CVE-2025-63028 WordPress Traveler theme <= 3.2.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Traveler: from n/a through = 3.2.6...

CVE-2025-62740 WordPress WP-CRM System plugin <= 3.4.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CRM System: from n/a through = 3.4.6...

CVE-2025-67580

CVE-2025-67580 concerns a Missing Authorization vulnerability in the WordPress plugin pair “Constant Contact + WooCommerce” (plugin slug constant-contact-woocommerce) affecting versions n/a through 2.4.1. The issue arises from broken access control; an attacker may exploit misconfigured access le...

CVE-2025-67579 WordPress User Extra Fields plugin <= 16.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Extra Fields: from n/a through = 16.8...

PT-2025-49839

A vulnerability has been identified in SINEC Security Monitor All versions V4.10.0. The affected application does not have proper authorization checks for the file transfer feature in ssmctl-client command. This could allow an authenticated, lowly privileged local attacker to read or write to any...

CVE-2025-12091 Search, Filters & Merchandising for WooCommerce <= 3.0.67 - Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation

The Search, Filters & Merchandising for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcissaveemail' endpoint in all versions up to, and including, 3.0.67. This makes it possible for authenticated attackers, with...

PT-2025-49038

Name of the Vulnerable Software and Affected Versions Synology BeeDrive for desktop versions prior to 1.4.2-13960 Description A missing authorization flaw exists in BeeDrive. This allows remote attackers to delete arbitrary files through unspecified means. Recommendations Update Synology BeeDrive...

CVE-2025-13696

The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. Th...

CVE-2025-11726

CVE-2025-11726 affects Beaver Builder – WordPress Page Builder (

PT-2025-48655

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.2. This is due to missing authorization checks on the eh crm edit agent AJAX action. This makes it possible for authenticated attackers, wit...

Mogu blog 安全漏洞

Mogu blog 蘑菇博客 is a micro-architecture based front-end and back-end shared blogging system by individual developers in Streamlet, China. A security vulnerability exists in Mogu blog v2 5.2 and earlier versions, which originates from a lack of authorization checking in the file /storage/ in the...

WordPress Ace Post Type Builder plugin unauthorized custom taxonomy removal vulnerability

WordPress Ace Post Type Builder plugin is a plugin for creating and managing Custom Post Types CustomPostTypes,CPT, which helps users to extend the content structure in WordPress with support for advanced features such as custom fields, categories and tags. WordPress Ace Post Type Builder plugin...

CVE-2025-13405

The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptbdeletecustomtaxonomy function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-lev...

CVE-2025-12061 Tax Service Electronic HDM < 1.2.1 - Unauthenticated Arbitrary SQL Execution

The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements...

CVE-2025-13405

The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptbdeletecustomtaxonomy function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-lev...

CVE-2025-13405 Ace Post Type Builder <= 1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter

The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptbdeletecustomtaxonomy function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-lev...

CVE-2025-13404 atec Duplicate Page & Post <= 1.2.20 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication and Data Exposure

The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicatepost function in all versions up to, and including, 1.2.20. This makes it possible for authenticated attackers, with Contributor-level access...

EUVD-2025-199572

The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicatepost function in all versions up to, and including, 1.2.20. This makes it possible for authenticated attackers, with Contributor-level access...

WordPress Plugin CP Contact Form with PayPal Has Unspecified Vulnerability

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server.WordPress plugin is an application plugin. A security vulnerability exists in the WordPress plugin CP Contact Form with PayPal, which stem...

PT-2025-48012

The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate post function in all versions up to, and including, 1.2.20. This makes it possible for authenticated attackers, with Contributor-level access...