Search Results (11952 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-38743 1 Upqode 1 Plum 2026-04-15 5.3 Medium
Access Control vulnerability in Upqode Plum: Spin Wheel & Email Pop-up allows . This issue affects Plum: Spin Wheel & Email Pop-up: from n/a through 2.0.
CVE-2025-62736 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
Missing Authorization vulnerability in opicron Image Cleanup image-cleanup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Cleanup: from n/a through <= 1.9.2.
CVE-2024-37276 1 Fifu 1 Featured Image From Url 2026-04-15 5.3 Medium
Missing Authorization vulnerability in fifu.App Featured Image from URL allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Image from URL: from n/a through 4.8.1.
CVE-2025-64219 2 Strategy11, Wordpress 2 Business Directory Plugin - Easy Listing Directories, Wordpress 2026-04-15 4.3 Medium
Missing Authorization vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business Directory: from n/a through <= 6.4.18.
CVE-2024-38699 1 Wpswings 1 Wallet System For Woocommerce 2026-04-15 7.5 High
Missing Authorization vulnerability in WP Swings Wallet System for WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Wallet System for WooCommerce: from n/a through 2.5.13.
CVE-2025-64179 1 Treeverse 1 Lakefs 2026-04-15 5.3 Medium
lakeFS is an open-source tool that transforms object storage into a Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. This issue is fixed in version 1.71.0 . To workaround the vulnerability, use a load-balancer or application level firewall in order to block the request route /api/v1/usage-report/summary.
CVE-2024-38690 1 Ipanorama 360 Wordpress Virtual Tour Builder Project 1 Ipanorama 360 Wordpress Virtual Tour Builder 2026-04-15 5.3 Medium
Missing Authorization vulnerability in Avirtum iPanorama 360 WordPress Virtual Tour Builder allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects iPanorama 360 WordPress Virtual Tour Builder: from n/a through 1.8.3.
CVE-2025-64229 2 Boldgrid, Wordpress 2 Client Invoicing By Sprout Invoices, Wordpress 2026-04-15 4.3 Medium
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.7.
CVE-2025-64171 1 Marin3r 1 Marin3r 2026-04-15 6.5 Medium
MARIN3R is a lightweight, CRD based envoy control plane for kubernetes. In versions 0.13.3 and below, there is a cross-namespace secret access vulnerability in the project's DiscoveryServiceCertificate which allows users to bypass RBAC and access secrets in unauthorized namespaces. This issue is fixed in version 0.13.4.
CVE-2025-42955 1 Sap 1 Cloud Connector 2026-04-15 3.5 Low
Due to a missing authorization check in SAP Cloud Connector, an attacker on an adjacent network with low privileges could send a crafted request to the endpoint responsible for testing LDAP connections. A successful exploit could lead to reduced performance, hence a low-impact on availability of the service. Confidentiality and integrity of the data are not affected.
CVE-2024-1994 2026-04-15 4.3 Medium
The Image Watermark plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the watermark_action_ajax() function in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to apply and remove watermarks from images.
CVE-2025-30074 1 Parallels 1 Parallels Desktop 2026-04-15 7.8 High
Alludo Parallels Desktop before 19.4.2 and 20.x before 20.2.2 for macOS on Intel platforms allows privilege escalation to root via the VM creation routine.
CVE-2025-42984 2026-04-15 5.4 Medium
SAP S/4HANA Manage Central Purchase Contract does not perform necessary authorization checks for an authenticated user. Due to this, an attacker could execute the function import on the entity making it inaccessible for unrestricted user. This has low impact on confidentiality and availability of the application.
CVE-2025-43004 2026-04-15 5.3 Medium
Due to a security misconfiguration vulnerability, customers can develop Production Operator Dashboards (PODs) that enable outside users to access customer data when they access these dashboards. Since no mechanisms exist to enforce authentication, malicious unauthenticated users can view non-sensitive customer information. However, this does not affect data integrity or availability.
CVE-2025-11378 2 Shortpixel, Wordpress 3 Image Optimizer, Shortpixel Image Optimizer, Wordpress 2026-04-15 5.4 Medium
The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to export and import site options.
CVE-2025-3063 1 Wordpress 1 Wordpress 2026-04-15 8.8 High
The Shopper Approved Reviews plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_callback_update_sa_option() function in versions 2.0 to 2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVE-2025-43009 2026-04-15 6.3 Medium
SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on Confidentiality, integrity and availability of the application.
CVE-2025-5894 2026-04-15 8.8 High
Smart Parking Management System from Honding Technology has a Missing Authorization vulnerability, allowing remote attackers with regular privileges to access a specific functionality to create administrator accounts, and subsequently log into the system using those accounts.
CVE-2025-9228 1 Mobile-industrial-robots 5 Mir100, Mir1000, Mir200 and 2 more 2026-04-15 4.3 Medium
MiR software versions prior to version 3.0.0 have insufficient authorization controls when creating text notes, allowing low-privilege users to create notes which are intended only for administrative users.
CVE-2025-67584 1 Wordpress 1 Wordpress 2026-04-15 5.3 Medium
Missing Authorization vulnerability in rtCamp GoDAM godam allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GoDAM: from n/a through <= 1.4.6.