CVE-2025-12963
The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the...
TableProgressTracking Cross-Site Request Forgery Vulnerability
TableProgressTracking is an open source MediaWiki extension from Telepedia. A cross-site request forgery vulnerability exists in TableProgressTracking 1.2.0 and earlier versions, which stems from a lack of CSRF token validation in the REST API, and could lead to a cross-site request forgery attac...
CVE-2025-67513 FreePBX Endpoint Manager's Weak Default Password Allows Unauthenticated Access in Endpoint Module REST API
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6-digit numeric value which can be brute forced. This is the apppassword parameter. Depending on local...
CVE-2025-66473 XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis
XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of...
Cross-site Scripting (XSS)
Overview: io.jenkins.plugins:coverage collects reports of code coverage or mutation coverage tools and visualizes the results. It has support for the following report formats: JaCoCo, Cobertura, and PIT. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper...
XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis
Impact: XWiki's REST API doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the...
PT-2025-50359
Name of the Vulnerable Software and Affected Versions: Jenkins Coverage Plugin versions 2.3054.ve1ff7b a a 123b and earlier. Description: The Jenkins Coverage Plugin does not properly validate the configured coverage results ID when creating coverage results. Specifically, the validation occurs only...
CVE-2024-47570
An insertion of sensitive information into log file vulnerability CWE-532 in FortiOS 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0 all versions; FortiProxy 7.4.0 through 7.4.3, 7.2.0 through 7.2.11; FortiPAM 1.4 all versions, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions...
CVE-2025-62173
Summary: Authenticated SQL Injection Vulnerability in Endpoint Module Rest API...
CVE-2025-62173
CVE-2025-62173 is an authenticated SQL injection affecting the FreePBX ERP Endpoint Module Rest API. The vulnerability arises from a lack of validation of externally supplied SQL statements in the Endpoint Module Rest API, enabling an authenticated attacker to execute arbitrary SQL commands and p...
CVE-2025-11726 Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Global Preset Modification
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets...
PT-2025-48229
The Tiare Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. This is due to the 'tiare membership init rest api register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated...
VulnCheck KEV: CVE-2025-52472
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is...
CVE-2025-13452
The CVE-2025-13452 entry applies to the WordPress plugin Admin and Customer Messages After Order for WooCommerce: OrderConvo. Multiple connected reports confirm a vulnerable REST API permission check that returns true when no nonce is provided, enabling missing authorization in all versions up to...
CVE-2025-10646
CVE-2025-10646 relates to the WordPress Search Exclude plugin. Affected versions up to and including 2.5.7 have an insufficient capability check in the Base::get_rest_permission() method, allowing authenticated attackers with Contributor-level access or higher to modify plugin settings (e.g.,...
PT-2025-48070
An issue in the cms rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file...
CVE-2025-13149
The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the "saveFutureActionData" function in all versions up to, and including,...
CVE-2025-58122
Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure...