Total
5923 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-66079 | 2 Jegstudio, Wordpress | 2 Gutenverse, Wordpress | 2025-11-24 | 7.3 High |
| Missing Authorization vulnerability in Jegstudio Gutenverse Form gutenverse-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gutenverse Form: from n/a through <= 2.2.0. | ||||
| CVE-2025-66113 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 5.4 Medium |
| Missing Authorization vulnerability in ThemeAtelier Better Chat Support for Messenger better-chat-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Better Chat Support for Messenger: from n/a through <= 1.2.18. | ||||
| CVE-2025-66072 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 9.8 Critical |
| Missing Authorization vulnerability in Stiofan UsersWP userswp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UsersWP: from n/a through <= 1.2.47. | ||||
| CVE-2025-66071 | 2 Tychesoftwares, Wordpress | 2 Custom Order Numbers For Woocommerce, Wordpress | 2025-11-24 | 9.8 Critical |
| Missing Authorization vulnerability in tychesoftwares Custom Order Numbers for WooCommerce custom-order-numbers-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom Order Numbers for WooCommerce: from n/a through <= 1.11.0. | ||||
| CVE-2025-13177 | 2 Bdtask, Codecanyon | 2 Saleserp, Saleserp | 2025-11-24 | 4.3 Medium |
| A vulnerability was detected in Bdtask/CodeCanyon SalesERP up to 20250728. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-13179 | 1 Bdtask | 2 Wholesale, Wholesale Inventory Control And Inventory Management System | 2025-11-24 | 4.3 Medium |
| A vulnerability has been found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. This issue affects some unknown processing. Such manipulation leads to cross-site request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-62293 | 1 Soplanning | 1 Soplanning | 2025-11-24 | 5.4 Medium |
| SOPlanning is vulnerable to Broken Access Control in /status endpoint. Due to lack of permission checks in Project Status functionality an authenticated attacker is able to add, edit and delete any status. This issue was fixed in version 1.55. | ||||
| CVE-2025-11003 | 2 Uipress, Wordpress | 2 Uipress Lite, Wordpress | 2025-11-24 | 6.4 Medium |
| The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_ui_template' function in all versions up to, and including, 3.5.08. This makes it possible for authenticated attackers, with Subscriber-level access and above, to save templates that contain custom JavaScript. | ||||
| CVE-2025-10938 | 2 Uipress, Wordpress | 2 Uipress Lite, Wordpress | 2025-11-24 | 6.5 Medium |
| The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uip_process_block_query' AJAX function. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive user data including password hashes, emails, and other user information that could be used for account takeover attacks. | ||||
| CVE-2025-12170 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 5.3 Medium |
| The Checkbox plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_ajax_nopriv_checkbox_clean_log' AJAX endpoint in all versions up to, and including, 2.8.10. This makes it possible for unauthenticated attackers to clear log files. | ||||
| CVE-2025-13149 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 4.3 Medium |
| The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the "saveFutureActionData" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint. | ||||
| CVE-2025-11773 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 4.3 Medium |
| The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveDeployedContract' function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the WordPress option `tokenico_deployed_contracts`, poisoning the smart contract addresses displayed. | ||||
| CVE-2025-11985 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 8.8 High |
| The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings' function in versions 0.1 to 0.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | ||||
| CVE-2025-66082 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 4.3 Medium |
| Missing Authorization vulnerability in magepeopleteam WpEvently mage-eventpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpEvently: from n/a through <= 5.0.4. | ||||
| CVE-2025-66063 | 2 Jgwhite33, Wordpress | 2 Wp Google Review Slider, Wordpress | 2025-11-24 | 5.4 Medium |
| Missing Authorization vulnerability in jgwhite33 WP Google Review Slider wp-google-places-review-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Google Review Slider: from n/a through <= 17.4. | ||||
| CVE-2025-66085 | 2 Tychesoftwares, Wordpress | 2 Arconix Shortcodes, Wordpress | 2025-11-24 | 4.3 Medium |
| Missing Authorization vulnerability in tychesoftwares Arconix Shortcodes arconix-shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Arconix Shortcodes: from n/a through <= 2.1.18. | ||||
| CVE-2025-66065 | 2 Jegstudio, Wordpress | 2 Gutenverse, Wordpress | 2025-11-24 | 5.3 Medium |
| Missing Authorization vulnerability in Jegstudio Gutenverse gutenverse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gutenverse: from n/a through <= 3.2.1. | ||||
| CVE-2025-66084 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 4.3 Medium |
| Missing Authorization vulnerability in Shahjahan Jewel FluentCommunity fluent-community allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentCommunity: from n/a through <= 2.0.0. | ||||
| CVE-2025-66087 | 2 Propertyhive, Wordpress | 2 Propertyhive, Wordpress | 2025-11-24 | 5.3 Medium |
| Missing Authorization vulnerability in Property Hive PropertyHive propertyhive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PropertyHive: from n/a through <= 2.1.12. | ||||
| CVE-2025-66083 | 1 Wordpress | 1 Wordpress | 2025-11-24 | 4.3 Medium |
| Missing Authorization vulnerability in magepeopleteam WpEvently mage-eventpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpEvently: from n/a through <= 5.0.4. | ||||