164 matches found
CVE-2020-13998
Citrix XenApp 6.5, when 2FA is enabled, allows a remote unauthenticated attacker to ascertain whether a user exists on the server, because the 2FA error page only occurs after a valid username is entered. NOTE: This vulnerability only affects products that are no longer supported by the maintaine...
CVE-2020-13265
User email verification bypass in GitLab CE/EE 12.5 and later through 13.0.1 allows user to bypass email verification...
WordPress AHAthat plugin cross-site request forgery vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. A cross-site request forgery vulnerability exists in the WordPress AHAthat plugin, which stems from the WEB application not adequately verifying that a request is coming from a...
PT-2025-14572 · Yubico · Yubikey
Name of the Vulnerable Software and Affected Versions: Yubico YubiKey versions 5.4.1 through 5.7.3 Description: The issue is related to an incorrect implementation of the FIDO CTAP PIN/UV 2 authentication protocol. Specifically, it uses the signature length from the CTAP PIN/UV 1 protocol, even...
CVE-2025-31161
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account unless a DMZ proxy instance is used, as exploited in the wild in March and April 2025, aka "Unauthenticated HTTPS port access." A race condition exists in the AWS4-HMAC compatible wi...
CVE-2024-10366
The CVE-2024-10366 vulnerability affects danny-avila/librechat v0.7.5-rc2, where the delete-attachments endpoint does not verify that the attachment ID belongs to the current user. This IDOR allows any authenticated user (low privileges) to delete attachments of other users, with a network-style ...
CVE-2025-0748 Homey <= 2.4.3 - Cross-Site Request Forgery to User Verification
The Homey theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.3. This is due to missing or incorrect nonce validation on the 'homeyverifyusermanually' function. This makes it possible for unauthenticated attackers to update verify an user via a...
CVE-2025-0748 Homey <= 2.4.3 - Cross-Site Request Forgery to User Verification
The Homey theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.3. This is due to missing or incorrect nonce validation on the 'homeyverifyusermanually' function. This makes it possible for unauthenticated attackers to update verify an user via a...
PT-2025-5899 · Nextend · Nextend Social Login Pro
Name of the Vulnerable Software and Affected Versions: Nextend Social Login Pro versions up to, and including, 3.1.16 Description: The issue is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for...
CVE-2024-50945
An improper access control vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f, allowing users to submit reviews without verifying if they have purchased the product...
CVE-2024-10961
The Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.9.0. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing...
CVE-2024-10020
The Heateor Social Login WordPress plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.1.35. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log i...
CVE-2024-10114
CVE-2024-10114 – WooCommerce - Social Login (WordPress) Affected product: WooCommerce - Social Login plugin for WordPress.Vulnerability: authentication bypass due to insufficient verification on the user returned by the social login token (root cause: token user verification flaw).Impact (per sou...
CVE-2024-10114 Social Login - WordPress / WooCommerce Plugin <= 2.7.7 - Authentication Bypass via WordPress.com OAuth provider
The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as...
CVE-2024-10097 Loginizer Security and Loginizer <= 1.9.2 - Authentication Bypass via WordPress.com OAuth provider
The Loginizer Security and Loginizer plugins for WordPress are vulnerable to authentication bypass in all versions up to, and including, 1.9.2. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to lo...
CVE-2024-9501 Wp Social Login and Register Social Counter <= 3.0.7 - Authentication Bypass via WordPress.com OAuth provider
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.0.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated...
CVE-2024-9501
CVE-2024-9501 is a high-severity authentication bypass in the WordPress plugin “WP Social Login and Register Social Counter” (
CVE-2024-9488 Comments – wpDiscuz <= 7.6.24 - Authentication Bypass via WordPress.com OAuth provider
The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any...
CVE-2024-8943
CVE-2024-8943 affects the WordPress LatePoint plugin, versions up to and including 5.0.12, enabling an authentication bypass due to improper verification of the user supplied during the booking step. Unauthenticated attackers could log in as any existing user (e.g., an administrator) if the site ...
CVE-2024-47768 Lif Authentication Server Has No Auth Check When Updating Password In Account Recovery
Lif Authentication Server is a server used by Lif to do various tasks regarding Lif accounts. This vulnerability has to do with the account recovery system where there does not appear to be a check to make sure the user has been sent the recovery email and entered the correct code. If the attacke...