Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-25917

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-26 Dec, 2020 | 01:50
Updated At-04 Aug, 2024 | 15:49
Rejected At-
Credits

Stratodesk NoTouch Center before 4.4.68 is affected by: Incorrect Access Control. A low privileged user on the platform, for example a user with "helpdesk" privileges, can perform privileged operations including adding a new administrator to the platform via the easyadmin/user/submitCreateTCUser.do page.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:26 Dec, 2020 | 01:50
Updated At:04 Aug, 2024 | 15:49
Rejected At:
▼CVE Numbering Authority (CNA)

Stratodesk NoTouch Center before 4.4.68 is affected by: Incorrect Access Control. A low privileged user on the platform, for example a user with "helpdesk" privileges, can perform privileged operations including adding a new administrator to the platform via the easyadmin/user/submitCreateTCUser.do page.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://packetstormsecurity.com/files/160652/Stratodesk-NoTouch-Center-Privilege-Escalation.html
x_refsource_MISC
Hyperlink: http://packetstormsecurity.com/files/160652/Stratodesk-NoTouch-Center-Privilege-Escalation.html
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://packetstormsecurity.com/files/160652/Stratodesk-NoTouch-Center-Privilege-Escalation.html
x_refsource_MISC
x_transferred
Hyperlink: http://packetstormsecurity.com/files/160652/Stratodesk-NoTouch-Center-Privilege-Escalation.html
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:26 Dec, 2020 | 02:15
Updated At:21 Jul, 2021 | 11:39

Stratodesk NoTouch Center before 4.4.68 is affected by: Incorrect Access Control. A low privileged user on the platform, for example a user with "helpdesk" privileges, can perform privileged operations including adding a new administrator to the platform via the easyadmin/user/submitCreateTCUser.do page.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary2.06.5MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 6.5
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P
CPE Matches
stratodesk
stratodesk
>>notouch_center>>Versions before 4.4.68(exclusive)
cpe:2.3:a:stratodesk:notouch_center:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-669Primarynvd@nist.gov
CWE-862Primarynvd@nist.gov
CWE ID: CWE-669
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-862
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://packetstormsecurity.com/files/160652/Stratodesk-NoTouch-Center-Privilege-Escalation.htmlcve@mitre.org
Exploit
Third Party Advisory
VDB Entry
Hyperlink: http://packetstormsecurity.com/files/160652/Stratodesk-NoTouch-Center-Privilege-Escalation.html
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
VDB Entry

Change History

0
Information is not available yet

Similar CVEs

470Records found
CVE-2024-31987
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-27.74% / 96.27%
||
7 Day CHG~0.00%
Published-10 Apr, 2024 | 20:32
Updated-21 Jan, 2025 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki Platform remote code execution from account via custom skins support

XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution. This has been patched in XWiki 14.10.19, 15.5.4 and 15.10RC1. No known workarounds are available except for upgrading.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platformxwiki-platform
CWE ID-CWE-862
Missing Authorization
CVE-2024-30485
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-46.98% / 97.59%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 10:58
Updated-07 Oct, 2024 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Finale Lite plugin <= 2.18.0 - Subscriber+ Arbitrary Plugin Installation/Activation vulnerability

Missing Authorization vulnerability in XLPlugins Finale Lite.This issue affects Finale Lite: from n/a through 2.18.0.

Action-Not Available
Vendor-xlpluginsXLPluginsxlplugins
Product-finaleFinale Litefinale_lite
CWE ID-CWE-862
Missing Authorization
CVE-2024-30484
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.55%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 19:08
Updated-02 Aug, 2024 | 01:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RT Easy Builder plugin <= 2.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in RT Easy Builder – Advanced addons for Elementor.This issue affects RT Easy Builder – Advanced addons for Elementor: from n/a through 2.0.

Action-Not Available
Vendor-risethemes
Product-rt_easy_builderRT Easy Builder – Advanced addons for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2024-31248
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 58.99%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 11:10
Updated-02 Dec, 2024 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress All-in-One Video Gallery plugin <= 3.5.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Team Plugins360 All-in-One Video Gallery.This issue affects All-in-One Video Gallery: from n/a through 3.5.2.

Action-Not Available
Vendor-plugins360Team Plugins360
Product-all-in-one_video_galleryAll-in-One Video Gallery
CWE ID-CWE-862
Missing Authorization
CVE-2024-31267
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.55%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 11:14
Updated-01 Nov, 2024 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Flexible Checkout Fields for WooCommerce plugin <= 4.1.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Desk Flexible Checkout Fields for WooCommerce.This issue affects Flexible Checkout Fields for WooCommerce: from n/a through 4.1.2.

Action-Not Available
Vendor-wpdeskWP Desk
Product-flexible_checkout_fieldsFlexible Checkout Fields for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-30467
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.38% / 58.70%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 10:49
Updated-08 Oct, 2024 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Essential Blocks plugin <= 4.4.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg.This issue affects Essential Blocks for Gutenberg: from n/a through 4.4.9.

Action-Not Available
Vendor-WPDeveloper
Product-essential_blocksEssential Blocks for Gutenberg
CWE ID-CWE-862
Missing Authorization
CVE-2024-30464
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 37.25%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 10:41
Updated-10 Oct, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Social Icons Widget & Block by WPZOOM plugin <= 4.2.15 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPZOOM Social Icons Widget & Block by WPZOOM.This issue affects Social Icons Widget & Block by WPZOOM: from n/a through 4.2.15.

