Total
6161 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-64639 | 3 Mainwp, Wordpress, Wp Compress | 3 Mainwp, Wordpress, For Mainwp | 2025-12-16 | 5.3 Medium |
| Missing Authorization vulnerability in WP Compress WP Compress for MainWP wp-compress-mainwp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Compress for MainWP: from n/a through <= 6.50.07. | ||||
| CVE-2025-64244 | 3 Codexpert, Elementor, Wordpress | 3 Restrict Elementor Widgets Columns And Sections, Elementor, Wordpress | 2025-12-16 | 4.3 Medium |
| Missing Authorization vulnerability in Codexpert, Inc Restrict Elementor Widgets, Columns and Sections restrict-elementor-widgets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Restrict Elementor Widgets, Columns and Sections: from n/a through <= 1.12. | ||||
| CVE-2023-22858 | 1 Blogengine | 1 Blogengine.net | 2025-12-16 | 5.3 Medium |
| An Improper Access Control vulnerability in BlogEngine.NET 3.3.8.0, allows unauthenticated visitors to access the files of unpublished blogs. | ||||
| CVE-2025-13956 | 2 Thimpress, Wordpress | 2 Learnpress, Wordpress | 2025-12-16 | 5.3 Medium |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders statistics, including total revenue summaries and order status counts | ||||
| CVE-2025-34411 | 1 Eqs | 1 Convercent Whistleblowing Platform | 2025-12-16 | N/A |
| The Convercent Whistleblowing Platform operated by EQS Group exposes an unauthenticated API endpoint at /GetLegalEntity that returns internal customer legal-entity names based on a supplied searchText fragment. A remote unauthenticated attacker can query the endpoint using common legal-suffix terms to enumerate Convercent tenants, identifying organizations using the platform. This disclosure can facilitate targeted phishing, extortion, or other attacks against whistleblowing programs and reveals sensitive business relationships and compliance infrastructure. | ||||
| CVE-2025-14038 | 1 Enterprisedb | 1 Hybrid Manager | 2025-12-16 | 7 High |
| EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause a denial-of-service by writing malformed data to certain gRPC endpoints. This flaw has been remediated in EDB Hybrid Manager 1.3.3, and customers should consider upgrading to 1.3.3 as soon as possible. The flaw is due to a misconfiguration in the Istio Gateway, which manages authentication and authorization for the affected endpoints. The security policy relies on an explicit definition of required permissions in the Istio Gateway configuration, and the affected endpoints were not defined in the configuration. This allowed requests to bypass both authentication and authorization within a Hybrid Manager service. All versions of Hybrid Manager - LTS should be upgraded to 1.3.3, and all versions of Hybrid Manager - Innovation should be upgraded to 2025.12. | ||||
| CVE-2025-12809 | 2 Wedevs, Wordpress | 2 Dokan, Wordpress | 2025-12-16 | 5.3 Medium |
| The Dokan Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/dokan/v1/wholesale/register` REST API endpoint in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to enumerate users and retrieve their email addresses via the REST API by providing a user ID, along with other information such as usernames, display names, user roles, and registration dates. | ||||
| CVE-2025-13794 | 2 Themeisle, Wordpress | 2 Auto Featured Image, Wordpress | 2025-12-16 | 4.3 Medium |
| The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own. | ||||
| CVE-2025-64638 | 3 Onpay.io, Woocommerce, Wordpress | 3 For Woocommerce, Woocommerce, Wordpress | 2025-12-16 | 5.3 Medium |
| Missing Authorization vulnerability in OnPay.io OnPay.io for WooCommerce onpay-io-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects OnPay.io for WooCommerce: from n/a through <= 1.0.47. | ||||
| CVE-2025-54045 | 2 Cminds, Wordpress | 2 Cm On Demand Search And Replace, Wordpress | 2025-12-16 | 4.3 Medium |
| Missing Authorization vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CM On Demand Search And Replace: from n/a through <= 1.5.4. | ||||
| CVE-2025-64632 | 2 Auctollo, Wordpress | 2 Google-sitemap-generator, Wordpress | 2025-12-16 | 5.3 Medium |
| Missing Authorization vulnerability in Auctollo Google XML Sitemaps google-sitemap-generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Google XML Sitemaps: from n/a through <= 4.1.21. | ||||
| CVE-2025-66120 | 2 Catfolders, Wordpress | 2 Catfolders, Wordpress | 2025-12-16 | 5.3 Medium |
| Missing Authorization vulnerability in CatFolders CatFolders catfolders allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CatFolders: from n/a through <= 2.5.3. | ||||
| CVE-2025-64242 | 2 Merv Barrett, Wordpress | 2 Easy Property Listings, Wordpress | 2025-12-16 | 4.3 Medium |
| Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.15. | ||||
| CVE-2025-68270 | 2025-12-16 | 9.9 Critical | ||
| The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, CourseLimitedStaffRole users are able to access and edit courses in studio if they are granted the role on an org rather than on a course, and CourseLimitedStaffRole users are able to list courses they have the role on in studio even though they are not meant to have any access on the studio side for the course. Commit 05d0d0936daf82c476617257aa6c35f0cd4ca060 fixes the issue. | ||||
| CVE-2025-67965 | 2 Favethemes, Wordpress | 2 Homey, Wordpress | 2025-12-16 | 5.3 Medium |
| Missing Authorization vulnerability in favethemes Homey Core homey-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Homey Core: from n/a through <= 2.4.3. | ||||
| CVE-2025-64243 | 2 E-plugins, Wordpress | 2 Directory Pro, Wordpress | 2025-12-16 | 4.3 Medium |
| Missing Authorization vulnerability in e-plugins Directory Pro directory-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directory Pro: from n/a through <= 2.5.6. | ||||
| CVE-2025-59001 | 2 Themenectar, Wordpress | 2 Salient Core, Wordpress | 2025-12-16 | 4.3 Medium |
| Missing Authorization vulnerability in ThemeNectar Salient Core salient-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Salient Core: from n/a through <= 3.0.8. | ||||
| CVE-2025-43497 | 1 Apple | 1 Macos | 2025-12-16 | 5.2 Medium |
| An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to break out of its sandbox. | ||||
| CVE-2023-20252 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2025-12-16 | 9.8 Critical |
| A vulnerability in the Security Assertion Markup Language (SAML) APIs of Cisco Catalyst SD-WAN Manager Software could allow an unauthenticated, remote attacker to gain unauthorized access to the application as an arbitrary user. This vulnerability is due to improper authentication checks for SAML APIs. An attacker could exploit this vulnerability by sending requests directly to the SAML API. A successful exploit could allow the attacker to generate an authorization token sufficient to gain access to the application. | ||||
| CVE-2025-67572 | 1 Wordpress | 1 Wordpress | 2025-12-16 | 5.3 Medium |
| Missing Authorization vulnerability in PenciDesign PenNews pennews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PenNews: from n/a through < 6.7.4. | ||||