Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,782
Quick preset (or use dates below)
Clear Filters
Showing 13,981 - 14,000 of 14,783 CVEs
CVE-2025-13935 MEDIUM - 4.3

The Tutor LMS โ€“ eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authentic...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13934 MEDIUM - 4.3

The Tutor LMS โ€“ eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it poss...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13753 MEDIUM - 4.3

The WP Table Builder โ€“ Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Sub...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13628 MEDIUM - 4.3

The Tutor LMS โ€“ eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3...

Published: Jan 09, 2026
Source: NVD
CVE-2026-20975 MEDIUM - 5.5

Improper handling of insufficient permission in Samsung Cloud prior to version 5.6.11 allows local attackers to access specific files in arbitrary path.

Vendor: samsung
Product: cloud
Published: Jan 09, 2026
Source: NVD
CVE-2026-20973 MEDIUM - 5.3

Out-of-bounds read in libimagecodec.quram.so prior to SMR Jan-2026 Release 1 allows remote attacker to access out-of-bounds memory.

Published: Jan 09, 2026
Source: NVD
CVE-2026-20969 MEDIUM - 5.5

Improper input validation in SecSettings prior to SMR Jan-2026 Release 1 allows local attacker to access file with system privilege. User interaction is required for triggering this vulnerability.

Vendor: samsung
Product: android
Published: Jan 09, 2026
Source: NVD
CVE-2026-20968 MEDIUM - 6.7

Use after free in DualDAR prior to SMR Jan-2026 Release 1 allows local privileged attackers to execute arbitrary code.

Vendor: samsung
Product: android
Published: Jan 09, 2026
Source: NVD
CVE-2026-0563 MEDIUM - 6.4

The WP Google Street View (with 360ยฐ virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsv_map' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This make...

Published: Jan 09, 2026
Source: NVD
CVE-2025-15019 MEDIUM - 6.4

The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping....

Published: Jan 09, 2026
Source: NVD
CVE-2025-14980 MEDIUM - 6.5

The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API ...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14893 MEDIUM - 6.4

The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access ...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14782 MEDIUM - 5.3

The Forminator Forms โ€“ Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is auth...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14720 MEDIUM - 5.3

The Booking for Appointments and Events Calendar โ€“ Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunde...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14718 MEDIUM - 5.4

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attacke...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14574 MEDIUM - 5.3

The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API key...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14803 MEDIUM - 6.8

The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting.

Published: Jan 09, 2026
Source: NVD
CVE-2025-13749 MEDIUM - 4.3

The Clearfy Cache โ€“ WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it po...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14886 MEDIUM - 5.3

The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as...

Published: Jan 09, 2026
Source: NVD
CVE-2025-66315 MEDIUM - 4.3

There is a configuration defect vulnerability in the version server of ZTE MF258K Pro products. Due to improper directory permission settings, an attacker can execute write permissions in a specific directory.

Published: Jan 09, 2026
Source: NVD