Skip to main content
CVE-2025-67563 MEDIUM This Month

Missing Authorization vulnerability in Saad Iqbal Post SMTP post-smtp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post SMTP: from n/a through <= 3.6.1.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-63063 MEDIUM This Month

Missing Authorization vulnerability in Yandex Metrika Yandex.Metrica wp-yandex-metrika allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Yandex.Metrica: from n/a through <= 1.2.2.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-63049 MEDIUM This Month

Missing Authorization vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects ListingPro Lead Form: from n/a through <= 1.0.7.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-63028 MEDIUM This Month

Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Traveler: from n/a through <= 3.2.6.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-63008 MEDIUM This Month

Missing Authorization vulnerability in weDevs WP ERP erp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP ERP: from n/a through <= 1.16.7.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-49348 MEDIUM This Month

Missing Authorization vulnerability in Hype Hype pico allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hype: from n/a through <= 1.0.5.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-67583 MEDIUM This Month

Missing authorization controls in IDonate WordPress plugin through version 2.1.15 allows unauthenticated remote attackers to access sensitive information due to incorrectly configured access control security levels. The vulnerability has a low EPSS score (0.04%, 13th percentile) and no public exploit code or active exploitation is documented, indicating limited real-world attack incentive despite network-accessible attack surface.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-67570 MEDIUM This Month

WPForms Google Sheet Connector plugin through version 4.0.0 allows unauthenticated remote attackers to modify data by exploiting missing authorization checks on access control mechanisms. The vulnerability enables unauthorized manipulation of form submissions and Google Sheet integrations without proper permission validation, affecting WordPress installations using this plugin.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63065 MEDIUM This Month

Media Library Assistant WordPress plugin through version 3.29 allows authenticated users to bypass authorization controls and access or modify content they should not have permission to reach via user-controlled keys in access control mechanisms. The vulnerability requires an authenticated user with limited privileges (PR:L) and affects confidentiality and integrity of stored media library data, though with relatively low exploitation probability (EPSS 0.04%) and no confirmed active exploitation at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63054 MEDIUM This Month

Missing authorization in ExpressTech Systems Quiz And Survey Master WordPress plugin through version 10.3.2 allows unauthenticated remote attackers to read sensitive quiz and survey data by exploiting incorrectly configured access control security levels. The vulnerability is assigned CVSS 5.3 (moderate), affects the plugin across multiple versions, and enables unauthorized information disclosure without requiring authentication or user interaction.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63023 MEDIUM This Month

Missing authorization in Easy Payment Payment Gateway for PayPal (woo-paypal-gateway) WordPress plugin versions up to 9.0.53 allows unauthenticated remote attackers to access sensitive payment gateway data through improper access control configuration. The vulnerability enables unauthorized information disclosure with low confidentiality impact. EPSS score of 0.04% indicates minimal observed exploitation probability despite network accessibility and no authentication requirement.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62870 MEDIUM This Month

Missing authorization in Eupago Gateway For Woocommerce allows unauthenticated remote attackers to modify data via incorrectly configured access control, affecting versions up to 4.7.1. The vulnerability enables integrity compromise without requiring authentication or user interaction, though with low attack complexity. EPSS scoring of 0.04% indicates minimal real-world exploitation probability despite moderate CVSS severity.

WordPress Woocommerce PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62740 MEDIUM This Month

Missing authorization controls in Mario Peshev WP-CRM System plugin up to version 3.4.6 allow unauthenticated remote attackers to modify data through incorrectly configured access control security levels. The CVSS 5.3 score reflects low integrity impact with no confidentiality or availability consequences, but the vulnerability exposes the plugin to unauthorized data manipulation attacks without authentication.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62085 MEDIUM This Month

Bertha AI WordPress plugin through version 1.13 allows unauthenticated attackers to modify content via incorrectly configured access control, enabling unauthorized changes to website data without authentication. The vulnerability stems from missing authorization checks on sensitive operations, classified as CWE-862 (Missing Authorization). While CVSS scores 5.3 (medium severity), EPSS exploitation probability is minimal at 0.04%, indicating low real-world attack likelihood despite the straightforward attack vector.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63071 MEDIUM This Month

Insertion of sensitive information into sent data in auxin-elements WordPress plugin versions up to 2.17.15 allows unauthenticated remote attackers to retrieve embedded sensitive data through network-accessible responses. The vulnerability exposes information with low confidentiality impact and affects the Shortcodes and extra features for Phlox theme plugin across all versions through 2.17.15, with EPSS scoring indicating 0.04% likelihood of exploitation.