Action-Not Available
Vendor-wpzoomWPZOOM
Product-social_icons_widgetSocial Icons Widget & Block by WPZOOM
CWE ID-CWE-862
Missing Authorization
CVE-2024-30234
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 57.93%
||
7 Day CHG~0.00%
Published-26 Mar, 2024 | 12:16
Updated-27 Mar, 2025 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WholesaleX plugin <= 1.3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.1.

Action-Not Available
Vendor-wpxpoWholesale Team
Product-wholesalexWholesaleX
CWE ID-CWE-862
Missing Authorization
CVE-2024-31252
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 53.10%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 11:12
Updated-26 Nov, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Responsive Lightbox & Gallery plugin <= 2.4.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in dFactory Responsive Lightbox.This issue affects Responsive Lightbox: from n/a through 2.4.6.

Action-Not Available
Vendor-dfactorydFactory
Product-responsive_lightbox_\&_galleryResponsive Lightbox
CWE ID-CWE-862
Missing Authorization
CVE-2024-31261
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.28% / 50.77%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 11:13
Updated-26 Nov, 2024 | 15:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Announcer – Notification & message bars plugin <= 6.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Aakash Chakravarthy Announcer – Notification & message bars.This issue affects Announcer – Notification & message bars: from n/a through 6.0.

Action-Not Available
Vendor-Aakash Web
Product-announcerAnnouncer – Notification & message bars
CWE ID-CWE-862
Missing Authorization
CVE-2024-31099
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.4||MEDIUM
EPSS-0.16% / 37.42%
||
7 Day CHG~0.00%
Published-01 Apr, 2024 | 14:07
Updated-29 May, 2025 | 13:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Phlox Core Elements plugin <= 2.15.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Averta Shortcodes and extra features for Phlox theme auxin-elements.This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.15.7.

Action-Not Available
Vendor-Depicter (Averta)
Product-shortcodes_and_extra_features_for_phlox_themeShortcodes and extra features for Phlox theme
CWE ID-CWE-862
Missing Authorization
CVE-2021-39232
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-8.8||HIGH
EPSS-0.71% / 71.41%
||
7 Day CHG~0.00%
Published-19 Nov, 2021 | 09:20
Updated-04 Aug, 2024 | 01:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing admin check for SCM related admin commands

In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins.

Action-Not Available
Vendor-The Apache Software Foundation
Product-ozoneApache Ozone
CWE ID-CWE-862
Missing Authorization
CVE-2024-31098
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.1||HIGH
EPSS-0.32% / 54.72%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 08:58
Updated-09 Oct, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress New Order Notification for Woocommerce plugin <= 2.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Mr.Ebabi New Order Notification for Woocommerce.This issue affects New Order Notification for Woocommerce: from n/a through 2.0.2.

Action-Not Available
Vendor-mrebabiMr.Ebabi
Product-new_order_notification_for_woocommerceNew Order Notification for Woocommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-30470
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 59.24%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 10:51
Updated-08 Oct, 2024 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress YITH WooCommerce Account Funds Premium plugin <= 1.32.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in YITH YITH WooCommerce Account Funds Premium.This issue affects YITH WooCommerce Account Funds Premium: from n/a through 1.33.0.

Action-Not Available
Vendor-Your Inspiration Solutions S.L.U. (YITH) (YITHEMES)
Product-woocommerce_account_fundsYITH WooCommerce Account Funds Premiumyith_woocommerce_account_funds_premium
CWE ID-CWE-862
Missing Authorization
CVE-2021-38388
Matching Score-4
Assigner-LY Corporation
ShareView Details
Matching Score-4
Assigner-LY Corporation
CVSS Score-8.8||HIGH
EPSS-0.30% / 52.73%
||
7 Day CHG~0.00%
Published-08 Sep, 2021 | 17:50
Updated-12 May, 2025 | 01:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Central Dogma allows privilege escalation with mirroring to the internal dogma repository that has a file managing the authorization of the project.

Action-Not Available
Vendor-linecorpLINE Corporation
Product-central_dogmaCentral Dogma
CWE ID-CWE-862
Missing Authorization
CVE-2024-30235
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.43% / 61.59%
||
7 Day CHG~0.00%
Published-26 Mar, 2024 | 12:20
Updated-07 Feb, 2025 | 16:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Multiple Page Generator Plugin – MPG plugin <= 3.4.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Themeisle Multiple Page Generator Plugin – MPG.This issue affects Multiple Page Generator Plugin – MPG: from n/a through 3.4.0.

Action-Not Available
Vendor-ThemeisleThemeisle
Product-multiple_page_generatorMultiple Page Generator Plugin – MPG
CWE ID-CWE-862
Missing Authorization
CVE-2024-30517
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.55%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 11:02
Updated-07 Oct, 2024 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sliced Invoices plugin <= 3.9.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Sliced Invoices.This issue affects Sliced Invoices: from n/a through 3.9.2.

