Total
7134 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-14757 | 1 Stylemixthemes | 1 Cost Calculator Builder | 2026-01-23 | N/A | 5.3 MEDIUM |
| The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can mark any order's payment status as "completed" without actual payment. | |||||
| CVE-2025-14457 | 1 Codedropz | 1 Contact Form 7 | 2026-01-23 | N/A | 3.7 LOW |
| The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled. | |||||
| CVE-2025-13781 | 1 Gitlab | 1 Gitlab | 2026-01-22 | N/A | 6.5 MEDIUM |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations. | |||||
| CVE-2023-47180 | 1 Xlplugins | 1 Finale | 2026-01-22 | N/A | 6.5 MEDIUM |
| Missing Authorization vulnerability in XLPlugins Finale Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Finale Lite: from n/a through 2.16.0. | |||||
| CVE-2026-0506 | 1 Sap | 1 Netweaver Application Server Abap | 2026-01-22 | N/A | 8.1 HIGH |
| Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected. | |||||
| CVE-2025-13772 | 1 Gitlab | 1 Gitlab | 2026-01-22 | N/A | 7.1 HIGH |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests. | |||||
| CVE-2025-64729 | 1 Aveva | 1 Process Optimization | 2026-01-22 | N/A | 8.1 HIGH |
| The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Process Optimization project files, embed code, and escalate their privileges to the identity of a victim user who subsequently interacts with the project files. | |||||
| CVE-2025-8944 | 1 Oceanwp | 1 Oceanwp | 2026-01-20 | N/A | 4.3 MEDIUM |
| The OceanWP WordPress theme before 4.1.2 is vulnerable to an option update due to a missing capability check on one of its AJAX request handlers, allowing any authenticated user, such as a subscriber, to update the `darkMod` setting. | |||||
| CVE-2025-15235 | 1 Quantatw | 1 Qoca Aim | 2026-01-20 | N/A | 6.5 MEDIUM |
| QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Missing Authorization vulnerability, allowing authenticated remote attackers to modify specific network packet parameters, enabling certain system functions to access other users' files. | |||||
| CVE-2024-6845 | 1 Webdigit | 1 Chatbot With Chatgpt | 2026-01-20 | N/A | 5.3 MEDIUM |
| The Chatbot with ChatGPT WordPress plugin before 2.4.6 does not have proper authorization in one of its REST endpoints, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key. | |||||
| CVE-2026-0676 | | | 2026-01-20 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zorka: from n/a through <= 1.5.7. | |||||
| CVE-2026-0674 | | | 2026-01-20 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Campaign Monitor for WordPress: from n/a through <= 2.9.0. | |||||
| CVE-2025-69364 | | | 2026-01-20 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Breeze: from n/a through <= 2.2.21. | |||||
| CVE-2025-69363 | | | 2026-01-20 | N/A | 6.5 MEDIUM |
| Missing Authorization vulnerability in CyberChimps Responsive Addons for Elementor responsive-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Addons for Elementor: from n/a through <= 2.0.8. | |||||
| CVE-2025-69361 | | | 2026-01-20 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in PublishPress Post Expirator post-expirator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Expirator: from n/a through <= 4.9.3. | |||||
| CVE-2025-69359 | | | 2026-01-20 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Creator LMS: from n/a through <= 1.1.12. | |||||
| CVE-2025-69355 | | | 2026-01-20 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tickera: from n/a through <= 3.5.6.4. | |||||
| CVE-2025-69354 | | | 2026-01-20 | N/A | 5.4 MEDIUM |
| Missing Authorization vulnerability in BBR Plugins Better Business Reviews better-business-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Business Reviews: from n/a through <= 0.1.1. | |||||
| CVE-2025-69353 | | | 2026-01-20 | N/A | 5.4 MEDIUM |
| Missing Authorization vulnerability in Proxy & VPN Blocker Proxy & VPN Blocker proxy-vpn-blocker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Proxy & VPN Blocker: from n/a through <= 3.5.3. | |||||
| CVE-2025-69352 | | | 2026-01-20 | N/A | 5.4 MEDIUM |
| Missing Authorization vulnerability in StellarWP The Events Calendar the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar: from n/a through <= 6.15.12.2. | |||||
