Total: 5235 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2025-1307 | | | 2025-03-04 | N/A | 9.8 CRITICAL |
The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
CVE-2024-13686 | | | 2025-03-04 | N/A | 4.3 MEDIUM |
The VW Storefront theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vw_storefront_reset_all_settings() function in all versions up to, and including, 0.9.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the theme's settings. | |||||
CVE-2025-27270 | | | 2025-03-03 | N/A | 9.8 CRITICAL |
Missing Authorization vulnerability in NotFound Residential Address Detection allows Privilege Escalation. This issue affects Residential Address Detection: from n/a through 2.5.4. | |||||
CVE-2025-23763 | | | 2025-03-03 | N/A | 6.5 MEDIUM |
Missing Authorization vulnerability in Alex Volkov WAH Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WAH Forms: from n/a through 1.0. | |||||
CVE-2025-23615 | | | 2025-03-03 | N/A | 6.5 MEDIUM |
Missing Authorization vulnerability in NotFound Interactive Page Hierarchy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Interactive Page Hierarchy: from n/a through 1.0.1. | |||||
CVE-2025-23613 | | | 2025-03-03 | N/A | 6.5 MEDIUM |
Missing Authorization vulnerability in NotFound WP Journal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Journal: from n/a through 1.1. | |||||
CVE-2025-23515 | | | 2025-03-03 | N/A | 6.5 MEDIUM |
Missing Authorization vulnerability in tsecher ts-tree allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ts-tree: from n/a through 0.1.1. | |||||
CVE-2025-23440 | | | 2025-03-03 | N/A | 6.3 MEDIUM |
Missing Authorization vulnerability in radicaldesigns radSLIDE allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects radSLIDE: from n/a through 2.1. | |||||
CVE-2025-24633 | | | 2025-03-03 | N/A | 5.3 MEDIUM |
Missing Authorization vulnerability in silverplugins217 Build Private Store For Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Build Private Store For Woocommerce: from n/a through 1.0. | |||||
CVE-2025-1404 | | | 2025-03-01 | N/A | 5.3 MEDIUM |
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_sccp_reports_user_search() function in all versions up to, and including, 4.4.7. This makes it possible for unauthenticated attackers to retrieve a list of registered user emails. | |||||
CVE-2024-12544 | | | 2025-03-01 | N/A | 8.8 HIGH |
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to arbitrary file deletion due to a missing capability check on the callback function of the SurveyJS_DeleteFile class in all versions up to, and including, 1.12.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This function is still vulnerable to Cross-Site Request Forgery as of 1.12.20. | |||||
CVE-2025-1502 | | | 2025-03-01 | N/A | 5.3 MEDIUM |
The IP2Location Redirection plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'download_ip2location_redirection_backup' AJAX action in all versions up to, and including, 1.33.3. This makes it possible for unauthenticated attackers to download the plugin's settings. | |||||
CVE-2024-13746 | | | 2025-03-01 | N/A | 6.5 MEDIUM |
The Booking Calendar and Notification plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on the wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts() functions in all versions up to, and including, 4.0.3. This makes it possible for unauthenticated attackers to extract data, create or update bookings, or delete arbitrary posts. | |||||
CVE-2023-23825 | 1 Brainstormforce | 1 Spectra | 2025-03-01 | N/A | 3.1 LOW |
Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through 2.3.0. | |||||
CVE-2023-23834 | 1 Brainstormforce | 1 Spectra | 2025-03-01 | N/A | 4.3 MEDIUM |
Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through 2.3.0. | |||||
CVE-2023-50903 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2025-03-01 | N/A | 5.3 MEDIUM |
Missing Authorization vulnerability in Wpmet Metform Elementor Contact Form Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metform Elementor Contact Form Builder: from n/a through 3.4.0. | |||||
CVE-2024-6987 | 1 Themebeez | 1 Orchid Store | 2025-03-01 | N/A | 4.3 MEDIUM |
The Orchid Store theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'orchid_store_activate_plugin' function in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate the Addonify Floating Cart For WooCommerce plugin if it is installed. | |||||
CVE-2024-6869 | 1 Faboba | 1 Falang | 2025-03-01 | N/A | 5.4 MEDIUM |
The Falang multilanguage for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.3.52. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and delete translations and expose the administrator email address. | |||||
CVE-2024-6709 | 1 Syncpostwithothersite | 1 Sync Post With Other Site | 2025-03-01 | N/A | 4.3 MEDIUM |
The Sync Post With Other Site plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sps_add_update_post' function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new draft posts and update existing posts. | |||||
CVE-2024-6872 | 1 Templatespare | 1 Templatespare | 2025-03-01 | N/A | 4.3 MEDIUM |
The Build Your Dream Website Fast with 400+ Starter Templates and Landing Pages, No Coding Needed, One-Click Import for Elementor & Gutenberg Blocks! – TemplateSpare plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'templatespare_activate_required_theme' and 'templatespare_get_theme_status' functions in all versions up to, and including, 2.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate any installed theme and read any theme status. If the attacker attempts to activate a theme that is not installed, a non-existent theme with the slug chosen by the attacker will be considered the active theme, leaving the site with no theme functionality. |