Action-Not Available
Vendor-slicedinvoicesSliced Invoices
Product-sliced_invoicesSliced Invoices
CWE ID-CWE-862
Missing Authorization
CVE-2023-40334
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 40.07%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-12 Mar, 2025 | 17:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress HUSKY – Products Filter for WooCommerce Professional plugin <= 1.3.4.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in realmag777 HUSKY allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HUSKY: from n/a through 1.3.4.2.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-husky_-_products_filter_professional_for_woocommerceHUSKY
CWE ID-CWE-862
Missing Authorization
CVE-2021-39236
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-8.8||HIGH
EPSS-0.64% / 69.57%
||
7 Day CHG~0.00%
Published-19 Nov, 2021 | 09:20
Updated-04 Aug, 2024 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Owners of the S3 tokens are not validated

In Apache Ozone before 1.2.0, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.

Action-Not Available
Vendor-The Apache Software Foundation
Product-ozoneApache Ozone
CWE ID-CWE-862
Missing Authorization
CVE-2021-36909
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-1.21% / 78.12%
||
7 Day CHG~0.00%
Published-18 Nov, 2021 | 14:41
Updated-28 Mar, 2025 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Reset PRO Premium plugin <= 5.98 - Authenticated Database Reset vulnerability

Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows any authenticated user to wipe the entire database regardless of their authorization. It leads to a complete website reset and takeover.

Action-Not Available
Vendor-webfactoryltdWebFactory Ltd.
Product-wp_reset_proWP Reset PRO
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2024-27190
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.50% / 65.09%
||
7 Day CHG~0.00%
Published-21 Mar, 2024 | 17:04
Updated-14 Feb, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Download Media plugin <= 1.4.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jean-David Daviet Download Media.This issue affects Download Media: from n/a through 1.4.2.

Action-Not Available
Vendor-jeandaviddavietJean-David Daviet
Product-download_mediaDownload Media
CWE ID-CWE-862
Missing Authorization
CVE-2021-36225
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.07% / 20.77%
||
7 Day CHG~0.00%
Published-06 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation.

Action-Not Available
Vendor-n/aWestern Digital Corp.
Product-my_cloud_pr4100my_cloud_osn/a
CWE ID-CWE-862
Missing Authorization
CVE-2021-36232
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.43% / 61.77%
||
7 Day CHG~0.00%
Published-31 Aug, 2021 | 17:37
Updated-04 Aug, 2024 | 00:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Authorization in multiple functions in MIK.starlight 7.9.5.24363 allows an authenticated attacker to escalate privileges.

Action-Not Available
Vendor-unit4n/a
Product-mik.starlightn/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-24833
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 56.53%
||
7 Day CHG~0.00%
Published-08 May, 2024 | 13:28
Updated-08 Jan, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Happy Addons for Elementor plugin <= 3.10.1 - Broken Access Control on Post Clone vulnerability

Missing Authorization vulnerability in Leevio Happy Addons for Elementor.This issue affects Happy Addons for Elementor: from n/a through 3.10.1.

Action-Not Available
Vendor-leevioLeevio
Product-happy_addons_for_elementorHappy Addons for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2023-39312
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.1||CRITICAL
EPSS-0.31% / 53.66%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 14:23
Updated-02 Aug, 2024 | 18:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Avada theme <= 7.11.1 - Auth. Unrestricted Zip Extraction vulnerability

Missing Authorization vulnerability in ThemeFusion Avada.This issue affects Avada: from n/a through 7.11.1.

Action-Not Available
Vendor-Avada (ThemeFusion)
Product-avadaAvadaavada
CWE ID-CWE-862
Missing Authorization
CVE-2021-33676
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.8||MEDIUM
EPSS-0.24% / 46.71%
||
7 Day CHG~0.00%
Published-14 Jul, 2021 | 11:03
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing authority check in SAP CRM, versions - 700, 701, 702, 712, 713, 714, could be leveraged by an attacker with high privileges to compromise confidentiality, integrity, or availability of the system.

Action-Not Available
Vendor-SAP SE
Product-customer_relationship_managementSAP CRM
CWE ID-CWE-862
Missing Authorization
CVE-2024-25092
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-65.01% / 98.40%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 10:28
Updated-11 Oct, 2024 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress NextMove Lite plugin <= 2.17.0 - Subscriber+ Arbitrary Plugin Installation/Activation vulnerability

Missing Authorization vulnerability in XLPlugins NextMove Lite.This issue affects NextMove Lite: from n/a through 2.17.0.

Action-Not Available
Vendor-xlpluginsXLPluginsxlplugins
Product-nextmoveNextMove Litenextmove_lite
CWE ID-CWE-862
Missing Authorization
CVE-2021-33671
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-7.6||HIGH
EPSS-0.22% / 44.78%
||
7 Day CHG~0.00%
Published-14 Jul, 2021 | 11:03
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Guided Procedures (Administration Workset), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. The impact of missing authorization could result to abuse of functionality restricted to a particular user group, and could allow unauthorized users to read, modify or delete restricted data.

Action-Not Available
Vendor-SAP SE
Product-netweaver_guided_proceduresSAP NetWeaver Guided Procedures (Administration Workset)
CWE ID-CWE-862
Missing Authorization
CVE-2021-33704
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.3||MEDIUM
EPSS-0.22% / 44.78%
||
7 Day CHG~0.00%
Published-15 Sep, 2021 | 18:01
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. For an attacker to discover the vulnerable function, no in-depth system knowledge is required. Once exploited via Network stack, the attacker may be able to read, modify or delete restricted data. The impact is that missing authorization can result of abuse of functionality usually restricted to specific users.

