Total
7706 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-33558 | 1 8theme | 1 Xstore Core | 2025-02-21 | 6.5 Medium |
| Missing Authorization vulnerability in 8theme XStore Core.This issue affects XStore Core: from n/a through 5.3.5. | ||||
| CVE-2024-45461 | 1 Apache | 1 Cloudstack | 2025-02-21 | 5.7 Medium |
| The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false". | ||||
| CVE-2023-20959 | 1 Google | 1 Android | 2025-02-21 | 7.8 High |
| In AddSupervisedUserActivity, guest users are not prevented from starting the activity due to missing permissions checks. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-249057848 | ||||
| CVE-2024-13677 | 1 Istmoplugins | 1 Get Bookings Wp | 2025-02-21 | 8.8 High |
| The GetBookingsWP – Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | ||||
| CVE-2025-0939 | 1 Dcooperman | 1 Magicform | 2025-02-21 | 6.3 Medium |
| The MagicForm plugin for WordPress is vulnerable to access and modification of data due to a missing capability check on the plugin's AJAX actions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke those actions in order to delete or view logs, modify forms or modify plugin settings. | ||||
| CVE-2024-13783 | 1 Ncrafts | 1 Formcraft | 2025-02-21 | 4.3 Medium |
| The FormCraft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in formcraft-main.php in all versions up to, and including, 3.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export all plugin data which may contain sensitive information from form submissions. | ||||
| CVE-2022-36340 | 1 Mailoptin | 1 Mailoptin | 2025-02-20 | 6.5 Medium |
| Unauthenticated Optin Campaign Cache Deletion vulnerability in MailOptin plugin <= 1.2.49.0 at WordPress. | ||||
| CVE-2022-36404 | 1 Coleds | 1 Simple Seo | 2025-02-20 | 5.4 Medium |
| Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in David Cole Simple SEO (WordPress plugin) plugin <= 1.8.12 versions. | ||||
| CVE-2022-40223 | 1 Searchwp | 1 Searchwp | 2025-02-20 | 5.4 Medium |
| Nonce token leakage and missing authorization in SearchWP premium plugin <= 4.2.5 on WordPress leading to plugin settings change. | ||||
| CVE-2022-41692 | 1 Dwbooster | 1 Appointment Hour Booking | 2025-02-20 | 4.3 Medium |
| Missing Authorization vulnerability in Appointment Hour Booking plugin <= 1.3.71 on WordPress. | ||||
| CVE-2022-43482 | 1 Codepeople | 1 Appointment Booking Calendar | 2025-02-20 | 4.3 Medium |
| Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress. | ||||
| CVE-2023-35093 | 1 Stylemixthemes | 1 Masterstudy Lms | 2025-02-19 | 6.5 Medium |
| Broken Access Control vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin <= 3.0.8 versions allows any logged-in users, such as subscribers to view the "Orders" of the plugin and get the data related to the order like email, username, and more. | ||||
| CVE-2023-0335 | 1 Wpvar | 1 Wp Shamsi | 2025-02-19 | 6.5 Medium |
| The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment. | ||||
| CVE-2023-0336 | 1 Ooohboi Steroids For Elementor Project | 1 Ooohboi Steroids For Elementor | 2025-02-19 | 6.5 Medium |
| The OoohBoi Steroids for Elementor WordPress plugin before 2.1.5 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment. | ||||
| CVE-2023-28640 | 1 Apiman | 1 Apiman | 2025-02-19 | 6.4 Medium |
| Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client ID, and Client Version of the targeted non-permitted resource. While not trivial to exploit, it could be achieved by brute-forcing or guessing common names. Access to the non-permitted API Keys could allow use of other users' resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security). Apiman 3.1.0.Final resolved this issue. Users are advised to upgrade. The only known workaround is to restrict account access. | ||||
| CVE-2023-27701 | 1 Muyucms | 1 Muyucms | 2025-02-18 | 8.1 High |
| MuYuCMS v2.2 was discovered to contain an arbitrary file deletion vulnerability via the component /database/sqldel.html. | ||||
| CVE-2021-42359 | 1 Legalweb | 1 Wp Dsgvo Tools | 2025-02-14 | 7.5 High |
| WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, ‘admin-dismiss-unsubscribe‘, which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the “action” parameter set to “admin-dismiss-unsubscribe” and the “id” parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question. | ||||
| CVE-2021-4074 | 1 I-plugins | 1 Whmcs Bridge | 2025-02-14 | 6.4 Medium |
| The WHMCS Bridge WordPress plugin is vulnerable to Stored Cross-Site Scripting via the cc_whmcs_bridge_url parameter found in the ~/whmcs-bridge/bridge_cp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1. Due to missing authorization checks on the cc_whmcs_bridge_add_admin function, low-level authenticated users such as subscribers can exploit this vulnerability. | ||||
| CVE-2024-27190 | 1 Jeandaviddaviet | 1 Download Media | 2025-02-14 | 4.3 Medium |
| Missing Authorization vulnerability in Jean-David Daviet Download Media.This issue affects Download Media: from n/a through 1.4.2. | ||||
| CVE-2021-42367 | 1 Variation Swatches For Woocommerce Project | 1 Variation Swatches For Woocommerce | 2025-02-13 | 6.4 Medium |
| The Variation Swatches for WooCommerce WordPress plugin is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. Due to missing authorization checks on the tawcvs_save_settings function, low-level authenticated users such as subscribers can exploit this vulnerability. | ||||