Skip to main content
CVE-2026-25019 MEDIUM This Month

Atarim visual collaboration plugin versions 4.3.1 and earlier contain an access control bypass that allows unauthenticated remote attackers to modify data through improperly configured security levels. The vulnerability affects all installations of the affected plugin and requires no user interaction to exploit. No patch is currently available for this authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25012 MEDIUM This Month

WP Bannerize Pro versions up to 1.11.0 contain a missing authorization vulnerability that allows unauthenticated attackers to bypass access control restrictions and gain unauthorized information disclosure. The improperly configured security levels enable remote exploitation without user interaction, potentially exposing sensitive banner configuration data. WordPress site administrators using affected versions should update to a patched release when available.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25010 MEDIUM This Month

ILLID Share This Image plugin version 2.09 and earlier contains an access control bypass that allows unauthenticated remote attackers to modify content through improperly configured authorization checks. The vulnerability requires no user interaction and can be exploited over the network to alter shared images or related data. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24997 MEDIUM This Month

Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24994 MEDIUM This Month

sunshinephotocart Sunshine Photo Cart sunshine-photo-cart is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24991 MEDIUM This Month

HT Plugins Extensions For CF7 extensions-for-cf7 is affected by authorization bypass through user-controlled key (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24982 MEDIUM This Month

Brainstorm Force Spectra ultimate-addons-for-gutenberg is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24967 MEDIUM This Month

Amelia booking plugin versions up to 1.2.38 contain an authorization bypass that allows unauthenticated remote attackers to access sensitive information through improperly configured access control mechanisms. The vulnerability requires no user interaction and can be exploited over the network to disclose confidential data. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24945 MEDIUM This Month

Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0909 MEDIUM This Month

WP ULike (WordPress plugin) versions up to 4.8.3.1. is affected by authorization bypass through user-controlled key (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25023 MEDIUM This Month

The ContestsWP plugin versions 2.0.7 and earlier expose sensitive embedded data through improper access controls, allowing unauthenticated attackers to retrieve information from the contest-code-checker component. This low-impact information disclosure affects WordPress sites running vulnerable versions of the Run Contests, Raffles, and Giveaways plugin. No patch is currently available to remediate this exposure.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24998 MEDIUM This Month

WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup contains a security vulnerability (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24992 MEDIUM This Month

WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics contains a security vulnerability (CVSS 5.3).

WordPress Industrial
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1801 MEDIUM PATCH This Month

HTTP request smuggling in libsoup allows remote attackers to exploit non-compliant chunk header parsing by injecting malformed requests with LF-only line endings instead of proper CRLF formatting. Without requiring authentication, an attacker can cause libsoup to interpret multiple HTTP requests from a single network message, potentially leading to information disclosure. No patch is currently available for this vulnerability.

Information Disclosure Request Smuggling Red Hat Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13473 MEDIUM PATCH This Month

Django versions up to 6.0.2 contains a vulnerability that allows attackers to enumerate users via a timing attack (CVSS 5.3).

Golang Django Red Hat Suse
NVD HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24449 MEDIUM This Month

WRC-X1500GS-B and WRC-X1500GSA-B routers contain a weak credential derivation vulnerability where initial administrative passwords can be predicted from publicly available system information, potentially allowing unauthenticated attackers to gain administrative access. The vulnerability requires physical proximity to the device to obtain necessary system details, limiting its practical exploitability. No patch is currently available for affected devices.

Information Disclosure Wrc X1500Gsa B Firmware Wrc X1500Gs B Firmware
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-20704 MEDIUM This Month

Unauthenticated attackers can perform unauthorized actions on WRC-X1500GS-B and WRC-X1500GSA-B routers through cross-site request forgery attacks that exploit the lack of CSRF protections. An attacker can trick authenticated users into visiting a malicious webpage that silently executes unwanted commands on the affected device. No patch is currently available.

CSRF
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-24667 MEDIUM This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 5.0 MEDIUM]

Authentication Bypass Open Eclass Platform
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-23795 MEDIUM PATCH This Month

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Apache XXE Syncope
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-22228 MEDIUM This Month

TP-Link Archer BE230 v1.2 before 1.2.4 Build 20251218 rel.70420 is susceptible to denial-of-service attacks when an authenticated high-privilege user restores a specially crafted configuration file with excessively long parameters. The malicious configuration causes the device to become unresponsive and requires a manual reboot to restore functionality. No patch is currently available for this vulnerability.

TP-Link Archer Be230 Firmware
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52628 MEDIUM This Month

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, potentially increasing exposure to cr (CVSS 4.6).

