Vulnerabilities (CVE)

Filtered by CWE-862
Total 5241 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-49829 1 Cyberark 1 Conjur 2025-09-11 N/A 6.5 MEDIUM
Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allows authenticated attackers to inject resources into the database and to bypass permission checks. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.
CVE-2025-53348 2025-09-11 N/A 5.3 MEDIUM
Missing Authorization vulnerability in Laborator Kalium. This issue affects Kalium: from n/a through 3.18.3.
CVE-2025-39553 2025-09-11 N/A 4.3 MEDIUM
Missing Authorization vulnerability in andy_moyle Church Admin. This issue affects Church Admin: from n/a through 5.0.9.
CVE-2025-39541 2025-09-11 N/A 6.5 MEDIUM
Missing Authorization vulnerability in Roland Murg WP Simple Booking Calendar. This issue affects WP Simple Booking Calendar: from n/a through 2.0.13.
CVE-2025-53291 2025-09-11 N/A 5.4 MEDIUM
Missing Authorization vulnerability in spoddev2021 Spreadconnect. This issue affects Spreadconnect: from n/a through 2.1.5.
CVE-2025-49860 2025-09-11 N/A 5.3 MEDIUM
Missing Authorization vulnerability in Majestic Support Majestic Support. This issue affects Majestic Support: from n/a through 1.1.0.
CVE-2025-53340 2025-09-11 N/A 5.3 MEDIUM
Missing Authorization vulnerability in awesomesupport Awesome Support. This issue affects Awesome Support: from n/a through 6.3.4.
CVE-2025-58753 2025-09-11 N/A N/A
Copyparty is a portable file server. In versions prior to 1.19.8, there was a missing permission-check in the shares feature (the `shr` global-option). When a share was created for just one file inside a folder, it was possible to access the other files inside that folder by guessing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This issue did not affect filekeys or dirkeys. Version 1.19.8 fixes the issue.
CVE-2025-58976 2025-09-11 N/A 4.3 MEDIUM
Missing Authorization vulnerability in Equalize Digital Accessibility Checker by Equalize Digital allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Checker by Equalize Digital: from n/a through 1.31.0.
CVE-2025-58981 2025-09-11 N/A 5.4 MEDIUM
Missing Authorization vulnerability in Equalize Digital Accessibility Checker by Equalize Digital allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Checker by Equalize Digital: from n/a through 1.31.0.
CVE-2025-58980 2025-09-11 N/A 5.3 MEDIUM
Missing Authorization vulnerability in recorp Export WP Page to Static HTML/CSS allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Export WP Page to Static HTML/CSS: from n/a through 4.1.0.
CVE-2025-59005 2025-09-11 N/A 4.3 MEDIUM
Missing Authorization vulnerability in frenify Categorify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Categorify: from n/a through 1.0.7.5.
CVE-2025-58978 2025-09-11 N/A 5.3 MEDIUM
Missing Authorization vulnerability in WP Swings PDF Generator for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF Generator for WordPress: from n/a through 1.5.4.
CVE-2025-58979 2025-09-11 N/A 5.3 MEDIUM
Missing Authorization vulnerability in BerqWP BerqWP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BerqWP: from n/a through 2.2.53.
CVE-2025-9979 2025-09-11 N/A 4.3 MEDIUM
The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data.
CVE-2025-8423 2025-09-11 N/A 5.4 MEDIUM
The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mtswpt_remove_plugin() and ajax_update_export_code() functions in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete arbitrary WordPress options which can cause a denial of service.
CVE-2025-8778 2025-09-11 N/A 4.3 MEDIUM
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings.
CVE-2025-10040 2025-09-11 N/A 7.7 HIGH
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.
CVE-2025-8425 2025-09-11 N/A 8.8 HIGH
The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_import_strings() function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVE-2025-0763 2025-09-11 N/A 4.3 MEDIUM
The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_custom_fields function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin custom fields.