Latest CVE Feed
-
5.3
MEDIUMCVE-2025-62085
Missing Authorization vulnerability in berthaai BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BERTHA AI: from n/a through <= 1.13.... Read more
Affected Products : bertha_ai- Published: Dec. 09, 2025
- Modified: Dec. 11, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-62737
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in opicron Image Cleanup image-cleanup allows Retrieve Embedded Sensitive Data.This issue affects Image Cleanup: from n/a through <= 1.9.2.... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-12093
The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.6. This makes it possible for unauthenticated attackers to perform sev... Read more
Affected Products :- Published: Dec. 05, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-67583
Missing Authorization vulnerability in ThemeAtelier IDonate idonate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IDonate: from n/a through <= 2.1.15.... Read more
Affected Products : idonate- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-14442
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly accessible directory with predictable filenames in all versions up to, and inclu... Read more
Affected Products : secure_copy_content_protection_and_content_locking- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-63049
Missing Authorization vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects ListingPro Lead Form: from n/a through <= 1.0.2.... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-14065
The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authentica... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-12408
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be i... Read more
Affected Products : events_manager- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-63008
Missing Authorization vulnerability in weDevs WP ERP erp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP ERP: from n/a through <= 1.16.7.... Read more
Affected Products : wp_erp- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-13312
The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the 'ntzcrm_add_new_tag' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated att... Read more
Affected Products :- Published: Dec. 05, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-13006
The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible fo... Read more
Affected Products : medikaid- Published: Dec. 05, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-59949
FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability that can lead to denial of service via <track src>. Version 1.27.1 patches the issue.... Read more
Affected Products : freshrss- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Request Forgery
-
5.3
MEDIUMCVE-2025-12841
The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugins Stripe payment options.... Read more
Affected Products : bookit- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Misconfiguration
-
5.3
MEDIUMCVE-2025-61950
In GroupSession, a Circular notice can be created with its memo field non-editable, but the authorization check is improperly implemented. With some crafted request, a logged-in user may alter the memo field. The affected products and versions are GroupSe... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-63043
Authorization Bypass Through User-Controlled Key vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.3.19... Read more
Affected Products : post_grid- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2024-58297
PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload in the 'Redirect From' field to execute arbitrary JavaScript when ad... Read more
Affected Products : pyrocms- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2024-58296
CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. Attackers can insert XSS payloads in the title field to execute arbitrary JavaScript when admi... Read more
Affected Products :- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2024-58291
Flatboard 3.2 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts in forum information fields. Attackers can insert JavaScript payloads that execute when other users view the forum, pot... Read more
Affected Products :- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2025-64667
User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
-
5.3
MEDIUMCVE-2025-12584
The Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.17 via the 'wqv_popup_content' AJAX endpoint due to insufficient restrictions on which products can be included. This makes... Read more
Affected Products :- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Information Disclosure