Skip to main content
CVE-2025-66139 MEDIUM This Month

Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Audier For Elementor: from n/a through <= 1.0.9. [CVSS 5.4 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62741 MEDIUM This Month

Pool Services WordPress plugin has a Server-Side Request Forgery vulnerability allowing attackers to make the server perform arbitrary HTTP requests to internal and external targets.

SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22358 MEDIUM This Month

SmartDataSoft Electrician - Electrical Service WordPress electrician is affected by server-side request forgery (ssrf) (CVSS 5.4).

WordPress SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22430 MEDIUM This Month

Mikado-Themes Verdure verdure is affected by authorization bypass through user-controlled key (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22426 MEDIUM This Month

Elated-Themes Sweet Jane sweetjane is affected by authorization bypass through user-controlled key (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22400 MEDIUM This Month

Mikado-Themes Holmes holmes is affected by authorization bypass through user-controlled key (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22398 MEDIUM This Month

Mikado-Themes Fleur fleur is affected by authorization bypass through user-controlled key (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22396 MEDIUM This Month

Mikado-Themes Fiorello fiorello is affected by authorization bypass through user-controlled key (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22393 MEDIUM This Month

Mikado-Themes Curly curly is affected by authorization bypass through user-controlled key (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22391 MEDIUM This Month

Mikado-Themes Cocco cocco is affected by authorization bypass through user-controlled key (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69300 MEDIUM This Month

Leap13 Premium Addons for Elementor premium-addons-for-elementor is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66140 MEDIUM This Month

Missing Authorization vulnerability in merkulove Uper for Elementor uper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uper for Elementor: from n/a through <= 1.0.5. [CVSS 5.4 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24381 MEDIUM This Month

ThemeGoods PhotoMe versions below 5.7.2 contain a server-side request forgery vulnerability that allows unauthenticated attackers to perform arbitrary HTTP requests on behalf of the affected server. The vulnerability requires user interaction to exploit and can lead to information disclosure or unintended modifications on the target system. No patch is currently available.

SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22382 MEDIUM This Month

Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by cross-site request forgery (csrf) (CVSS 5.4).

WordPress CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24384 MEDIUM This Month

The Merge + Minify + Refresh WordPress plugin through version 2.14 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. An attacker can craft malicious requests to trick site administrators into executing unintended operations, potentially compromising website functionality or configuration. No patch is currently available for this vulnerability.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24374 MEDIUM This Month

Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager is affected by cross-site request forgery (csrf) (CVSS 5.4).

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24365 MEDIUM This Month

storeapps Stock Manager for WooCommerce woocommerce-stock-manager is affected by cross-site request forgery (csrf) (CVSS 5.4).

WordPress CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22483 MEDIUM This Month

teachPress through version 9.0.12 is vulnerable to Cross-Site Request Forgery attacks that enable unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability requires user interaction and can result in data integrity compromise or service disruption, though confidentiality is not affected. No patch is currently available for this vulnerability.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1036 MEDIUM This Month

The Photo Gallery by 10Web plugin for WordPress versions up to 1.8.36 lacks proper authentication checks on its comment deletion function, allowing unauthenticated attackers to delete arbitrary image comments from the Pro version. This integrity vulnerability (CVSS 5.3) requires no user interaction and can be exploited remotely, though no patch is currently available. The impact is limited to comment data manipulation, but affects all unpatched installations of the plugin.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-23961 MEDIUM This Month

Suspended remote users in Mastodon can bypass suspension restrictions and have their posts appear in timelines through boosting and post processing logic errors. This affects all Mastodon versions for older posts, with additional bypass capabilities in versions 4.5.0-4.5.4, 4.4.5-4.4.11, 4.3.13-4.3.17, and 4.2.26-4.2.29, allowing suspended users to inject new content into the system. No patch is currently available for this integrity issue.

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-69001 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Shahjahan Jewel FluentForm fluentform allows Code Injection.This issue affects FluentForm: from n/a through <= 6.1.11. [CVSS 5.3 MEDIUM]

Code Injection
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-24380 MEDIUM This Month

Metagauss EventPrime eventprime-event-calendar-management is affected by missing authorization (CVSS 8.8).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-24368 MEDIUM This Month

Improper access control in Theme-one The Grid versions prior to 2.8.0 enables authenticated users to bypass authorization checks and gain unauthorized access to sensitive functionality. An attacker with valid credentials could exploit misconfigured security levels to read, modify, or delete data without proper permissions. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-23974 MEDIUM This Month

Uxper Golo versions prior to 1.7.5 contain an access control bypass that allows authenticated attackers to exploit improperly configured security levels to gain unauthorized access to sensitive functions and data. An attacker with valid credentials can leverage this missing authorization check to escalate privileges and perform administrative actions without proper permission validation. No patch is currently available for this high-severity vulnerability (CVSS 8.8).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-23831 MEDIUM PATCH This Month

Rekor versions 1.4.3 and below are vulnerable to denial of service through a null pointer dereference when processing malformed cose/v0.0.1 entries with empty spec.message fields. An unauthenticated remote attacker can trigger a panic in the Rekor process by sending a specially crafted entry, resulting in a 500 error response and temporary service disruption, though the thread recovery mechanism limits availability impact. The vulnerability has been patched in version 1.5.0.

