Missing Authorization vulnerability in Wiremo Wiremo woo-reviews-by-wiremo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wiremo: from n/a through <= 1.4.99.

Cross-Site Request Forgery (CSRF) vulnerability in MERGADO Mergado Pack mergado-marketing-pack allows Cross Site Request Forgery.This issue affects Mergado Pack: from n/a through <= 4.2.1.

Missing Authorization vulnerability in Web Builder 143 Sticky Notes for WP Dashboard wb-sticky-notes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sticky Notes for WP Dashboard: from n/a through <= 1.2.4.

Cross-Site Request Forgery (CSRF) vulnerability in Imdad Next Web iNext Woo Pincode Checker inext-woo-pincode-checker allows Cross Site Request Forgery.This issue affects iNext Woo Pincode Checker: from n/a through <= 2.3.1.

Cross-Site Request Forgery (CSRF) vulnerability in Channelize.io Team Live Shopping &amp; Shoppable Videos For WooCommerce live-shopping-video-streams allows Cross Site Request Forgery.This issue affects Live Shopping &amp; Shoppable Videos For WooCommerce: from n/a through <= 2.2.0.

Missing Authorization vulnerability in Damian WP Export Categories &amp; Taxonomies wp-export-categories-taxonomies allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Export Categories &amp; Taxonomies: from n/a through <= 1.0.3.

A local privilege escalation vulnerability exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The flaw is a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management logic. The regService process, which runs with SYSTEM privileges, creates a fixed directory and writes files without verifying whether the path is an NTFS reparse point. By exploiting this race condition, an attacker can replace the target directory with a junction pointing to a user-controlled path. This causes the SYSTEM-level process to drop binaries in a location fully controlled by the attacker, allowing arbitrary code execution with SYSTEM privileges. The vulnerability can be exploited by any standard user with only a single UAC confirmation, making it highly practical and dangerous in real-world environments.

Insertion of Sensitive Information Into Sent Data vulnerability in Efí Bank Gerencianet Oficial woo-gerencianet-official allows Retrieve Embedded Sensitive Data.This issue affects Gerencianet Oficial: from n/a through <= 3.1.3.

Cross-Site Request Forgery (CSRF) vulnerability in appointify Appointify appointify allows Cross Site Request Forgery.This issue affects Appointify: from n/a through <= 1.0.8.

Missing Authorization vulnerability in Mykola Lukin Orders Chat for WooCommerce orders-chat-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Orders Chat for WooCommerce: from n/a through <= 1.2.0.

Missing Authorization vulnerability in Flowbox Flowbox flowbox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flowbox: from n/a through <= 1.1.6.

Authorization Bypass Through User-Controlled Key vulnerability in Eduardo Villão MyD Delivery myd-delivery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MyD Delivery: from n/a through <= 1.7.1.

A security flaw has been discovered in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Authorization Bypass Through User-Controlled Key vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9.4.

Missing Authorization vulnerability in WP Grids EasyTest convertpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EasyTest: from n/a through <= 1.0.1.

Missing Authorization vulnerability in topdevs.net Simple Like Page simple-facebook-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Like Page: from n/a through <= 1.5.3.

Missing Authorization vulnerability in quadlayers QuadLayers TikTok Feed wp-tiktok-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects QuadLayers TikTok Feed: from n/a through <= 4.6.5.

Missing Authorization vulnerability in nicdark Hotel Booking nd-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Booking: from n/a through <= 3.8.

Missing Authorization vulnerability in Marco Milesi WP Attachments wp-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Attachments: from n/a through <= 5.2.

Missing Authorization vulnerability in nikmelnik Realbig realbig-media allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Realbig: from n/a through <= 1.1.3.

Missing Authorization vulnerability in NewClarity DMCA Protection Badge dmca-badge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DMCA Protection Badge: from n/a through <= 2.2.0.

Missing Authorization vulnerability in Information Technology Wawp automation-web-platform allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wawp: from n/a through <= 4.4.

Insertion of Sensitive Information Into Sent Data vulnerability in Vladimir Statsenko Terms descriptions terms-descriptions allows Retrieve Embedded Sensitive Data.This issue affects Terms descriptions: from n/a through <= 3.4.10.

Missing Authorization vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Add Custom Codes: from n/a through <= 4.80.

Missing Authorization vulnerability in totalsoft Portfolio Gallery gallery-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Portfolio Gallery: from n/a through <= 1.4.8.