Total
5748 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-40834 | 1 Apple | 1 Macos | 2025-11-04 | 4.4 Medium |
| This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sonoma 14.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. A shortcut may be able to bypass sensitive Shortcuts app settings. | ||||
| CVE-2024-8383 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Enterprise Linux and 5 more | 2025-11-04 | 7.5 High |
| Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15. | ||||
| CVE-2024-40852 | 1 Apple | 3 Ios And Ipados, Ipados, Iphone Os | 2025-11-04 | 7.5 High |
| This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18 and iPadOS 18. An attacker may be able to see recent photos without authentication in Assistive Access. | ||||
| CVE-2025-12157 | 1 Wordpress | 1 Wordpress | 2025-11-04 | 5.3 Medium |
| The Simple User Capabilities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_reset_capability' AJAX endpoint in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to reset any user's capabilities. | ||||
| CVE-2025-11890 | 3 Beycanpress, Woocommerce, Wordpress | 3 Crypto Payment Gateway With Payeer For Woocommerce, Woocommerce, Wordpress | 2025-11-04 | 7.5 High |
| The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a payments status through server-side validation though the /wc-api/bp-payeer-gateway-callback endpoint. This makes it possible for unauthenticated attackers to update unpaid order statuses to paid resulting in a loss of revenue. | ||||
| CVE-2025-63293 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2025-11-04 | 6.5 Medium |
| FairSketch Rise Ultimate Project Manager & CRM 3.9.4 is vulnerable to Insecure Permissions. A remote authenticated user can append comments or upload attachments to tickets for which they lack view or edit authorization, due to missing authorization checks in the ticketing/commenting API. | ||||
| CVE-2025-64294 | 1 Wordpress | 1 Wordpress | 2025-11-04 | 5.3 Medium |
| Missing Authorization vulnerability in d3wp WP Snow Effect allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Snow Effect: from n/a through 1.1.15. | ||||
| CVE-2025-12158 | 1 Wordpress | 1 Wordpress | 2025-11-04 | 9.8 Critical |
| The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator. | ||||
| CVE-2025-64348 | 1 Elog | 1 Elog | 2025-11-04 | 7.1 High |
| ELOG allows an authenticated user to modify or overwrite the configuration file, resulting in denial of service. If the execute facility is specifically enabled with the "-x" command line flag, attackers could execute OS commands on the host machine. By default, ELOG is not configured to allow shell commands or self-registration. | ||||
| CVE-2025-11975 | 2 Fusewp, Wordpress | 2 Fusewp, Wordpress | 2025-11-04 | 4.3 Medium |
| The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_changes() function in all versions up to, and including, 1.1.23.0. This makes it possible for unauthenticated attackers to add and edit sync rules. | ||||
| CVE-2025-62712 | 1 Jumpserver | 1 Jumpserver | 2025-11-04 | 9.6 Critical |
| JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts. | ||||
| CVE-2025-64356 | 2 F1logic, Wordpress | 2 Insert Php Code Snippet, Wordpress | 2025-11-04 | 4.3 Medium |
| Missing Authorization vulnerability in f1logic Insert PHP Code Snippet insert-php-code-snippet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Insert PHP Code Snippet: from n/a through <= 1.4.3. | ||||
| CVE-2025-12175 | 2 Stellarwp, Wordpress | 2 The Events Calendar, Wordpress | 2025-11-04 | 4.3 Medium |
| The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them. | ||||
| CVE-2025-12180 | 2 Qodeinteractive, Wordpress | 2 Qi Blocks, Wordpress | 2025-11-04 | 4.3 Medium |
| The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the `qi-blocks/v1/update-styles` REST API endpoint without proper sanitization in the `update_global_styles_callback()` function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary CSS, which can be used to perform actions such as hiding content, overlaying fake UI elements, or exfiltrating sensitive information via CSS injection techniques. | ||||
| CVE-2025-11833 | 2 Saadiqbal, Wordpress | 2 Post Smtp, Wordpress | 2025-11-04 | 9.8 Critical |
| The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover. | ||||
| CVE-2025-11816 | 2 Wordpress, Wplegalpages | 2 Wordpress, Wp Legal Pages | 2025-11-04 | 5.3 Medium |
| The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan. | ||||
| CVE-2025-12041 | 2 Apos37, Wordpress | 2 Eri File Library, Wordpress | 2025-11-04 | 5.3 Medium |
| The ERI File Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'erifl_file' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to download files restricted to specific user roles. | ||||
| CVE-2025-64349 | 1 Elog | 1 Elog | 2025-11-04 | 8.8 High |
| ELOG allows an authenticated user to modify another user's profile. An attacker can edit a target user's email address, then request a password reset, and take control of the target account. By default, ELOG is not configured to allow self-registration. | ||||
| CVE-2025-64350 | 2 Rank Math Seo, Wordpress | 2 Rank Math Seo, Wordpress | 2025-11-04 | 3.8 Low |
| Missing Authorization vulnerability in Rank Math SEO Rank Math SEO seo-by-rank-math allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rank Math SEO: from n/a through <= 1.0.252.1. | ||||
| CVE-2025-64352 | 2 Wordpress, Wpdeveloper | 2 Wordpress, Essential Addons For Elementor | 2025-11-04 | 2.7 Low |
| Missing Authorization vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Addons for Elementor: from n/a through <= 6.2.4. | ||||