Total
5132 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5315 | 1 Gitlab | 1 Gitlab | 2025-08-12 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions. | |||||
| CVE-2025-53910 | 2025-08-12 | N/A | 4.0 MEDIUM | ||
| Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create a channel subscription without proper access to the channel via API call to the edit channel subscription endpoint. | |||||
| CVE-2025-44001 | 2025-08-12 | N/A | 4.0 MEDIUM | ||
| Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the Get Channel Subscriptions details endpoint. | |||||
| CVE-2025-54458 | 2025-08-12 | N/A | 5.0 MEDIUM | ||
| Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to create a subscription for a Confluence space the user does not have access to via the create subscription endpoint. | |||||
| CVE-2025-49221 | 2025-08-12 | N/A | 3.7 LOW | ||
| Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via API call to GET subscription endpoint. | |||||
| CVE-2025-6253 | 2025-08-12 | N/A | 7.5 HIGH | ||
| The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | |||||
| CVE-2025-48731 | 2025-08-12 | N/A | 6.4 MEDIUM | ||
| Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have access for via edit subscription endpoint. | |||||
| CVE-2025-42955 | 2025-08-12 | N/A | 3.5 LOW | ||
| Due to a missing authorization check in SAP Cloud Connector, an attacker on an adjacent network with low privileges could send a crafted request to the endpoint responsible for testing LDAP connections. A successful exploit could lead to reduced performance, hence a low-impact on availability of the service. Confidentiality and integrity of the data are not affected. | |||||
| CVE-2025-53857 | 2025-08-12 | N/A | 3.7 LOW | ||
| Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint. | |||||
| CVE-2025-8482 | 2025-08-12 | N/A | 4.3 MEDIUM | ||
| The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users. | |||||
| CVE-2025-8285 | 2025-08-12 | N/A | 4.0 MEDIUM | ||
| Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create channel subscription without proper access to the channel via API call to the create channel subscription endpoint. | |||||
| CVE-2025-42949 | 2025-08-12 | N/A | 4.9 MEDIUM | ||
| Due to a missing authorization check in the ABAP Platform, an authenticated user with elevated privileges could bypass authorization restrictions for common transactions by leveraging the SQL Console. This could enable an attacker to access and read the contents of database tables without proper authorization, leading to a significant compromise of data confidentiality. However, the integrity and availability of the system remain unaffected. | |||||
| CVE-2025-8418 | 2025-08-12 | N/A | 8.8 HIGH | ||
| The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible. | |||||
| CVE-2025-8059 | 2025-08-12 | N/A | 9.8 CRITICAL | ||
| The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfr_registration() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create a new account and assign it the administrator role. | |||||
| CVE-2025-47580 | 1 Etoilewebdesign | 1 Front End Users | 2025-08-12 | N/A | 5.4 MEDIUM |
| Missing Authorization vulnerability in Rustaurius Front End Users allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Front End Users: from n/a through 3.2.32. | |||||
| CVE-2025-4520 | 1 Uncannyowl | 1 Uncanny Automator | 2025-08-12 | N/A | 5.4 MEDIUM |
| The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update plugin settings. | |||||
| CVE-2024-43223 | 1 Metagauss | 1 Eventprime | 2025-08-12 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in EventPrime Events EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through 4.0.3.2. | |||||
| CVE-2025-4370 | 1 Brizy | 1 Brizy | 2025-08-11 | N/A | 5.3 MEDIUM |
| The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on process_external_asset_urls function as well as missing path validation in store_file function in all versions up to, and including, 2.6.20. This makes it possible for unauthenticated attackers to upload .TXT files on the affected site's server. | |||||
| CVE-2025-1766 | 1 Themewinter | 1 Eventin | 2025-08-11 | N/A | 5.3 MEDIUM |
| The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss. | |||||
| CVE-2025-2110 | 1 Wpcompress | 1 Wp Compress | 2025-08-11 | N/A | 8.8 HIGH |
| The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its on its AJAX functions in all versions up to, and including, 6.30.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to compromise the site in various ways depending on the specific function exploited - for example, by retrieving sensitive settings and configuration details, or by altering and deleting them, thereby disclosing sensitive information, disrupting the plugin’s functionality, and potentially impacting overall site performance. | |||||