Search Results (8626 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-12155 1 Straightvisions 1 Sv100 Companion 2026-04-15 9.8 Critical
The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the settings_import() function in all versions up to, and including, 2.0.02. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. CVE-2024-54229 may be a duplicate of this issue.
CVE-2025-49910 1 Wordpress 1 Wordpress 2026-04-15 8.2 High
Missing Authorization vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPGuppy: from n/a through <= 1.1.4.
CVE-2024-12176 2026-04-15 5.3 Medium
The WordLift – AI powered SEO – Schema plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'wl_config_plugin' AJAX action in all versions up to, and including, 3.54.2. This makes it possible for unauthenticated attackers to update the plugin's settings.
CVE-2024-9629 2026-04-15 5.4 Medium
The Contact Form 7 + Telegram plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wpcf7_Telegram::ajax' function in versions up to, and including, 0.8.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve, pause and refuse subscriptions.
CVE-2025-64171 1 Marin3r 1 Marin3r 2026-04-15 6.5 Medium
MARIN3R is a lightweight, CRD based envoy control plane for kubernetes. In versions 0.13.3 and below, there is a cross-namespace secret access vulnerability in the project's DiscoveryServiceCertificate which allows users to bypass RBAC and access secrets in unauthorized namespaces. This issue is fixed in version 0.13.4.
CVE-2024-5600 1 Happymonkeyagency 1 Scss Happy Compiler 2026-04-15 5.4 Medium
The SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check and insufficient sanitization on the import_settings() function in all versions up to, and including, 1.3.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject malicious web scripts.
CVE-2024-54222 2 Seraphinitesolutions, Wordpress 2 Seraphinite Accelerator, Wordpress 2026-04-15 4.3 Medium
Missing Authorization vulnerability in Seraphinite Solutions Seraphinite Accelerator seraphinite-accelerator allows Retrieve Embedded Sensitive Data.This issue affects Seraphinite Accelerator: from n/a through <= 2.22.15.
CVE-2024-35168 2026-04-15 4.3 Medium
Missing Authorization vulnerability in Discourse WP Discourse.This issue affects WP Discourse: from n/a through 2.5.1.
CVE-2024-35174 2 Flothemes, Wordpress 2 Flo Forms, Wordpress 2026-04-15 5.3 Medium
Missing Authorization vulnerability in Flothemes Flo Forms.This issue affects Flo Forms: from n/a through 1.0.42.
CVE-2024-37926 1 Volkov 1 Wp Accessibility Helper 2026-04-15 5.3 Medium
Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH) allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.9.
CVE-2024-38774 2 Siteground, Wordpress 2 Siteground Security, Wordpress 2026-04-15 5.4 Medium
Missing Authorization vulnerability in SiteGround SiteGround Security allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteGround Security: from n/a through 1.5.0.
CVE-2024-38777 2026-04-15 6.5 Medium
Missing Authorization vulnerability in CreativeMotion Titan Anti-spam & Security allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Titan Anti-spam & Security: from n/a through 7.3.6.
CVE-2024-38794 1 Mediaron 1 Custom Query Blocks 2026-04-15 5.3 Medium
Missing Authorization vulnerability in MediaRon LLC Custom Query Blocks allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Custom Query Blocks: from n/a through 5.2.0.
CVE-2025-33182 1 Nvidia 6 Jetson Agx Xavier, Jetson Linux, Jetson Tk1 and 3 more 2026-04-15 7.6 High
NVIDIA Jetson Linux contains a vulnerability in UEFI, where improper authentication may allow a privileged user to cause corruption of the Linux Device Tree. A successful exploitation of this vulnerability might lead to data tampering, denial of service.
CVE-2025-68920 2026-04-15 8.9 High
C-Kermit (aka ckermit) through 10.0 Beta.12 (aka 416-beta12) before 244644d allows a remote Kermit system to overwrite files on the local system, or retrieve arbitrary files from the local system.
CVE-2024-43143 2026-04-15 6.4 Medium
Missing Authorization vulnerability in Roundup WP Registrations for the Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Registrations for the Events Calendar: from n/a through 2.12.1.
CVE-2025-10184 2 Google, Oneplus 2 Android, Oxygenos 2026-04-15 N/A
The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.
CVE-2025-68947 1 Nsecsoft 1 Nscknl 2026-04-15 4.7 Medium
NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes by issuing crafted IOCTL requests to the driver.
CVE-2025-15516 2 Plugins360, Wordpress 2 All-in-one Video Gallery, Wordpress 2026-04-15 4.3 Medium
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account.
CVE-2025-69023 2 Marketingfire, Wordpress 2 Discussion Board, Wordpress 2026-04-15 4.3 Medium
Missing Authorization vulnerability in Marketing Fire Discussion Board wp-discussion-board allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Discussion Board: from n/a through <= 2.5.7.