Total
6628 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-30993 | 2025-08-14 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce – Increase Your Sales allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thank You Page Customizer for WooCommerce – Increase Your Sales: from n/a through 1.1.7. | |||||
| CVE-2025-31425 | 2025-08-14 | N/A | 7.5 HIGH | ||
| Missing Authorization vulnerability in kamleshyadav WP Lead Capturing Pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Lead Capturing Pages: from n/a through 2.3. | |||||
| CVE-2025-54695 | 2025-08-14 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in HasTech HT Mega allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HT Mega: from n/a through 2.9.0. | |||||
| CVE-2025-5953 | 1 Mishubd | 1 Wp Human Resource Management | 2025-08-13 | N/A | 8.8 HIGH |
| The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via hrm_clean(), passes it directly to wp_insert_user() and later to $user->set_role() without verifying that the current user is allowed to assign that role. This makes it possible for authenticated attackers, with Employee-level access and above, to elevate their privileges to administrator. | |||||
| CVE-2025-5956 | 1 Mishubd | 1 Wp Human Resource Management | 2025-08-13 | N/A | 6.5 MEDIUM |
| The WP Human Resource Management plugin for WordPress is vulnerable to Arbitrary User Deletion due to a missing authorization within the ajax_delete_employee() function in versions 2.0.0 through 2.2.17. The plugin’s deletion handler reads the client-supplied $_POST['delete'] array and passes each ID directly to wp_delete_user() without verifying that the caller has the delete_users capability or limiting which user IDs may be removed. This makes it possible for authenticated attackers, with Employee-level access and above, to delete arbitrary accounts, including administrators. | |||||
| CVE-2025-48133 | 1 Uncannyowl | 1 Uncanny Automator | 2025-08-13 | N/A | 6.5 MEDIUM |
| Missing Authorization vulnerability in Uncanny Owl Uncanny Automator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Automator: from n/a through 6.4.0.2. | |||||
| CVE-2025-30974 | 1 Addonmaster | 1 Post Grid Master | 2025-08-13 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Akhtarujjaman Shuvo Post Grid Master allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid Master: from n/a through 3.4.13. | |||||
| CVE-2025-3150 | 1 Itning | 1 Student-homework-management-system | 2025-08-13 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in itning Student Homework Management System up to 1.2.7. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints might be affected. | |||||
| CVE-2024-11205 | 1 Wpforms | 1 Wpforms | 2025-08-12 | N/A | 8.5 HIGH |
| The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions. | |||||
| CVE-2024-56276 | 1 Wpforms | 1 Wpforms | 2025-08-12 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in WPForms Contact Form by WPForms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through 1.9.2.2. | |||||
| CVE-2025-3604 | 1 Flynax | 1 Flynax Bridge | 2025-08-12 | N/A | 9.8 CRITICAL |
| The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |||||
| CVE-2024-29241 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-08-12 | N/A | 9.9 CRITICAL |
| Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information, write sensitive configurations in DSM, and reboot or shutdown NAS via unspecified vectors. | |||||
| CVE-2024-13526 | 1 Metagauss | 1 Eventprime | 2025-08-12 | N/A | 4.3 MEDIUM |
| The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the export_submittion_attendees function in all versions up to, and including, 4.0.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download list of attendees for any event. | |||||
| CVE-2024-12855 | 1 Scriptsbundle | 1 Adforest | 2025-08-12 | N/A | 4.3 MEDIUM |
| The AdForest theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions like 'sb_remove_ad' in all versions up to, and including, 5.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete posts, attachments and deactivate a license. | |||||
| CVE-2023-5600 | 1 Gitlab | 1 Gitlab | 2025-08-12 | N/A | 3.1 LOW |
| An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of an private specific references could be leaked through the service-desk custom email template. | |||||
| CVE-2025-5121 | 1 Gitlab | 1 Gitlab | 2025-08-12 | N/A | 8.5 HIGH |
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. A missing authorization check may have allowed compliance frameworks to be applied to projects outside the compliance framework's group. | |||||
| CVE-2025-5846 | 1 Gitlab | 1 Gitlab | 2025-08-12 | N/A | 2.7 LOW |
| An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks. | |||||
| CVE-2025-5315 | 1 Gitlab | 1 Gitlab | 2025-08-12 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions. | |||||
| CVE-2025-6253 | 2025-08-12 | N/A | 7.5 HIGH | ||
| The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | |||||
| CVE-2025-8059 | 2025-08-12 | N/A | 9.8 CRITICAL | ||
| The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfr_registration() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create a new account and assign it the administrator role. | |||||