Action-Not Available
Vendor-SAP SE
Product-business_oneSAP Business One
CWE ID-CWE-862
Missing Authorization
CVE-2024-23524
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 45.85%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 08:03
Updated-25 Sep, 2024 | 14:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PilotPress plugin <= 2.0.30 - Broken Access Control vulnerability

Missing Authorization vulnerability in ONTRAPORT Inc. PilotPress.This issue affects PilotPress: from n/a through 2.0.30.

Action-Not Available
Vendor-ontraportONTRAPORT Inc.
Product-pilotpressPilotPress
CWE ID-CWE-862
Missing Authorization
CVE-2023-38475
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 40.07%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-19 Mar, 2025 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Donations Made Easy – Smart Donations plugin <= 4.0.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in RedNao Donations Made Easy – Smart Donations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Donations Made Easy – Smart Donations: from n/a through 4.0.12.

Action-Not Available
Vendor-rednaoRedNao
Product-donations_made_easy_-_smart_donationsDonations Made Easy – Smart Donations
CWE ID-CWE-862
Missing Authorization
CVE-2022-34344
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 43.32%
||
7 Day CHG~0.00%
Published-08 Jan, 2024 | 21:13
Updated-23 May, 2025 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Wholesale Suite Plugin <= 2.1.5 is vulnerable to Broken Access Control

Missing Authorization vulnerability in Rymera Web Co Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More.This issue affects Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More: from n/a through 2.1.5.

Action-Not Available
Vendor-rymeraRymera Web Co
Product-wholesale_suiteWholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More
CWE ID-CWE-862
Missing Authorization
CVE-2024-22296
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.28% / 50.77%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 08:07
Updated-25 Sep, 2024 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress 12 Step Meeting List plugin <= 3.14.28 - Broken Access Control vulnerability

Missing Authorization vulnerability in Code for Recovery 12 Step Meeting List.This issue affects 12 Step Meeting List: from n/a through 3.14.28.

Action-Not Available
Vendor-code4recoveryCode for Recovery
Product-12_step_meeting_list12 Step Meeting List
CWE ID-CWE-862
Missing Authorization
CVE-2024-21254
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-8.8||HIGH
EPSS-0.47% / 63.81%
||
7 Day CHG~0.00%
Published-15 Oct, 2024 | 19:52
Updated-18 Oct, 2024 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 7.0.0.0.0, 7.6.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-bi_publisherOracle BI Publisher
CWE ID-CWE-862
Missing Authorization
CVE-2024-21751
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 37.25%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 08:05
Updated-25 Sep, 2024 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RabbitLoader plugin <= 2.19.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in RabbitLoader.This issue affects RabbitLoader: from n/a through 2.19.13.

Action-Not Available
Vendor-yoginetworkRabbitLoaderrabbitloader
Product-rabbitloaderRabbitLoaderrabbitloader
CWE ID-CWE-862
Missing Authorization
CVE-2024-1710
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.32% / 53.97%
||
7 Day CHG~0.00%
Published-24 Feb, 2024 | 09:38
Updated-22 Apr, 2025 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the onAjaxAction function action in all versions up to, and including, 1.3.76. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions including uploading arbitrary files.

Action-Not Available
Vendor-unlimited-elementsunitecmsunitecms
Product-addon_libraryAddon Libraryaddon_library
CWE ID-CWE-862
Missing Authorization
CVE-2024-1991
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.22% / 44.71%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 18:58
Updated-31 Jan, 2025 | 01:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_users_role() function in all versions up to, and including, 5.3.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator

Action-Not Available
Vendor-Metagauss Inc.
Product-registrationmagicRegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Loginregistrationmagic
CWE ID-CWE-862
Missing Authorization
CVE-2021-27855
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-1.14% / 77.51%
||
7 Day CHG~0.00%
Published-15 Dec, 2021 | 16:14
Updated-17 Sep, 2024 | 02:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FatPipe software allows privilege escalation

FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, authenticated attacker with read-only privileges to grant themselves administrative privileges. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA001.

Action-Not Available
Vendor-fatpipeincFatPipe
Product-ipvpn_firmwarewarpipvpnwarp_firmwarempvpnmpvpn_firmwareIPVPNMPVPNWARP
CWE ID-CWE-862
Missing Authorization
CVE-2024-13232
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.11% / 30.40%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 09:21
Updated-05 Mar, 2025 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Awesome Import & Export Plugin - Import & Export WordPress Data <= 4.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Execution/Privilege Escalation

The WordPress Awesome Import & Export Plugin - Import & Export WordPress Data plugin for WordPress is vulnerable arbitrary SQL Execution and privilege escalation due to a missing capability check on the renderImport() function in all versions up to, and including, 4.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary SQL statements that can leveraged to create a new administrative user account.

Action-Not Available
Vendor-ddeveloper
Product-WordPress Awesome Import & Export Plugin - Import & Export WordPress Data
CWE ID-CWE-862
Missing Authorization
CVE-2024-13343
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.08% / 25.50%
||
7 Day CHG+0.01%
Published-01 Feb, 2025 | 03:21
Updated-24 Feb, 2025 | 16:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WooCommerce Customers Manager <= 31.3 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

Action-Not Available
Vendor-Vanquish
Product-woocommerce_customers_managerWooCommerce Customers Manager
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-862
Missing Authorization
CVE-2024-13653
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.07% / 23.21%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 04:22
Updated-25 Feb, 2025 | 04:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ZoxPress - The All-In-One WordPress News Theme <= 2.12.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

The ZoxPress - The All-In-One WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backup_options' function in all versions up to, and including, 2.12.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Action-Not Available
Vendor-mvpthemesMVPThemes
Product-zoxpressZoxPress - The All-In-One WordPress News Theme
CWE ID-CWE-862
Missing Authorization
CVE-2024-13361
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.16% / 36.90%
||
7 Day CHG+0.02%
Published-22 Jan, 2025 | 07:29
Updated-12 Feb, 2025 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI Power: Complete AI Pack <= 1.8.96 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and including, 1.8.96. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload image files and embed shortcode attributes in the image_alt value that will execute when sending a POST request to the attachment page.

Action-Not Available
Vendor-aipowersenols
Product-aipowerAI Power: Complete AI Pack
CWE ID-CWE-862
Missing Authorization
CVE-2022-31765
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-8.8||HIGH
EPSS-0.18% / 40.14%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-21 Apr, 2025 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected devices do not properly authorize the change password function of the web interface. This could allow low privileged users to escalate their privileges.

