Lucene search
+L

862 matches found

Patchstack
Patchstack
added 2026/01/30 5:6 a.m.9 views

WordPress Paid Memberships Pro plugin < 2.12.9 - Contributor+ Arbitrary User Custom Field Disclosure vulnerability

Contributor+ Arbitrary User Custom Field Disclosure vulnerability discovered by Scott Kingsley Clark in WordPress Plugin Paid Memberships Pro versions 2.12.9...

4.3CVSS5.9AI score0.00548EPSS
Exploits2References1Affected Software1
Patchstack
Patchstack
added 2026/01/28 6:19 a.m.13 views

WordPress New User Approve plugin <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure vulnerability

Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure vulnerability discovered by Deadbee - NA in WordPress Plugin New User Approve versions = 3.2.2...

7.3CVSS5.9AI score0.00323EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/09 8:54 a.m.10 views

CVE-2021-41129

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a confirmationtoken input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can...

8.1CVSS6.9AI score0.01696EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 8:39 a.m.18 views

CVE-2022-35947

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions have been found to be vulnerable to a SQL injection attack which an attacker could...

10CVSS7.7AI score0.00981EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/01/08 3:4 p.m.23 views

CVE-2025-67603 Lack of client authorization allows arbitrary users to influence the firewall configuration

A Improper Authorization vulnerability in Foomuuri llows arbitrary users to influence the firewall configuration.This issue affects Foomuuri: from ? before 0.31...

5.1CVSS0.00148EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/01/07 9:17 a.m.20 views

CVE-2025-1668

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpspDeleteUser function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access a...

5.4CVSS6.6AI score0.00281EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/07 9:11 a.m.7 views

CVE-2025-1295

The Templines Elementor Helper Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.7. This is due to allowing arbitrary user meta updates. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update thei...

8.8CVSS6.9AI score0.00466EPSS
Exploits0References1
Patchstack
Patchstack
added 2025/12/31 12:0 a.m.9 views

WordPress MelaPress Login Security Premium plugin 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability discovered by Michelle Porter - Wordfence in WordPress Plugin MelaPress Login Security Premium versions 2.1.0...

8.2CVSS5.9AI score0.00355EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2025/12/31 12:0 a.m.8 views

WordPress MelaPress Login Security plugin 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability discovered by Michelle Porter - Wordfence in WordPress Plugin MelaPress Login Security versions 2.1.0...

8.2CVSS5.9AI score0.00355EPSS
Exploits0References1Affected Software1
CNNVD
CNNVD
added 2025/12/22 12:0 a.m.4 views

Ragic Enterprise Cloud Database 安全漏洞

Ragic Enterprise Cloud Database is an enterprise cloud database from China Immediate Technology Ragic. A security vulnerability exists in Ragic Enterprise Cloud Database that stems from the use of hard-coded encryption keys, which could allow an unauthenticated, remote attacker to utilize a fixed...

9.8CVSS6.8AI score0.0045EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/12/19 12:0 a.m.35 views

CVE-2025-66911

Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online status query functionality. The handleQueryUserOnlineStatusesRequest method in UserServiceController.java allows any authenticated user to query the online status, device information, an...

0.0028EPSS
Exploits1References3
EUVD
EUVD
added 2025/12/18 12:22 p.m.12 views

EUVD-2025-204262

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woofaddsubscr" function due to missing validation on a user controlled key. This makes it possible for authenticat...

4.3CVSS5.3AI score0.00306EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2025/11/30 1:53 a.m.5 views

CVE-2025-13615 StreamTube Core <= 4.78 - Unauthenticated Arbitrary User Password Change

The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for...

9.8CVSS5.8AI score0.00324EPSS
Exploits1References2
NVD
NVD
added 2025/11/21 2:15 p.m.8 views

CVE-2025-11127

The Mstoreapp Mobile App WordPress plugin through 2.08 and Mstoreapp Mobile Multivendor through 9.0.1 do not properly verify users identify when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address...

9.8CVSS0.00294EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/11/12 12:0 a.m.3 views

CVE-2025-60645

A Cross-Site Request Forgery CSRF in xxl-api v1.3.0 allows attackers to arbitrarily add users to the management module via a crafted GET request...

6.3AI score0.00147EPSS
Exploits1References2
CNNVD
CNNVD
added 2025/11/12 12:0 a.m.4 views

xxl-api 安全漏洞

xxl-api is an interface management platform for Xu Xueli's individual developers. A security vulnerability exists in xxl-api v1.3.0, which stems from a cross-site request forgery in the management module that could lead to arbitrary user additions...

6.5CVSS6.7AI score0.00147EPSS
Exploits1References3
OSV
OSV
added 2025/11/12 12:0 a.m.3 views

CVE-2025-60645

A Cross-Site Request Forgery CSRF in xxl-api v1.3.0 allows attackers to arbitrarily add users to the management module via a crafted GET request...

6.5CVSS6.6AI score0.00147EPSS
Exploits1References4
Cvelist
Cvelist
added 2025/11/07 4:28 a.m.13 views

CVE-2025-4522 IDonate 2.0.0 - 2.1.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the adminpostdonordelete function in versions 2.0.0 to 2.1.9. By supplying an arbitrary userid parameter value to the wpdeleteuser function, authenticated...

6.5CVSS0.00249EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2025/11/07 4:28 a.m.5 views

CVE-2025-4522 IDonate 2.0.0 - 2.1.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the adminpostdonordelete function in versions 2.0.0 to 2.1.9. By supplying an arbitrary userid parameter value to the wpdeleteuser function, authenticated...

6.5CVSS6.2AI score0.00249EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2025/11/07 12:0 a.m.7 views

PT-2025-45448

An issue was discovered in rymcu forest thru commit f782e85 2025-09-04 in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized attackers to delete arbitrary users posts...

7AI score0.00246EPSS
Exploits1References3
Rows per page
Query Builder