Search Results (8399 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-55038 | 1 Automationdirect | 1 Click Plus | 2026-04-15 | 6.8 Medium |
| An authorization bypass vulnerability has been discovered in the Click Plus C2-03CPU2 device firmware version 3.60. Through the KOPR protocol utilized by the Remote PLC application, authenticated users with low-level access permissions can exploit this vulnerability to read and modify PLC variables beyond their intended authorization level. | ||||
| CVE-2025-4046 | 1 Lexmark | 1 Cloud Services | 2026-04-15 | 8.5 High |
| A missing authorization vulnerability in Lexmark Cloud Services badge management allows an attacker to reassign badges within their organization. | ||||
| CVE-2024-13801 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.1 High |
| The BWL Advanced FAQ Manager plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'baf_set_notice_status' AJAX action in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to '1' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration. | ||||
| CVE-2024-1229 | 2 Redbit Sro, Wordpress | 2 Simple Shop, Wordpress | 2026-04-15 | 5.3 Medium |
| The SimpleShop plugin for WordPress is vulnerable to unauthorized disconnection from SimpleShop due to a missing capability check on the maybe_disconnect_simpleshop function in all versions up to, and including, 2.10.2. This makes it possible for unauthenticated attackers to disconnect the SimpleShop. | ||||
| CVE-2024-6688 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Oxygen Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the oxy_save_css_from_admin AJAX action in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update stylesheets. | ||||
| CVE-2024-2508 | 1 Freshlight | 1 Wp Mobile Menu | 2026-04-15 | 5.3 Medium |
| The WP Mobile Menu plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_menu_item_icon function in all versions up to, and including, 2.8.4.4. This makes it possible for unauthenticated attackers to add the '_mobmenu_icon' post meta to arbitrary posts with an arbitrary (but sanitized) value. NOTE: Version 2.8.4.4 contains a partial fix for this vulnerability. | ||||
| CVE-2024-6599 | 2 Mekshq, Wordpress | 2 Meks Video Importer, Wordpress | 2026-04-15 | 4.3 Medium |
| The Meks Video Importer plugin for WordPress is vulnerable to unauthorized API key modification due to a missing capability check on the ajax_save_settings function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's API keys. CVE-2024-38733 may be a duplicate of this issue. | ||||
| CVE-2024-6591 | 1 Nitesh Singh | 1 Ultimate Wordpress Auction Plugin | 2026-04-15 | 5.8 Medium |
| The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized email creation and sending due to a missing capability check on the 'send_auction_email_callback' and 'resend_auction_email_callback' functions in all versions up to, and including, 4.2.7. This makes it possible for unauthenticated attackers to craft emails that include links and send to any email address. | ||||
| CVE-2025-26657 | | | 2026-04-15 | 5.3 Medium |
| SAP KMC WPC allows an unauthenticated attacker to remotely retrieve usernames by a simple parameter query which could expose sensitive information causing low impact on confidentiality of the application. This has no effect on integrity and availability. | ||||
| CVE-2024-30217 | | | 2026-04-15 | 4.3 Medium |
| Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can approve or reject a bank account application affecting the integrity of the application. Confidentiality and Availability are not impacted. | ||||
| CVE-2020-36852 | 2 Custom Searchable Data Entry System Project, Wordpress | 2 Custom Searchable Data Entry System, Wordpress | 2026-04-15 | 9.1 Critical |
| The Custom Searchable Data Entry System plugin for WordPress is vulnerable to unauthenticated database wiping in versions up to, and including 1.7.1, due to a missing capability check and lack of sufficient validation on the ghazale_sds_delete_entries_table_row() function. This makes it possible for unauthenticated attackers to completely wipe database tables such as wp_users. | ||||
| CVE-2024-12190 | | | 2026-04-15 | 4.3 Medium |
| The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the bitform-form-entry-edit endpoint in all versions up to, and including, 2.17.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all form submissions from other users. | ||||
| CVE-2025-30107 | | | 2026-04-15 | 7.5 High |
| On IROAD V9 devices, Managing Settings and Obtaining Sensitive Data and Sabotaging the Car Battery can be performed by unauthorized parties. A vulnerability in the dashcam's configuration management allows unauthorized users to modify settings, disable critical functions, and turn off battery protection, potentially causing physical damage to the vehicle. | ||||
| CVE-2024-6465 | | | 2026-04-15 | 4.3 Medium |
| The WP Links Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wplf_ajax_update_screenshots' function in all versions up to, and including, 4.9.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to regenerate the link's thumbnail image. | ||||
| CVE-2024-37443 | | | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in Automattic WP Job Manager - Resume Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0. | ||||
| CVE-2024-37439 | 1 Uncannyowl | 1 Uncanny Toolkit Pro For Learndash | 2026-04-15 | 5.4 Medium |
| Missing Authorization vulnerability in Uncanny Owl Uncanny Toolkit Pro for LearnDash allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uncanny Toolkit Pro for LearnDash: from n/a through 4.1.4.0. | ||||
| CVE-2024-37269 | 1 Stylemixthemes | 1 Masterstudy Elementor Widgets | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in StylemixThemes Masterstudy Elementor Widgets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Masterstudy Elementor Widgets: from n/a through 1.2.2. | ||||
| CVE-2023-37872 | | | 2026-04-15 | 6.5 Medium |
| Missing Authorization vulnerability in Woo WooCommerce Ship to Multiple Addresses. This issue affects WooCommerce Ship to Multiple Addresses: from n/a through 3.8.5. | ||||
| CVE-2024-38733 | | | 2026-04-15 | 5.4 Medium |
| Missing Authorization vulnerability in Meks Meks Video Importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Meks Video Importer: from n/a through 1.0.12. | ||||
| CVE-2024-37249 | | | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in WPEngine Inc. Advanced Custom Fields PRO allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced Custom Fields PRO: from n/a through 6.3.1. | ||||