Vulnerabilities (CVE)

Filtered by CWE-862
Total 6996 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-13391 2026-02-11 N/A 5.8 MEDIUM
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60.
CVE-2025-15400 2026-02-11 N/A 6.5 MEDIUM
The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated user, such as a subscriber, to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality.
CVE-2025-15524 2026-02-11 N/A 4.3 MEDIUM
The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve metadata (name, image count, thumbnail URL) of private, draft, and password-protected galleries by enumerating gallery IDs.
CVE-2026-1833 2026-02-11 N/A 5.3 MEDIUM
The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to block and unblock phone numbers, which should be restricted to administrators.
CVE-2026-1748 2026-02-11 N/A 4.3 MEDIUM
The Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve invoice clients, invoice items, and a list of WordPress users along with their emails.
CVE-2026-1786 2026-02-11 N/A 6.5 MEDIUM
The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dg_tw_options' function in all versions up to, and including, 1.11.25. This makes it possible for unauthenticated attackers to update plugin settings including Twitter API credentials, post author, post status, and the capability required to access the plugin's admin menu.
CVE-2026-0817 1 Wikimedia 1 Campaignevents 2026-02-10 N/A 5.3 MEDIUM
Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse. This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39.
CVE-2026-1897 1 Wekan Project 1 Wekan 2026-02-10 4.0 MEDIUM 4.3 MEDIUM
A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. It is advisable to upgrade the affected component.
CVE-2025-15289 1 Tanium 1 Interact 2026-02-10 N/A 3.1 LOW
Tanium addressed an improper access controls vulnerability in Interact.
CVE-2025-15330 1 Tanium 1 Deploy 2026-02-10 N/A 8.8 HIGH
Tanium addressed an improper input validation vulnerability in Deploy.
CVE-2025-15327 1 Tanium 1 Deploy 2026-02-10 N/A 4.3 MEDIUM
Tanium addressed an improper access controls vulnerability in Deploy.
CVE-2025-15326 1 Tanium 1 Patch 2026-02-10 N/A 4.3 MEDIUM
Tanium addressed an improper access controls vulnerability in Patch.
CVE-2026-0845 2026-02-10 N/A 7.2 HIGH
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVE-2025-14895 2026-02-10 N/A 5.4 MEDIUM
The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics.
CVE-2026-1722 2026-02-10 N/A 5.3 MEDIUM
The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings.
CVE-2026-1745 1 Oretnom23 1 Medical Certificate Generator App 2026-02-10 5.0 MEDIUM 4.3 MEDIUM
A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
CVE-2026-25752 1 Frangoteam 1 Fuxa 2026-02-10 N/A 9.1 CRITICAL
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnect devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
CVE-2026-24095 2026-02-09 N/A N/A
Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p21, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows users with the "Use WATO" permission to access the "Analyze configuration" page by directly navigating to its URL, bypassing the intended "Access analyze configuration" permission check. If these users also have the "Make changes, perform actions" permission, they can perform unauthorized actions such as disabling checks or acknowledging results.
CVE-2025-2848 1 Synology 2 Diskstation Manager, Mail Server 2026-02-09 N/A 6.3 MEDIUM
A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions.
CVE-2025-15476 2026-02-09 N/A 4.3 MEDIUM
The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add, delete, or modify arbitrary bucket list items.