Total
5592 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-12469 | 2025-11-05 | N/A | 4.3 MEDIUM | ||
| The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content. | |||||
| CVE-2025-12675 | 2025-11-05 | N/A | 4.3 MEDIUM | ||
| The KiotViet Sync plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveConfig() function in all versions up to, and including, 1.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's config. | |||||
| CVE-2025-12384 | 2025-11-05 | N/A | 8.6 HIGH | ||
| The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to unauthorized access/modification/loss of data in all versions up to, and including, 2.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "bplde_save_document_library", "bplde_get_all", "bplde_get_single", and "bplde_delete_document_library" functions. This makes it possible for unauthenticated attackers to create, read, update, and delete arbitrary document_library posts. | |||||
| CVE-2025-11373 | 2025-11-05 | N/A | 4.3 MEDIUM | ||
| The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability checks in the "depicter-media-upload" AJAX route in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files on the affected site's server. | |||||
| CVE-2025-11835 | 2025-11-05 | N/A | 5.3 MEDIUM | ||
| The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability and validation check on the PMS_AJAX_Checkout_Handler::process_payment() function in all versions up to, and including, 2.16.4. This makes it possible for unauthenticated attackers to trigger stored auto-renew charges for arbitrary members. | |||||
| CVE-2025-12582 | 2025-11-05 | N/A | 4.3 MEDIUM | ||
| The Features plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'features_revert_option AJAX endpoint in all versions up to, and including, 0.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revert options. | |||||
| CVE-2025-64150 | 1 Jenkins | 1 Publish To Bitbucket | 2025-11-04 | N/A | 5.4 MEDIUM |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2025-64148 | 1 Jenkins | 1 Publish To Bitbucket | 2025-11-04 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2025-64142 | 1 Jenkins | 1 Nexus Task Runner | 2025-11-04 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2025-64139 | 1 Jenkins | 1 Start Windocks Container | 2025-11-04 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2025-64137 | 1 Jenkins | 1 Themis | 2025-11-04 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Themis Plugin 1.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | |||||
| CVE-2025-64132 | 2025-11-04 | N/A | 5.4 MEDIUM | ||
| Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in multiple MCP tools, allowing attackers to trigger builds and obtain information about job and cloud configuration they should not be able to access. | |||||
| CVE-2025-59475 | 1 Jenkins | 1 Jenkins | 2025-11-04 | N/A | 4.3 MEDIUM |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed). | |||||
| CVE-2025-59474 | 1 Jenkins | 1 Jenkins | 2025-11-04 | N/A | 5.3 MEDIUM |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget. | |||||
| CVE-2025-58460 | 1 Jenkins | 1 Opentelemetry | 2025-11-04 | N/A | 4.2 MEDIUM |
| A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2025-49829 | 1 Cyberark | 1 Conjur | 2025-11-04 | N/A | 6.5 MEDIUM |
| Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allows authenticated attackers to inject resources into the database and to bypass permission checks. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. | |||||
| CVE-2023-42896 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-11-04 | N/A | 5.5 MEDIUM |
| An issue was addressed with improved handling of temporary files. This issue is fixed in macOS Monterey 12.7.2, macOS Ventura 13.6.3, iOS 17.2 and iPadOS 17.2, iOS 16.7.3 and iPadOS 16.7.3, macOS Sonoma 14.2. An app may be able to modify protected parts of the file system. | |||||
| CVE-2023-39167 | 1 Enbw | 2 Senec Storage Box, Senec Storage Box Firmware | 2025-11-04 | N/A | 7.5 HIGH |
| In SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data. | |||||
| CVE-2024-23230 | 1 Apple | 1 Macos | 2025-11-04 | N/A | 5.5 MEDIUM |
| This issue was addressed with improved file handling. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to access sensitive user data. | |||||
| CVE-2024-40834 | 1 Apple | 1 Macos | 2025-11-04 | N/A | 4.4 MEDIUM |
| This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sonoma 14.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. A shortcut may be able to bypass sensitive Shortcuts app settings. | |||||