WordPress PHP Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-66533 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection.This issue affects GiveWP: from n/a through <= 4.13.1.

RCE Code Injection
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-10876 MEDIUM This Month

Cross-site scripting in Talent Software e-BAP Automation (versions 1.8.96 through pre-v.41815) allows unauthenticated remote attackers to inject arbitrary JavaScript into web pages served by the application. The CVSS vector assigns UI:N (no user interaction required), which is atypical for XSS and may suggest a stored or persistent injection variant that auto-executes rather than a reflected type requiring a victim to click a crafted link. No public exploit identified at time of analysis, and the EPSS score of 0.03% (10th percentile) signals very low current exploitation interest; however, the unauthenticated network exposure warrants patching in internet-facing deployments.

XSS
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-64667 MEDIUM This Month

Spoofing via UI misrepresentation in Microsoft Exchange Server 2016 and Exchange Server Subscription Edition allows unauthenticated network attackers to falsify critical sender or authentication information as rendered by the Exchange interface. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw enables an attacker to craft messages or interactions that Exchange presents deceptively, undermining trust signals recipients rely upon to distinguish legitimate from malicious communications. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the PR:N/AC:L vector means exploitation requires no credentials and minimal attacker sophistication.

Microsoft Authentication Bypass Exchange Server Exchange Server Subscription Edition
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2025-63010 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core hercules-core allows Server Side Request Forgery.This issue affects Hercules Core : from n/a through <= 7.4.

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-67587 MEDIUM This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Phishing.This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5.

Open Redirect
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2025-66534 MEDIUM This Month

Missing Authorization vulnerability in Elated-Themes The Aisle theaisle allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Aisle: from n/a through <= 2.9.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-66532 MEDIUM This Month

Missing Authorization vulnerability in Mikado-Themes Powerlift powerlift allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Powerlift: from n/a through < 3.2.1.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-66530 MEDIUM This Month

Missing Authorization vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Webba Booking: from n/a through <= 6.2.1.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-67594 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in ThimPress Thim Elementor Kit thim-elementor-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Thim Elementor Kit: from n/a through <= 1.3.3.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-67597 MEDIUM This Month

Missing Authorization vulnerability in Shahjahan Jewel Fluent Booking fluent-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fluent Booking: from n/a through <= 1.9.11.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-67466 MEDIUM This Month

Missing Authorization vulnerability in sergiotrinity Trinity Audio trinity-audio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Trinity Audio: from n/a through <= 5.23.3.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-66528 MEDIUM This Month

Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce woo-thank-you-page-customizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Thank You Page Customizer for WooCommerce: from n/a through <= 1.1.8.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-63006 MEDIUM This Month

Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through <= 4.2.4.1.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-63013 MEDIUM This Month

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Retrieve Embedded Sensitive Data.This issue affects WP Hotel Booking: from n/a through <= 2.2.7.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-67468 MEDIUM This Month

Missing Authorization vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms cf7-salesforce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms: from n/a through <= 1.4.6.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-66527 MEDIUM This Month

Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lobo: from n/a through <= 2.8.6.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-66525 MEDIUM This Month

Missing Authorization vulnerability in Elastic Email Elastic Email Sender elastic-email-sender allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elastic Email Sender: from n/a through <= 1.2.20.

