Export limit exceeded: 10585 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10585 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-3312 | 2 Tonjoostudio, Wordpress | 2 Easy Custom Auto Excerpt, Wordpress | 2026-04-15 | 5.3 Medium |
| The Easy Custom Auto Excerpt plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.12. This makes it possible for unauthenticated attackers to obtain excerpts of password-protected posts. | ||||
| CVE-2024-43154 | 2 Bracketspace, Wordpress | 2 Advanced Cron Manager, Wordpress | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in BracketSpace Advanced Cron Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Cron Manager – debug & control: from n/a through 2.5.9. | ||||
| CVE-2025-7689 | 2 Themefic, Wordpress | 2 Hydra Booking, Wordpress | 2026-04-15 | 8.8 High |
| The Hydra Booking plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the tfhb_reset_password_callback() function in versions 1.1.0 to 1.1.18. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the password of an Administrator user, achieving full privilege escalation. | ||||
| CVE-2024-37926 | 1 Volkov | 1 Wp Accessibility Helper | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH) allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.9. | ||||
| CVE-2024-5858 | 2026-04-15 | 4.3 Medium | ||
| The AI Infographic Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the qcld_openai_title_generate_desc AJAX action in all versions up to, and including, 4.7.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary post titles. | ||||
| CVE-2024-4010 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2026-04-15 | 8.8 High |
| The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handle_ajax_request function in all versions up to, and including, 5.7.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to cause a loss of confidentiality, integrity, and availability, by performing multiple unauthorized actions. Some of these actions could also be leveraged to conduct PHP Object Injection and SQL Injection attacks. | ||||
| CVE-2024-44116 | 2026-04-15 | 4.3 Medium | ||
| The RFC enabled function module allows a low privileged user to add any workbook to any user's workplace favourites. This vulnerability could be utilized to identify usernames and access information about targeted user's workplaces. There is low impact on integrity of the application. | ||||
| CVE-2024-30217 | 2026-04-15 | 4.3 Medium | ||
| Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can approve or reject a bank account application affecting the integrity of the application. Confidentiality and Availability are not impacted. | ||||
| CVE-2024-37516 | 2026-04-15 | 6.3 Medium | ||
| Missing Authorization vulnerability in fifu.App Featured Image from URL allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Image from URL: from n/a through 4.8.2. | ||||
| CVE-2024-1371 | 1 Wordpress | 2 Leadconnector, Wordpress | 2026-04-15 | 6.5 Medium |
| The LeadConnector plugin for WordPress is vulnerable to unauthorized modification & loss of data due to a missing capability check on the lc_public_api_proxy() function in all versions up to, and including, 1.7. This makes it possible for unauthenticated attackers to delete arbitrary posts. CVE-2024-34378 is likely a duplicate of this issue. | ||||
| CVE-2024-13717 | 2 Vcita, Wordpress | 2 Contact Form And Calls To Action By Vcita, Wordpress | 2026-04-15 | 4.3 Medium |
| The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_ajax_toggle_ae and vcita_ajax_toggle_contact functions in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to enabled and disable widgets. | ||||
| CVE-2024-13747 | 2026-04-15 | 4.3 Medium | ||
| The WooMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'template_delete_saved' function in all versions up to, and including, 3.0.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject SQL into an existing post deletion query. | ||||
| CVE-2023-35045 | 2026-04-15 | 4.3 Medium | ||
| Missing Authorization vulnerability in Fat Rat Fat Rat Collect.This issue affects Fat Rat Collect: from n/a through 2.6.7. | ||||
| CVE-2024-5768 | 2026-04-15 | 6.4 Medium | ||
| The MIMO Woocommerce Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mimo_update_provider' function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update shipping provider information, including adding stored cross-site scripting. | ||||
| CVE-2024-13767 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.1 High |
| The Live2DWebCanvas plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ClearFiles() function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2024-28627 | 1 Flipsnack | 1 Flipsnack | 2026-04-15 | 7.5 High |
| An issue in Flipsnack v.18/03/2024 allows a local attacker to obtain sensitive information via the reader.gz.js file. | ||||
| CVE-2024-28394 | 1 Advancedplugins | 1 Reportsstatistics | 2026-04-15 | 9.8 Critical |
| An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module. | ||||
| CVE-2024-37439 | 1 Uncannyowl | 1 Uncanny Toolkit Pro For Learndash | 2026-04-15 | 5.4 Medium |
| Missing Authorization vulnerability in Uncanny Owl Uncanny Toolkit Pro for LearnDash allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Toolkit Pro for LearnDash: from n/a through 4.1.4.0 | ||||
| CVE-2024-27086 | 2026-04-15 | 3.9 Low | ||
| The MSAL library enabled acquisition of security tokens to call protected APIs. MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 to 4.60.0 are impacted by a low severity vulnerability. A malicious application running on a customer Android device can cause local denial of service against applications that were built using MSAL.NET for authentication on the same device (i.e., prevent the user of the legitimate application from logging in) due to incorrect activity export configuration. MSAL.NET version 4.60.1 includes the fix. As a workaround, a developer may explicitly mark the MSAL.NET activity non-exported. | ||||
| CVE-2024-41729 | 2026-04-15 | 4.3 Medium | ||
| Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application. | ||||