Total
5561 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-59551 | 2025-09-22 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in WP Chill Revive.so allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Revive.so: from n/a through 2.0.6. | |||||
| CVE-2025-58222 | 2025-09-22 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in Maidul Team Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team Manager: from n/a through 2.3.14. | |||||
| CVE-2025-58969 | 2025-09-22 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in Greg Winiarski Custom Login URL allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Login URL: from n/a through 1.0.2. | |||||
| CVE-2025-58251 | 2025-09-22 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in POSIMYTH Sticky Header Effects for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sticky Header Effects for Elementor: from n/a through 2.1.2. | |||||
| CVE-2025-58680 | 2025-09-22 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in gutentor Gutentor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutentor: from n/a through 3.5.2. | |||||
| CVE-2025-58029 | 2025-09-22 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in Sumit Singh Classic Widgets with Block-based Widgets allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Classic Widgets with Block-based Widgets: from n/a through 1.0.1. | |||||
| CVE-2025-58003 | 2025-09-22 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in javothemes Javo Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Javo Core: from n/a through 3.0.0.266. | |||||
| CVE-2025-58664 | 2025-09-22 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Azizul Hasan Text To Speech TTS Accessibility allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Text To Speech TTS Accessibility: from n/a through 1.9.20. | |||||
| CVE-2025-58650 | 2025-09-22 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in Syed Balkhi All In One SEO Pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects All In One SEO Pack: from n/a through 4.8.7. | |||||
| CVE-2025-58667 | 2025-09-22 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in CridioStudio ListingPro Reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro Reviews: from n/a through 1.6. | |||||
| CVE-2025-58258 | 2025-09-22 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in nK Lazy Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lazy Blocks: from n/a through 4.1.0. | |||||
| CVE-2025-59561 | 2025-09-22 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in hashthemes Smart Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Blocks: from n/a through 2.4. | |||||
| CVE-2024-49357 | 1 Zimaspace | 1 Zimaos | 2025-09-22 | N/A | 7.5 HIGH |
| ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json` and `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json`, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by attackers to gain detailed knowledge about the system setup, installed applications, and other critical information. As of time of publication, no known patched versions are available. | |||||
| CVE-2025-9076 | 1 Mattermost | 1 Mattermost Server | 2025-09-20 | N/A | 6.5 MEDIUM |
| Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled. | |||||
| CVE-2025-7665 | 2025-09-19 | N/A | 8.1 HIGH | ||
| The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'handle_mofirebase_form_options' function in versions 3.1.0 to 3.6.2. This makes it possible for unauthenticated attackers to update the default role to Administrator. Premium features must be enabled in order to exploit the vulnerability. | |||||
| CVE-2025-10690 | 2025-09-19 | N/A | 9.8 CRITICAL | ||
| The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. | |||||
| CVE-2025-8487 | 2025-09-19 | N/A | 5.4 MEDIUM | ||
| The Kubio AI Page Builder plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the kubio-image-hub-install-plugin AJAX action in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Image Hub plugin. | |||||
| CVE-2025-22612 | 1 Coollabs | 1 Coolify | 2025-09-19 | N/A | 10.0 CRITICAL |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve any existing private keys on a coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can execute arbitrary commands on the remote server. Version 4.0.0-beta.374 fixes the issue. | |||||
| CVE-2025-22611 | 1 Coollabs | 1 Coolify | 2025-09-19 | N/A | 9.9 CRITICAL |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team members privileges to any role, including the owner role. He's also able to kick every other member out of the team, including admins and owners. This allows the attacker to access the `Terminal` feature and execute remote commands. Version 4.0.0-beta.361 fixes the issue. | |||||
| CVE-2025-22610 | 1 Coollabs | 1 Coolify | 2025-09-19 | N/A | 6.5 MEDIUM |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the global coolify instance OAuth configuration. This exposes the "client id" and "client secret" for every custom OAuth provider. The attacker can also modify the global OAuth configuration. Version 4.0.0-beta.361 fixes the issue. | |||||