Authentication Bypass
Authenticated attackers with Subscriber-level access can modify tracking settings in the Employee Spotlight WordPress plugin (versions up to 5.1.3) due to missing authorization checks in the employee_spotlight_check_optin() function. The vulnerability allows privilege escalation to perform account integrity modifications that should require administrator approval, affecting all installations of this plugin without patches applied.
FaceTime caller ID spoofing vulnerability in Apple operating systems allows remote attackers to spoof their caller identity due to inconsistent user interface state management. Affected versions include iOS 18.7.2 and earlier, iPadOS 18.7.2 and earlier, macOS Sequoia 15.7.2 and earlier, macOS Sonoma 14.8.2 and earlier, macOS Tahoe 26.1 and earlier, visionOS 26.1 and earlier, and watchOS 26.1 and earlier. The vulnerability requires no user interaction or authentication and carries low real-world exploitation risk (EPSS 0.07%, percentile 21%), with no public exploit code or active exploitation confirmed.
Simple Bike Rental WordPress plugin versions up to 1.0.6 allow authenticated subscribers to retrieve sensitive customer booking data due to missing capability checks on the 'simpbire_carica_prenotazioni' AJAX action. Attackers with subscriber-level access can exfiltrate personally identifiable information including names, email addresses, and phone numbers from all booking records. CVSS 4.3 reflects the moderate severity of unauthorized information disclosure without requiring administrative access.
Authenticated attackers with Subscriber-level access can duplicate arbitrary WordPress posts via the PDF for Contact Form 7 + Drag and Drop Template Builder plugin (versions up to 6.3.3) due to missing capability checks in the 'rednumber_duplicate' function. This allows disclosure of sensitive content including password-protected and private posts. The vulnerability requires authentication but exploits insufficient privilege validation, creating a post enumeration and information disclosure risk for multi-user WordPress installations. No public exploit code or active exploitation has been confirmed at the time of analysis.
WP Fastest Cache Premium plugin versions up to 1.7.4 contain a Server-Side Request Forgery (SSRF) vulnerability in the 'get_server_time_ajax_request' AJAX action that allows authenticated Subscriber-level users to send arbitrary web requests originating from the server, potentially enabling reconnaissance and manipulation of internal services. The free version is unaffected. No public exploit code has been identified at time of analysis, with a very low EPSS score of 0.04% indicating minimal real-world exploitation likelihood despite the authenticated attack vector.
Authenticated attackers with WordPress Subscriber-level access and above can modify arbitrary plugin settings in the Vimeo SimpleGallery plugin versions up to 0.2 due to missing authorization checks on the vimeogallery_admin function. The vulnerability allows privilege escalation within WordPress, enabling lower-privileged users to alter plugin configurations they should not have access to. No public exploit code or active exploitation has been identified at the time of analysis.
BuddyTask plugin for WordPress versions up to 1.3.0 fails to enforce capability checks on multiple AJAX endpoints, allowing authenticated subscribers and above to view, create, modify, and delete task boards in any BuddyPress group regardless of membership or group privacy settings. The CVSS 5.4 (Medium) rating reflects confidentiality and integrity impacts limited to group task data with low attack complexity and no user interaction required, though the actual organizational risk depends on BuddyPress deployment scope and task board sensitivity.
Premmerce Wishlist for WooCommerce plugin versions up to 1.1.10 fails to enforce authorization checks on the deleteWishlist() function, allowing authenticated Subscriber-level users to delete arbitrary wishlists belonging to other users. The vulnerability stems from missing capability validation rather than authentication bypass; while the CVSS vector indicates unauthenticated access (PR:N), the description specifies Subscriber-level authentication is required, suggesting the vector may reflect the function's accessibility rather than actual authentication bypass. With EPSS of 0.04% and no public exploit code identified, real-world exploitation risk is minimal despite the authorization flaw.
Unauthenticated attackers can modify plugin settings and create arbitrary filter options in the Filter Plus plugin for WordPress (versions up to 1.1.6) due to missing capability checks on AJAX actions 'filter_save_settings' and 'add_filter_options'. This allows unauthorized data modification with no confidentiality impact but enables attackers to alter product filtering functionality without authentication. The vulnerability has a low EPSS score (0.08%, 23rd percentile) despite network accessibility, indicating limited real-world exploitation likelihood.
Unauthenticated payment bypass in Campay Woocommerce Payment Gateway plugin (versions up to 1.2.2) allows remote attackers to mark orders as successfully completed without actually processing payment, directly resulting in financial loss. The vulnerability stems from insufficient transaction validation in the payment processing workflow, enabling attackers to manipulate order status through the payment gateway interface.
Premmerce Brands for WooCommerce plugin versions up to 1.2.13 allow authenticated attackers with Subscriber-level access to modify brand permalink settings due to a missing capability check in the saveBrandsSettings function. The vulnerability requires only network access and low-privilege authentication, enabling unauthorized data modification of WordPress brand configuration without user interaction.
A critical authentication bypass and path traversal vulnerability in PipesHub AI platform allows unauthenticated remote attackers to upload files with directory traversal sequences, enabling arbitrary file writes anywhere the service account has permissions. This vulnerability affects PipesHub versions prior to 0.1.0-beta and has a publicly available proof-of-concept exploit, making it an immediate priority for organizations using this enterprise search and workflow automation platform. With a CVSS score of 9.8 and the ability to plant malicious code or overwrite critical files, this represents a severe risk to affected systems.
WPForms Google Sheet Connector plugin through version 4.0.0 allows unauthenticated remote attackers to modify data by exploiting missing authorization checks on access control mechanisms. The vulnerability enables unauthorized manipulation of form submissions and Google Sheet integrations without proper permission validation, affecting WordPress installations using this plugin.
Happy Addons for Elementor through version 3.20.3 allows authenticated users to access functionality they should not have permission to use due to missing authorization checks on API endpoints or admin functions. The vulnerability requires valid user authentication and results in information disclosure, with a CVSS score of 4.3 and an extremely low EPSS exploitation probability of 0.04%, suggesting minimal real-world attack incentive despite the access control flaw.
Porto Theme - Functionality plugin for WordPress (versions before 3.7.3) allows authenticated users to access sensitive information through broken access control, enabling privilege escalation or information disclosure without proper authorization checks. While the vulnerability requires valid WordPress credentials and has low CVSS severity (4.3), the confirmed patch availability and authentication requirement reduce immediate risk. No public exploit code or active exploitation has been identified at the time of analysis.
Media Library Assistant WordPress plugin through version 3.29 allows authenticated users to bypass authorization controls and access or modify content they should not have permission to reach via user-controlled keys in access control mechanisms. The vulnerability requires an authenticated user with limited privileges (PR:L) and affects confidentiality and integrity of stored media library data, though with relatively low exploitation probability (EPSS 0.04%) and no confirmed active exploitation at time of analysis.
Authenticated users can access sensitive contact form data and functionality they should not have permission to view or modify due to missing authorization checks in Contact Form by BestWebSoft plugin versions up to 4.3.6. The vulnerability allows logged-in attackers with low-level privileges to bypass access controls and view contact information or modify form settings with only network access and no additional user interaction required. This is not actively exploited according to available intelligence, though the access control bypass pattern is a common attack vector.
Missing authorization in ExpressTech Systems Quiz And Survey Master WordPress plugin through version 10.3.2 allows unauthenticated remote attackers to read sensitive quiz and survey data by exploiting incorrectly configured access control security levels. The vulnerability is assigned CVSS 5.3 (moderate), affects the plugin across multiple versions, and enables unauthorized information disclosure without requiring authentication or user interaction.
Xagio SEO WordPress plugin through version 7.1.0.35 contains a missing authorization vulnerability that allows authenticated users to perform unauthorized actions due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 4.3 with low real-world exploitation probability (EPSS 0.04%), affecting authenticated users who can bypass intended access restrictions to modify plugin functionality or settings.
Missing authorization in Easy Payment Payment Gateway for PayPal (woo-paypal-gateway) WordPress plugin versions up to 9.0.53 allows unauthenticated remote attackers to access sensitive payment gateway data through improper access control configuration. The vulnerability enables unauthorized information disclosure with low confidentiality impact. EPSS score of 0.04% indicates minimal observed exploitation probability despite network accessibility and no authentication requirement.
Paysera WooCommerce Payment Gateway plugin through version 3.10.0 contains a missing authorization flaw allowing authenticated users with lower privilege levels to access or perform actions intended for higher-privilege roles, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control checks and has an EPSS score of 0.04% (11th percentile), indicating low real-world exploitation probability despite the CVSS 4.3 rating and authenticated attack vector.
Missing authorization in themezaa Litho Addons for WordPress (versions through 3.5) allows authenticated users to bypass access controls and gain unauthorized read/write access to sensitive data. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before exposing functionality. With an EPSS score of 0.04% and CVSS 5.4, exploitation requires valid authentication but no advanced attack complexity; this represents a moderate privilege escalation risk for multi-user WordPress installations.
Missing authorization controls in the Notification for Telegram WordPress plugin through version 3.5 allow authenticated users to modify notification settings they should not have access to, resulting in limited integrity impact. The vulnerability requires valid user credentials (PR:L in CVSS vector) and affects the plugin's access control enforcement rather than authentication bypass. With an EPSS score of 0.04% and no confirmed active exploitation, this represents a low-probability real-world risk despite the authentication bypass tag.
Missing authorization in Eupago Gateway For Woocommerce allows unauthenticated remote attackers to modify data via incorrectly configured access control, affecting versions up to 4.7.1. The vulnerability enables integrity compromise without requiring authentication or user interaction, though with low attack complexity. EPSS scoring of 0.04% indicates minimal real-world exploitation probability despite moderate CVSS severity.
Missing authorization controls in Mario Peshev WP-CRM System plugin up to version 3.4.6 allow unauthenticated remote attackers to modify data through incorrectly configured access control security levels. The CVSS 5.3 score reflects low integrity impact with no confidentiality or availability consequences, but the vulnerability exposes the plugin to unauthorized data manipulation attacks without authentication.
Missing authorization in Яндекс Доставка (Boxberry) WordPress plugin version 2.34 and earlier allows authenticated users to access or modify resources they should not be permitted to via incorrectly configured access control. An attacker with valid credentials can exploit broken access control mechanisms to view or modify sensitive data without proper privilege validation, though the CVSS 5.4 score reflects limited direct impact (confidentiality and integrity), and the 0.04% EPSS score indicates low real-world exploitation probability.
Bertha AI WordPress plugin through version 1.13 allows unauthenticated attackers to modify content via incorrectly configured access control, enabling unauthorized changes to website data without authentication. The vulnerability stems from missing authorization checks on sensitive operations, classified as CWE-862 (Missing Authorization). While CVSS scores 5.3 (medium severity), EPSS exploitation probability is minimal at 0.04%, indicating low real-world attack likelihood despite the straightforward attack vector.
Same-origin policy bypass in Firefox and Thunderbird request handling allows unauthenticated remote attackers to access sensitive information from cross-origin resources with low attack complexity and no user interaction required. The vulnerability affects Firefox versions below 146, Firefox ESR below 115.31 and 140.6, Thunderbird below 146, and Thunderbird ESR below 140.6. No public exploit code has been identified at time of analysis, and the EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.
Downloads Panel in Mozilla Firefox and Thunderbird allows remote spoofing attacks enabling integrity compromise without authentication. Affects Firefox <146, Thunderbird <146, Firefox ESR <140.7, and Thunderbird ESR <140.7. The authentication bypass flaw (CWE-290) permits network-based attackers to manipulate download information displayed to users with low attack complexity and no user interaction required. Despite CVSS 7.5 (High), EPSS score of 0.02% (3rd percentile) indicates minimal real-world exploitation likelihood. No active exploitation confirmed (not in CISA KEV), and no public exploit identified at time of analysis.
Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition.
A remote code execution vulnerability (CVSS 2.7) that allows a privileged user. Remediation should follow standard vulnerability management procedures.
In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS).
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.
In rebootWipeUserData of RecoverySystem.java, there is a possible way to factory reset the device while in DSU mode due to a missing permission check. This could lead to physical denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple locations, there is a possible way to read files from another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple files, there is a possible way to reveal information across users due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple functions of WifiScanModeActivity.java, there is a possible way to bypass a device config restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple locations, there is a possible way to read files from another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple functions of CertInstaller.java, there is a possible way to install certificates due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Android contains a missing authentication vulnerability (CVE-2025-48572, CVSS 7.8) in multiple locations that allows background activity launches through a permissions bypass, enabling local privilege escalation without user interaction. KEV-listed, this vulnerability enables malicious apps to perform privileged operations silently in the background, bypassing Android's activity launch restrictions.
In ensureBound of RemotePrintService.java, there is a possible way for a background app to keep foreground permissions due to a permissions bypass. This could lead to local escalation of privilege with user execution privileges needed. User interaction is not needed for exploitation.
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos.
Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on the file system. This issue affects MTC-9: from R22.1.1.0275 before R23.0.
Remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows an attacker to utilize password-less user accounts and obtain system access by activating a reverse shell. This issue affects MTC-9: from R22.1.1.0275 before R23.0.
A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_running.php. Executing a manipulation of the argument product_image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass. syzbot reported [1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot. [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be
A flaw has been found in Verysync 微力同步 up to 2.21.3. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Executing manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security flaw has been discovered in code-projects Employee Profile Management System 1.0. Impacted is an unknown function of the file /profiling/add_file_query.php. The manipulation of the argument per_file results in unrestricted upload. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
A vulnerability was found in SGAI Space1 NAS N1211DS up to 1.0.915. This issue affects the function GET_FACTORY_INFO/GET_USER_INFO of the file /cgi-bin/JSONAPI of the component gsaiagent. The manipulation results in unprotected storage of credentials. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security vulnerability in for WordPress is vulnerable to Insecure Direct Object Reference in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in for WordPress is vulnerable to Missing Authorization in (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in Accessiy By CodeConfig Accessibility (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in for WordPress is vulnerable to authorization bypass in (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /server_status REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the server.
A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in for WordPress is vulnerable to unauthorized access in all (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
A vulnerability exists in Google Apigee's JavaCallout policy (https://docs.apigee.com/api-platform/reference/policies/java-callout-policy) that allows for remote code execution. It is possible for a user to write a JavaCallout that injects a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The following Apigee hybrid versions have all been updated to protect from this vulnerability: Hybrid_1.11.2+, Hybrid_1.12.4+, Hybrid_1.13.3+, Hybrid_1.14.1+, OPDK_5202+, OPDK_5300+.
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators by calling the APIs directly. This vulnerability is fixed in 2.41.0.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.
Dell CloudBoost Virtual Appliance, versions 19.13.0.0 and prior, contains an Improper Restriction of Excessive Authentication Attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device by correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker cannot authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.
Nextcloud Talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view metadata of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4.
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victim's table. This vulnerability is fixed in 0.8.6 and 0.9.3.
The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow could set another user’s file to “pending approval” without having access to the file, by using the numeric file ID. This vulnerability is fixed in 1.3.1 and 2.5.0.
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information about which table (numeric ID) is shared with which groups or users, and the respective permissions, was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1.
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1.
Authentication bypass via hardcoded credentials: GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication.
File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem.
A security vulnerability in Apache HTTP Server (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
A security vulnerability in Wp Social Login and Register Social Counter (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in Projectopia - WordPress Project Management (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login - User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.
A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in Voidek Employee Portal (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.
A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in for WordPress is vulnerable to authorization bypass in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in EPROLO Dropshipping (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
WP Fastest Cache Premium plugin versions up to 1.7.4 contain a Server-Side Request Forgery (SSRF) vulnerability in the 'get_server_time_ajax_request' AJAX action that allows authenticated Subscriber-level users to send arbitrary web requests originating from the server, potentially enabling reconnaissance and manipulation of internal services. The free version is unaffected. No public exploit code has been identified at time of analysis, with a very low EPSS score of 0.04% indicating minimal real-world exploitation likelihood despite the authenticated attack vector.
Authenticated attackers with WordPress Subscriber-level access and above can modify arbitrary plugin settings in the Vimeo SimpleGallery plugin versions up to 0.2 due to missing authorization checks on the vimeogallery_admin function. The vulnerability allows privilege escalation within WordPress, enabling lower-privileged users to alter plugin configurations they should not have access to. No public exploit code or active exploitation has been identified at the time of analysis.
BuddyTask plugin for WordPress versions up to 1.3.0 fails to enforce capability checks on multiple AJAX endpoints, allowing authenticated subscribers and above to view, create, modify, and delete task boards in any BuddyPress group regardless of membership or group privacy settings. The CVSS 5.4 (Medium) rating reflects confidentiality and integrity impacts limited to group task data with low attack complexity and no user interaction required, though the actual organizational risk depends on BuddyPress deployment scope and task board sensitivity.
Premmerce Wishlist for WooCommerce plugin versions up to 1.1.10 fails to enforce authorization checks on the deleteWishlist() function, allowing authenticated Subscriber-level users to delete arbitrary wishlists belonging to other users. The vulnerability stems from missing capability validation rather than authentication bypass; while the CVSS vector indicates unauthenticated access (PR:N), the description specifies Subscriber-level authentication is required, suggesting the vector may reflect the function's accessibility rather than actual authentication bypass. With EPSS of 0.04% and no public exploit code identified, real-world exploitation risk is minimal despite the authorization flaw.
Unauthenticated attackers can modify plugin settings and create arbitrary filter options in the Filter Plus plugin for WordPress (versions up to 1.1.6) due to missing capability checks on AJAX actions 'filter_save_settings' and 'add_filter_options'. This allows unauthorized data modification with no confidentiality impact but enables attackers to alter product filtering functionality without authentication. The vulnerability has a low EPSS score (0.08%, 23rd percentile) despite network accessibility, indicating limited real-world exploitation likelihood.
Unauthenticated payment bypass in Campay Woocommerce Payment Gateway plugin (versions up to 1.2.2) allows remote attackers to mark orders as successfully completed without actually processing payment, directly resulting in financial loss. The vulnerability stems from insufficient transaction validation in the payment processing workflow, enabling attackers to manipulate order status through the payment gateway interface.
Premmerce Brands for WooCommerce plugin versions up to 1.2.13 allow authenticated attackers with Subscriber-level access to modify brand permalink settings due to a missing capability check in the saveBrandsSettings function. The vulnerability requires only network access and low-privilege authentication, enabling unauthorized data modification of WordPress brand configuration without user interaction.
A critical authentication bypass and path traversal vulnerability in PipesHub AI platform allows unauthenticated remote attackers to upload files with directory traversal sequences, enabling arbitrary file writes anywhere the service account has permissions. This vulnerability affects PipesHub versions prior to 0.1.0-beta and has a publicly available proof-of-concept exploit, making it an immediate priority for organizations using this enterprise search and workflow automation platform. With a CVSS score of 9.8 and the ability to plant malicious code or overwrite critical files, this represents a severe risk to affected systems.
WPForms Google Sheet Connector plugin through version 4.0.0 allows unauthenticated remote attackers to modify data by exploiting missing authorization checks on access control mechanisms. The vulnerability enables unauthorized manipulation of form submissions and Google Sheet integrations without proper permission validation, affecting WordPress installations using this plugin.
Happy Addons for Elementor through version 3.20.3 allows authenticated users to access functionality they should not have permission to use due to missing authorization checks on API endpoints or admin functions. The vulnerability requires valid user authentication and results in information disclosure, with a CVSS score of 4.3 and an extremely low EPSS exploitation probability of 0.04%, suggesting minimal real-world attack incentive despite the access control flaw.
Porto Theme - Functionality plugin for WordPress (versions before 3.7.3) allows authenticated users to access sensitive information through broken access control, enabling privilege escalation or information disclosure without proper authorization checks. While the vulnerability requires valid WordPress credentials and has low CVSS severity (4.3), the confirmed patch availability and authentication requirement reduce immediate risk. No public exploit code or active exploitation has been identified at the time of analysis.
Media Library Assistant WordPress plugin through version 3.29 allows authenticated users to bypass authorization controls and access or modify content they should not have permission to reach via user-controlled keys in access control mechanisms. The vulnerability requires an authenticated user with limited privileges (PR:L) and affects confidentiality and integrity of stored media library data, though with relatively low exploitation probability (EPSS 0.04%) and no confirmed active exploitation at time of analysis.
Authenticated users can access sensitive contact form data and functionality they should not have permission to view or modify due to missing authorization checks in Contact Form by BestWebSoft plugin versions up to 4.3.6. The vulnerability allows logged-in attackers with low-level privileges to bypass access controls and view contact information or modify form settings with only network access and no additional user interaction required. This is not actively exploited according to available intelligence, though the access control bypass pattern is a common attack vector.
Missing authorization in ExpressTech Systems Quiz And Survey Master WordPress plugin through version 10.3.2 allows unauthenticated remote attackers to read sensitive quiz and survey data by exploiting incorrectly configured access control security levels. The vulnerability is assigned CVSS 5.3 (moderate), affects the plugin across multiple versions, and enables unauthorized information disclosure without requiring authentication or user interaction.
Xagio SEO WordPress plugin through version 7.1.0.35 contains a missing authorization vulnerability that allows authenticated users to perform unauthorized actions due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 4.3 with low real-world exploitation probability (EPSS 0.04%), affecting authenticated users who can bypass intended access restrictions to modify plugin functionality or settings.
Missing authorization in Easy Payment Payment Gateway for PayPal (woo-paypal-gateway) WordPress plugin versions up to 9.0.53 allows unauthenticated remote attackers to access sensitive payment gateway data through improper access control configuration. The vulnerability enables unauthorized information disclosure with low confidentiality impact. EPSS score of 0.04% indicates minimal observed exploitation probability despite network accessibility and no authentication requirement.
Paysera WooCommerce Payment Gateway plugin through version 3.10.0 contains a missing authorization flaw allowing authenticated users with lower privilege levels to access or perform actions intended for higher-privilege roles, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control checks and has an EPSS score of 0.04% (11th percentile), indicating low real-world exploitation probability despite the CVSS 4.3 rating and authenticated attack vector.
Missing authorization in themezaa Litho Addons for WordPress (versions through 3.5) allows authenticated users to bypass access controls and gain unauthorized read/write access to sensitive data. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before exposing functionality. With an EPSS score of 0.04% and CVSS 5.4, exploitation requires valid authentication but no advanced attack complexity; this represents a moderate privilege escalation risk for multi-user WordPress installations.
Missing authorization controls in the Notification for Telegram WordPress plugin through version 3.5 allow authenticated users to modify notification settings they should not have access to, resulting in limited integrity impact. The vulnerability requires valid user credentials (PR:L in CVSS vector) and affects the plugin's access control enforcement rather than authentication bypass. With an EPSS score of 0.04% and no confirmed active exploitation, this represents a low-probability real-world risk despite the authentication bypass tag.
Missing authorization in Eupago Gateway For Woocommerce allows unauthenticated remote attackers to modify data via incorrectly configured access control, affecting versions up to 4.7.1. The vulnerability enables integrity compromise without requiring authentication or user interaction, though with low attack complexity. EPSS scoring of 0.04% indicates minimal real-world exploitation probability despite moderate CVSS severity.
Missing authorization controls in Mario Peshev WP-CRM System plugin up to version 3.4.6 allow unauthenticated remote attackers to modify data through incorrectly configured access control security levels. The CVSS 5.3 score reflects low integrity impact with no confidentiality or availability consequences, but the vulnerability exposes the plugin to unauthorized data manipulation attacks without authentication.
Missing authorization in Яндекс Доставка (Boxberry) WordPress plugin version 2.34 and earlier allows authenticated users to access or modify resources they should not be permitted to via incorrectly configured access control. An attacker with valid credentials can exploit broken access control mechanisms to view or modify sensitive data without proper privilege validation, though the CVSS 5.4 score reflects limited direct impact (confidentiality and integrity), and the 0.04% EPSS score indicates low real-world exploitation probability.
Bertha AI WordPress plugin through version 1.13 allows unauthenticated attackers to modify content via incorrectly configured access control, enabling unauthorized changes to website data without authentication. The vulnerability stems from missing authorization checks on sensitive operations, classified as CWE-862 (Missing Authorization). While CVSS scores 5.3 (medium severity), EPSS exploitation probability is minimal at 0.04%, indicating low real-world attack likelihood despite the straightforward attack vector.
Same-origin policy bypass in Firefox and Thunderbird request handling allows unauthenticated remote attackers to access sensitive information from cross-origin resources with low attack complexity and no user interaction required. The vulnerability affects Firefox versions below 146, Firefox ESR below 115.31 and 140.6, Thunderbird below 146, and Thunderbird ESR below 140.6. No public exploit code has been identified at time of analysis, and the EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.
Downloads Panel in Mozilla Firefox and Thunderbird allows remote spoofing attacks enabling integrity compromise without authentication. Affects Firefox <146, Thunderbird <146, Firefox ESR <140.7, and Thunderbird ESR <140.7. The authentication bypass flaw (CWE-290) permits network-based attackers to manipulate download information displayed to users with low attack complexity and no user interaction required. Despite CVSS 7.5 (High), EPSS score of 0.02% (3rd percentile) indicates minimal real-world exploitation likelihood. No active exploitation confirmed (not in CISA KEV), and no public exploit identified at time of analysis.
Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition.
A remote code execution vulnerability (CVSS 2.7) that allows a privileged user. Remediation should follow standard vulnerability management procedures.
In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS).
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.
In rebootWipeUserData of RecoverySystem.java, there is a possible way to factory reset the device while in DSU mode due to a missing permission check. This could lead to physical denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple locations, there is a possible way to read files from another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple files, there is a possible way to reveal information across users due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple functions of WifiScanModeActivity.java, there is a possible way to bypass a device config restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple locations, there is a possible way to read files from another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple functions of CertInstaller.java, there is a possible way to install certificates due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Android contains a missing authentication vulnerability (CVE-2025-48572, CVSS 7.8) in multiple locations that allows background activity launches through a permissions bypass, enabling local privilege escalation without user interaction. KEV-listed, this vulnerability enables malicious apps to perform privileged operations silently in the background, bypassing Android's activity launch restrictions.
In ensureBound of RemotePrintService.java, there is a possible way for a background app to keep foreground permissions due to a permissions bypass. This could lead to local escalation of privilege with user execution privileges needed. User interaction is not needed for exploitation.
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos.
Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on the file system. This issue affects MTC-9: from R22.1.1.0275 before R23.0.
Remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows an attacker to utilize password-less user accounts and obtain system access by activating a reverse shell. This issue affects MTC-9: from R22.1.1.0275 before R23.0.
A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_running.php. Executing a manipulation of the argument product_image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot. [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be
A flaw has been found in Verysync 微力同步 up to 2.21.3. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Executing manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security flaw has been discovered in code-projects Employee Profile Management System 1.0. Impacted is an unknown function of the file /profiling/add_file_query.php. The manipulation of the argument per_file results in unrestricted upload. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
A vulnerability was found in SGAI Space1 NAS N1211DS up to 1.0.915. This issue affects the function GET_FACTORY_INFO/GET_USER_INFO of the file /cgi-bin/JSONAPI of the component gsaiagent. The manipulation results in unprotected storage of credentials. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A security vulnerability in for WordPress is vulnerable to Insecure Direct Object Reference in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in for WordPress is vulnerable to Missing Authorization in (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in Accessiy By CodeConfig Accessibility (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in for WordPress is vulnerable to authorization bypass in (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /server_status REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the server.
A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in for WordPress is vulnerable to unauthorized access in all (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
A vulnerability exists in Google Apigee's JavaCallout policy (https://docs.apigee.com/api-platform/reference/policies/java-callout-policy) that allows for remote code execution. It is possible for a user to write a JavaCallout that injects a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The following Apigee hybrid versions have all been updated to protect against this vulnerability: Hybrid_1.11.2+, Hybrid_1.12.4+, Hybrid_1.13.3+, Hybrid_1.14.1+, OPDK_5202+, OPDK_5300+.
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators by calling the APIs directly. This vulnerability is fixed in 2.41.0.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.
Dell CloudBoost Virtual Appliance, versions 19.13.0.0 and prior, contains an Improper Restriction of Excessive Authentication Attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device by correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker cannot authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.
Nextcloud Talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4.
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victim's table. This vulnerability is fixed in 0.8.6 and 0.9.3.
The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file to “pending approval” without having access to the file, by using the numeric file ID. This vulnerability is fixed in 1.3.1 and 2.5.0.
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information about which table (numeric ID) is shared with which groups or users, and the respective permissions, was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1.
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.