Lucene search
K

38 matches found

NVD
NVD
added 2 days ago8 views

CVE-2026-56308

Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and...

8.4CVSS0.00244EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-43148

The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email during customer profile synchronization from webhook...

8.1CVSS6.1AI score0.00302EPSS
Exploits0References2
NVD
NVD
added 2026/07/01 8:16 a.m.8 views

CVE-2026-11387

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updati...

9.8CVSS0.0038EPSS
Exploits1References8
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.13 views

SysReptor 安全漏洞

SysReptor is an open-source penetration testing report platform developed by Syslifters. Versions of SysReptor prior to 2026.29 contained security vulnerabilities. These vulnerabilities stemmed from the ability of users with administrator privileges to change the email addresses of users with...

3.8CVSS5.8AI score0.00162EPSS
Exploits0References2
OSV
OSV
added 2026/01/15 7:28 p.m.5 views

CVE-2026-23622 CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover

Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EASecurity.php::csrfverify only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from...

8.7CVSS6.7AI score0.00203EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/01/15 3:52 p.m.2 views

CVE-2021-47754 Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)

Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users...

6.9CVSS6.3AI score0.00204EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/01/15 12:0 a.m.5 views

PT-2026-3099

Name of the Vulnerable Software and Affected Versions Easy!Appointments versions 1.5.2 and earlier Description The application's CSRF protection in application/core/EA Security.php::csrf verify only applies to POST requests, bypassing validation for other request methods like GET. Several...

8.8CVSS6AI score0.00203EPSS
Exploits1References9
RedhatCVE
RedhatCVE
added 2026/01/06 6:5 p.m.5 views

CVE-2025-59955

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the /api/v1/teams/teamid/members and /api/v1/teams/current/members API endpoints allows...

7.1CVSS6.2AI score0.00252EPSS
Exploits1References1
OSV
OSV
added 2026/01/05 5:46 p.m.6 views

CVE-2025-59955 Coolify leaksensitive information `email_change_code` in `/api/v1/teams/{team_id | current}/members` API endpoint

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the /api/v1/teams/teamid/members and /api/v1/teams/current/members API endpoints allows...

7.1CVSS6.1AI score0.00252EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/01/05 12:0 a.m.5 views

Coolify 安全漏洞

Coolify is an open source and self-hosted Heroku/Netlify/Vercel replacement from coolLabs Open Source. A security vulnerability exists in Coolify v4.0.0-beta.420.8 and earlier versions, which stems from an information leak in the API endpoint that could lead to unauthorized email address changes...

7.1CVSS6.2AI score0.00252EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2025/12/13 3:59 a.m.5 views

CVE-2025-12963

The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the...

9.8CVSS6.8AI score0.00317EPSS
Exploits0References1
CVE
CVE
added 2025/12/12 3:20 a.m.26 views

CVE-2025-12963

CVE-2025-12963 concerns the LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress. The connected sources confirm a root cause: missing authorization on the REST API endpoint wp-json/lazytasks/api/v1/user/role/edit/ allows unauthenticated users to mo...

9.8CVSS6.4AI score0.00317EPSS
Exploits0References2
OSV
OSV
added 2025/11/04 8:48 p.m.5 views

CVE-2025-55155 MantisBT: Authentication bypass for some passwords due to PHP type juggling

Mantis Bug Tracker MantisBT is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email address, preventing...

5.4CVSS6.4AI score0.00149EPSS
Exploits1References5
Snyk
Snyk
added 2025/11/03 8:12 p.m.2 views

Insufficient Verification of Data Authenticity

Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the email address change. An attacker can cause unauthorized disclosure of information by updating their profile with an email address they do...

5.4CVSS6.2AI score0.00149EPSS
Exploits1References3
NVD
NVD
added 2025/11/01 7:15 a.m.8 views

CVE-2025-6574

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for...

8.8CVSS0.00277EPSS
Exploits0References2
CNNVD
CNNVD
added 2025/10/27 12:0 a.m.9 views

VirtFusion 安全漏洞

VirtFusion is a virtualization management panel from VirtFusion, UK. A security vulnerability exists in VirtFusion 6.0.2 and earlier versions, which stems from an improper restriction of authentication attempts for the Email Change Handler component in the file /account/settings, which could lead...

6.9CVSS5.6AI score0.00427EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2025-27545

Malicious code in bioql PyPI...

8.8CVSS6.5AI score0.003EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/08/16 6:39 a.m.2 views

CVE-2025-8898 Taxi Booking Manager for Woocommerce | E-cab <= 1.3.0 - Missing Authorization to Unauthenticated Privilege Escalation via Account Takeover

The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identit...

9.8CVSS7.8AI score0.00438EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/08/16 6:39 a.m.12 views

CVE-2025-8898 Taxi Booking Manager for Woocommerce | E-cab <= 1.3.0 - Missing Authorization to Unauthenticated Privilege Escalation via Account Takeover

The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identit...

9.8CVSS0.00438EPSS
Exploits0References3
CVE
CVE
added 2025/08/08 6:26 p.m.40 views

CVE-2025-4796

The Eventin WordPress plugin (

8.8CVSS7AI score0.00564EPSS
Exploits3References3Affected Software1
Rows per page
Query Builder