Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Audier For Elementor: from n/a through <= 1.0.9. [CVSS 5.4 MEDIUM]
Pool Services WordPress plugin has a Server-Side Request Forgery vulnerability allowing attackers to make the server perform arbitrary HTTP requests to internal and external targets.
SmartDataSoft Electrician - Electrical Service WordPress electrician is affected by server-side request forgery (ssrf) (CVSS 5.4).
Mikado-Themes Verdure verdure is affected by authorization bypass through user-controlled key (CVSS 5.4).
Elated-Themes Sweet Jane sweetjane is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Holmes holmes is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Fleur fleur is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Fiorello fiorello is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Curly curly is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Cocco cocco is affected by authorization bypass through user-controlled key (CVSS 5.4).
Leap13 Premium Addons for Elementor premium-addons-for-elementor is affected by missing authorization (CVSS 5.4).
Missing Authorization vulnerability in merkulove Uper for Elementor uper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uper for Elementor: from n/a through <= 1.0.5. [CVSS 5.4 MEDIUM]
ThemeGoods PhotoMe versions below 5.7.2 contain a server-side request forgery vulnerability that allows unauthenticated attackers to perform arbitrary HTTP requests on behalf of the affected server. The vulnerability requires user interaction to exploit and can lead to information disclosure or unintended modifications on the target system. No patch is currently available.
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by cross-site request forgery (csrf) (CVSS 5.4).
The Merge + Minify + Refresh WordPress plugin through version 2.14 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. An attacker can craft malicious requests to trick site administrators into executing unintended operations, potentially compromising website functionality or configuration. No patch is currently available for this vulnerability.
Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager is affected by cross-site request forgery (csrf) (CVSS 5.4).
storeapps Stock Manager for WooCommerce woocommerce-stock-manager is affected by cross-site request forgery (csrf) (CVSS 5.4).
teachPress through version 9.0.12 is vulnerable to Cross-Site Request Forgery attacks that enable unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability requires user interaction and can result in data integrity compromise or service disruption, though confidentiality is not affected. No patch is currently available for this vulnerability.
The Photo Gallery by 10Web plugin for WordPress versions up to 1.8.36 lacks proper authentication checks on its comment deletion function, allowing unauthenticated attackers to delete arbitrary image comments from the Pro version. This integrity vulnerability (CVSS 5.3) requires no user interaction and can be exploited remotely, though no patch is currently available. The impact is limited to comment data manipulation, but affects all unpatched installations of the plugin.
Suspended remote users in Mastodon can bypass suspension restrictions and have their posts appear in timelines through boosting and post processing logic errors. This affects all Mastodon versions for older posts, with additional bypass capabilities in versions 4.5.0-4.5.4, 4.4.5-4.4.11, 4.3.13-4.3.17, and 4.2.26-4.2.29, allowing suspended users to inject new content into the system. No patch is currently available for this integrity issue.
Improper Control of Generation of Code ('Code Injection') vulnerability in Shahjahan Jewel FluentForm fluentform allows Code Injection.This issue affects FluentForm: from n/a through <= 6.1.11. [CVSS 5.3 MEDIUM]
Metagauss EventPrime eventprime-event-calendar-management is affected by missing authorization (CVSS 8.8).
Improper access control in Theme-one The Grid versions prior to 2.8.0 enables authenticated users to bypass authorization checks and gain unauthorized access to sensitive functionality. An attacker with valid credentials could exploit misconfigured security levels to read, modify, or delete data without proper permissions. No patch is currently available.
Uxper Golo versions prior to 1.7.5 contain an access control bypass that allows authenticated attackers to exploit improperly configured security levels to gain unauthorized access to sensitive functions and data. An attacker with valid credentials can leverage this missing authorization check to escalate privileges and perform administrative actions without proper permission validation. No patch is currently available for this high-severity vulnerability (CVSS 8.8).
Rekor versions 1.4.3 and below are vulnerable to denial of service through a null pointer dereference when processing malformed cose/v0.0.1 entries with empty spec.message fields. An unauthenticated remote attacker can trigger a panic in the Rekor process by sending a specially crafted entry, resulting in a 500 error response and temporary service disruption, though the thread recovery mechanism limits availability impact. The vulnerability has been patched in version 1.5.0.
