31 matches found
CVE-2026-40291
Chamilo LMS exposes an insecure direct object modification in PUT /api/users/{id} prior to version 2.0.0-RC.3, allowing any authenticated user with ROLE_STUDENT to escalate to ROLE_ADMIN by modifying their own roles field. The API Platform check is_granted('EDIT', object) only verifies ownership,...
CVE-2025-1682
The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'savesettings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user ro...
CVE-2023-53908
CVE-2023-53908 affects Belden HiSecOS 04.0.01. A privilege-escalation flaw allows authenticated users to modify their access role via crafted XML in NETCONF payloads sent to the /mops_data endpoint, elevating to administrative level. Affected component: XML-based NETCONF configuration handling; r...
EUVD-2014-0153
Malware in sbrugna...
EUVD-2023-44281
Malicious code in bioql PyPI...
EUVD-2024-44445
Malicious code in bioql PyPI...
EUVD-2023-54021
Malicious code in bioql PyPI...
EUVD-2023-54111
Malicious code in bioql PyPI...
EUVD-2023-54164
Malicious code in bioql PyPI...
EUVD-2023-58276
Malicious code in bioql PyPI...
EUVD-2025-10842
Malicious code in bioql PyPI...
EUVD-2025-5486
Malicious code in bioql PyPI...
CVE-2023-6009
The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userproupdateuserprofile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify...
CVE-2023-3636
The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the 'saveusersmapname' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modif...
CVE-2023-2833
The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rxsetscreenoptions' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their...
CVE-2025-2907
The CVE-2025-2907 issue affects the WordPress plugin Order Delivery Date Pro for WooCommerce (versions before 12.3.1). The root cause is missing authorization and CSRF checks when importing settings, allowing an unauthenticated attacker to update arbitrary options such as default_user_role to adm...
CVE-2024-4870
The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the 'cf7frr' post meta. This makes it possible for authenticated attackers, with editor-level access and above, to modify...
CVE-2024-4870 Frontend Registration – Contact Form 7 <= 5.1 - Authenticated (Editor+) Privilege Escalation
The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the 'cf7frr' post meta. This makes it possible for authenticated attackers, with editor-level access and above, to modify...
UserPro < 5.1.5 - Authenticated (Subscriber+) Privilege Escalation
Description: The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userproupdateuserprofile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber,...