Action-Not Available
Vendor-Siemens AG
Product-6gk5788-1gd00-0aa06gk5328-4ss00-2ar3_firmware6gk5876-4aa00-2da26gk5774-1fx00-0aa06gk5748-1gy01-0aa06gk5748-1gd00-0ab0_firmware6gk5766-1ge00-7da0_firmware6gk5763-1al00-3aa06gk5826-2ab00-2ab26gk5788-2gd00-0ta0_firmware6gk5786-2fc00-0ac06gk5766-1ge00-7da06gk5788-1gy01-0aa0_firmware6gk5774-1fy00-0ta06gk5552-0aa00-2ar26gk5778-1gy00-0tb06gk5622-2gs00-2ac2_firmware6gk5722-1fc00-0ac0_firmware6gk5528-0ar00-2hr26gk5208-0ga00-2ac2_firmware6gk5552-0ar00-2hr2_firmware6gk5526-8gs00-4ar26gk5526-8gr00-4ar2_firmware6gk5204-0ba00-2gf2_firmware6gk5408-4gq00-2am26gk5208-0ha00-2ts6_firmware6gk5524-8gr00-3ar2_firmware6gk5788-1gd00-0aa0_firmware6ag1216-4bs00-7ac26gk5856-2ea00-3da16gk5722-1fc00-0aa0_firmware6gk5722-1fc00-0ac06gk5324-0ba00-3ar36gk5205-3bf00-2tb2_firmware6gk5524-8gs00-2ar2_firmware6gk5786-2fc00-0ac0_firmware6gk5761-1fc00-0aa0_firmware6gk5216-3rs00-2ac26gk5788-2gy01-0ta0_firmware6gk5552-0ar00-2ar2_firmware6gk5208-0ga00-2ac26gk5213-3bb00-2tb2_firmware6gk5524-8gr00-4ar2_firmware6gk5216-0ha00-2es6_firmware6gk5552-0aa00-2hr26gk5788-1gd00-0ab0_firmware6gk5734-1fx00-0ab6_firmware6gk5204-0ba00-2gf26gk5786-1fc00-0ab0_firmware6gk5786-2fc00-0aa0_firmware6gk5328-4fs00-3ar36gk5206-2rs00-2ac2_firmware6gk5722-1fc00-0aa06gk5213-3bd00-2ab2_firmware6gk5876-4aa00-2da2_firmware6gk5856-2ea00-3aa16gk5213-3bd00-2tb26gk5876-3aa02-2ba2_firmware6gk5766-1je00-3da0_firmware6gk5206-2rs00-5ac2_firmware6gk5876-4aa00-2ba26gk5408-8gs00-2am26gk5788-2gd00-0aa0_firmware6gk5205-3bb00-2tb26gk5208-0ua00-5es66gk6108-4am00-2da2_firmware6ag1208-0ba00-7ac26gk5786-2hc00-0ab06gk5526-8gr00-2ar2_firmware6gk5748-1gd00-0ab06gk5208-0ra00-2ac2_firmware6gk5748-1fc00-0ab0_firmware6gk5734-1fx00-0aa66gk5761-1fc00-0ab06gk5224-4gs00-2tc26gk5216-0ba00-2ac26gk5788-2gd00-0tb06gk5216-4bs00-2ac26gk5734-1fx00-0ab06gk5766-1je00-7da06gk5876-3aa02-2ea26gk5766-1ge00-7db06gk5216-0ha00-2as66gk5216-0ha00-2es66gk5224-0ba00-2ac26gk5328-4fs00-2rr3_firmware6gk5206-2bd00-2ac26gk5853-2ea00-2da1_firmware6gk5206-2gs00-2tc2_firmware6gk5766-1ge00-7tb0_firmware6gk5213-3bf00-2ab2_firmware6ag1206-2bb00-7ac2_firmware6gk5524-8gs00-2ar26gk5788-2gd00-0ta06gk5524-8gr00-2ar26gk5528-0aa00-2hr2_firmware6gk5812-1ba00-2aa26gk5208-0ga00-2fc26gk5208-0ga00-2fc2_firmware6gk5213-3bf00-2tb26gk5216-0ba00-2ab26gk5216-0ba00-2fc2_firmware6gk5416-4gs00-2am2_firmware6gk5213-3bd00-2ab26gk5206-2gs00-2fc26gk5206-2gs00-2ac26gk5205-3bb00-2ab2_firmware6gk5208-0ba00-2fc2_firmware6gk5774-1fx00-0aa66gk5208-0ba00-2ac2_firmware6gk5206-2rs00-5fc2_firmware6gk5766-1ge00-3da06gk5826-2ab00-2ab2_firmware6gk5206-2bs00-2ac26gk5786-2hc00-0aa0_firmware6gk5528-0aa00-2hr26gk5778-1gy00-0ta0_firmware6gk5224-4gs00-2tc2_firmware6gk5788-2gy01-0aa0_firmware6gk5788-2gd00-0tc06gk5206-2bs00-2fc26gk5208-0ba00-2ac26gk5788-2fc00-0aa0_firmware6gk5748-1fc00-0aa0_firmware6gk5738-1gy00-0aa0_firmware6gk5788-2gd00-0ab06gk5786-2fc00-0aa06gk5788-2hy01-0aa06gk5208-0ha00-2as66gk5774-1fy00-0ta0_firmware6gk5721-1fc00-0ab06gk6108-4am00-2ba2_firmware6gk5205-3bd00-2tb26gk5788-1fc00-0aa06gk5524-8gr00-3ar26gk5774-1fx00-0ac0_firmware6gk5208-0ra00-5ac26gk5786-2hc00-0aa06gk5213-3bb00-2ab26gk5734-1fx00-0ab66gk5766-1ge00-7ta0_firmware6gk5216-0ha00-2ts66gk5786-2fe00-0ab06gk5816-1aa00-2aa2_firmware6gk5206-2gs00-2ac2_firmware6gk5326-2qs00-3rr36ag1216-4bs00-7ac2_firmware6gk5774-1fx00-0aa6_firmware6gk5721-1fc00-0aa0_firmware6gk5216-3rs00-2ac2_firmware6gk5204-2aa00-2gf2_firmware6gk5788-1fc00-0ab06gk5208-0ha00-2es66gk5328-4ss00-3ar3_firmware6gk5216-3rs00-5ac2_firmware6gk5788-1fc00-0ab0_firmware6gk5552-0aa00-2hr2_firmware6gk5216-4gs00-2fc26gk5876-3aa02-2ba26gk5766-1ge00-7ta06gk5788-2gd00-0tc0_firmware6gk5328-4fs00-3ar3_firmware6gk5205-3bd00-2tb2_firmware6gk5786-2fe00-0aa06gk5326-2qs00-3ar36gk5748-1gy01-0ta06