Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

access:pre-auth — CVE vulnerabilities tagged 21158

21158 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE IDTitleCVSSSeverityPublished
CVE-2025-13366 Rabbit Hole <= 1.1 - Cross-Site Request Forgery to Settings Reset — Rabbit HoleCWE-352 4.3 Medium2025-12-12
CVE-2025-14391 Simple Theme Changer <= 1.0 - Cross-Site Request Forgery to Arbitrary Theme Switcher Configuration Update — Simple Theme ChangerCWE-352 4.3 Medium2025-12-12
CVE-2025-14137 Simple AL Slider <= 1.2.10 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] — Simple AL SliderCWE-79 6.1 Medium2025-12-12
CVE-2025-12834 Accept Stripe Payments Using Contact Form 7 <= 3.1 - Reflected Cross-Site Scripting via failure_message — Accept Stripe Payments Using Contact Form 7CWE-79 6.1 Medium2025-12-12
CVE-2025-14160 Upcoming for Calendly <= 1.2.4 - Cross-Site Request Forgery to Settings Update — Upcoming for CalendlyCWE-352 4.3 Medium2025-12-12
CVE-2025-13314 Product Filtering by Categories, Tags, Price Range for WooCommerce <= 1.1.6 - Missing Authorization to Unauthenticated Plugin Settings Modification — Filter Plus – Product Filter & WordPress FilterCWE-862 5.3 Medium2025-12-12
CVE-2025-13987 Purchase and Expense Manager <= 1.1.2 - Cross-Site Request Forgery to Arbitrary Purchase Record Deletion — Purchase and Expense ManagerCWE-352 4.3 Medium2025-12-12
CVE-2025-14062 Animated Pixel Marquee Creator <= 1.0.0 - Cross-Site Request Forgery via 'marquee' Parameter — Animated Pixel Marquee CreatorCWE-352 4.3 Medium2025-12-12
CVE-2025-12963 LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart <= 1.2.29 - Missing Authorization to Uanuthenticated Privilege Escalation — LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt ChartCWE-862 9.8 Critical2025-12-12
CVE-2025-14132 Category Dropdown List <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] — Category Dropdown ListCWE-79 6.1 Medium2025-12-12
CVE-2025-13988 评论小秘书 <= 1.3.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] — 评论小秘书CWE-79 6.1 Medium2025-12-12
CVE-2025-14161 Truefy Embed <= 1.1.0 - Cross-Site Request Forgery to 'truefy_embed_options_update' Settings Update — Truefy EmbedCWE-352 4.3 Medium2025-12-12
CVE-2025-14354 Resource Library for Logged In Users <= 1.5 - Cross-Site Request Forgery to Multiple Administrative Actions — Resource Library for Logged In UsersCWE-352 4.3 Medium2025-12-12
CVE-2025-13363 IMAQ Core <= 1.2.1 - Cross-Site Request Forgery to URL Structure Update — IMAQ CORECWE-352 4.3 Medium2025-12-12
CVE-2025-14165 Kirim.Email WooCommerce Integration <= 1.2.9 - Cross-Site Request Forgery to Settings Update — Kirim.Email WooCommerce IntegrationCWE-352 4.3 Medium2025-12-12
CVE-2025-14044 Visitor Logic Lite <= 1.0.3 - Unauthenticated PHP Object Injection via 'lpblocks' Cookie — Visitor Logic LiteCWE-502 8.1 High2025-12-12
CVE-2025-14158 Coding Blocks <= 1.1.0 - Cross-Site Request Forgery to Settings Update — Coding BlocksCWE-352 4.3 Medium2025-12-12
CVE-2025-13408 Foxtool All-in-One: Contact chat button, Custom login, Media optimize images <= 2.5.2 - Cross-Site Request Forgery to Google OAuth Connection — Foxtool All-in-One: Contact chat button, Custom login, Media optimize imagesCWE-352 4.3 Medium2025-12-12
CVE-2025-12883 Campay Woocommerce Payment Gateway <= 1.2.2 - Unauthenticated Payment Bypass — Campay Woocommerce Payment GatewayCWE-639 5.3 Medium2025-12-12
CVE-2025-14344 Multi Uploader for Gravity Forms <= 1.1.7 - Unauthenticated Arbitrary File Deletion — Multi Uploader for Gravity FormsCWE-22 9.8 Critical2025-12-12
CVE-2025-14129 Like DisLike Voting <= 1.0.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] — Like DisLike VotingCWE-79 6.1 Medium2025-12-12
CVE-2025-14125 Complag <= 1.0.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] — ComplagCWE-79 6.1 Medium2025-12-12
CVE-2025-14162 BMLT WordPress Plugin <= 3.11.4 - Cross-Site Request Forgery to Settings Creation and Deletion — BMLT WordPress SatelliteCWE-352 4.3 Medium2025-12-12
CVE-2025-67780 SpaceX Starlink Dish 安全漏洞 — Starlink DishCWE-306 4.2 Medium2025-12-11
CVE-2024-58312 xbtitFM 4.1.18 Unauthenticated Path Traversal in nfogen.php — xbtitFMCWE-22 7.5AIHighAI2025-12-11
CVE-2024-58310 APC Network Management Card 4 Path Traversal via Directory Traversal — Network Management Card 4CWE-22 7.5AIHighAI2025-12-11
CVE-2024-58309 xbtitFM 4.1.18 Unauthenticated SQL Injection in shoutedit.php — xbtitFMCWE-89 9.8AICriticalAI2025-12-11
CVE-2024-58308 Quick.CMS 6.7 SQL Injection Authentication Bypass via Admin Login — Quick.CMSCWE-89 9.8AICriticalAI2025-12-11
CVE-2024-58300 Siklu MultiHaul TG Series < 2.0.0 Unauthenticated Credential Disclosure Vulnerability — MultiHaul TG seriesCWE-306 9.8AICriticalAI2025-12-11
CVE-2024-58298 Compuware iStrobe Web 20.13 Pre-Auth Remote Code Execution via File Upload — Compuware iStrobe WebCWE-434 9.8AICriticalAI2025-12-11

Vulnerabilities classified as access:pre-auth represent 21158 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.