Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin contains a security vulnerability (CVSS 5.3).
Cargus eCommerce versions 1.5.8 and earlier expose sensitive data in outbound communications due to improper information handling, allowing remote unauthenticated attackers to retrieve embedded sensitive information. The vulnerability requires no user interaction and carries a CVSS score of 5.3, though no patch is currently available.
The Ryviu product reviews plugin for WordPress versions 3.1.26 and earlier contains an authorization bypass vulnerability that allows unauthenticated attackers to modify data due to improperly configured access controls. This could enable attackers to manipulate product reviews or other protected functionality without proper authentication. No patch is currently available for this vulnerability.
ABCdatos Protección de datos – RGPD plugin version 0.68 and earlier contains a missing authorization vulnerability that allows unauthenticated remote attackers to bypass access controls and gain unauthorized information disclosure. The misconfigured access control security levels permit exploitation without authentication or user interaction, affecting all users of the vulnerable plugin versions. No patch is currently available for this vulnerability.
sheepfish WebP Conversion version 2.1 and earlier contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability affects the webp-conversion component and has a low exploitability score with no patch currently available.
Alejandro Quick Restaurant Reservations quick-restaurant-reservations is affected by missing authorization (CVSS 5.3).
CloudPanel CLP Varnish Cache versions 1.0.2 and earlier contain a missing authorization vulnerability that allows unauthenticated remote attackers to modify cache content through improperly configured access controls. This could enable cache poisoning attacks or manipulation of cached responses affecting all users accessing the affected service.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tapandsign Technologies Software Inc. Tap&Sign allows Cross-Site Scripting (XSS).This issue affects Tap&Sign: through 23012026. [CVSS 4.7 MEDIUM]
A race condition in the Linux kernel's gpiolib subsystem allows local attackers with privileges to cause a kernel crash by exploiting unprotected access to uninitialized SRCU synchronization structures during concurrent gpiochip driver initialization. An attacker can trigger this vulnerability by causing multiple drivers to call gpiochip_add_data_with_key() simultaneously, resulting in a kernel page fault and denial of service.
Elastic Cloud Storage versions up to 3.8.1.7 is affected by inclusion of sensitive information in source code (CVSS 4.4).
UPress Booter versions up to 1.5.7 contain an authorization bypass in the booter-bots-crawlers-manager component that allows authenticated users to exploit misconfigured access controls and gain unauthorized administrative capabilities. An attacker with low-privilege credentials could achieve complete compromise of the application, including confidentiality, integrity, and availability violations. No patch is currently available for this vulnerability.
Download After Email versions 2.1.9 and earlier contain a missing authorization vulnerability that allows unauthenticated remote attackers to bypass access control restrictions and gain unauthorized access to sensitive functionality. The vulnerability stems from improper validation of user permissions, enabling attackers on the network to read restricted information without authentication. No patch is currently available for this issue.
Improper HTML tag sanitization in Israpil Textmetrics webtexttool versions up to 3.6.3 enables stored XSS attacks that allow authenticated users with high privileges to inject malicious scripts and compromise data confidentiality and integrity. An attacker with administrative access could inject code through web forms that executes in other users' browsers, potentially leading to session hijacking or credential theft. No patch is currently available for affected industrial deployments.
Essekia Tablesome versions up to 1.1.35.2 contain an authorization bypass vulnerability that allows authenticated attackers to access or modify resources they should not have permission to reach due to misconfigured access controls. The vulnerability requires low attack complexity and network access, potentially exposing sensitive data and allowing unauthorized modifications without authentication bypass. A patch is not currently available, leaving affected users vulnerable to exploitation by authenticated users.
Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers contains a security vulnerability (CVSS 4.3).
Improper access control in Sugar Calendar (Lite) through version 3.10.1 enables authenticated users to access calendar data and functionality beyond their authorized permission level. An attacker with valid login credentials can exploit misconfigured access controls to view sensitive information from other users' calendars. No patch is currently available for this vulnerability.
The Trusona WordPress plugin version 2.0.0 and earlier contains an authorization bypass that allows authenticated attackers to exploit misconfigured access controls and gain unauthorized information disclosure. An attacker with valid WordPress credentials could leverage this vulnerability to access sensitive data they should not have permission to view. No patch is currently available for this vulnerability.
Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart is affected by missing authorization (CVSS 4.3).
WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp is affected by missing authorization (CVSS 4.3).
Jahid Hasan Admin login URL Change admin-login-url-change is affected by missing authorization (CVSS 4.3).
Improper access control in BOX NOW Delivery versions up to 3.0.2 enables authenticated attackers to read sensitive information by bypassing authorization checks. An attacker with valid credentials could exploit misconfigured security levels to access data they are not authorized to view, resulting in confidential information disclosure.
Sully Media Library File Size media-library-file-size is affected by missing authorization (CVSS 4.3).
briarinc Anything Order by Terms anything-order-by-terms is affected by missing authorization (CVSS 4.3).
LifePress through version 2.1.3 contains an authorization bypass that allows authenticated users to access resources beyond their assigned permission levels. An attacker with valid credentials can exploit misconfigured access controls to read sensitive information they should not have access to. No patch is currently available for this vulnerability.
Harmonic Design HD Quiz versions up to 2.0.9 contain an access control vulnerability that allows authenticated users to read sensitive information by exploiting misconfigured security levels. An attacker with valid credentials can bypass authorization checks to access data they should not have permission to view. No patch is currently available for this issue.
Horea Radu Materialis Companion materialis-companion is affected by missing authorization (CVSS 4.3).
webdevstudios Automatic Featured Images from Videos automatic-featured-images-from-videos is affected by missing authorization (CVSS 4.3).
Insufficient access control in MyThemeShop WP Subscribe plugin through version 1.2.16 allows authenticated attackers to bypass authorization checks and gain unauthorized access to sensitive information. An attacker with a user account can exploit misconfigured security levels to view data they should not have permission to access. No patch is currently available.
Timur Kamaev Kama Thumbnail kama-thumbnail is affected by cross-site request forgery (csrf) (CVSS 4.3).
Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. [CVSS 4.3 MEDIUM]
Incorrect access control in SiteLock Security plugin versions up to 5.0.2 for WordPress allows authenticated users to modify content they should not have permission to access. An attacker with login credentials could exploit misconfigured security levels to bypass authorization checks and alter website data. No patch is currently available.
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]
Inadequate access control in X Addons for Elementor up to version 1.0.23 permits authenticated users to bypass authorization checks and access restricted functionality. An attacker with valid credentials can exploit misconfigured security levels to gain unauthorized access to sensitive features or data. No patch is currently available for this vulnerability.
bestwebsoft Multilanguage by BestWebSoft multilanguage is affected by missing authorization (CVSS 4.3).
Authenticated users can bypass access controls in topdevs Smart Product Viewer through version 1.5.4 to access resources they should not have permission to view. This missing authorization check allows low-privileged attackers to gain unauthorized read access to sensitive information without requiring any user interaction. No patch is currently available for this vulnerability.
marynixie Related Posts Thumbnails Plugin for WordPress related-posts-thumbnails is affected by cross-site request forgery (csrf) (CVSS 4.7).
GeoDirectory versions before 2.8.150 are vulnerable to cross-site request forgery attacks that could allow an attacker to perform unauthorized actions on behalf of authenticated users. The vulnerability requires user interaction to exploit and can result in integrity violations, though no patch is currently available.
John James Jacoby WP Term Order wp-term-order is affected by cross-site request forgery (csrf) (CVSS 4.3).