Total
834 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31933 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can check the existence of usernames in the system by querying an API. | |||||
| CVE-2025-31654 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms"). | |||||
| CVE-2025-31950 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can obtain EV charger energy consumption information of other users. | |||||
| CVE-2025-27565 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs. | |||||
| CVE-2025-27575 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID. | |||||
| CVE-2025-31949 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An authenticated attacker can obtain any plant name by knowing the plant ID. | |||||
| CVE-2025-31357 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can obtain a user's plant list by knowing the username. | |||||
| CVE-2025-25276 | 2025-04-16 | N/A | 5.3 MEDIUM | ||
| An unauthenticated attacker can hijack other users' devices and potentially control them. | |||||
| CVE-2025-26977 | 1 Ninjateam | 1 Filebird | 2025-04-15 | N/A | 3.8 LOW |
| Authorization Bypass Through User-Controlled Key vulnerability in Ninja Team Filebird allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filebird: from n/a through 6.4.2.1. | |||||
| CVE-2025-3282 | 2025-04-15 | N/A | 5.3 MEDIUM | ||
| The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_membership_register_member() due to missing validation on the 'membership_id' user controlled key. This makes it possible for unauthenticated attackers to update any user's membership to any other active or non-active membership type. | |||||
| CVE-2025-3575 | 2025-04-15 | N/A | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/establecerUsuarioSeleccion" endpoint. | |||||
| CVE-2025-3574 | 2025-04-15 | N/A | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/obtenerFamiliaUsuario" endpoint. | |||||
| CVE-2025-3292 | 2025-04-15 | N/A | 4.3 MEDIUM | ||
| The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_update_profile_details() due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to update other user's passwords, if they have access to the user ID and email. | |||||
| CVE-2024-33668 | 1 Zammad | 1 Zammad | 2025-04-15 | N/A | 9.1 CRITICAL |
| An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to. | |||||
| CVE-2022-4097 | 1 Updraftplus | 1 All-in-one Security | 2025-04-14 | N/A | 5.3 MEDIUM |
| The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more). | |||||
| CVE-2024-12335 | 1 Theme-fusion | 1 Avada Builder | 2025-04-14 | N/A | 4.3 MEDIUM |
| The Avada (Fusion) Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.11.12 via the handle_clone_post() function and the 'fusion_blog' shortcode and due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | |||||
| CVE-2022-4239 | 2025-04-14 | N/A | 6.5 MEDIUM | ||
| The Workreap WordPress theme before 2.6.4 does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreap_addons_service_remove action, allowing any user to delete any post by knowing or guessing the id. | |||||
| CVE-2023-36238 | 1 Webkul | 1 Bagisto | 2025-04-14 | N/A | 6.5 MEDIUM |
| Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter. | |||||
| CVE-2024-47316 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-04-11 | N/A | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Salon Booking System Salon booking system.This issue affects Salon booking system: from n/a through 10.9. | |||||
| CVE-2024-10670 | 1 Nicheaddons | 1 Primary Addon For Elementor | 2025-04-11 | N/A | 4.3 MEDIUM |
| The Primary Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.6.2 via the [prim_elementor_template] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created with Elementor that they should not have access to. | |||||