CVE-2025-14982

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the...

PT-2026-3214

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the...

CVE-2025-69581

An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personaldata endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to...

CVE-2025-69581

An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personaldata endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to...

CVE-2025-69581

Chamillo LMS 1.11.2 has a data exposure flaw on the Social Network /personal_data endpoint due to missing cache-control headers. This allows unauthorized users on the same device to view full sensitive user data after logout (via the browser back button). Root cause: improper cache control. Impac...

PT-2026-3305

Name of the Vulnerable Software and Affected Versions Chamillo LMS version 1.11.2 Description The Social Network /personal data API endpoint in Chamillo LMS does not implement proper cache control, leading to exposure of full sensitive user information even after logout. Utilizing the browser bac...

CVE-2025-69581

An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personaldata endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to...

CVE-2025-14317

In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a loyaltyGuestId parameter. Server does not verify the permissions required to obtain the data. This issue was fixed in version 915 Android and 7.4.1 iOS...

CVE-2025-14854

The WP-CRM System WordPress plugin has an unauthorized-access vulnerability due to missing capability checks in AJAX handlers wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status, affecting all versions up to 3.4.5. Authenticated users with subscriber-level access and above can enu...

CVE-2025-14782

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listenforcsvexport' function. This is due to the plugin not properly verifying that a user is authorized to...

CVE-2023-25645

There is a permission and access control vulnerability in some ZTE AndroidTV STBs. Due to improper permission settings, non-privileged application can perform functions that are protected with signature/privilege-level permissions. Exploitation of this vulnerability could clear personal data and...

CVE-2020-23768

An information disclosure vulnerability was discovered in alipayfunction.php in the log file of Alibaba payment interface on PHPPYUN prior to version 5.0.1. If exploited, this vulnerability will allow attackers to obtain users' personally identifiable information including e-mail address and...

CVE-2025-23777

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in willowsconsulting GDPR Personal Data Reports gdpr-personal-data-reports allows Stored XSS.This issue affects GDPR Personal Data Reports: from n/a through = 1.0.5...

CVE-2025-13679

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getorderbyid function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with...

CVE-2026-0656

The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'checkipaymuresponse' function. This is due to the plugin not validating webhook request authenticity through signature verification or origi...

CVE-2025-14782

CVE-2025-14782 details from Wordfence confirm a direct authorization bypass in the Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress. The issue affects all versions up to and including 1.49.1 and arises from missing authorization checks in the listen_for_csv...

CVE-2025-13679

CVE-2025-13679 (Tutor LMS) : A missing capability check on get_order_by_id() in Tutor LMS ≤ 3.9.3 allows authenticated users with Subscriber+ privileges to enumerate orders and exfiltrate student PII (name, email, phone, billing address). WordPress plugin: Tutor LMS – eLearning and online course ...

PT-2026-1706

Name of the Vulnerable Software and Affected Versions Tutor LMS versions up to and including 3.9.3 Description The Tutor LMS plugin for WordPress is susceptible to unauthorized data access due to a missing capability check within the get order by id function. This allows authenticated attackers...

Spree API has Unauthenticated IDOR - Guest Address

Summary An Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. Details During testing, it was observed that all guest users can make a...

CVE-2026-0656 iPaymu Payment Gateway for WooCommerce <= 2.0.2 - Missing Authentication to Unauthenticated Payment Bypass and Order Information Disclosure

The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'checkipaymuresponse' function. This is due to the plugin not validating webhook request authenticity through signature verification or origi...