Export limit exceeded: 11864 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11864 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-62506 | 1 Minio | 1 Minio | 2026-04-15 | 8.1 High |
| MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing operations on their own account, specifically when creating new service accounts for the same user. The vulnerability exists in the IAM policy validation logic where the code incorrectly relied on the DenyOnly argument when validating session policies for restricted accounts. When a session policy is present, the system should validate that the action is allowed by the session policy, not just that it is not denied. An attacker with valid credentials for a restricted service or STS account can create a new service account for itself without policy restrictions, resulting in a new service account with full parent privileges instead of being restricted by the inline policy. This allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope. The vulnerability is fixed in version RELEASE.2025-10-15T17-29-55Z. | ||||
| CVE-2025-69193 | 2 E-plugins, Wordpress | 2 Wp Membership, Wordpress | 2026-04-15 | 7.3 High |
| Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Membership: from n/a through <= 1.6.4. | ||||
| CVE-2025-69192 | 2 E-plugins, Wordpress | 2 Real Estate Pro, Wordpress | 2026-04-15 | 7.3 High |
| Missing Authorization vulnerability in e-plugins Real Estate Pro real-estate-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Real Estate Pro: from n/a through <= 2.1.5. | ||||
| CVE-2025-69191 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.3 High |
| Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingHub: from n/a through <= 1.2.7. | ||||
| CVE-2025-69190 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.3 High |
| Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Listihub: from n/a through <= 1.0.6. | ||||
| CVE-2025-69188 | 2 E-plugins, Wordpress | 2 Fitness Trainer, Wordpress | 2026-04-15 | 7.3 High |
| Missing Authorization vulnerability in e-plugins fitness-trainer fitness-trainer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects fitness-trainer: from n/a through <= 1.7.1. | ||||
| CVE-2025-69187 | 2 E-plugins, Wordpress | 2 Final User, Wordpress | 2026-04-15 | 7.3 High |
| Missing Authorization vulnerability in e-plugins Final User final-user allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Final User: from n/a through <= 1.2.5. | ||||
| CVE-2025-69186 | 2 E-plugins, Wordpress | 2 Hospital & Doctor Directory, Wordpress | 2026-04-15 | 7.3 High |
| Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | ||||
| CVE-2025-69185 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.3 High |
| Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Listing: from n/a through <= 1.4.2. | ||||
| CVE-2025-69184 | 2 E-plugins, Wordpress | 2 Institutions Directory, Wordpress | 2026-04-15 | 7.3 High |
| Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Institutions Directory: from n/a through <= 1.3.4. | ||||
| CVE-2025-69181 | 2 E-plugins, Wordpress | 2 Lawyer Directory, Wordpress | 2026-04-15 | 7.3 High |
| Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lawyer Directory: from n/a through <= 1.3.4. | ||||
| CVE-2025-68896 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Missing Authorization vulnerability in vrpr WDV One Page Docs wdv-one-page-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WDV One Page Docs: from n/a through <= 1.2.4. | ||||
| CVE-2025-62740 | 2 Mario Peshev, Wordpress | 2 Wp-crm-system, Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CRM System: from n/a through <= 3.4.6. | ||||
| CVE-2025-26661 | 2026-04-15 | 8.8 High | ||
| Due to missing authorization check, SAP NetWeaver (ABAP Class Builder) allows an attacker to gain higher access levels than they should have, resulting in escalation of privileges. On successful exploitation, this could result in disclosure of highly sensitive information. It could also have a high impact on the integrity and availability of the application. | ||||
| CVE-2025-6814 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.5 High |
| The Booking X plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_now() function in versions 1.0 to 1.1.2. This makes it possible for unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request. | ||||
| CVE-2025-6813 | 2026-04-15 | 8.8 High | ||
| The aapanel WP Toolkit plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within the auto_login() function in versions 1.0 to 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass all role checks and gain full admin privileges. | ||||
| CVE-2025-62883 | 2 Premmerce, Wordpress | 2 User Roles, Wordpress | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in Premmerce Premmerce User Roles premmerce-user-roles allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Premmerce User Roles: from n/a through <= 1.0.13. | ||||
| CVE-2025-68088 | 2 Merkulove, Wordpress | 2 Huger For Elementor, Wordpress | 2026-04-15 | 5.4 Medium |
| Missing Authorization vulnerability in merkulove Huger for Elementor huger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Huger for Elementor: from n/a through <= 1.1.5. | ||||
| CVE-2025-6380 | 2026-04-15 | 9.8 Critical | ||
| The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin’s permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment post, but does not verify the requester’s identity or capabilities. This makes it possible for unauthenticated attackers to log in as an arbitrary user. | ||||
| CVE-2025-68086 | 2 Merkulove, Wordpress | 2 Reformer For Elementor, Wordpress | 2026-04-15 | 5.4 Medium |
| Missing Authorization vulnerability in merkulove Reformer for Elementor reformer-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reformer for Elementor: from n/a through <= 1.0.6. | ||||