Skip to main content
CVE-2025-66144 MEDIUM This Month

Missing authorization controls in the merkulove Worker for Elementor WordPress plugin (versions through 1.0.10) allow unauthenticated or low-privileged users to exploit incorrectly configured access control mechanisms. The vulnerability stems from CWE-862 (Missing Authorization) and enables attackers to perform unauthorized actions without proper privilege verification, potentially affecting sites running vulnerable plugin versions.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66153 MEDIUM This Month

Missing authorization controls in Headinger for Elementor plugin (versions up to 1.1.4) permit unauthenticated or insufficiently privileged attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability stems from incorrectly configured security levels that fail to validate user permissions before granting access to sensitive functionality, enabling attackers to exploit the plugin's features beyond their intended authorization scope.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66152 MEDIUM This Month

Criptopayer for Elementor WordPress plugin through version 1.0.1 contains a missing authorization vulnerability allowing unauthenticated attackers to exploit incorrectly configured access control security levels and bypass authentication mechanisms. The vulnerability stems from insufficient validation of user permissions, enabling unauthorized access to sensitive plugin functionality. With an EPSS score of 0.05% (17th percentile), real-world exploitation probability is currently low, and no active exploitation or public proof-of-concept code has been reported.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66151 MEDIUM This Month

Missing authorization in merkulove Countdowner for Elementor plugin (versions up to 1.0.4) allows unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. With an EPSS score of 0.05% (17th percentile), this vulnerability represents low real-world exploitation probability despite the authorization bypass classification.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66150 MEDIUM This Month

Missing authorization in the merkulove Appender WordPress plugin versions through 1.1.1 allows authenticated attackers to bypass access control checks and exploit incorrectly configured security levels, potentially gaining unauthorized access to restricted functionality or data. EPSS probability is minimal at 0.05%, and no public exploit code or active exploitation has been reported.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66149 MEDIUM This Month

Missing authorization in merkulove UnGrabber WordPress plugin version 3.1.3 and earlier allows unauthenticated attackers to exploit incorrectly configured access control to bypass security restrictions. The vulnerability stems from CWE-862 (Missing Authorization) and has been identified in the plugin's access control implementation, potentially enabling attackers to perform unauthorized actions without proper privilege verification.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62888 MEDIUM This Month

Missing authorization in Marco Milesi WP Attachments WordPress plugin through version 5.2 allows unauthenticated or low-privileged attackers to bypass access control restrictions and exploit incorrectly configured security levels to access protected attachments. The vulnerability stems from broken access control validation (CWE-862) and carries a low exploitation probability (EPSS 0.05%, 17th percentile), with no confirmed public exploit code or active exploitation documented at analysis time.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62108 MEDIUM This Month

Missing authorization in SaifuMak Add Custom Codes WordPress plugin through version 4.80 allows unauthenticated or low-privileged attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control mechanisms (CWE-862) that fail to properly validate user permissions before granting access to sensitive functionality. Despite a low EPSS score (0.05%, percentile 17%), the authentication bypass tag indicates potential for account takeover or privilege escalation.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62098 MEDIUM This Month

Missing authorization controls in totalsoft Portfolio Gallery WordPress plugin versions through 1.4.8 allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially exposing sensitive gallery content and administrative functionality to unauthorized access. The vulnerability stems from broken access control mechanisms rather than authentication bypass, meaning authenticated users may also access resources beyond their privilege level. With an EPSS score of 0.05% (17th percentile) and no CVSS severity data, real-world exploitation appears limited despite the theoretical exposure.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62091 MEDIUM This Month

Broken access control in Vollstart Serial Codes Generator and Validator with WooCommerce Support plugin through version 2.8.2 allows unauthenticated attackers to exploit misconfigured security levels and bypass authorization checks to access or manipulate serial code functionality. The vulnerability stems from missing authorization validation on security-sensitive operations, enabling attackers to perform actions without proper privilege verification. No public exploit code or active exploitation has been identified at time of analysis, though the low EPSS score (0.05%) suggests limited real-world exploitation probability despite the access control weakness.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62144 MEDIUM This Month

