Export limit exceeded: 344061 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search Results (344061 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-7786 | 1 Automattic | 1 Sensei Lms | 2025-08-27 | 7.5 High |
| The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak email templates. | ||||
| CVE-2024-13688 | 1 Wpase | 1 Admin And Site Enhancements | 2025-08-27 | 5.3 Medium |
| The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 uses a hardcoded password in its Password Protection feature, allowing attackers to bypass the protection via a crafted request. | ||||
| CVE-2024-4565 | 2 Advancedcustomfields, Wpengine | 3 Advanced Custom Fields, Advanced Custom Field Pro, Advanced Custom Fields | 2025-08-27 | 7.5 High |
| The Advanced Custom Fields (ACF) WordPress plugin before 6.3 and Advanced Custom Fields Pro WordPress plugin before 6.3 allow custom field values for any post to be displayed via shortcode without checking for the correct access. | ||||
| CVE-2024-1287 | 2 Paidmembershipspro, Strangerstudios | 2 Paid Memberships Pro, Paid Memberships Pro | 2025-08-27 | 6.5 Medium |
| The pmpro-member-directory WordPress plugin before 1.2.6 does not prevent users with at least the contributor role from leaking other users' sensitive information, including password hashes via an SQLi vector. | ||||
| CVE-2024-6846 | 2 Smartsearchwp, Webdigit | 2 Chatbot With Chatgpt Wordpress, Chatbot With Chatgpt | 2025-08-27 | 5.3 Medium |
| The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not validate access on some REST routes, allowing an unauthenticated user to purge error and chat logs. | ||||
| CVE-2024-7714 | 1 Ays-pro | 2 Ai Chatbot With Chatgpt, Chatgpt Assistant | 2025-08-27 | 6.5 Medium |
| The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 lacks sufficient access controls, allowing an unauthenticated user to disconnect the plugin from OpenAI and thereby disable it. Multiple actions are accessible: 'ays_chatgpt_disconnect', 'ays_chatgpt_connect', and 'ays_chatgpt_save_feedback'. | ||||
| CVE-2025-4094 | 1 Unitedover | 1 Digits | 2025-08-27 | 9.8 Critical |
| The DIGITS: WordPress Mobile Number Signup and Login WordPress plugin before 8.4.6.1 does not rate limit OTP validation attempts, making it straightforward for attackers to bruteforce them. | ||||
| CVE-2024-5973 | 1 Stylemixthemes | 1 Masterstudy Lms | 2025-08-27 | 8.8 High |
| The MasterStudy LMS WordPress plugin before 3.3.24 does not prevent students from creating instructor accounts, which could be used to gain access to functionality they shouldn't have. | ||||
| CVE-2024-5570 | 2 Tobias Cichon, Zitscher | 2 Simple Photoswipe, Simple Photoswipe | 2025-08-27 | 6.5 Medium |
| The Simple Photoswipe WordPress plugin through 0.1 does not have an authorisation check when updating its settings, which could allow any authenticated user, such as a subscriber, to update them. | ||||
| CVE-2024-12812 | 1 Wedevs | 1 Wp Erp | 2025-08-27 | 7.5 High |
| The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employees. | ||||
| CVE-2024-11638 | 1 Gtbabel | 1 Gtbabel | 2025-08-27 | 8.8 High |
| The Gtbabel WordPress plugin before 6.6.9 does not ensure that the URL on which to perform code analysis belongs to the blog, which could allow unauthenticated attackers to retrieve a logged-in user's (such as an admin's) cookies by making them open a crafted URL, as the request made to analyse the URL contains such cookies. | ||||
| CVE-2024-12274 | 1 Codepeople | 1 Appointment Booking Calendar | 2025-08-27 | 7.5 High |
| The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access the exported files (if they exist). | ||||
| CVE-2024-1295 | 2 Theeventscalendar, Tri | 3 Events Calendar Pro, The Events Calendar, The Events Calendar | 2025-08-27 | 6.5 Medium |
| The events-calendar-pro WordPress plugin before 6.4.0.1 and The Events Calendar WordPress plugin before 6.4.0.1 do not prevent users with at least the contributor role from leaking details about events they shouldn't have access to (e.g. password-protected events, drafts, etc.). | ||||
| CVE-2024-13926 | 1 Connections-pro | 1 Wp-syntax | 2025-08-27 | 7.5 High |
| The WP-Syntax WordPress plugin through 1.2 does not properly handle input, allowing an attacker to create a post containing a large number of tags, thereby exploiting a catastrophic backtracking issue in the regular expression processing to cause a DoS. | ||||
| CVE-2025-2563 | 1 Wpeverest | 1 User Registration & Membership | 2025-08-27 | 8.1 High |
| The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users from setting their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges. | ||||
| CVE-2024-13896 | 1 Jgehrcke | 1 Wp-geshi-highlight | 2025-08-27 | 6.5 Medium |
| The WP-GeSHi-Highlight (rock-solid syntax highlighting for 259 languages) WordPress plugin through 1.4.3 processes user-supplied input as a regular expression via the wp_geshi_filter_replace_code() function, which could lead to a Regular Expression Denial of Service (ReDoS) issue. | ||||
| CVE-2025-1501 | 1 Nozominetworks | 1 Cmc | 2025-08-27 | 4.3 Medium |
| An access control vulnerability was discovered in the Request Trace and Download Trace functionalities of CMC before 25.1.0 due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can request and download trace files due to improper access restrictions, potentially exposing unauthorized network data. | ||||
| CVE-2025-41702 | 1 Welotec | 1 Egos Webgui | 2025-08-27 | 9.8 Critical |
| The JWT secret key is embedded in the egOS WebGUI backend and is readable by the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of a hard-coded cryptographic key. | ||||
| CVE-2025-53813 | 2 Apple, Nozbe | 2 Macos, Nozbe | 2025-08-27 | N/A |
| The configuration of Nozbe on macOS, specifically the "RunAsNode" fuse being enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Nozbe's TCC (Transparency, Consent, and Control) permissions. Acquired resource access is limited to permissions previously granted by the user. Access to other resources beyond the granted permissions requires user interaction with a system prompt asking for permission. This issue was fixed in version 2025.11 of Nozbe. | ||||
| CVE-2024-57155 | 1 Radar | 1 Radar | 2025-08-27 | 9.8 Critical |
| Incorrect access control in radar v1.0.8 allows attackers to bypass authentication and access sensitive APIs without a token. | ||||