Total
4648 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-1502 | 1 Themeum | 1 Tutor Lms | 2025-01-15 | N/A | 5.4 MEDIUM |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tutor_delete_announcement() function in all versions up to, and including, 2.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts. | |||||
| CVE-2024-1133 | 1 Themeum | 1 Tutor Lms | 2025-01-15 | N/A | 4.3 MEDIUM |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of restricted Q&A content due to a missing capability check when interacting with questions in all versions up to, and including, 2.6.0. This makes it possible for authenticated attackers, with subscriber access or higher, to interact with questions in courses in which they are not enrolled including private courses. | |||||
| CVE-2024-1127 | 1 Metagauss | 1 Eventprime | 2025-01-15 | N/A | 4.3 MEDIUM |
| The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the booking_export_all() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve all event booking which can contain PII. | |||||
| CVE-2024-1126 | 1 Metagauss | 1 Eventprime | 2025-01-15 | N/A | 5.3 MEDIUM |
| The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_attendees_email_by_event_id() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to to retrieve the attendees list for any event. | |||||
| CVE-2024-4205 | 1 Leap13 | 1 Premium Addons For Elementor | 2025-01-15 | N/A | 4.3 MEDIUM |
| The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content() function in all versions up to, and including, 4.10.31. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve Elementor template data. | |||||
| CVE-2024-2298 | 1 Servit | 1 Affiliate-toolkit | 2025-01-15 | N/A | 4.3 MEDIUM |
| The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_import_product() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating importing products. | |||||
| CVE-2024-1851 | 1 Servit | 1 Affiliate-toolkit | 2025-01-15 | N/A | 6.3 MEDIUM |
| The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_create_list() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating product lists. | |||||
| CVE-2024-1130 | 1 Basixonline | 1 Nex-forms | 2025-01-15 | N/A | 5.3 MEDIUM |
| The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the set_read() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark records as read. | |||||
| CVE-2024-1129 | 1 Basixonline | 1 Nex-forms | 2025-01-15 | N/A | 5.3 MEDIUM |
| The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the set_starred() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark records as starred. | |||||
| CVE-2024-0907 | 1 Basixonline | 1 Nex-forms | 2025-01-15 | N/A | 5.3 MEDIUM |
| The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the restore_records() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to restore records. | |||||
| CVE-2023-4627 | 1 Ladipage | 1 Ladipage | 2025-01-15 | N/A | 4.3 MEDIUM |
| The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_config() function in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to update the 'ladipage_config' option. | |||||
| CVE-2025-22779 | 2025-01-15 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Ugur CELIK WP News Sliders allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP News Sliders: from n/a through 1.0. | |||||
| CVE-2025-22737 | 2025-01-15 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in MagePeople Team WpTravelly allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WpTravelly: from n/a through 1.8.5. | |||||
| CVE-2025-22729 | 2025-01-15 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Infomaniak Staff VOD Infomaniak allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VOD Infomaniak: from n/a through 1.5.9. | |||||
| CVE-2024-56295 | 2025-01-15 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in Poll Maker Team Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Poll Maker: from n/a through 5.5.6. | |||||
| CVE-2024-11851 | 2025-01-15 | N/A | 4.3 MEDIUM | ||
| The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to integers and not arbitrary values. | |||||
| CVE-2024-11848 | 2025-01-15 | N/A | 8.1 HIGH | ||
| The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nitropack_dismiss_notice_forever' AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of '1' which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition. | |||||
| CVE-2024-4444 | 1 Thimpress | 1 Learnpress | 2025-01-14 | N/A | 5.3 MEDIUM |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled. | |||||
| CVE-2024-29241 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-01-14 | N/A | 9.9 CRITICAL |
| Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to bypass security constraints via unspecified vectors. | |||||
| CVE-2024-29240 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-01-14 | N/A | 4.3 MEDIUM |
| Missing authorization vulnerability in LayoutSave webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to conduct denial-of-service attacks via unspecified vectors. | |||||