CSRF Aion
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-52626 MEDIUM This Month

A Potential Command Injection vulnerability in HCL AION. An This can allow unintended command execution, potentially leading to unauthorized actions on the underlying system.This issue affects AION: 2.0 [CVSS 4.5 MEDIUM]

Command Injection Aion
NVD
CVSS 3.1
4.5
EPSS
0.1%
CVE-2026-22220 MEDIUM This Month

TP-Link Archer BE230 firmware v1.2 before build 20251218 rel.70420 lacks proper input validation in HTTP request processing, allowing a network-adjacent attacker with high privileges to crash the web service. An attacker exploiting this vulnerability can render the device's web interface temporarily unavailable until manual recovery or reboot occurs. No patch is currently available.

TP-Link Denial Of Service Archer Be230 Firmware
NVD
CVSS 3.1
4.5
EPSS
0.0%
CVE-2025-63372 MEDIUM This Month

Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. [CVSS 4.3 MEDIUM]

Path Traversal Zip Rar Extractor Tool
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-24995 MEDIUM This Month

Iulia Cazan Latest Post Shortcode latest-post-shortcode is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25020 MEDIUM This Month

WP Sync for Notion plugin through version 1.7.0 contains improper access control that allows authenticated users to modify data without proper authorization checks. An attacker with WordPress user privileges could exploit this vulnerability to alter synchronized content between WordPress and Notion. The vulnerability requires user interaction and network access but poses a medium risk to WordPress installations using affected versions.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25016 MEDIUM This Month

Nelio Popups versions 1.3.5 and earlier contain an authorization bypass vulnerability that allows authenticated users to modify popup content without proper access controls. An attacker with valid credentials can exploit misconfigured access control levels to make unauthorized changes to popups. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25011 MEDIUM This Month

Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface is affected by missing authorization (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24996 MEDIUM This Month

WPElemento Importer through version 0.6.4 contains a missing authorization flaw that allows authenticated users to modify data due to improper access control enforcement. An attacker with valid credentials can exploit this vulnerability to perform unauthorized modifications without requiring user interaction. No patch is currently available for this issue.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24985 MEDIUM This Month

approveme WP Forms Signature Contract Add-On wp-forms-signature-contract-add-on is affected by missing authorization (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24951 MEDIUM This Month

Insufficient access control checks in myCred plugin version 2.9.7.3 and earlier allow authenticated users to modify data they should not have permission to change. An attacker with valid credentials could exploit misconfigured security levels to perform unauthorized modifications, though the vulnerability requires legitimate user access and has no currently available patch.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24940 MEDIUM This Month

Insufficient access control in Themefic Travelfic Toolkit version 1.3.3 and earlier allows authenticated users to modify data due to improperly configured authorization checks. An attacker with valid credentials can bypass intended permission restrictions to perform unauthorized actions. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-46651 MEDIUM This Month

Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. [CVSS 4.3 MEDIUM]

SSRF Tiny File Manager
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24965 MEDIUM This Month

Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24947 MEDIUM This Month

LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24939 MEDIUM This Month

WP Chill Modula Image Gallery modula-best-grid-gallery is affected by missing authorization (CVSS 4.3).

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25014 MEDIUM This Month

Unauthenticated attackers can perform Cross-Site Request Forgery (CSRF) attacks against users of Enter Addons version 2.3.2 and earlier, potentially modifying victim data through unwanted actions. The vulnerability requires user interaction to succeed but carries no authentication barriers, allowing attackers to forge requests that alter application state. No patch is currently available to remediate this issue.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24966 MEDIUM This Month

Copyscape Copyscape Premium copyscape-premium is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24962 MEDIUM This Month

Sigmize through version 0.0.9 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unintended actions on behalf of authenticated users. The flaw requires user interaction but could enable unauthorized modifications or state changes within the application. No patch is currently available.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24942 MEDIUM This Month

magepeopleteam WpEvently mage-eventpress is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67857 MEDIUM PATCH This Month

A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. [CVSS 4.3 MEDIUM]

Moodle Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25015 MEDIUM This Month

UsersWP plugin versions 1.2.53 and earlier contain a CSRF vulnerability that enables attackers to perform unauthorized actions on behalf of authenticated users without their knowledge. An attacker can craft malicious requests to modify user data or settings through a victim's browser session. No patch is currently available for this vulnerability.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-65924 MEDIUM This Month

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. [CVSS 4.1 MEDIUM]

XSS Erpnext
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy