Total
6213 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5317 | 2 Apple, Bitdefender | 3 Macos, Endpoint Security, Endpoint Security Tools | 2025-12-08 | 5.5 Medium |
| An improper access restriction to a folder in Bitdefender Endpoint Security Tools for Mac (BEST) before 7.20.52.200087 allows local users with administrative privileges to bypass the configured uninstall password protection. An unauthorized user with sudo privileges can manually remove the application directory (/Applications/Endpoint Security for Mac.app/) and the related directories within /Library/Bitdefender/AVP without needing the uninstall password. | ||||
| CVE-2025-64379 | 3 Booster, Pluggabl, Wordpress | 3 Booster For Woocommerce, Booster For Woocommerce, Wordpress | 2025-12-08 | 4.3 Medium |
| Missing Authorization vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booster for WooCommerce: from n/a through <= 7.4.0. | ||||
| CVE-2025-66110 | 2 Bplugins, Wordpress | 2 Tiktok Feed Plugin, Wordpress | 2025-12-05 | 5.3 Medium |
| Missing Authorization vulnerability in bPlugins Tiktok Feed b-tiktok-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tiktok Feed: from n/a through <= 1.0.22. | ||||
| CVE-2025-13354 | 2 Taxopress, Wordpress | 2 Taxopress, Wordpress | 2025-12-05 | 4.3 Medium |
| The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms. | ||||
| CVE-2025-12826 | 2 Webdevstudios, Wordpress | 2 Custom Post Type Ui, Wordpress | 2025-12-05 | 4.8 Medium |
| The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the "cptui_process_post_type" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations. | ||||
| CVE-2025-55471 | 1 Youlai | 1 Youlai-boot | 2025-12-05 | 7.5 High |
| Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users. | ||||
| CVE-2025-11564 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2025-12-05 | 5.3 Medium |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'. | ||||
| CVE-2025-62882 | 3 Castos, Craig Hewitt, Wordpress | 3 Seriously Simple Podcasting, Seriously Simple Podcasting, Wordpress | 2025-12-05 | 4.3 Medium |
| Missing Authorization vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0. | ||||
| CVE-2025-54159 | 1 Synology | 1 Beedrive For Desktop | 2025-12-04 | 7.5 High |
| Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors. | ||||
| CVE-2025-2848 | 1 Synology | 1 Mail Server | 2025-12-04 | 6.3 Medium |
| A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions. | ||||
| CVE-2025-4522 | 2 Themeatelier, Wordpress | 2 Idonate, Wordpress | 2025-12-04 | 6.5 Medium |
| The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the admin_post_donor_delete() function in versions 2.0.0 to 2.1.9. By supplying an arbitrary user_id parameter value to the wp_delete_user() function, authenticated attackers, with Subscriber-level access and above could delete arbitrary user accounts, including those of administrators. | ||||
| CVE-2025-13790 | 1 Scada-lts | 1 Scada-lts | 2025-12-04 | 4.3 Medium |
| A vulnerability was determined in Scada-LTS up to 2.7.8.1. This impacts an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-46174 | 1 Ruoyi | 1 Ruoyi | 2025-12-04 | 7.5 High |
| Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java. | ||||
| CVE-2025-13472 | 1 Perforce | 1 Blazemeter | 2025-12-04 | N/A |
| A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI. | ||||
| CVE-2025-13342 | 2 Dynamiapps, Wordpress | 2 Frontend Admin, Wordpress | 2025-12-04 | 9.8 Critical |
| The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms. | ||||
| CVE-2025-12887 | 2 Saadiqbal, Wordpress | 2 Post Smtp, Wordpress | 2025-12-04 | 5.4 Medium |
| The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the 'handle_gmail_oauth_redirect' function. This makes it possible for authenticated attackers, with subscriber level access and above, to inject invalid or attacker-controlled OAuth credentials. | ||||
| CVE-2025-13756 | 1 Wordpress | 1 Wordpress | 2025-12-04 | 4.3 Medium |
| The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the "importCalendar" function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with subscriber level access and above, to import arbitrary calendars and manage them. | ||||
| CVE-2025-10304 | 2 Everestthemes, Wordpress | 2 Everest Backup, Wordpress | 2025-12-04 | 5.3 Medium |
| The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the back-up progress files and cause a back-up to fail while it is in progress. | ||||
| CVE-2025-46175 | 1 Ruoyi | 1 Ruoyi | 2025-12-04 | 7.5 High |
| Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java. | ||||
| CVE-2025-66060 | 3 Castos, Craig Hewitt, Wordpress | 3 Seriously Simple Podcasting, Seriously Simple Podcasting, Wordpress | 2025-12-04 | 5.3 Medium |
| Missing Authorization vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0. | ||||