Missing authorization checks in Mohammed Kaludi Core Web Vitals & PageSpeed Booster WordPress plugin through version 1.0.28 allows unauthenticated attackers to exploit incorrectly configured access control to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862), enabling attackers to bypass security restrictions and access sensitive functionality without proper authentication or privilege verification.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62134 MEDIUM This Month

Cross-Site Request Forgery vulnerability in A WP Life Contact Form Widget plugin version 1.5.1 and earlier allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability lacks a CVSS score and public exploit code, but is assigned low exploitation probability (EPSS 0.02%) and categorized under CWE-352 (CSRF). No active exploitation has been reported.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62120 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in OpenHook WordPress plugin version 4.3.1 and earlier allows attackers to perform unauthorized actions on behalf of authenticated users by tricking them into visiting malicious web pages. The vulnerability affects the popular thesis-openhook plugin and could enable unauthorized configuration changes or administrative actions without explicit user consent. With an EPSS score of 0.02% (5th percentile) and no CVSS severity assigned, this represents a low probability of exploitation in practice, though CSRF vulnerabilities remain a concern in WordPress ecosystem plugins.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62117 MEDIUM This Month

Cross-site request forgery (CSRF) in Jayce53 EasyIndex WordPress plugin versions up to 1.1.1704 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by inducing them to visit malicious web pages. The vulnerability affects all versions from the earliest tracked through 1.1.1704. No public exploit code or confirmed active exploitation has been identified; EPSS probability is minimal at 0.02% (5th percentile), suggesting low real-world exploitation likelihood despite the CSRF vector.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66159 MEDIUM This Month

Missing authorization in Walker for Elementor plugin (versions through 1.1.6) allows unauthenticated attackers to exploit improperly configured access controls to bypass intended security restrictions and access unauthorized functionality. The vulnerability stems from inadequate permission validation in the plugin's WordPress implementation, enabling attackers to interact with protected features without proper authentication or role-based authorization checks.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66158 MEDIUM This Month

Gmaper for Elementor plugin versions up to 1.0.9 contains a missing authorization vulnerability (CWE-862) that allows attackers to exploit incorrectly configured access control security levels, potentially bypassing authentication mechanisms to access restricted functionality. The vulnerability carries a 0.02% EPSS score (percentile 4%), indicating minimal real-world exploitation risk at present, with no public exploit code or active exploitation currently identified.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66157 MEDIUM This Month

Missing authorization in merkulove Sliper for Elementor plugin versions up to 1.0.10 allows attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from insufficient access control validation (CWE-862), enabling unauthenticated or low-privileged users to perform actions they should not be authorized to execute. With an EPSS score of 0.02% (4th percentile) indicating very low real-world exploitation likelihood, this issue represents a lower-priority authorization flaw compared to actively exploited vulnerabilities.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66156 MEDIUM This Month

Missing authorization in merkulove Watcher for Elementor plugin (versions up to 1.0.9) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive functionality or data. The vulnerability carries an EPSS score of 0.02% (percentile 4%), indicating very low observed exploitation probability, with no public exploit code or active exploitation confirmed at the time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66155 MEDIUM This Month

Missing authorization controls in merkulove Questionar for Elementor plugin versions up to 1.1.7 allow attackers to exploit improperly configured access control mechanisms, potentially enabling unauthorized access to questionnaire data or administrative functions. The vulnerability stems from inadequate privilege validation and affects all users of the vulnerable plugin versions. With an EPSS score of 0.02% and no CVSS severity assigned, real-world exploitation likelihood is currently minimal, though the authentication bypass nature of the flaw warrants patching.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66154 MEDIUM This Month

Missing authorization in Merkulove Couponer for Elementor plugin versions up to 1.1.7 allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized access to sensitive coupon management functionality. The vulnerability carries low real-world exploitation probability (EPSS 0.02%) despite being classified as an authentication bypass, suggesting limited practical attack surface or requirement for specific configuration conditions.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66160 MEDIUM This Month

