Total
7275 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-24532 | 1 Wordpress | 1 Wordpress | 2026-02-17 | 4.3 Medium |
| Missing Authorization vulnerability in SiteLock SiteLock Security – WP Hardening, Login Security & Malware Scans allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteLock Security – WP Hardening, Login Security & Malware Scans: from n/a through 5.0.2. | ||||
| CVE-2023-1333 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-02-13 | 4.3 Medium |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_page_cache function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete the plugin's cache. | ||||
| CVE-2026-1671 | 2 Switcorp, Wordpress | 2 Activity Log For Wordpress, Wordpress | 2026-02-13 | 6.5 Medium |
| The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winter_activity_log_action() function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view potentially sensitive information (e.g., the password of a higher level user, such as an administrator) contained in the exposed log files. | ||||
| CVE-2026-1104 | 2 Ninjateam, Wordpress | 2 Fastdup – Fastest Wordpress Migration & Duplicator, Wordpress | 2026-02-13 | 8.8 High |
| The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files. | ||||
| CVE-2026-25531 | 1 Kanboard | 1 Kanboard | 2026-02-13 | 4.3 Medium |
| Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50. | ||||
| CVE-2025-30398 | 1 Microsoft | 3 Nuance Powerscribe, Nuance Powerscribe 360, Nuance Powerscribe One | 2026-02-13 | 8.1 High |
| Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-25939 | 1 Frangoteam | 1 Fuxa | 2026-02-13 | 9.1 Critical |
| FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11. | ||||
| CVE-2025-49723 | 1 Microsoft | 16 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 13 more | 2026-02-13 | 8.8 High |
| Missing authorization in Windows StateRepository API allows an authorized attacker to perform tampering locally. | ||||
| CVE-2025-50171 | 1 Microsoft | 12 Server, Windows, Windows 10 21h2 and 9 more | 2026-02-13 | 9.1 Critical |
| Missing authorization in Remote Desktop Server allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-14592 | 1 Gitlab | 1 Gitlab | 2026-02-13 | 3.7 Low |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint. | ||||
| CVE-2026-21743 | 1 Fortinet | 1 Fortiauthenticator | 2026-02-12 | 6.8 Medium |
| A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-only user to make modification to local users via a file upload to an unprotected endpoint. | ||||
| CVE-2025-67574 | 2 Wordpress, Wpdevart | 2 Wordpress, Booking Calendar | 2026-02-12 | 5.3 Medium |
| Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.30. | ||||
| CVE-2026-1537 | 2 Latepoint, Wordpress | 2 Latepoint – Calendar Booking Plugin For Appointments And Events, Wordpress | 2026-02-12 | 5.3 Medium |
| The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details. | ||||
| CVE-2026-25036 | 2 Wordpress, Wpchill | 2 Wordpress, Passster | 2026-02-12 | 6.5 Medium |
| Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Passster: from n/a through <= 4.2.25. | ||||
| CVE-2025-15524 | 2 Fooplugins, Wordpress | 2 Gallery By Foogallery, Wordpress | 2026-02-11 | 4.3 Medium |
| The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve metadata (name, image count, thumbnail URL) of private, draft, and password-protected galleries by enumerating gallery IDs. | ||||
| CVE-2025-15400 | 2 Openpix, Wordpress | 2 Pix Para Woocommerce, Wordpress | 2026-02-11 | 6.5 Medium |
| The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated users, such as subscribers to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality. | ||||
| CVE-2026-1748 | 2 Kirilkirkov, Wordpress | 2 Invoct – Pdf Invoices & Billing For Woocommerce, Wordpress | 2026-02-11 | 4.3 Medium |
| The Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve invoice clients, invoice items, and list of WordPress users along with their emails. | ||||
| CVE-2026-1786 | 2 Badbreze, Wordpress | 2 Twitter Posts To Blog, Wordpress | 2026-02-11 | 6.5 Medium |
| The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dg_tw_options' function in all versions up to, and including, 1.11.25. This makes it possible for unauthenticated attackers to update plugin settings including Twitter API credentials, post author, post status, and the capability required to access the plugin's admin menu. | ||||
| CVE-2026-1833 | 2 Sm Rasmy, Wordpress | 2 Wamate Confirm – Order Confirmation, Wordpress | 2026-02-11 | 5.3 Medium |
| The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to block and unblock phone numbers, which should be restricted to administrators. | ||||
| CVE-2025-13391 | 2 Moomoo, Wordpress | 2 Product Options And Price Calculation Formulas For Woocommerce – Uni Cpo (premium), Wordpress | 2026-02-11 | 5.8 Medium |
| The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60. | ||||