Authentication Bypass Elastic
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64257 MEDIUM This Month

Missing Authorization vulnerability in Joe Dolson My Tickets my-tickets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Tickets: from n/a through <= 2.1.0.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49350 MEDIUM This Month

Missing Authorization vulnerability in marcoingraiti Actionwear products sync actionwear-products-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Actionwear products sync: from n/a through <= 2.3.3.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67592 MEDIUM This Month

Missing Authorization vulnerability in Joe Dolson My Calendar my-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Calendar: from n/a through <= 3.6.16.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67589 MEDIUM This Month

Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips woocommerce-pdf-invoices-packing-slips allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce PDF Invoices & Packing Slips: from n/a through <= 4.9.1.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67588 MEDIUM This Month

Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Website Builder: from n/a through <= 3.33.0.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63025 MEDIUM This Month

Xagio SEO WordPress plugin through version 7.1.0.35 contains a missing authorization vulnerability that allows authenticated users to perform unauthorized actions due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 4.3 with low real-world exploitation probability (EPSS 0.04%), affecting authenticated users who can bypass intended access restrictions to modify plugin functionality or settings.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62993 MEDIUM This Month

Missing authorization controls in the Notification for Telegram WordPress plugin through version 3.5 allow authenticated users to modify notification settings they should not have access to, resulting in limited integrity impact. The vulnerability requires valid user credentials (PR:L in CVSS vector) and affects the plugin's access control enforcement rather than authentication bypass. With an EPSS score of 0.04% and no confirmed active exploitation, this represents a low-probability real-world risk despite the authentication bypass tag.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62867 MEDIUM This Month

Ergonet Cache plugin versions up to 1.0.13 allows authenticated users to bypass access control checks and modify unauthorized data due to missing authorization validation. The vulnerability requires user authentication (PR:L) but has low real-world risk per EPSS (0.04%), though it can lead to unauthorized content modification in affected WordPress installations.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63077 MEDIUM This Month

Happy Addons for Elementor through version 3.20.3 allows authenticated users to access functionality they should not have permission to use due to missing authorization checks on API endpoints or admin functions. The vulnerability requires valid user authentication and results in information disclosure, with a CVSS score of 4.3 and an extremely low EPSS exploitation probability of 0.04%, suggesting minimal real-world attack incentive despite the access control flaw.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63067 MEDIUM This Month

Porto Theme - Functionality plugin for WordPress (versions before 3.7.3) allows authenticated users to access sensitive information through broken access control, enabling privilege escalation or information disclosure without proper authorization checks. While the vulnerability requires valid WordPress credentials and has low CVSS severity (4.3), the confirmed patch availability and authentication requirement reduce immediate risk. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63056 MEDIUM This Month

Authenticated users can access sensitive contact form data and functionality they should not have permission to view or modify due to missing authorization checks in Contact Form by BestWebSoft plugin versions up to 4.3.6. The vulnerability allows logged-in attackers with low-level privileges to bypass access controls and view contact information or modify form settings with only network access and no additional user interaction required. This is not actively exploited according to available intelligence, though the access control bypass pattern is a common attack vector.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63015 MEDIUM This Month

Paysera WooCommerce Payment Gateway plugin through version 3.10.0 contains a missing authorization flaw allowing authenticated users with lower privilege levels to access or perform actions intended for higher-privilege roles, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control checks and has an EPSS score of 0.04% (11th percentile), indicating low real-world exploitation probability despite the CVSS 4.3 rating and authenticated attack vector.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67473 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in codeworkweb CWW Companion cww-companion allows Cross Site Request Forgery.This issue affects CWW Companion: from n/a through <= 1.3.2.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67472 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67471 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Quick Contact Form quick-contact-form allows Cross Site Request Forgery.This issue affects Quick Contact Form: from n/a through <= 8.2.5.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67469 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in kubiq PDF Thumbnail Generator pdf-thumbnail-generator allows Cross Site Request Forgery.This issue affects PDF Thumbnail Generator: from n/a through <= 1.4.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67465 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud Simple Link Directory simple-link-directory allows Cross Site Request Forgery.This issue affects Simple Link Directory: from n/a through <= 8.8.3.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-66531 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Cross Site Request Forgery.This issue affects Salon booking system: from n/a through <= 10.30.3.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy