Total
1145 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-39537 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Chimpstudio WP JobHunt allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP JobHunt: from n/a through 7.1. | ||||
| CVE-2025-3853 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 6.5 Medium |
| The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callback_generate_api_key() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create valid API keys on behalf of other users. | ||||
| CVE-2024-10667 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 4.3 Medium |
| The Content Slider Block plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.1.5 via the [csb] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2025-26965 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in ameliabooking Amelia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through 1.2.16. | ||||
| CVE-2024-10688 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 4.3 Medium |
| The Attesa Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.2 via the 'attesa-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2023-6523 | 1 Extremepacs | 1 Extreme Xds | 2025-07-12 | 8.8 High |
| Authorization Bypass Through User-Controlled Key vulnerability in ExtremePacs Extreme XDS allows Authentication Abuse.This issue affects Extreme XDS: before 3914. | ||||
| CVE-2024-12447 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 4.3 Medium |
| The Get Post Content Shortcode plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.4 via the 'post-content' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of password-protected, private, draft, and pending posts. | ||||
| CVE-2024-12103 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 5.3 Medium |
| The Content No Cache: prevent specific content from being cached plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 0.1.2 via the eos_dyn_get_content action due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2024-10777 | 2 Wordpress, Wpvibes | 2 Wordpress, Anywhere Elementor | 2025-07-12 | 4.3 Medium |
| The AnyWhere Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.11 via the 'INSERT_ELEMENTOR' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to. | ||||
| CVE-2024-39033 | 1 Newgensoft | 1 Omnidocs | 2025-07-12 | 7.5 High |
| In Newgensoft OmniDocs 11.0_SP1_03_006, Insecure Direct Object Reference (IDOR) in the getuserproperty function allows user's configuration and PII to be stolen. | ||||
| CVE-2025-31833 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 4.9 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in themeglow JobBoard Job listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBoard Job listing: from n/a through 1.2.7. | ||||
| CVE-2024-39642 | 1 Thimpress | 1 Learnpress | 2025-07-12 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in ThimPress LearnPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LearnPress: from n/a through 4.2.6.8.2. | ||||
| CVE-2024-13607 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 4.3 Medium |
| The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.8 via the 'exportusereraserequest' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level permissions and above, to export ticket data for any user. | ||||
| CVE-2024-10795 | 2 Themes4wp, Wordpress | 2 Popularis Extra, Wordpress | 2025-07-12 | 4.3 Medium |
| The Popularis Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.7 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to. | ||||
| CVE-2024-12309 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 5.3 Medium |
| The Rate My Post – Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.4 via the get_post_status() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to vote on unpublished scheduled posts. | ||||
| CVE-2024-10798 | 2 Wordpress, Wproyal | 2 Wordpress, Royal Elementor Addons And Templates | 2025-07-12 | 4.3 Medium |
| The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1003 via the 'wpr-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to. | ||||
| CVE-2024-4464 | 1 Synology | 1 Media Server | 2025-07-12 | 7.5 High |
| Authorization bypass through user-controlled key vulnerability in streaming service in Synology Media Server before 1.4-2680, 2.0.5-3152 and 2.2.0-3325 allows remote attackers to read specific files via unspecified vectors. | ||||
| CVE-2023-7286 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 6.5 Medium |
| The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the edit_users capability to access metadata of other users, this includes contributor-level users and above. | ||||
| CVE-2024-30543 | 2 Upqode, Wordpress | 2 Whizzy, Wordpress | 2025-07-12 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in UPQODE Whizz.This issue affects Whizzy: from n/a through 1.1.18. | ||||
| CVE-2025-39434 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through 0.1.4. | ||||