Missing authorization in Select Graphist for Elementor WordPress plugin versions up to 1.2.10 allows unauthenticated attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control mechanisms that fail to properly validate user permissions before granting access to sensitive functionality. With an EPSS score of 0.01% and no confirmed active exploitation, this represents a low-probability attack despite the authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62088 MEDIUM This Month

Server-Side Request Forgery (SSRF) in the WordPress & WooCommerce Scraper Plugin (wp_scraper) versions up to 1.0.7 allows unauthenticated attackers to make arbitrary HTTP requests from the affected WordPress server. The vulnerability exists in the plugin's core scraping functionality, which fails to properly validate or restrict the target URLs that can be requested. An attacker can exploit this to scan internal networks, access internal services, exfiltrate data from backend systems, or perform reconnaissance against the hosting infrastructure. No public exploit code has been identified at time of analysis, and EPSS risk is minimal at 0.01%, but the vulnerability affects all installations of the vulnerable plugin versions.

WordPress SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62122 MEDIUM This Month

Missing authorization in the Trash Duplicate and 301 Redirect WordPress plugin through version 1.9.1 allows unauthenticated attackers to exploit incorrectly configured access control security levels, potentially bypassing authentication checks to access or modify restricted functionality. The vulnerability stems from improper enforcement of WordPress capability checks (CWE-862), and while no public exploit code has been identified, the low EPSS score (0.06%) suggests limited real-world exploitation likelihood despite the authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-62755 MEDIUM This Month

Missing authorization controls in GS Portfolio for Envato WordPress plugin versions up to 1.4.2 allow unauthenticated attackers to bypass access restrictions and exploit incorrectly configured security levels to access protected functionality or data. The vulnerability stems from inadequate access control validation, enabling attackers to manipulate requests to resources that should be restricted. No public exploit code has been identified, and the low EPSS score of 0.04% suggests limited real-world exploitation likelihood, though the missing CVSS vector prevents definitive severity assessment.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62747 MEDIUM This Month

Missing authorization checks in Aum Watcharapon Featured Image Generator WordPress plugin versions up to 1.3.4 allow unauthenticated or low-privileged attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive plugin functionality. The EPSS score of 0.04% indicates low exploitation probability in practice despite the authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62129 MEDIUM This Month

Missing authorization controls in RestroPress WordPress plugin versions through 3.2.7 allow unauthenticated attackers to bypass access restrictions and access functionality intended to be restricted by security-configured access levels. The vulnerability stems from improper validation of user permissions, enabling attackers to exploit incorrectly configured access control mechanisms. No public exploit code or active exploitation has been confirmed, though the low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the authorization bypass nature.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62116 MEDIUM This Month

Missing authorization checks in quadlayers AI Copilot WordPress plugin versions up to 1.5.2 allow unauthenticated or inadequately privileged users to bypass access control restrictions and perform unauthorized actions. The vulnerability stems from improperly configured security levels that fail to enforce proper permission validation, enabling attackers to exploit the authentication bypass to access or manipulate protected functionality without proper credentials.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62092 MEDIUM This Month

Missing authorization controls in the Wiremo woo-reviews-by-wiremo WordPress plugin through version 1.4.99 allow attackers to bypass access restrictions and exploit incorrectly configured security levels, potentially enabling unauthorized data access or modification of review functionality. The vulnerability stems from broken access control (CWE-862) and carries an EPSS score of 0.04% (13th percentile), indicating low real-world exploitation probability despite the authentication bypass tag.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62079 MEDIUM This Month

WP Export Categories & Taxonomies WordPress plugin through version 1.0.3 fails to enforce authorization checks on sensitive functionality, allowing unauthenticated or low-privileged users to exploit misconfigured access controls. The vulnerability stems from improper implementation of WordPress capabilities checks, potentially enabling unauthorized users to export or manipulate site taxonomy data. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-49338 MEDIUM This Month

Flowbox WordPress plugin through version 1.1.6 fails to enforce proper access control, allowing attackers to exploit misconfigured security levels and bypass authorization checks. The vulnerability enables unauthorized access to functionality that should require elevated permissions, affecting all installations of the vulnerable plugin versions without authentication requirements.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-49334 MEDIUM This Month

