Export limit exceeded: 11340 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11340 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-50967 | 2026-04-15 | 6.5 Medium | ||
| The /rest/rights/ REST API endpoint in Becon DATAGerry through 2.2.0 contains an Incorrect Access Control vulnerability. An attacker can remotely access this endpoint without authentication, leading to unauthorized disclosure of sensitive information. | ||||
| CVE-2024-5326 | 2026-04-15 | 8.8 High | ||
| The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator. | ||||
| CVE-2024-54124 | 1 Clickstudios | 1 Passwordstate | 2026-04-15 | 8.8 High |
| In Click Studios Passwordstate before build 9920, there is a potential permission escalation on the edit folder screen. | ||||
| CVE-2024-5468 | 2026-04-15 | 6.5 Medium | ||
| The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to unauthorized site option deletion due to a missing validation and capability checks on the stm_hb_delete() function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to delete arbitrary options that can be used to perform a denial of service attack on a site. | ||||
| CVE-2024-54916 | 2026-04-15 | 6.8 Medium | ||
| An issue in the SharedConfig class of Telegram Android APK v.11.7.0 allows a physically proximate attacker to bypass authentication and escalate privileges by manipulating the return value of the checkPasscode method. | ||||
| CVE-2024-58101 | 2026-04-15 | 8.1 High | ||
| Samsung Galaxy Buds and Galaxy Buds 2 audio devices are Bluetooth pairable by default without user input nor a way to stop this mode. As a consequence, audio playback takeover or even microphone recording without user consent or notification is achieved. Note: This is considered a low severity vulnerability by the vendor. | ||||
| CVE-2024-6180 | 2 Myeventon, Wordpress | 2 Eventon, Wordpress | 2026-04-15 | 7.2 High |
| The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventon_import_settings' ajax action in all versions up to, and including, 2.2.15. This makes it possible for unauthenticated attackers to update plugin settings, including adding stored cross-site scripting to settings options displayed on event calendar pages. | ||||
| CVE-2024-6591 | 1 Nitesh Singh | 1 Ultimate Wordpress Auction Plugin | 2026-04-15 | 5.8 Medium |
| The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized email creation and sending due to a missing capability check on the 'send_auction_email_callback' and 'resend_auction_email_callback' functions in all versions up to, and including, 4.2.7. This makes it possible for unauthenticated attackers to craft emails that include links and send to any email address. | ||||
| CVE-2024-6599 | 2 Mekshq, Wordpress | 2 Meks Video Importer, Wordpress | 2026-04-15 | 4.3 Medium |
| The Meks Video Importer plugin for WordPress is vulnerable to unauthorized API key modification due to a missing capability check on the ajax_save_settings function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's API keys. CVE-2024-38733 may be a duplicate of this issue. | ||||
| CVE-2024-6688 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Oxygen Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the oxy_save_css_from_admin AJAX action in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update stylesheets. | ||||
| CVE-2024-7621 | 1 Wpfeedback | 1 Visual Website Collaboration | 2026-04-15 | 5.4 Medium |
| The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the process_wpfeedback_misc_options() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins settings which can also be leveraged to gain access to the plugin's settings. | ||||
| CVE-2024-7648 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Opal Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.4 via the private notes functionality on payments which utilizes WordPress comments. This makes it possible for authenticated attackers, with subscriber-level access and above, to view private notes via recent comments that should be restricted to just administrators. | ||||
| CVE-2024-7894 | 1 Andreiigna | 1 If Menu | 2026-04-15 | 5.3 Medium |
| The If Menu plugin for WordPress is vulnerable to unauthorized modification of the plugin's license key due to a missing capability check on the 'actions' function in versions up to, and including, 0.19.1. This makes it possible for unauthenticated attackers to modify delete or modify the license key. | ||||
| CVE-2024-11085 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.4 Medium |
| The WP Log Viewer plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on several AJAX actions in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access logs, update plugin-related user settings and general plugin settings. | ||||
| CVE-2024-9629 | 2026-04-15 | 5.4 Medium | ||
| The Contact Form 7 + Telegram plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wpcf7_Telegram::ajax' function in versions up to, and including, 0.8.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve, pause and refuse subscriptions. | ||||
| CVE-2024-9824 | 2026-04-15 | 4.3 Medium | ||
| The ImagePress – Image Gallery plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'ip_delete_post' and 'ip_update_post_title' functions in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts and update post titles. | ||||
| CVE-2025-0836 | 1 Milestone Systems | 1 Xprotect Vms | 2026-04-15 | 6.3 Medium |
| Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API. | ||||
| CVE-2025-57605 | 1 Aikaan | 1 Iot Platform | 2026-04-15 | 8.8 High |
| Lack of server-side authorisation on department admin assignment APIs in AiKaan IoT Platform allows authenticated users to elevate their privileges by assigning themselves as admins of other departments. This results in unauthorized privilege escalation across the department | ||||
| CVE-2025-11060 | 1 Redhat | 1 Service Mesh | 2026-04-15 | 5.7 Medium |
| A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records. | ||||
| CVE-2025-11887 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Supervisor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update various plugin settings. | ||||