Total: 1112 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12427 | 2 Wordpress, Yithemes | 2 Wordpress, Yith Woocommerce Wishlist | 2025-11-20 | 5.3 Medium |
| The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale. | ||||
| CVE-2025-12524 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 5.4 Medium |
| The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact. | ||||
| CVE-2025-58627 | 1 Wordpress | 1 Wordpress | 2025-11-17 | 9.8 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Miraculous Core Plugin: from n/a through < 2.0.9. | ||||
| CVE-2025-8855 | 1 Optimus Software | 1 Brokerage Automation | 2025-11-15 | 8.1 High |
| Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information. This issue affects Brokerage Automation: before 1.1.71. | ||||
| CVE-2025-31357 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An unauthenticated attacker can obtain a user's plant list by knowing the username. | ||||
| CVE-2025-31933 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An unauthenticated attacker can check the existence of usernames in the system by querying an API. | ||||
| CVE-2025-31941 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An unauthenticated attacker can obtain a list of smart devices by knowing a valid username. | ||||
| CVE-2025-31949 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An authenticated attacker can obtain any plant name by knowing the plant ID. | ||||
| CVE-2025-24315 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users). | ||||
| CVE-2025-24850 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An attacker can export other users' plant information. | ||||
| CVE-2025-25276 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An unauthenticated attacker can hijack other users' devices and potentially control them. | ||||
| CVE-2025-26857 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers). | ||||
| CVE-2025-27561 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| Unauthenticated attackers can rename "rooms" of arbitrary users. | ||||
| CVE-2025-27565 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs. | ||||
| CVE-2025-27575 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID. | ||||
| CVE-2025-27719 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| Unauthenticated attackers can query an API endpoint and get device details. | ||||
| CVE-2025-27927 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| Unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API. | ||||
| CVE-2025-27929 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| Unauthenticated attackers can retrieve the full list of users associated with arbitrary accounts. | ||||
| CVE-2025-30257 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| Unauthenticated attackers can retrieve the serial number of smart meters associated with a specific user account. | ||||
| CVE-2025-31147 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. | ||||
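Every entry above is the same defect: an endpoint resolves an object from a caller-supplied key (wishlist token, post ID, room ID, charger ID, username) and never checks that the object belongs to the caller, or even that there is a caller. The in-memory model below is an added example, not code from any of the listed vendors or from the CVE records; the `RoomApi` class, its `rename_vulnerable` / `rename_fixed` handlers, the `Room` fields and the sample rooms are all constructed here for illustration. It shows the CWE-639 pattern beside its hardened form and the mass-tampering walk over a sequential ID space that several of the descriptions warn about.

```python
from dataclasses import dataclass


@dataclass
class Room:
    room_id: int
    owner: str   # account that created the room (hypothetical field)
    name: str


def sample_rooms():
    # Constructed sample data; fresh objects on each call because the handlers mutate them.
    return [Room(1, "alice", "Garage"), Room(2, "bob", "Kitchen"), Room(3, "alice", "Roof")]


class RoomApi:
    """Two versions of one 'rename room' endpoint, both keyed by a caller-supplied room_id."""

    def __init__(self, rooms):
        self.rooms = {r.room_id: r for r in rooms}

    def rename_vulnerable(self, caller, room_id, new_name):
        # CWE-639: the object is resolved from the user-controlled key alone.
        # `caller` is accepted but never consulted, so an unauthenticated
        # request (caller=None) that guesses a live room_id succeeds.
        room = self.rooms.get(room_id)
        if room is None:
            return 404, "not found"
        room.name = new_name
        return 200, room.name

    def rename_fixed(self, caller, room_id, new_name):
        # Authenticate first, then authorize by binding the object to the principal.
        if caller is None:
            return 401, "authentication required"
        room = self.rooms.get(room_id)
        # One response for "does not exist" and "exists but is not yours", so the
        # endpoint cannot be used to confirm which IDs are live. Swapping the
        # integer for an unguessable token would only raise the cost of guessing;
        # the ownership comparison is what actually closes the hole.
        if room is None or room.owner != caller:
            return 404, "not found"
        room.name = new_name
        return 200, room.name


def mass_rename(api, endpoint, caller, id_range, new_name):
    """Walk a sequential ID space and return the room_ids the caller managed to rename."""
    return [rid for rid in id_range if endpoint(caller, rid, new_name)[0] == 200]


def demo():
    """Vulnerable: an anonymous caller renames every room. Fixed: only the owner's rooms change."""
    api = RoomApi(sample_rooms())
    anon_hits = mass_rename(api, api.rename_vulnerable, None, range(1, 10), "pwned")
    api = RoomApi(sample_rooms())
    anon_blocked = mass_rename(api, api.rename_fixed, None, range(1, 10), "pwned")
    bob_hits = mass_rename(api, api.rename_fixed, "bob", range(1, 10), "pwned")
    return anon_hits, anon_blocked, bob_hits


if __name__ == "__main__":
    print(demo())  # ([1, 2, 3], [], [2])
```

The check that matters is the `room.owner != caller` comparison: the lookup is scoped to the authenticated principal rather than to whatever key the request carried. Returning the same 404 for a foreign object and a missing one is what keeps the same endpoint from doubling as the existence oracle described in the Growatt username and plant-ID entries.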