Latest CVE Feed
-
4.3
MEDIUMCVE-2025-62083
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Messiah BoomDevs WordPress Coming Soon Plugin allows Retrieve Embedded Sensitive Data.This issue affects BoomDevs WordPress Coming Soon Plugin: from n/a through... Read more
Affected Products :- Published: Dec. 31, 2025
- Modified: Jan. 20, 2026
- Vuln Type: Information Disclosure
-
4.3
MEDIUMCVE-2025-15376
The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for_comments' and 'delete_stopwords_for_comments' function... Read more
Affected Products :- Published: Jan. 14, 2026
- Modified: Jan. 14, 2026
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-14482
The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it p... Read more
Affected Products :- Published: Jan. 14, 2026
- Modified: Jan. 14, 2026
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2026-1003
The GetGenie plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.0. This is due to the plugin not properly verifying that a user is authorized to delete a specific post. This makes it possible for authentic... Read more
Affected Products :- Published: Jan. 16, 2026
- Modified: Jan. 16, 2026
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-14853
The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthentic... Read more
Affected Products :- Published: Jan. 16, 2026
- Modified: Jan. 16, 2026
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-69221
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no permissions for t... Read more
Affected Products : librechat- Published: Jan. 07, 2026
- Modified: Jan. 15, 2026
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-68140
EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. However, if no session has been registered, th... Read more
Affected Products :- Published: Jan. 21, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authentication
-
4.3
MEDIUMCVE-2026-0497
SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.... Read more
Affected Products :- Published: Jan. 13, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Information Disclosure
-
4.3
MEDIUMCVE-2026-0493
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an... Read more
Affected Products :- Published: Jan. 13, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-13934
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_e... Read more
Affected Products : tutor_lms- Published: Jan. 09, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-66315
There is a configuration defect vulnerability in the version server of ZTE MF258K Pro products. Due to improper directory permission settings, an attacker can execute write permissions in a specific directory.... Read more
Affected Products :- Published: Jan. 09, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Misconfiguration
-
4.3
MEDIUMCVE-2025-13935
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. T... Read more
Affected Products : tutor_lms- Published: Jan. 09, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-13921
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' functi... Read more
Affected Products :- Published: Jan. 23, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-62080
Cross-Site Request Forgery (CSRF) vulnerability in Channelize.Io Team Live Shopping & Shoppable Videos For WooCommerce allows Cross Site Request Forgery.This issue affects Live Shopping & Shoppable Videos For WooCommerce: from n/a through 2.2.0.... Read more
Affected Products :- Published: Dec. 31, 2025
- Modified: Jan. 20, 2026
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2026-22784
Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. Wh... Read more
Affected Products : lychee- Published: Jan. 12, 2026
- Modified: Jan. 16, 2026
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2026-0674
Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Campaign Monitor for WordPress: from n/a through <... Read more
Affected Products : campaign_monitor- Published: Jan. 08, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-13628
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all version... Read more
Affected Products : tutor_lms- Published: Jan. 09, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2026-23724
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-con... Read more
Affected Products : wegia- Published: Jan. 16, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Cross-Site Scripting
-
4.3
MEDIUMCVE-2026-23731
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, The web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is ... Read more
Affected Products : wegia- Published: Jan. 16, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Misconfiguration
-
4.3
MEDIUMCVE-2025-31046
Missing Authorization vulnerability in WPvibes AnyWhere Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyWhere Elementor Pro: from n/a through 2.29.... Read more
Affected Products :- Published: Jan. 05, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Authorization