| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Subscriber Broken Access Control in MainWP <= 6.1.1 versions. |
| Subscriber Broken Access Control in Wallet System for WooCommerce <= 2.7.6 versions. |
| Unauthenticated Broken Access Control in WP User Frontend <= 4.3.7 versions. |
| A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can lead to privilege escalation, unauthorized service execution, and potential system compromise. |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without any team ownership validation, allowing cross-team resource deployment. This vulnerability is fixed in 4.0.0-beta.474. |
| Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions. |
| Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions. |
| Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions. |
| Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions. |
| Unauthenticated Broken Access Control in Five Star Restaurant Menu <= 2.5.2 versions. |
| Unauthenticated Broken Access Control in Intranet & Private Site – All-In-One Intranet <= 1.8.1 versions. |
| Unauthenticated Broken Access Control in Syncee Premium Dropshipping & Wholesale <= 1.0.27 versions. |
| Unauthenticated Broken Access Control in Paymob for WooCommerce <= 4.1.2 versions. |
| Contributor Privilege Escalation in Frisbii Pay <= 1.8.2 versions. |
| Unauthenticated Broken Access Control in MailChimp Block <= 1.1.15 versions. |
| Unauthenticated Broken Access Control in Flash & HTML5 Video <= 2.11.0 versions. |
| Contributor Broken Access Control in SEOPress PRO <= 9.1.1 versions. |
| The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the __invoke() methods of the AttributeGroupController and AttributeController classes, which are bound to the 'dwps_modify_groups' and 'dwps_modify_attributes' AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create, edit, and delete arbitrary product specification groups and attributes (taxonomy terms in the 'spec-group' and attribute taxonomies), corrupting business data and impacting the site's frontend display. |
| The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators. |
| The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of plugins. |
