Export limit exceeded: 11877 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11877 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-69010 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in themebeez Themebeez Toolkit themebeez-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Themebeez Toolkit: from n/a through <= 1.3.5. | ||||
| CVE-2025-69016 | 2 Averta, Wordpress | 2 Shortcodes And Extra Features For Phlox Theme, Wordpress | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.15. | ||||
| CVE-2025-69023 | 2 Marketingfire, Wordpress | 2 Discussion Board, Wordpress | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in Marketing Fire Discussion Board wp-discussion-board allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Discussion Board: from n/a through <= 2.5.7. | ||||
| CVE-2025-69028 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in BoldGrid weForms weforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weForms: from n/a through <= 1.6.25. | ||||
| CVE-2025-69052 | 2 Fmeaddons, Wordpress | 2 Registration And Login With Mobile Phone Number For Woocommerce, Wordpress | 2026-04-15 | 9.8 Critical |
| Missing Authorization vulnerability in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce registration-login-with-mobile-phone-number allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Registration & Login with Mobile Phone Number for WooCommerce: from n/a through <= 1.3.1. | ||||
| CVE-2025-69091 | 2 Kraftplugins, Wordpress | 2 Demo Importer Plus, Wordpress | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in Kraft Plugins Demo Importer Plus demo-importer-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Demo Importer Plus: from n/a through <= 2.0.8. | ||||
| CVE-2025-69093 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in wpdesk ShopMagic shopmagic-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopMagic: from n/a through <= 4.7.2. | ||||
| CVE-2024-43662 | 2026-04-15 | N/A | ||
| The <redacted>.exe or <redacted>.exe CGI binary can be used to upload arbitrary files to /tmp/upload/ or /tmp/ respectively as any user, although the user interface for uploading files is only shown to the iocadmin user. This issue affects Iocharger firmware for AC models before version 24120701. Likelihood: Moderate – An attacker will need to have knowledge of this CGI binary, e.g. by finding it in firmware. Furthermore, the attacker will need a (low privilege) account to gain access to the <redacted>.exe or <redacted>.exe CGI binary and upload the file, or convince a user with such access to upload it. Impact: Low – The attacker can upload arbitrary files to /tmp/upload/ or /tmp/. However, the attacker is unable to access or use these files without other vulnerabilities. CVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). Artitrary files can be uploaded, be these files will not be in a location where they can influence confidentiality or availability and have a minimal impact on device integrity (VC:N/VI:L/VA:N). There is no impact on subsequent systems. (SC:N/SI:N/SA:N). While this device is an EV charger handing significant amounts of power, we do not expect this vulnerability to have a safety impact. The attack can be automated (AU:Y). | ||||
| CVE-2025-66071 | 2 Tychesoftwares, Wordpress | 2 Custom Order Numbers For Woocommerce, Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in tychesoftwares Custom Order Numbers for WooCommerce custom-order-numbers-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom Order Numbers for WooCommerce: from n/a through <= 1.11.0. | ||||
| CVE-2024-12027 | 2 Kofimokome, Wordpress | 2 Message Filter For Contact Form 7, Wordpress | 2026-04-15 | 4.3 Medium |
| The Message Filter for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateFilter() and deleteFilter() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update and delete filters. | ||||
| CVE-2024-12028 | 1 Alex Kirk | 1 Friends | 2026-04-15 | 5.3 Medium |
| The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website, accept the friend request for the targeted website, and then communicate with the site as an accepted friend. | ||||
| CVE-2024-12110 | 2026-04-15 | 4.3 Medium | ||
| The Gold Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate() and deactivate() functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate and deactivate licenses. | ||||
| CVE-2024-12155 | 1 Straightvisions | 1 Sv100 Companion | 2026-04-15 | 9.8 Critical |
| The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the settings_import() function in all versions up to, and including, 2.0.02. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. CVE-2024-54229 may be a duplicate of this issue. | ||||
| CVE-2025-2719 | 2 Hasthemes, Wordpress | 2 Swatchly, Wordpress | 2026-04-15 | 6.5 Medium |
| The Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in versions 1.2.8 to 1.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 1/true on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny access to legitimate users or be used to set some values to true, such as registration. | ||||
| CVE-2025-29756 | 2026-04-15 | N/A | ||
| SunGrow's back end users system iSolarCloud https://isolarcloud.com uses an MQTT service to transport data from the user's connected devices to the user's web browser. The MQTT server however did not have sufficient restrictions in place to limit the topics that a user could subscribe to. While the data that is transmitted through the MQTT server is encrypted and the credentials for the MQTT server are obtained though an API call, the credentials could be used to subscribe to any topic and the encryption key can be used to decrypt all messages received. An attack with an account on iSolarCloud.com could extract MQTT credentials and the decryption key from the browser and then use an external program to subscribe to the topic '#' and thus recieve all messages from all connected devices. | ||||
| CVE-2025-48881 | 2026-04-15 | 8.3 High | ||
| Valtimo is a platform for Business Process Automation. In versions starting from 11.0.0.RELEASE to 11.3.3.RELEASE and 12.0.0.RELEASE to 12.12.0.RELEASE, all objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If object-urls are exposed via other channels, the contents of these objects can be viewed independent of object-management configurations. This issue has been patched in version 12.13.0.RELEASE. A workaround for this issue involves overriding the endpoint security as defined in ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer. Depending on the implementation, this could result in loss of functionality. | ||||
| CVE-2023-40327 | 2026-04-15 | 6.5 Medium | ||
| Missing Authorization vulnerability in Putler / Storeapps Putler Connector for WooCommerce.This issue affects Putler Connector for WooCommerce: from n/a through 2.12.0. | ||||
| CVE-2025-8322 | 1 Ventem | 1 E-school | 2026-04-15 | 8.8 High |
| The e-School from Ventem has a Missing Authorization vulnerability, allowing remote attackers with regular privilege to access administrator functions, including creating, modifying, and deleting accounts. They can even escalate any account to system administrator privilege. | ||||
| CVE-2025-66107 | 2 Scott Paterson, Wordpress | 2 Subscriptions & Memberships For Paypal, Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in Scott Paterson Subscriptions & Memberships for PayPal subscriptions-memberships-for-paypal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscriptions & Memberships for PayPal: from n/a through <= 1.1.7. | ||||
| CVE-2024-48787 | 1 Revic Optics | 1 Revic Ops Firmware | 2026-04-15 | 9.1 Critical |
| An issue in Revic Optics Revic Ops (us.revic.revicops) 1.12.5 allows a remote attacker to obtain sensitive information via the firmware update process. | ||||