Total
970 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2913 | 1 Login No Captcha Recaptcha Project | 1 Login No Captcha Recaptcha | 2025-06-03 | N/A | 4.3 MEDIUM |
| The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen. | |||||
| CVE-2025-5182 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-06-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 and classified as critical. This vulnerability affects unknown code of the component Listing Handler. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-5181 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-06-03 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability, which was classified as problematic, was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. This affects an unknown part of the file /spgpm/updateListing. The manipulation of the argument spgLsTitle leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2023-6223 | 1 Thimpress | 1 Learnpress | 2025-06-03 | N/A | 4.3 MEDIUM |
| The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve the details of another user's course progress. | |||||
| CVE-2025-47226 | 1 Snipeitapp | 1 Snipe-it | 2025-06-03 | N/A | 5.0 MEDIUM |
| Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information. | |||||
| CVE-2024-32166 | 1 Webidsupport | 1 Webid | 2025-06-03 | N/A | 8.8 HIGH |
| Webid v1.2.1 suffers from an Insecure Direct Object Reference (IDOR) - Broken Access Control vulnerability, allowing attackers to buy now an auction that is suspended (horizontal privilege escalation). | |||||
| CVE-2024-48899 | 1 Moodle | 1 Moodle | 2025-06-02 | N/A | 4.3 MEDIUM |
| A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to. | |||||
| CVE-2018-10211 | 1 Vaultize | 1 Enterprise File Sharing | 2025-05-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization when listing the history of another user via a modified "vaultize_session_id" value in a cookie. | |||||
| CVE-2023-7199 | 1 Relevanssi | 1 Relevanssi | 2025-05-29 | N/A | 5.3 MEDIUM |
| The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request | |||||
| CVE-2025-40650 | 2025-05-28 | N/A | N/A | ||
| Insecure Direct Object Reference (IDOR) vulnerability in Clickedu. This vulnerability could allow an attacker to retrieve information about student report cards. | |||||
| CVE-2025-25777 | 1 Codeastro | 1 Bus Ticket Booking System | 2025-05-28 | N/A | 8.0 HIGH |
| Insecure Direct Object Reference (IDOR) in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another user's profile without proper authentication or authorization checks. | |||||
| CVE-2022-40186 | 1 Hashicorp | 1 Vault | 2025-05-27 | N/A | 9.1 CRITICAL |
| An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault. | |||||
| CVE-2024-43239 | 1 Masteriyo | 1 Masteriyo | 2025-05-27 | N/A | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Masteriyo Masteriyo - LMS.This issue affects Masteriyo - LMS: from n/a through 1.11.4. | |||||
| CVE-2022-1613 | 1 10up | 1 Restricted Site Access | 2025-05-21 | N/A | 5.3 MEDIUM |
| The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations in certain situations. | |||||
| CVE-2024-6534 | 1 Monospace | 1 Directus | 2025-05-19 | N/A | 4.3 MEDIUM |
| Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover. | |||||
| CVE-2023-28656 | 2 F5, Netapp | 5 Nginx Api Connectivity Manager, Nginx Instance Manager, Nginx Security Monitoring and 2 more | 2025-05-19 | N/A | 8.1 HIGH |
| NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2025-39537 | 2025-05-19 | N/A | 5.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Chimpstudio WP JobHunt allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP JobHunt: from n/a through 7.1. | |||||
| CVE-2025-4119 | 1 Weitong | 1 Mall | 2025-05-16 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability classified as critical was found in Weitong Mall 1.0.0. This vulnerability affects unknown code of the file /queryTotal of the component Product Statistics Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3769 | 2025-05-16 | N/A | 5.3 MEDIUM | ||
| The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'view_booking_summary_in_lightbox' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to retrieve appointment details such as customer names and email addresses. | |||||
| CVE-2024-8988 | 2025-05-16 | N/A | 5.3 MEDIUM | ||
| The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download files uploaded by others users and expose potentially sensitive information. | |||||