets and potentially enables remote code execution, putting all public Dokploy users using these preview deployments at risk. Version 0.24.3 contains a fix for the issue. |
| CVE-2025-53291 | | | 2025-09-11 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in spoddev2021 Spreadconnect. This issue affects Spreadconnect: from n/a through 2.1.5. |
| CVE-2025-49860 | | | 2025-09-11 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in Majestic Support Majestic Support. This issue affects Majestic Support: from n/a through 1.1.0. |
| CVE-2025-53340 | | | 2025-09-11 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in awesomesupport Awesome Support. This issue affects Awesome Support: from n/a through 6.3.4. |
| CVE-2025-39553 | | | 2025-09-11 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in andy_moyle Church Admin. This issue affects Church Admin: from n/a through 5.0.9. |
| CVE-2025-53348 | | | 2025-09-11 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in Laborator Kalium. This issue affects Kalium: from n/a through 3.18.3. |
| CVE-2025-39541 | | | 2025-09-11 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Roland Murg WP Simple Booking Calendar. This issue affects WP Simple Booking Calendar: from n/a through 2.0.13. |
| CVE-2025-58978 | | | 2025-09-11 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in WP Swings PDF Generator for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF Generator for WordPress: from n/a through 1.5.4. |
| CVE-2025-59005 | | | 2025-09-11 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in frenify Categorify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Categorify: from n/a through 1.0.7.5. |
| CVE-2025-58979 | | | 2025-09-11 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in BerqWP BerqWP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BerqWP: from n/a through 2.2.53. |
| CVE-2025-58981 | | | 2025-09-11 | N/A | 5.4 MEDIUM | Missing Authorization vulnerability in Equalize Digital Accessibility Checker by Equalize Digital allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Checker by Equalize Digital: from n/a through 1.31.0. |
| CVE-2025-58980 | | | 2025-09-11 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in recorp Export WP Page to Static HTML/CSS allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Export WP Page to Static HTML/CSS: from n/a through 4.1.0. |
| CVE-2025-58976 | | | 2025-09-11 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in Equalize Digital Accessibility Checker by Equalize Digital allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Checker by Equalize Digital: from n/a through 1.31.0. |
| CVE-2025-8423 | | | 2025-09-11 | N/A | 5.4 MEDIUM | The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mtswpt_remove_plugin() and ajax_update_export_code() functions in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete arbitrary WordPress options which can cause a denial of service. |
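
Most of the WordPress entries above (CVE-2025-8999, CVE-2025-8446, CVE-2025-8423 and the "Missing Authorization" plugin advisories) share one root cause: an `admin-ajax.php` handler is registered for every logged-in user via `wp_ajax_*`, and the callback never asks whether that user is allowed to perform the action, so a Subscriber account can call it. The following is an added illustration of that pattern and its fix; it is not code from any theme or plugin listed on this page. The plugin name `exampleplugin`, the option key `exampleplugin_modules`, the module list and the script handle are hypothetical.

```php
<?php
// Added example (not from any plugin listed above). Hypothetical plugin
// "exampleplugin" exposing an AJAX action that toggles a theme module.

// VULNERABLE: registered for any authenticated user (wp_ajax_ prefix), and the
// callback never checks a capability. A Subscriber can POST
// action=exampleplugin_activate_module&module=shop&enable=1 and change site state.
add_action( 'wp_ajax_exampleplugin_activate_module', 'exampleplugin_activate_module_vulnerable' );
function exampleplugin_activate_module_vulnerable() {
    $module  = sanitize_key( $_POST['module'] ?? '' );
    $modules = get_option( 'exampleplugin_modules', array() );
    $modules[ $module ] = ! empty( $_POST['enable'] );
    update_option( 'exampleplugin_modules', $modules );
    wp_send_json_success( $modules );
}

// HARDENED: the same handler with the checks a state-changing AJAX action needs.
add_action( 'wp_ajax_exampleplugin_activate_module_safe', 'exampleplugin_activate_module_safe' );
function exampleplugin_activate_module_safe() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    A nonce is NOT an authorization check; Subscribers can obtain nonces too.
    check_ajax_referer( 'exampleplugin_activate_module', 'nonce' );

    // 2. Authorization: being logged in is not enough. Require the capability that
    //    governs the action (manage_options for site settings). wp_send_json_error
    //    terminates the request, so no explicit return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input: only accept known module names, so the handler cannot be steered
    //    into reading or deleting arbitrary option keys (cf. CVE-2025-8423).
    $allowed = array( 'blog', 'shop', 'portfolio' ); // hypothetical module list
    $module  = sanitize_key( $_POST['module'] ?? '' );
    if ( ! in_array( $module, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown module.' ), 400 );
    }

    $modules = get_option( 'exampleplugin_modules', array() );
    $modules[ $module ] = ! empty( $_POST['enable'] );
    update_option( 'exampleplugin_modules', $modules );
    wp_send_json_success( $modules );
}

// Hand the nonce to the admin page's script (hypothetical handle
// "exampleplugin-admin") so the hardened handler can be called legitimately.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'exampleplugin-admin', 'exampleplugin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'exampleplugin_activate_module' ),
    ) );
} );
```

To verify a fix, test the endpoint with a Subscriber account, not only as an administrator: log in as a Subscriber, POST to `/wp-admin/admin-ajax.php` with the action name, and confirm the response is a 403 error rather than the success payload. Note that the absence of a `wp_ajax_nopriv_*` registration only blocks anonymous callers; it says nothing about what a low-privilege authenticated user may do, which is exactly the gap the advisories above describe.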