Johan Jonk Stenström Cookies and Content Security Policy cookies-and-content-security-policy contains a security vulnerability (CVSS 7.5).
Payment Gateway bKash for WooCommerce has a missing authorization vulnerability allowing attackers to exploit incorrect access controls for privilege escalation.
YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote is affected by missing authorization (CVSS 5.3).
The Apimo Connector plugin for WordPress versions 2.6.4 and earlier contains an authorization bypass that allows unauthenticated attackers to access sensitive information through improperly configured access controls. An attacker can exploit this vulnerability over the network without user interaction to read confidential data from the affected application. No patch is currently available for this vulnerability.
Tasos Fel Civic Cookie Control civic-cookie-control-8 is affected by missing authorization (CVSS 5.3).
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection.This issue affects WoodMart: from n/a through <= 8.3.7. [CVSS 6.1 MEDIUM]
Meetinghub Paperless Meetings is affected by missing authentication for critical function (CVSS 5.3).
Gitlab versions up to 18.6.4 is affected by allocation of resources without limits or throttling (CVSS 5.3).
Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. [CVSS 5.3 MEDIUM]
Moonraker versions 0.9.3 and below with LDAP authentication enabled are susceptible to LDAP injection attacks through the login endpoint, enabling attackers to enumerate valid user IDs and attributes via response analysis. An unauthenticated remote attacker can exploit this vulnerability to discover LDAP directory information without requiring valid credentials. A patch is available in version 0.10.0 and later.
DeepDigital versions 1.0.2 and earlier fail to properly sanitize HTML script tags, enabling stored or reflected cross-site scripting (XSS) attacks that allow code injection. An unauthenticated attacker can exploit this vulnerability over the network to inject malicious scripts that execute in users' browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for affected installations.
Rekor versions 1.4.3 and earlier contain a server-side request forgery (SSRF) vulnerability in the /api/v1/index/retrieve endpoint that allows unauthenticated remote attackers to probe internal networks through blind SSRF attacks by supplying arbitrary URLs for public key retrieval. While the vulnerability cannot directly exfiltrate data or modify state since responses are not returned and only GET requests are supported, it enables reconnaissance of internal infrastructure. The issue is patched in version 1.5.0, or can be mitigated by disabling the retrieve API with --enable_retrieve_api=false.
WebAppick CTX Feed webappick-product-feed-for-woocommerce is affected by missing authorization (CVSS 5.3).
Select-Themes Prowess through version 1.8.1 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to access sensitive information due to improperly configured access controls. An attacker can exploit this flaw to read confidential data without requiring authentication or user interaction. No patch is currently available for this vulnerability.
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. [CVSS 5.3 MEDIUM]
Powerscale Onefs versions up to 9.5.1.5 is affected by incorrect permission assignment for critical resource (CVSS 5.0).
Roxnor GetGenie versions up to 4.3.0 contain an authorization bypass vulnerability that allows authenticated users to exploit misconfigured access controls and gain unauthorized access to sensitive functionality. An attacker with low-level credentials can escalate privileges to perform confidential data theft, modify critical information, or disrupt service availability. No patch is currently available.
IMGspider WordPress plugin has a Server-Side Request Forgery vulnerability enabling attackers to make the server perform requests to internal network resources.
Improper input sanitization in CoreShop's CustomerTransformerController prior to version 4.1.9 allows authenticated administrators to inject SQL commands through the admin panel, enabling database error-based information disclosure. An attacker with high-privilege access can exploit this to extract sensitive data from the underlying database without modifying or deleting records. A patch is available in version 4.1.9 and later.
Marco Milesi ANAC XML Viewer anac-xml-viewer is affected by server-side request forgery (ssrf) (CVSS 4.9).
A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator.
Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting is affected by server-side request forgery (ssrf) (CVSS 4.6).
BA Book Everything WordPress plugin has a missing authorization vulnerability allowing unauthenticated users to access and modify booking data.
Mastodon prior to versions 4.5.5, 4.4.12, and 4.3.18 lacks input validation on list and filter names, allowing authenticated users to create arbitrarily long strings that consume excessive server resources and storage. A local attacker can exploit this to degrade system performance or render their own web interface unusable, though no patch is currently available for affected versions.
ExpressTech Systems Quiz And Survey Master quiz-master-next is affected by missing authorization (CVSS 8.8).