Denial Of Service Rekor Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63019 MEDIUM This Month

Johan Jonk Stenström Cookies and Content Security Policy cookies-and-content-security-policy contains a security vulnerability (CVSS 7.5).

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62754 MEDIUM This Month

Payment Gateway bKash for WooCommerce has a missing authorization vulnerability allowing attackers to exploit incorrect access controls for privilege escalation.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24366 MEDIUM This Month

YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22445 MEDIUM This Month

The Apimo Connector plugin for WordPress versions 2.6.4 and earlier contains an authorization bypass that allows unauthenticated attackers to access sensitive information through improperly configured access controls. An attacker can exploit this vulnerability over the network without user interaction to read confidential data from the affected application. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22348 MEDIUM This Month

Tasos Fel Civic Cookie Control civic-cookie-control-8 is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-47600 MEDIUM This Month

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection.This issue affects WoodMart: from n/a through <= 8.3.7. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1332 MEDIUM This Month

Meetinghub Paperless Meetings is affected by missing authentication for critical function (CVSS 5.3).

Authentication Bypass Meetinghub Paperless Meetings
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1102 MEDIUM This Month

Gitlab versions up to 18.6.4 is affected by allocation of resources without limits or throttling (CVSS 5.3).

Gitlab SSH Denial Of Service
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-27377 MEDIUM This Month

Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. [CVSS 5.3 MEDIUM]

Authentication Bypass Designer
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24130 MEDIUM PATCH This Month

Moonraker versions 0.9.3 and below with LDAP authentication enabled are susceptible to LDAP injection attacks through the login endpoint, enabling attackers to enumerate valid user IDs and attributes via response analysis. An unauthenticated remote attacker can exploit this vulnerability to discover LDAP directory information without requiring valid credentials. A patch is available in version 0.10.0 and later.

Python LDAP Moonraker
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22469 MEDIUM This Month

DeepDigital versions 1.0.2 and earlier fail to properly sanitize HTML script tags, enabling stored or reflected cross-site scripting (XSS) attacks that allow code injection. An unauthenticated attacker can exploit this vulnerability over the network to inject malicious scripts that execute in users' browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for affected installations.

XSS
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24117 MEDIUM PATCH This Month

Rekor versions 1.4.3 and earlier contain a server-side request forgery (SSRF) vulnerability in the /api/v1/index/retrieve endpoint that allows unauthenticated remote attackers to probe internal networks through blind SSRF attacks by supplying arbitrary URLs for public key retrieval. While the vulnerability cannot directly exfiltrate data or modify state since responses are not returned and only GET requests are supported, it enables reconnaissance of internal infrastructure. The issue is patched in version 1.5.0, or can be mitigated by disabling the retrieve API with --enable_retrieve_api=false.

SSRF Rekor Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22461 MEDIUM This Month

WebAppick CTX Feed webappick-product-feed-for-woocommerce is affected by missing authorization (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22447 MEDIUM This Month

Select-Themes Prowess through version 1.8.1 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to access sensitive information due to improperly configured access controls. An attacker can exploit this flaw to read confidential data without requiring authentication or user interaction. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-22234 MEDIUM PATCH This Month

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. [CVSS 5.3 MEDIUM]

Information Disclosure Red Hat
NVD HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22280 MEDIUM This Month

Powerscale Onefs versions up to 9.5.1.5 is affected by incorrect permission assignment for critical resource (CVSS 5.0).

Denial Of Service Powerscale Onefs
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-24356 MEDIUM This Month

Roxnor GetGenie versions up to 4.3.0 contain an authorization bypass vulnerability that allows authenticated users to exploit misconfigured access controls and gain unauthorized access to sensitive functionality. An attacker with low-level credentials can escalate privileges to perform confidential data theft, modify critical information, or disrupt service availability. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-22482 MEDIUM This Month

IMGspider WordPress plugin has a Server-Side Request Forgery vulnerability enabling attackers to make the server perform requests to internal network resources.

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-23959 MEDIUM PATCH This Month

Improper input sanitization in CoreShop's CustomerTransformerController prior to version 4.1.9 allows authenticated administrators to inject SQL commands through the admin panel, enabling database error-based information disclosure. An attacker with high-privilege access can exploit this to extract sensitive data from the underlying database without modifying or deleting records. A patch is available in version 4.1.9 and later.

SQLi Coreshop
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-64252 MEDIUM This Month

Marco Milesi ANAC XML Viewer anac-xml-viewer is affected by server-side request forgery (ssrf) (CVSS 4.9).

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-9289 MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator.

XSS Oc200 Firmware Oc400 Firmware Oc300 Firmware Oc220 Firmware +1
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-24360 MEDIUM This Month

Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting is affected by server-side request forgery (ssrf) (CVSS 4.6).

SSRF
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-24371 MEDIUM This Month

BA Book Everything WordPress plugin has a missing authorization vulnerability allowing unauthenticated users to access and modify booking data.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-23963 MEDIUM This Month

Mastodon prior to versions 4.5.5, 4.4.12, and 4.3.18 lacks input validation on list and filter names, allowing authenticated users to create arbitrarily long strings that consume excessive server resources and storage. A local attacker can exploit this to degrade system performance or render their own web interface unusable, though no patch is currently available for affected versions.

Denial Of Service Mastodon
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-24358 MEDIUM This Month

ExpressTech Systems Quiz And Survey Master quiz-master-next is affected by missing authorization (CVSS 8.8).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
Prev Page 8 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy