Total
4842 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2821 | 2025-05-07 | N/A | 5.3 MEDIUM | ||
| The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_rest_permission function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to modify plugin settings, excluding content from search results. | |||||
| CVE-2024-2702 | 1 Olivethemes | 1 Olive One Click Demo Import | 2025-05-07 | N/A | 8.2 HIGH |
| Missing Authorization vulnerability in Olive Themes Olive One Click Demo Import allows importing settings and data, ultimately leading to XSS.This issue affects Olive One Click Demo Import: from n/a through 1.1.1. | |||||
| CVE-2025-3915 | 1 Aeropage | 1 Aeropage Sync For Airtable | 2025-05-06 | N/A | 4.3 MEDIUM |
| The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts. | |||||
| CVE-2022-3096 | 1 Wp Total Hacks Project | 1 Wp Total Hacks | 2025-05-06 | N/A | 5.4 MEDIUM |
| The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well. | |||||
| CVE-2024-1385 | 1 Udx | 1 Wp-stateless | 2025-05-06 | N/A | 7.1 HIGH |
| The WP-Stateless – Google Cloud Storage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the dismiss_notices() function in all versions up to, and including, 3.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary option values to the current time, which may completely take a site offline. | |||||
| CVE-2025-4179 | 1 Flynax | 1 Flynax Bridge | 2025-05-06 | N/A | 7.3 HIGH |
| The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capability check on the registerUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to register new user accounts as authors. | |||||
| CVE-2025-4177 | 1 Flynax | 1 Flynax Bridge | 2025-05-06 | N/A | 5.3 MEDIUM |
| The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users. | |||||
| CVE-2025-1304 | 1 Spicethemes | 1 Newsblogger | 2025-05-06 | N/A | 8.8 HIGH |
| The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger_install_and_activate_plugin() function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2025-3452 | 1 Secupress | 1 Secupress | 2025-05-06 | N/A | 4.3 MEDIUM |
| The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins. | |||||
| CVE-2025-1326 | 1 Favethemes | 1 Homey | 2025-05-06 | N/A | 4.3 MEDIUM |
| The Homey theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the homey_reservation_del() function in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary reservations and posts. | |||||
| CVE-2024-13420 | 1 G5plus | 4 April, Auteur, Benaa and 1 more | 2025-05-06 | N/A | 4.3 MEDIUM |
| Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access due to a missing capability check on several AJAX actions like 'gsf_reset_section_options', 'gsf_reset_section_options', 'gsf_create_preset_options' and more in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset and modify some of the plugin/theme settings. This issue was escalated to Envato over two months from the date of this disclosure and the issues, while partially patched, are still vulnerable. | |||||
| CVE-2024-13419 | 1 G5plus | 4 April, Auteur, Benaa and 1 more | 2025-05-06 | N/A | 6.4 MEDIUM |
| Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functions in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings which includes custom JavaScript that is enabled site-wide. This issue was escalated to Envato over two months from the date of this disclosure and the issue is still vulnerable. | |||||
| CVE-2024-27906 | 1 Apache | 1 Airflow | 2025-05-06 | N/A | 5.9 MEDIUM |
| Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability | |||||
| CVE-2022-2108 | 1 Wbcomdesigns | 1 Buddypress Group Reviews | 2025-05-05 | N/A | 6.5 MEDIUM |
| The plugin Wbcom Designs – BuddyPress Group Reviews for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to said actions in versions up to, and including, 2.8.3. This makes it possible for unauthenticated attackers to modify reviews and plugin settings on the affected site. | |||||
| CVE-2022-1442 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2025-05-05 | 5.0 MEDIUM | 7.5 HIGH |
| The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3. | |||||
| CVE-2022-36912 | 1 Jenkins | 1 Openstack Heat | 2025-05-05 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Openstack Heat Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2023-6955 | 1 Gitlab | 1 Gitlab | 2025-05-05 | N/A | 6.6 MEDIUM |
| A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. | |||||
| CVE-2024-57682 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | N/A | 6.5 MEDIUM |
| An information disclosure vulnerability in the component d_status.asp of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to access sensitive information via a crafted POST request. | |||||
| CVE-2025-3953 | 2025-05-02 | N/A | 6.5 MEDIUM | ||
| The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings. | |||||
| CVE-2025-4095 | 2025-05-02 | N/A | N/A | ||
| Registry Access Management (RAM) is a security feature allowing administrators to restrict access for their developers to only allowed registries. When a MacOS configuration profile is used to enforce organization sign-in, the RAM policies are not being applied, which would allow Docker Desktop users to pull down unapproved, and potentially malicious images from any registry. | |||||