Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

access:pre-auth — CVE vulnerabilities tagged 21272

21272 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE IDTitleCVSSSeverityPublished
CVE-2025-26198 CloudClassroom-PHP-Project 安全漏洞 — n/a 9.8AICriticalAI2025-06-18
CVE-2025-34509 Sitecore XM and XP Hardcoded Credentials — Experience ManagerCWE-798 7.5 High2025-06-17
CVE-2025-3515 Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.9 - Unauthenticated Arbitrary File Upload via Insufficient Blacklist Checks — Drag and Drop Multiple File Upload for Contact Form 7CWE-434 8.1 High2025-06-17
CVE-2025-3774 Wise Chat <= 3.3.4 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header — Wise ChatCWE-79 7.2 High2025-06-17
CVE-2025-6087 SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint CWE-918 9.1AICriticalAI2025-06-16
CVE-2025-5689 Improper Permission Management in SSH Session Handling — authd 8.5 High2025-06-16
CVE-2025-25264 Overly Permissive CORS Policy in WAGO Device Manager — CC100 0751-9x01CWE-942 6.5 Medium2025-06-16
CVE-2025-6169 HAMASTAR Technology WIMP website co-construction management platform - SQL Injection — WIMPCWE-89 9.8 Critical2025-06-16
CVE-2025-6063 XiSearch bar <= 2.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting — XiSearch barCWE-352 6.1 Medium2025-06-14
CVE-2025-6062 Yougler Blogger Profile Page <= v1.01 - Cross-Site Request Forgery to Settings Update — Yougler Blogger Profile PageCWE-352 4.3 Medium2025-06-14
CVE-2025-4592 AI Image Lab – Free AI Image Generator <= 1.0.6 - Cross-Site Request Forgery to API Key Update — AI Image Lab – Free AI Image GeneratorCWE-352 4.3 Medium2025-06-14
CVE-2025-4200 Zagg - Electronics & Accessories WooCommerce WordPress Theme <= 1.4.1 - Unauthenticated Local File Inclusion — Zagg - Electronics & Accessories WooCommerce WordPress ThemeCWE-98 8.1 High2025-06-14
CVE-2025-6055 Zen Sticky Social <= 0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting — Zen Sticky SocialCWE-352 6.1 Medium2025-06-14
CVE-2025-4187 UserPro - Community and User Profile WordPress Plugin <= 5.1.10 - Unauthenticated Arbitrary File Read — UserPro - Community and User Profile WordPress PluginCWE-22 5.9 Medium2025-06-14
CVE-2025-6040 Easy Flashcards <= 0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting — Easy FlashcardsCWE-79 6.1 Medium2025-06-14
CVE-2025-6064 WP URL Shortener <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting — WP URL ShortenerCWE-352 6.1 Medium2025-06-14
CVE-2025-6065 Image Resizer On The Fly <= 1.1 - Unauthenticated Arbitrary File Deletion — Image Resizer On The FlyCWE-22 9.1 Critical2025-06-14
CVE-2025-6059 Seraphinite Accelerator <= 2.27.21 - Cross-Site Request Forgery to Multiple Administrative Actions — Seraphinite AcceleratorCWE-352 4.3 Medium2025-06-14
CVE-2025-49596 MCP Inspector proxy server lacks authentication between the Inspector client and proxy — inspectorCWE-306 9.8AICriticalAI2025-06-13
CVE-2025-5282 WP Travel Engine <= 6.5.1 - Missing Authorization to Unauthenticated Arbitrary Post Deletion — WP Travel Engine – Tour Booking Plugin – Tour Operator SoftwareCWE-862 7.5 High2025-06-13
CVE-2025-5815 Traffic Monitor <= 3.2.2 - Missing Authorization to Unauthenticated Settings Update — Traffic MonitorCWE-862 5.3 Medium2025-06-13
CVE-2025-5928 WP Sliding Login/Dashboard Panel <= 2.1.1 - Cross-Site Request Forgery to Settings Update — WP Sliding Login/Dashboard PanelCWE-352 4.3 Medium2025-06-13
CVE-2025-5938 Digital Marketing and Agency Templates Addons for Elementor <= 1.1.1 - Cross-Site Request Forgery to Import — Digital Marketing and Agency Templates Addons for ElementorCWE-352 5.3 Medium2025-06-13
CVE-2025-5930 WP2HTML <= 1.0.2 - Cross-Site Request Forgery to Settings Update — WP2HTMLCWE-352 4.3 Medium2025-06-13
CVE-2025-5926 Link Shield <= 0.5.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting — Link ShieldCWE-352 6.1 Medium2025-06-13
CVE-2025-5288 REST API | Custom API Generator For Cross Platform And Import Export In WP 1.0.0 - 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function — REST API | Custom API Generator For Cross Platform And Import Export In WPCWE-862 9.8 Critical2025-06-13
CVE-2025-6003 WordPress Single Sign-On (SSO) - Multiple Versions - Incorrect Authorization to Sensitive Information Exposure — WordPress Single Sign-On (SSO) - Single Site StandardCWE-863 5.3 Medium2025-06-12
CVE-2025-4973 Workreap <= 3.3.1 - Authentication Bypass via 'workreap_verify_user_account' — WorkreapCWE-288 9.8 Critical2025-06-12
CVE-2025-46035 Tenda AC6 安全漏洞 — n/a 7.5AIHighAI2025-06-12
CVE-2025-3302 Xagio SEO <= 7.1.0.16 - Unauthenticated Stored Cross-Site Scripting via 'HTTP_REFERER' — Xagio SEO – AI Powered SEOCWE-79 7.2 High2025-06-11

Vulnerabilities classified as access:pre-auth represent 21272 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.