Total
5132 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-42974 | 2025-07-08 | N/A | 4.3 MEDIUM | ||
| Due to missing authorization check, an attacker authenticated as a non-administrative user could call a remote-enabled function module. This could enable access to information normally restricted, resulting in low impact on confidentiality. There is no impact on integrity or availability. | |||||
| CVE-2025-5957 | 2025-07-08 | N/A | 5.3 MEDIUM | ||
| The Guest Support – Complete customer support ticket system for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteMassTickets' function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to delete arbitrary support tickets. | |||||
| CVE-2025-42953 | 2025-07-08 | N/A | 8.1 HIGH | ||
| SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confidentiality of the system. | |||||
| CVE-2025-42961 | 2025-07-08 | N/A | 4.9 MEDIUM | ||
| Due to a missing authorization check in SAP NetWeaver Application server for ABAP, an authenticated user with high privileges could exploit the insufficient validation of user permissions to access sensitive database tables. By leveraging overly permissive access configurations, unauthorized reading of critical data is possible, resulting in a significant impact on the confidentiality of the information stored. However, the integrity and availability of the system remain unaffected. | |||||
| CVE-2024-12610 | 1 Dasinfomedia | 1 School Management System | 2025-07-07 | N/A | 5.3 MEDIUM |
| The School Management System for Wordpress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'mj_smgt_remove_feetype' and 'mj_smgt_remove_category_new' AJAX actions in all versions up to, and including, 93.0.0. This makes it possible for unauthenticated attackers to delete arbitrary posts. | |||||
| CVE-2024-12611 | 1 Dasinfomedia | 1 School Management System | 2025-07-07 | N/A | 5.3 MEDIUM |
| The School Management System for Wordpress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 93.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-46450 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2025-07-07 | N/A | 8.1 HIGH |
| Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request. | |||||
| CVE-2025-5813 | 1 Suhailahmad64 | 1 Amazon Products To Woocommerce | 2025-07-07 | N/A | 5.3 MEDIUM |
| The Amazon Products to WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcta2w_get_amazon_product_callback() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to create new produces. | |||||
| CVE-2025-4683 | 1 Inspireui | 1 Mstore Api | 2025-07-07 | N/A | 4.3 MEDIUM |
| The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts. | |||||
| CVE-2025-5304 | 1 Ptoffice | 1 Pt Project Notebooks | 2025-07-07 | N/A | 9.8 CRITICAL |
| The PT Project Notebooks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the wpnb_pto_new_users_add() function in versions 1.0.0 through 1.1.3. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator. | |||||
| CVE-2025-3863 | 1 Plugin-devs | 1 Post Carousel Slider For Elementor | 2025-07-03 | N/A | 4.3 MEDIUM |
| The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin’s support‐form handler to send arbitrary emails to the site’s support address. | |||||
| CVE-2024-23944 | 1 Apache | 1 Zookeeper | 2025-07-03 | N/A | 5.3 MEDIUM |
| Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue. | |||||
| CVE-2025-46259 | 2025-07-03 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7. | |||||
| CVE-2025-53108 | 2025-07-03 | N/A | N/A | ||
| HomeBox is a home inventory and organization system. Prior to 0.20.1, HomeBox contains a missing authorization check in the API endpoints responsible for updating and deleting inventory item attachments. This flaw allows authenticated users to perform unauthorized actions on inventory item attachments that they do not own. This issue could lead to unauthorized data manipulation or loss of critical inventory data. This issue has been patched in version 0.20.1. There are no workarounds, users must upgrade. | |||||
| CVE-2025-27461 | 2025-07-03 | N/A | 7.6 HIGH | ||
| During startup, the device automatically logs in the EPC2 Windows user without requesting a password. | |||||
| CVE-2025-39362 | 2025-07-03 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in Mollie Mollie Payments for WooCommerce.This issue affects Mollie Payments for WooCommerce: from n/a through 8.0.2. | |||||
| CVE-2023-4104 | 1 Mozilla | 1 Vpn | 2025-07-03 | N/A | 5.5 MEDIUM |
| An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups. *This bug only affects Mozilla VPN on Linux. Other operating systems are unaffected.* This vulnerability affects Mozilla VPN 2.16.1 < (Linux). | |||||
| CVE-2025-47560 | 2025-07-03 | N/A | 5.0 MEDIUM | ||
| Missing Authorization vulnerability in PT Norther Lights Production MapSVG allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MapSVG: from n/a before 8.6.13. | |||||
| CVE-2025-47558 | 2025-07-03 | N/A | 7.5 HIGH | ||
| Missing Authorization vulnerability in PT Norther Lights Production MapSVG allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects MapSVG: from n/a before 8.6.13. | |||||
| CVE-2024-10762 | 1 Lunary | 1 Lunary | 2025-07-02 | N/A | 8.1 HIGH |
| In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This vulnerability allows low-privilege users to delete evaluators data, causing permanent data loss and potentially hindering operations. | |||||