Authorization bypass in MyD Delivery WordPress plugin through version 1.7.1 allows unauthenticated attackers to manipulate user-controlled keys to access resources without proper permission validation, exploiting misconfigured access control security levels. The vulnerability carries low exploitation probability (EPSS 0.04%) but represents a fundamental authorization flaw affecting the plugin's core access control mechanism.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63053 MEDIUM This Month

Authorization bypass in Master Addons for Elementor through version 2.0.9.9.4 allows attackers to exploit incorrectly configured access control via user-controlled keys, enabling unauthorized access to protected functionality without proper privilege validation. The vulnerability affects WordPress installations using the vulnerable plugin versions and carries low exploitation probability (EPSS 0.04%) with no confirmed active exploitation or public exploit code available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63031 MEDIUM This Month

Missing authorization controls in WP Grids EasyTest plugin versions up to 1.0.1 allow unauthenticated attackers to bypass access restrictions and perform unauthorized actions due to incorrectly configured access control security levels. The vulnerability enables exploitation of broken access control without authentication, though real-world exploitation probability remains low at 0.04% EPSS. No public exploit code or active exploitation has been identified.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63022 MEDIUM This Month

Simple Like Page WordPress plugin versions 1.5.3 and earlier allows unauthenticated attackers to bypass access controls and perform unauthorized actions through incorrectly configured authentication checks, enabling exploitation of missing authorization enforcement in plugin functionality. The vulnerability affects the widely-deployed Simple Like Page plugin and has low estimated exploitation probability (EPSS 0.04%) but represents a classic access control weakness that could permit unauthorized modification of plugin data or settings.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63016 MEDIUM This Month

Missing authorization in QuadLayers TikTok Feed WordPress plugin versions through 4.6.5 allows unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper validation of user permissions, enabling unauthorized access to protected functionality or data. While EPSS scoring indicates low exploitation probability (0.04th percentile), the authentication bypass classification suggests potential for privilege escalation or unauthorized administrative actions if discovered by an attacker.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63001 MEDIUM This Month

Missing authorization controls in nicdark Hotel Booking WordPress plugin versions 3.8 and earlier allow unauthenticated attackers to bypass access restrictions through incorrectly configured security levels, potentially exposing sensitive booking and administrative functionality. The vulnerability has low exploitation probability (EPSS 0.04%) and no public exploit code has been identified, making it a lower-priority issue despite the high-impact CWE classification.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62147 MEDIUM This Month

Missing authorization controls in nikmelnik Realbig media WordPress plugin versions up to 1.1.3 allow unauthenticated attackers to bypass access control restrictions and exploit misconfigured security levels, potentially exposing restricted content or functionality. The vulnerability is classified as a broken access control issue (CWE-862) with low exploitation probability (EPSS 0.04%) and no public exploit code identified at the time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62145 MEDIUM This Month

Missing authorization controls in NewClarity DMCA Protection Badge WordPress plugin versions up to 2.2.0 allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially exposing sensitive functionality or data protected by the badge mechanism. The vulnerability stems from insufficient permission validation (CWE-862) and presents an authentication bypass risk, though real-world exploitation likelihood is low based on EPSS scoring (0.04%, 13th percentile).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62141 MEDIUM This Month

Missing authorization in Wawp automation-web-platform through version 4.4 allows unauthenticated or low-privileged attackers to exploit incorrectly configured access control security levels, potentially bypassing intended access restrictions. The vulnerability is tracked as CWE-862 (Missing Authorization) and has an EPSS score of 0.04% (13th percentile), indicating very low real-world exploitation probability despite the access control nature of the flaw.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62081 MEDIUM This Month

Missing authorization in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin (versions up to 2.2.0) allows unauthenticated or low-privilege users to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862) where endpoint-level authorization checks are insufficient or absent, potentially allowing attackers to bypass intended security restrictions on sensitive functionality. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability at time of analysis.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-49349 MEDIUM This Month

