Total
6996 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1153 | 1 Technical-laohu | 1 Mpay | 2026-02-06 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. | |||||
| CVE-2026-1499 | 2026-02-06 | N/A | 9.8 CRITICAL | ||
| The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution. | |||||
| CVE-2025-10753 | 2026-02-06 | N/A | 5.3 MEDIUM | ||
| The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the 'oauthredirect' option parameter. This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter granted they can access the site directly. | |||||
| CVE-2025-27461 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-02-06 | N/A | 7.6 HIGH |
| During startup, the device automatically logs in the EPC2 Windows user without requesting a password. | |||||
| CVE-2026-23875 | 1 Crawlchat | 1 Crawlchat | 2026-02-05 | N/A | 5.4 MEDIUM |
| CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a non-existing permission check for the CrawlChat's Discord bot allows non-manage guild users to put malicious content onto the collection knowledge base. Usually, admin / mods of a Discord guild use the `jigsaw` emoji to save a specific message (chain) onto the collection's knowledge base of CrawlChat. Unfortunately an permission check (for e.g. MANAGE_SERVER; MANAGE_MESSAGES etc.) was not done, allowing normal users of the guild to information to the knowledge base. With targeting specific parts that are commonly asked, users can manipulate the content given out by the bot (on all integrations), to e.g. redirect users to a malicious site, or send information to a malicious user. Version 0.0.8 patches the issue. | |||||
| CVE-2026-25028 | 2026-02-05 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.4.1. | |||||
| CVE-2025-14079 | 2026-02-05 | N/A | 5.3 MEDIUM | ||
| The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action. | |||||
| CVE-2025-13416 | 2026-02-05 | N/A | 4.3 MEDIUM | ||
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action. | |||||
| CVE-2025-63294 | 1 Workdo | 1 Hrm Saas | 2026-02-04 | N/A | 6.5 MEDIUM |
| WorkDo HRM SaaS HR and Payroll Tool 8.1 is affected vulnerable to Insecure Permissions. An authenticated user can create leave or resignation records on behalf of other users. | |||||
| CVE-2025-15285 | 2026-02-04 | N/A | 7.5 HIGH | ||
| The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories. | |||||
| CVE-2025-15260 | 2026-02-04 | N/A | 6.5 MEDIUM | ||
| The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it possible for authenticated attackers, with subscriber level access and above, to modify, add, or delete loyalty program earning rules, including manipulating point multipliers to arbitrary values. | |||||
| CVE-2026-0572 | 2026-02-04 | N/A | 6.5 MEDIUM | ||
| The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settings. | |||||
| CVE-2026-0679 | 2026-02-04 | N/A | 5.3 MEDIUM | ||
| The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order statuses to paid/processing/completed, effectively allowing them to mark orders as paid without payment. | |||||
| CVE-2025-14461 | 2026-02-04 | N/A | 5.3 MEDIUM | ||
| The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by sending a crafted POST request to the callback URL with a JSON body containing an `external_id` matching the order ID pattern and a `status` of 'PAID' or 'SETTLED', granted they can enumerate order IDs (which are sequential integers). This leads to orders being fraudulently marked as completed without any actual payment, resulting in financial loss and inventory depletion. | |||||
| CVE-2025-15507 | 2026-02-04 | N/A | 5.3 MEDIUM | ||
| The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance. | |||||
| CVE-2026-1835 | 2026-02-04 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. | |||||
| CVE-2025-54159 | 1 Synology | 1 Beedrive | 2026-02-04 | N/A | 7.5 HIGH |
| Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors. | |||||
| CVE-2026-1751 | 1 Gitlab | 1 Gitlab | 2026-02-04 | N/A | 3.1 LOW |
| A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions. | |||||
| CVE-2025-48784 | 1 Scshr | 1 Hr Portal | 2026-02-04 | N/A | 7.5 HIGH |
| A missing authorization vulnerability in Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to modify system settings without prior authorization. | |||||
| CVE-2026-24951 | 2026-02-03 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.7.3. | |||||