Total
7692 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-47527 | 2026-04-15 | N/A | ||
| Missing Authorization vulnerability in Icegram Icegram Collect icegram-rainmaker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Icegram Collect: from n/a through <= 1.3.18. | ||||
| CVE-2025-48147 | 2026-04-15 | N/A | ||
| Missing Authorization vulnerability in Crypto Cloud CryptoCloud - Crypto Payment Gateway cryptocloud-crypto-payment-gateway allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CryptoCloud - Crypto Payment Gateway: from n/a through <= 2.1.2. | ||||
| CVE-2025-8565 | 2 Wordpress, Wplegalpages | 2 Wordpress, Wp Legal Pages | 2026-04-15 | 8.1 High |
| The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on the wplp_gdpr_install_plugin_ajax_handler() function in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to install arbitrary repository plugins. | ||||
| CVE-2024-12618 | 2 Newsletter2go, Wordpress | 2 Newsletter2go, Wordpress | 2026-04-15 | 4.3 Medium |
| The Newsletter2Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resetStyles' AJAX action in all versions up to, and including, 4.0.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset styles. | ||||
| CVE-2025-11833 | 2 Saadiqbal, Wordpress | 2 Post Smtp, Wordpress | 2026-04-15 | 9.8 Critical |
| The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover. | ||||
| CVE-2025-49265 | 1 Wpswings | 1 Membership For Woocommerce | 2026-04-15 | N/A |
| Missing Authorization vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Membership For WooCommerce: from n/a through <= 2.8.1. | ||||
| CVE-2025-7689 | 2 Themefic, Wordpress | 2 Hydra Booking, Wordpress | 2026-04-15 | 8.8 High |
| The Hydra Booking plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the tfhb_reset_password_callback() function in versions 1.1.0 to 1.1.18. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the password of an Administrator user, achieving full privilege escalation. | ||||
| CVE-2025-12845 | 2 Essekia, Wordpress | 2 Tablesome Table – Contact Form Db – Wpforms, Cf7, Gravity, Forminator, Fluent, Wordpress | 2026-04-15 | 8.8 High |
| The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve plugin table data that can expose email log information. Attackers can leverage this on sites where the table log is enabled in order to trigger a password reset and obtain the reset key. | ||||
| CVE-2025-14581 | 2 Villatheme, Wordpress | 2 Happy, Wordpress | 2026-04-15 | 4.3 Medium |
| The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket. | ||||
| CVE-2025-10706 | 2 Cridio Studio, Wordpress | 2 Classifiedpro, Wordpress | 2026-04-15 | 8.8 High |
| The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwp_addons_update_plugin_cb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible. Note: The required nonce for the vulnerability is in the CubeWP Framework plugin. | ||||
| CVE-2025-48271 | 2026-04-15 | N/A | ||
| Missing Authorization vulnerability in Leadinfo Leadinfo leadinfo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadinfo: from n/a through <= 1.1. | ||||
| CVE-2025-10184 | 2 Google, Oneplus | 2 Android, Oxygenos | 2026-04-15 | N/A |
| The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers. | ||||
| CVE-2025-13093 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update leads tags. | ||||
| CVE-2025-1666 | 2026-04-15 | 4.3 Medium | ||
| The Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_uninstall_survey() function in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit the uninstall survey on behalf of a website. | ||||
| CVE-2025-1682 | 2026-04-15 | 8.8 High | ||
| The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'save_settings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user role. | ||||
| CVE-2025-1681 | 2026-04-15 | 5.4 Medium | ||
| The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files. | ||||
| CVE-2025-14913 | 2 Wordpress, Wpshuffle | 2 Wordpress, Frontend Post Submission Manager | 2026-04-15 | 5.3 Medium |
| The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments. | ||||
| CVE-2025-12847 | 2 Smub, Wordpress | 2 All In One Seo, Wordpress | 2026-04-15 | 4.3 Medium |
| The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs. | ||||
| CVE-2025-10938 | 2 Uipress, Wordpress | 2 Uipress Lite, Wordpress | 2026-04-15 | 6.5 Medium |
| The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uip_process_block_query' AJAX function. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive user data including password hashes, emails, and other user information that could be used for account takeover attacks. | ||||
| CVE-2025-10753 | 2 Cyberlord92, Wordpress | 2 Oauth Single Sign On – Sso (oauth Client), Wordpress | 2026-04-15 | 5.3 Medium |
| The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the 'oauthredirect' option parameter. This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter granted they can access the site directly. | ||||