Export limit exceeded: 11246 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11246 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-3953 | 2026-04-15 | 5.4 Medium | ||
| The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings. | ||||
| CVE-2025-10212 | 2 Sitealert, Wordpress | 2 Sitealert, Wordpress | 2026-04-15 | 5.3 Medium |
| The SiteAlert (Formerly WP Health) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.9.8. This makes it possible for unauthenticated attackers to view the site health information, including a list of installed and outdated plugins, PHP and Database version, etc. | ||||
| CVE-2025-23244 | 1 Nvidia | 1 Gpu Display Driver | 2026-04-15 | 7.8 High |
| NVIDIA GPU Display Driver for Linux contains a vulnerability which could allow an unprivileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2024-3071 | 1 Wordpress | 2 Acf-on-the-go, Wordpress | 2026-04-15 | 4.3 Medium |
| The ACF On-The-Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the acfg_update_fields() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post titles, descriptions, and ACF values. | ||||
| CVE-2024-35686 | 1 Automattic | 2 Sensei Lms, Sensei Pro | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in Automattic Sensei LMS, Automattic Sensei Pro (WC Paid Courses).This issue affects Sensei LMS: from n/a through 4.23.1; Sensei Pro (WC Paid Courses): from n/a through 4.23.1.1.23.1. | ||||
| CVE-2024-3072 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The ACF Front End Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_texts() function in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post title, content, and ACF data. | ||||
| CVE-2024-13746 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| The Booking Calendar and Notification plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on the wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts() functions in all versions up to, and including, 4.0.3. This makes it possible for unauthenticated attackers to extract data, create or update bookings, or delete arbitrary posts. | ||||
| CVE-2023-3352 | 2026-04-15 | 4.3 Medium | ||
| The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the delete_resmush_list() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for Nextgen or the Media Library. | ||||
| CVE-2024-11929 | 2026-04-15 | 6.4 Medium | ||
| The Responsive FlipBook Plugin Wordpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the rfbwp_save_settings() functionin all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-28492 | 2026-04-15 | 4.3 Medium | ||
| Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Functionality Misuse.This issue affects CP Multi View Event Calendar: from n/a through 1.4.10. | ||||
| CVE-2024-0138 | 1 Nvidia | 1 Base Command Manager | 2026-04-15 | 9.8 Critical |
| NVIDIA Base Command Manager contains a missing authentication vulnerability in the CMDaemon component. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2023-4617 | 2026-04-15 | 10 Critical | ||
| Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. This issue affects Govee Home applications on Android and iOS in versions before 5.9. | ||||
| CVE-2024-12155 | 1 Straightvisions | 1 Sv100 Companion | 2026-04-15 | 9.8 Critical |
| The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the settings_import() function in all versions up to, and including, 2.0.02. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. CVE-2024-54229 may be a duplicate of this issue. | ||||
| CVE-2025-0836 | 1 Milestone Systems | 1 Xprotect Vms | 2026-04-15 | 6.3 Medium |
| Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API. | ||||
| CVE-2024-12158 | 2026-04-15 | 5.3 Medium | ||
| The Popup – MailChimp, GetResponse and ActiveCampaign Intergrations plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'upc_delete_db_data' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for unauthenticated attackers to delete the DB data for the plugin. | ||||
| CVE-2024-9234 | 1 Wpmet | 1 Gutenkit | 2026-04-15 | 9.8 Critical |
| The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or utilize the functionality to upload arbitrary files spoofed like plugins. | ||||
| CVE-2025-14986 | 1 Temporal | 1 Temporal | 2026-04-15 | N/A |
| When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context. This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2. | ||||
| CVE-2024-3581 | 2 Maxfoundry, Wordpress | 2 Maxgalleria, Wordpress | 2026-04-15 | 4.3 Medium |
| The MaxGalleria plugin for WordPress is vulnerable to unauthorized image upload due to a missing capability check on the add_media_library_images_to_gallery function in all versions up to, and including, 6.4.2. This makes it possible for authenticated attackers, with subscriber access or above, to upload arbitrary images to a gallery. | ||||
| CVE-2024-31118 | 2 Smartypantsplugins, Wordpress | 2 Sp Project & Document Manager, Wordpress | 2026-04-15 | 6.5 Medium |
| Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SP Project & Document Manager: from n/a through 4.70. | ||||
| CVE-2024-12594 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The Custom Login Page Styler – Login Protected Private Site , Change wp-admin login url , WordPress login logo , Temporary admin login access , Rename login , Login customizer, Hide wp-login – Limit Login Attempts – Locked Site plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'lps_generate_temp_access_url' AJAX action in all versions up to, and including, 7.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to login as other users such as subscribers. | ||||