Reuters Direct WordPress plugin through version 3.0.0 contains a missing authorization vulnerability allowing attackers to bypass access control restrictions and access protected functionality without proper authentication. The vulnerability stems from incorrectly configured access control security levels in the plugin, potentially enabling unauthenticated users to interact with sensitive features intended for authorized administrators or subscribers. With an EPSS score of 0.04% and low real-world exploitation signals, this issue presents minimal immediate risk but should be addressed through plugin updates.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62138 MEDIUM This Month

Missing authorization controls in cedcommerce WP Advanced PDF plugin versions up to 1.1.7 allow attackers to bypass access restrictions and exploit incorrectly configured security levels. The vulnerability enables unauthenticated access to functionalities that should require proper authorization checks, potentially exposing sensitive PDF generation or management features to unauthorized users. No CVSS vector or active exploitation data is available, but the low EPSS score (0.04%) suggests minimal real-world attack activity.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62114 MEDIUM This Month

Download Media Library WordPress plugin through version 0.2.1 exposes sensitive system information to unauthorized users via embedded data retrieval. The vulnerability allows unauthenticated attackers to access restricted system details without proper access controls, though real-world exploitation probability remains low (EPSS 0.04%). No public exploit code or active exploitation has been confirmed.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62139 MEDIUM This Month

The Terms descriptions WordPress plugin versions 3.4.10 and earlier expose sensitive data through embedded information in sent data, allowing unauthenticated attackers to retrieve embedded sensitive information. This information disclosure vulnerability (CWE-201) affects all installations of the plugin up to version 3.4.10. No public exploit code has been identified, and the EPSS score of 0.04% indicates minimal real-world exploitation probability, though the vulnerability remains a concern for sites storing sensitive term metadata.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-34467 MEDIUM This Month

Resource lock poisoning in ZwiiCMS prior to 13.7.00 allows authenticated low-privilege users to deny administrators access to administrative functionality by exploiting a race between lock acquisition and authorization. The application incorrectly acquires and binds a temporary resource lock to the requesting session before completing the authorization check - meaning even a request that ultimately returns 404 holds the lock until the attacker's session is cleared. No public exploit has been identified and the vulnerability is not listed in CISA KEV; real-world risk is bounded by the requirement for a pre-existing authenticated session.

Information Disclosure Zwiicms
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-59138 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Jthemes Genemy WordPress theme versions up to 1.6.6 allows unauthenticated remote attackers to make arbitrary HTTP requests from the affected server, potentially accessing internal resources, cloud metadata endpoints, or services restricted to localhost. No CVSS score is assigned in official databases; EPSS probability is extremely low at 0.01%, and no public exploit code or active exploitation has been identified. The vulnerability was reported by Patchstack's security audit team.

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-62132 MEDIUM This Month

Missing authorization controls in Strategy11 Team Tasty Recipes Lite WordPress plugin through version 1.1.5 allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from insufficient validation of user permissions before executing sensitive operations, enabling unauthorized access to protected functionality. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-62751 MEDIUM This Month

Missing authorization in the Vireo WordPress theme (versions up to 1.0.24) enables authenticated attackers with low privileges to bypass access controls and execute high-impact operations including data exfiltration, integrity compromise, and availability disruption. The vulnerability affects a specific WordPress theme product from extendthemes with CVSS 8.8 severity. While EPSS probability is low (0.04%, 13th percentile), the low attack complexity and network attack vector warrant attention for sites using this theme. No public exploit identified at time of analysis, and not listed in CISA KEV.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62143 MEDIUM This Month

Post Video Players WordPress plugin through version 1.163 exposes sensitive embedded data to unauthorized users via improper information disclosure mechanisms. The vulnerability allows attackers to retrieve sensitive system information that should be restricted from public access, affecting the plugin's core video playlist and gallery functionality. With an extremely low EPSS score of 0.04%, active exploitation appears minimal despite the information disclosure risk.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63004 MEDIUM This Month

Missing authorization controls in All in One Accessibility WordPress plugin versions 1.15 and earlier allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from CWE-862 (Missing Authorization) and enables attackers to access or modify functionality that should be restricted, though exploitation probability is low (EPSS 0.04%). No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy