Total
7124 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3876 | 1 Cozyvision | 1 Sms Alert Order Notifications | 2025-05-21 | N/A | 8.8 HIGH |
| The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insufficient user OTP validation in the handleWpLoginCreateUserAction() function in all versions up to, and including, 3.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate any account by supplying its username or email and elevate their privileges to that of an administrator. | |||||
| CVE-2025-22385 | 1 Optimizely | 1 Configured Commerce | 2025-05-20 | N/A | 5.9 MEDIUM |
| An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested storefront accounts can be created on behalf of visitors. | |||||
| CVE-2023-50976 | 1 Redpanda | 1 Redpanda | 2025-05-20 | N/A | 9.8 CRITICAL |
| Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authorization checks in the Transactions API. | |||||
| CVE-2022-40316 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2025-05-20 | N/A | 4.3 MEDIUM |
| The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to. | |||||
| CVE-2024-5570 | 1 Zitscher | 1 Simple Photoswipe | 2025-05-19 | N/A | 6.5 MEDIUM |
| The Simple Photoswipe WordPress plugin through 0.1 does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them | |||||
| CVE-2025-31071 | 2025-05-19 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in themeton HotStar – Multi-Purpose Business Theme allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HotStar – Multi-Purpose Business Theme: from n/a through 1.4. | |||||
| CVE-2025-31630 | 2025-05-19 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in themeton The Business allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Business: from n/a through 1.6.1. | |||||
| CVE-2025-31065 | 2025-05-19 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in themeton Rozario allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rozario: from n/a through 1.4. | |||||
| CVE-2025-4477 | 2025-05-19 | N/A | 7.2 HIGH | ||
| The ThreatSonar Anti-Ransomware from TeamT5 has a Privilege Escalation vulnerability, allowing remote attackers with intermediate privileges to escalate their privileges to highest administrator level through a specific API. | |||||
| CVE-2025-3952 | 1 Projectopia | 1 Projectopia | 2025-05-19 | N/A | 8.1 HIGH |
| The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'pto_remove_logo' function in all versions up to, and including, 5.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users. | |||||
| CVE-2024-10008 | 1 Masteriyo | 1 Masteriyo | 2025-05-17 | N/A | 8.8 HIGH |
| The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes it possible for authenticated attackers, with student-level access and above, to modify the roles of arbitrary users. As a result, attackers can escalate their privileges to the Administrator and demote existing administrators to students. | |||||
| CVE-2024-36036 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2025-05-16 | N/A | 4.2 MEDIUM |
| Zoho ManageEngine ADAudit Plus versions 7260 and below allows unauthorized local agent machine users to access sensitive information and modifying the agent configuration. | |||||
| CVE-2025-4430 | 2025-05-16 | N/A | N/A | ||
| Unauthorized access to "/api/Token/gettoken" endpoint in EZD RP allows file manipulation.This issue affects EZD RP in versions before 20.19 (published on 22nd August 2024). | |||||
| CVE-2024-58101 | 2025-05-16 | N/A | 8.1 HIGH | ||
| Samsung Galaxy Buds and Galaxy Buds 2 audio devices are Bluetooth pairable by default without user input nor a way to stop this mode. As a consequence, audio playback takeover or even microphone recording without user consent or notification is achieved. Note: This is considered a low severity vulnerability by the vendor. | |||||
| CVE-2024-56006 | 2025-05-16 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in Automattic Jetpack Debug Tools.This issue affects Jetpack Debug Tools: from n/a before 2.0.1. | |||||
| CVE-2025-3624 | 2025-05-16 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component).This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.4-00. | |||||
| CVE-2023-7268 | 1 Artplacer | 1 Artplacer Widget | 2025-05-16 | N/A | 6.5 MEDIUM |
| The ArtPlacer Widget WordPress plugin before 2.21.2 does not have authorisation check in place when deleting widgets, allowing ay authenticated users, such as subscriber, to delete arbitrary widgets | |||||
| CVE-2024-1110 | 1 Podlove | 1 Podlove Podcast Publisher | 2025-05-15 | N/A | 5.3 MEDIUM |
| The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init() function in all versions up to, and including, 4.0.11. This makes it possible for unauthenticated attackers to import the plugin's settings. | |||||
| CVE-2024-0797 | 1 Pluginus | 1 Woot | 2025-05-15 | N/A | 4.3 MEDIUM |
| The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 1.0.6.1. This makes it possible for subscribers and higher to execute functions intended for admin use. | |||||
| CVE-2024-0324 | 1 Cozmoslabs | 1 Profile Builder | 2025-05-15 | N/A | 8.2 HIGH |
| The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles. | |||||