Atarim visual collaboration plugin versions 4.3.1 and earlier contain an access control bypass that allows unauthenticated remote attackers to modify data through improperly configured security levels. The vulnerability affects all installations of the affected plugin and requires no user interaction to exploit. No patch is currently available for this authorization flaw.
WP Bannerize Pro versions up to 1.11.0 contain a missing authorization vulnerability that allows unauthenticated attackers to bypass access control restrictions and gain unauthorized information disclosure. The improperly configured security levels enable remote exploitation without user interaction, potentially exposing sensitive banner configuration data. WordPress site administrators using affected versions should update to a patched release when available.
ILLID Share This Image plugin version 2.09 and earlier contains an access control bypass that allows unauthenticated remote attackers to modify content through improperly configured authorization checks. The vulnerability requires no user interaction and can be exploited over the network to alter shared images or related data. No patch is currently available.
Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management is affected by missing authorization (CVSS 5.3).
sunshinephotocart Sunshine Photo Cart sunshine-photo-cart is affected by missing authorization (CVSS 5.3).
HT Plugins Extensions For CF7 extensions-for-cf7 is affected by authorization bypass through user-controlled key (CVSS 5.3).
Brainstorm Force Spectra ultimate-addons-for-gutenberg is affected by missing authorization (CVSS 5.3).
Amelia booking plugin versions up to 1.2.38 contain an authorization bypass that allows unauthenticated remote attackers to access sensitive information through improperly configured access control mechanisms. The vulnerability requires no user interaction and can be exploited over the network to disclose confidential data. No patch is currently available.
Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 is affected by missing authorization (CVSS 5.3).
WP ULike (WordPress plugin) versions up to 4.8.3.1. is affected by authorization bypass through user-controlled key (CVSS 5.3).
The ContestsWP plugin versions 2.0.7 and earlier expose sensitive embedded data through improper access controls, allowing unauthenticated attackers to retrieve information from the contest-code-checker component. This low-impact information disclosure affects WordPress sites running vulnerable versions of the Run Contests, Raffles, and Giveaways plugin. No patch is currently available to remediate this exposure.
WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup contains a security vulnerability (CVSS 5.3).
WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics contains a security vulnerability (CVSS 5.3).
HTTP request smuggling in libsoup allows remote attackers to exploit non-compliant chunk header parsing by injecting malformed requests with LF-only line endings instead of proper CRLF formatting. Without requiring authentication, an attacker can cause libsoup to interpret multiple HTTP requests from a single network message, potentially leading to information disclosure. No patch is currently available for this vulnerability.
Django versions up to 6.0.2 contains a vulnerability that allows attackers to enumerate users via a timing attack (CVSS 5.3).
WRC-X1500GS-B and WRC-X1500GSA-B routers contain a weak credential derivation vulnerability where initial administrative passwords can be predicted from publicly available system information, potentially allowing unauthenticated attackers to gain administrative access. The vulnerability requires physical proximity to the device to obtain necessary system details, limiting its practical exploitability. No patch is currently available for affected devices.
Unauthenticated attackers can perform unauthorized actions on WRC-X1500GS-B and WRC-X1500GSA-B routers through cross-site request forgery attacks that exploit the lack of CSRF protections. An attacker can trick authenticated users into visiting a malicious webpage that silently executes unwanted commands on the affected device. No patch is currently available.
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 5.0 MEDIUM]
Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).
TP-Link Archer BE230 v1.2 before 1.2.4 Build 20251218 rel.70420 is susceptible to denial-of-service attacks when an authenticated high-privilege user restores a specially crafted configuration file with excessively long parameters. The malicious configuration causes the device to become unresponsive and requires a manual reboot to restore functionality. No patch is currently available for this vulnerability.
Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, potentially increasing exposure to cr (CVSS 4.6).
A Potential Command Injection vulnerability in HCL AION. An This can allow unintended command execution, potentially leading to unauthorized actions on the underlying system.This issue affects AION: 2.0 [CVSS 4.5 MEDIUM]
TP-Link Archer BE230 firmware v1.2 before build 20251218 rel.70420 lacks proper input validation in HTTP request processing, allowing a network-adjacent attacker with high privileges to crash the web service. An attacker exploiting this vulnerability can render the device's web interface temporarily unavailable until manual recovery or reboot occurs. No patch is currently available.
Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. [CVSS 4.3 MEDIUM]
Iulia Cazan Latest Post Shortcode latest-post-shortcode is affected by missing authorization (CVSS 4.3).
WP Sync for Notion plugin through version 1.7.0 contains improper access control that allows authenticated users to modify data without proper authorization checks. An attacker with WordPress user privileges could exploit this vulnerability to alter synchronized content between WordPress and Notion. The vulnerability requires user interaction and network access but poses a medium risk to WordPress installations using affected versions.
Nelio Popups versions 1.3.5 and earlier contain an authorization bypass vulnerability that allows authenticated users to modify popup content without proper access controls. An attacker with valid credentials can exploit misconfigured access control levels to make unauthorized changes to popups. No patch is currently available.
Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface is affected by missing authorization (CVSS 4.3).
WPElemento Importer through version 0.6.4 contains a missing authorization flaw that allows authenticated users to modify data due to improper access control enforcement. An attacker with valid credentials can exploit this vulnerability to perform unauthorized modifications without requiring user interaction. No patch is currently available for this issue.
approveme WP Forms Signature Contract Add-On wp-forms-signature-contract-add-on is affected by missing authorization (CVSS 4.3).
Insufficient access control checks in myCred plugin version 2.9.7.3 and earlier allow authenticated users to modify data they should not have permission to change. An attacker with valid credentials could exploit misconfigured security levels to perform unauthorized modifications, though the vulnerability requires legitimate user access and has no currently available patch.
Insufficient access control in Themefic Travelfic Toolkit version 1.3.3 and earlier allows authenticated users to modify data due to improperly configured authorization checks. An attacker with valid credentials can bypass intended permission restrictions to perform unauthorized actions. No patch is currently available for this vulnerability.
Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. [CVSS 4.3 MEDIUM]
Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery is affected by missing authorization (CVSS 4.3).
LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit is affected by missing authorization (CVSS 4.3).
WP Chill Modula Image Gallery modula-best-grid-gallery is affected by missing authorization (CVSS 4.3).
Unauthenticated attackers can perform Cross-Site Request Forgery (CSRF) attacks against users of Enter Addons version 2.3.2 and earlier, potentially modifying victim data through unwanted actions. The vulnerability requires user interaction to succeed but carries no authentication barriers, allowing attackers to forge requests that alter application state. No patch is currently available to remediate this issue.
Copyscape Copyscape Premium copyscape-premium is affected by cross-site request forgery (csrf) (CVSS 4.3).
Sigmize through version 0.0.9 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unintended actions on behalf of authenticated users. The flaw requires user interaction but could enable unauthorized modifications or state changes within the application. No patch is currently available.
magepeopleteam WpEvently mage-eventpress is affected by cross-site request forgery (csrf) (CVSS 4.3).
A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. [CVSS 4.3 MEDIUM]
UsersWP plugin versions 1.2.53 and earlier contain a CSRF vulnerability that enables attackers to perform unauthorized actions on behalf of authenticated users without their knowledge. An attacker can craft malicious requests to modify user data or settings through a victim's browser session. No patch is currently available for this vulnerability.
ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. [CVSS 4.1 MEDIUM]