| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Send PDF for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of form submissions due to a missing capability check on the hooks function in all versions up to, and including, 1.0.2.3. This makes it possible for unauthenticated attackers to download information about contact form entries with PDFs. |
| Missing Authorization vulnerability in Salesforce Pardot.This issue affects Pardot: from n/a through 2.1.0. |
| Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected. |
| The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_create_index() function in all versions up to, and including, 5.5.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger index creation. |
| Missing Authorization vulnerability in Ovic Team Ovic Addon Toolkit.This issue affects Ovic Addon Toolkit: from n/a through 2.6.1.
|
| Missing Authorization vulnerability in Sparkle WP Editorialmag editorialmag.This issue affects Editorialmag: from n/a through 1.1.9. |
| Missing Authorization vulnerability in Vektor,Inc. VK Block Patterns.This issue affects VK Block Patterns: from n/a through 1.31.0.
|
| Missing Authorization vulnerability in Supsystic Data Tables Generator by Supsystic.This issue affects Data Tables Generator by Supsystic: from n/a through 1.10.31.
|
| The RSVP and Event Management plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX functions like bulk_delete_attendees() and bulk_delete_questions() in all versions up to, and including, 2.7.13. This makes it possible for unauthenticated attackers to delete questions and attendees and for authenticated users to update question menu orders. |
| The WC Price History for Omnibus plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and modify history data. |
| The AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engine_request_data() function in all versions up to, and including, 2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings. |
| The Dataverse Integration plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within its reset_password_link REST endpoint in versions 2.77 through 2.81. The endpoint’s handler accepts a client-supplied id, email, or login, looks up that user, and calls get_password_reset_key() unconditionally. Because it only checks that the caller is authenticated, and not that they own or may edit the target account, any authenticated attacker, with Subscriber-level access and above, can obtain a password reset link for an administrator and hijack that account. |
| In GRAU DATA Blocky before 3.1, Blocky-Gui has a Client-Side Enforcement of Server-Side Security vulnerability. An attacker with Windows administrative or debugging privileges can patch a binary in memory or on disk to bypass the password login requirement and gain full access to all functions of the program. |
| The SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer plugin for WordPress is vulnerable to unauthorized ld+json description injection due to a missing capability check on the save_settings function in all versions up to, and including, 3.10.2. This makes it possible for unauthenticated attackers to save schema types. |
| Incorrect Authorization vulnerability in Supsystic Data Tables Generator.This issue affects Data Tables Generator: from n/a through 1.10.25.
|
| The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcdn_remove_shoplogo' AJAX action in all versions up to, and including, 5.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the shop's logo. |
| Incorrect access control in the firmware update and download processes of DreamCatcher Life v1.8.7 allows attackers to access sensitive information by analyzing the code and data within the APK file. |
| Incorrect access control in the firmware update and download processes of Wear Sync v1.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file. |
| Incorrect access control in the firmware update and download processes of IVY Smart v4.5.0 allows attackers to access sensitive information by analyzing the code and data within the APK file. |
| Incorrect access control in the firmware update and download processes of Yamaha Headphones Controller v1.6.7 allows attackers to access sensitive information by analyzing the code and data within the APK file. |