gk5206-2rs00-2ac26gk5206-2bb00-2ac2_firmware6gk5213-3bb00-2ab2_firmware6gk5216-0ba00-2tb26gk5748-1fc00-0aa06gk5786-1fc00-0aa06gk5526-8gr00-4ar26gk5206-2bb00-2ac26gk5524-8gs00-4ar26gk5734-1fx00-0aa0_firmware6gk5786-2fe00-0aa0_firmware6gk5748-1gy01-0ta0_firmware6gk5876-4aa00-2ba2_firmware6ag1206-2bs00-7ac2_firmware6gk5812-1aa00-2aa26gk5524-8gs00-3ar2_firmware6gk5763-1al00-7da0_firmware6gk5524-8gr00-2ar2_firmware6gk5856-2ea00-3da1_firmware6gk5788-2gd00-0tb0_firmware6gk5416-4gr00-2am26gk5812-1aa00-2aa2_firmware6gk5788-2gd00-0aa06gk5722-1fc00-0ab06gk5528-0aa00-2ar2_firmware6gk5816-1ba00-2aa26gk5526-8gs00-2ar2_firmware6gk5778-1gy00-0aa0_firmware6gk5874-2aa00-2aa26gk5734-1fx00-0aa06gk5788-2gd00-0ab0_firmware6gk5524-8gr00-4ar26gk5524-8gs00-4ar2_firmware6gk5748-1gd00-0aa0_firmware6gk5816-1ba00-2aa2_firmware6gk5874-3aa00-2aa2_firmware6gk5804-0ap00-2aa26gk5208-0ba00-2tb2_firmware6gk5636-2gs00-2ac2_firmware6gk5528-0aa00-2ar26gk5774-1fx00-0ab0_firmware6gk5774-1fx00-0ab6_firmware6gk5206-2rs00-5ac26gk5224-4gs00-2ac26gk5328-4fs00-3rr3_firmware6gk5788-1fc00-0aa0_firmware6gk5526-8gr00-3ar26gk5816-1aa00-2aa26gk5552-0ar00-2hr26gk5408-4gp00-2am26gk5326-2qs00-3rr3_firmware6gk5328-4fs00-2ar3_firmware6gk5216-0ha00-2ts6_firmware6gk5761-1fc00-0ab0_firmware6gk5774-1fx00-0ab66gk5748-1fc00-0ab06gk5774-1fy00-0tb06gk5205-3bb00-2ab26gk5208-0ga00-2tc2_firmware6gk5876-3aa02-2ea2_firmware6gk5734-1fx00-0aa6_firmware6gk5774-1fx00-0ac06gk5204-0ba00-2yf2_firmware6gk5206-2gs00-2fc2_firmware6gk5646-2gs00-2ac26gk5856-2ea00-3aa1_firmware6gk5224-0ba00-2ac2_firmware6gk5216-0ba00-2ac2_firmware6gk5786-1fc00-0ab06gk5324-0ba00-2ar3_firmware6gk5738-1gy00-0aa06gk5763-1al00-3aa0_firmware6gk5216-4gs00-2fc2_firmware6gk5416-4gr00-2am2_firmware6gk5224-4gs00-2fc2_firmware6gk5328-4fs00-2ar36gk5213-3bf00-2tb2_firmware6gk5205-3bb00-2tb2_firmware6gk5766-1ge00-3db0_firmware6gk5526-8gs00-2ar26gk5738-1gy00-0ab06gk5324-0ba00-3ar3_firmware6gk5788-1gy01-0aa06gk5788-2fc00-0aa06gk5788-2fc00-0ac0_firmware6gk5524-8gs00-3ar26gk5326-2qs00-3ar3_firmware6gk5224-4gs00-2ac2_firmware6gk5324-0ba00-2ar36gk5208-0ga00-2tc26gk5213-3bf00-2ab26gk5552-0aa00-2ar2_firmware6gk5216-4gs00-2tc26gk5206-2rs00-5fc26gk5642-2gs00-2ac2_firmware6gk5763-1al00-3da0_firmware6gk5208-0ua00-5es6_firmware6gk5206-2gs00-2tc26gk5774-1fx00-0aa0_firmware6gk5216-0ua00-5es66gk5646-2gs00-2ac2_firmware6gk5766-1ge00-7db0_firmware6gk5788-2hy01-0aa0_firmware6gk5788-2fc00-0ac06gk5205-3bf00-2ab26gk5778-1gy00-0tb0_firmware6gk5788-2gy01-0aa06gk5552-0ar00-2ar26gk5786-2fc00-0ab0_firmware6gk5778-1gy00-0ta06gk5213-3bd00-2tb2_firmware6gk5766-1je00-3da06gk5528-0ar00-2ar2_firmware6gk5328-4fs00-2rr36gk5766-1je00-7da0_firmware6gk5622-2gs00-2ac26gk5213-3bb00-2tb26gk5204-2aa00-2yf26gk5786-2fc00-0ab06gk5208-0ba00-2ab26gk5204-2aa00-2gf26gk5738-1gy00-0ab0_firmware6gk5778-1gy00-0aa06gk5778-1gy00-0ab0_firmware6gk5216-0ba00-2fc26gk5804-0ap00-2aa2_firmware6gk5328-4ss00-3ar36gk5874-2aa00-2aa2_firmware6gk5763-1al00-7da06gk5216-3rs00-5ac26gk5208-0ba00-2tb26gk5874-3aa00-2aa26gk5721-1fc00-0aa06gk5632-2gs00-2ac26gk5328-4fs00-3rr36gk5205-3bd00-2ab26gk5778-1gy00-0ab06gk5766-1ge00-3db06gk5734-1fx00-0ab0_firmware6gk6108-4am00-2ba26gk5528-0ar00-2hr2_firmware6gk5721-1fc00-0ab0_firmware6gk5208-0ha00-2as6_firmware6gk5224-4gs00-2fc26gk5526-8gr00-2ar26gk5748-1gd00-0aa06gk5208-0ra00-2ac26gk5206-2bs00-2ac2_firmware6gk5528-0ar00-2ar26gk5761-1fc00-0aa06gk5774-1fx00-0ab06gk5205-3bf00-2tb26gk5763-1al00-3da06gk5216-0ua00-5es6_firmware6gk5632-2gs00-2ac2_firmware6gk5216-4gs00-2ac26gk5766-1je00-7ta0_firmware6gk5408-8gr00-2am2_firmware6gk5812-1ba00-2aa2_firmware6gk5722-1fc00-0ab0_firmware6gk5636-2gs00-2ac26ag1206-2bs00-7ac26gk5786-2hc00-0ab0_firmware6gk5786-1fc00-0aa0_firmware6gk5204-0ba00-2yf26gk5788-2fc00-0ab0_firmware6gk5208-0ha00-2ts66gk5642-2gs00-2ac26gk5216-0ba00-2ab2_firmware6gk5526-8gs00-3ar2_firmware6gk5408-4gp00-2am2_firmware6gk5526-8gs00-4ar2_firmware6gk5788-2gy01-0ta06gk5208-0ba00-2fc26gk5526-8gr00-3ar2_firmware6gk6108-4am00-2da26gk5408-4gq00-2am2_firmware6gk5216-0ba00-2tb2_firmware6gk5774-1fy00-0tb0_firmware6gk5786-2fe00-0ab0_firmware6gk5216-4bs00-2ac2_firmware6gk5408-8gr00-2am26gk5766-1ge00-7tb06gk5206-2bs00-2fc2_firmware6gk5216-4gs00-2ac2_firmware6gk5205-3bd00-2ab2_firmware6gk5328-4ss00-2ar36gk5208-0ha00-2es6_firmware6gk5408-8gs00-2am2_firmware6gk5205-3bf00-2ab2_firmware6gk5416-4gs00-2am26gk5766-1ge00-3da0_firmware6ag1206-2bb00-7ac26gk5208-0ra00-5ac2_firmware6gk5788-2fc00-0ab06gk5216-4gs00-2tc2_firmware6gk5766-1je00-7ta06gk5204-2aa00-2yf2_firmware6gk5526-8gs00-3ar26gk5216-0ha00-2as6_firmware6gk5748-1gy01-0aa0_firmware6gk5853-2ea00-2da16gk5788-1gd00-0ab06gk5206-2bd00-2ac2_firmware6gk5208-0ba00-2ab2_firmware6ag1208-0ba00-7ac2_firmwareSCALANCE W774-1 RJ45SCALANCE M876-4 (NAM)SCALANCE W1788-2IA M12SCALANCE XB213-3 (ST, E/IP)SCALANCE XR524-8C, 24VSCALANCE XB213-3 (ST, PN)SCALANCE XC216EECRUGGEDCOM RM1224 LTE(4G) NAMSCALANCE XB205-3 (ST, PN)SCALANCE XC208SCALANCE XB213-3LD (SC, PN)SCALANCE XC206-2G PoESCALANCE XR328-4C WG (28xGE, DC 24V)SCALANCE XB205-3LD (SC, PN)SCALANCE W734-1 RJ45 (USA)SCALANCE S615 EECSCALANCE MUM856-1 (RoW)SCALANCE XR324WG (24 X FE, DC 24V)SCALANCE XR528-6M (2HR2)SCALANCE XR528-6M (L3 int.)SCALANCE XB216 (E/IP)SCALANCE XC216-4CSCALANCE XB208 (E/IP)SCALANCE XR324WG (24 x FE, AC 230V)SCALANCE XC206-2 (SC)SCALANCE W778-1 M12 EECSCALANCE XR524-8C, 1x230VSCALANCE W788-1 M12SCALANCE M876-3 (EVDO)SCALANCE XP208SCALANCE XR552-12M (2HR2)SCALANCE XF204-2BA DNASCALANCE WAM766-1 EEC (EU)SCALANCE XB205-3LD (SC, E/IP)SCALANCE XF204-2BASCALANCE WUM763-1SIPLUS NET SCALANCE XC216-4CSCALANCE W788-2 M12 EECSCALANCE W786-2 RJ45SCALANCE XB213-3 (SC, PN)SCALANCE W1788-2 EEC M12SCALANCE XC206-2SFPSCALANCE XP216POE EECSCALANCE XM408-4C (L3 int.)SCALANCE W1788-2 M12SCALANCE W786-1 RJ45SCALANCE XP208EECSCALANCE MUM856-1 (EU)SCALANCE S615SCALANCE WAM766-1 (US)SCALANCE SC646-2CSCALANCE M826-2 SHDSL-RouterSCALANCE W786-2 SFPSCALANCE XR524-8C, 24V (L3 int.)SCALANCE XR552-12M (2HR2, L3 int.)SCALANCE XC206-2 (ST/BFOC)SCALANCE W722-1 RJ45SCALANCE XM416-4CSCALANCE W788-1 RJ45SCALANCE XR526-8C, 24V (L3 int.)SCALANCE XR528-6MSCALANCE XR528-6M (2HR2, L3 int.)SCALANCE XC216-4C GSCALANCE M874-2SCALANCE XR526-8C, 2x230VSCALANCE W1748-1 M12SCALANCE XP216 (Ethernet/IP)SCALANCE W774-1 M12 EECSCALANCE XR328-4C WG (24xFE,4xGE,AC230V)SCALANCE XC224-4C GSCALANCE XC208G PoE (54 V DC)SCALANCE M816-1 ADSL-Router (Annex B)SCALANCE XC206-2G PoE EEC (54 V DC)SCALANCE XP208 (Ethernet/IP)SCALANCE M876-3 (ROK)SCALANCE XB216 (PN)SCALANCE XC216-4C G (EIP Def.)SCALANCE M876-4SCALANCE XR526-8C, 24VSCALANCE W734-1 RJ45SCALANCE SC636-2CSCALANCE W788-2 RJ45SCALANCE XM408-4CSCALANCE XC208G PoESCALANCE XR524-8C, 1x230V (L3 int.)SCALANCE WUM766-1 (US)SCALANCE W778-1 M12SCALANCE W748-1 RJ45SCALANCE XM408-8C (L3 int.)SCALANCE XB213-3LD (SC, E/IP)SCALANCE XC216SCALANCE XC208G EECSCALANCE XC208G (EIP def.)SCALANCE XC208GSCALANCE XR526-8C, 2x230V (L3 int.)SCALANCE XP216EECSCALANCE M816-1 ADSL-Router (Annex A)SCALANCE XC206-2G PoE (54 V DC)SCALANCE XM416-4C (L3 int.)RUGGEDCOM RM1224 LTE(4G) EUSCALANCE XC206-2SFP GSCALANCE W774-1 RJ45 (USA)SCALANCE MUM853-1 (EU)SCALANCE XR328-4C WG (24xFE, 4xGE,DC24V)SCALANCE W778-1 M12 EEC (USA)SCALANCE W1788-1 M12SCALANCE W738-1 M12SCALANCE M876-4 (EU)SCALANCE XR524-8C, 2x230VSCALANCE XR526-8C, 1x230V (L3 int.)SCALANCE M804PBSCALANCE XC216-3G PoE (54 V DC)SCALANCE XR326-2C PoE WG (without UL)SCALANCE XB205-3 (SC, PN)SCALANCE XC206-2SFP EECSCALANCE W721-1 RJ45SCALANCE XC206-2SFP G (EIP DEF.)SCALANCE WAM766-1 (EU)SCALANCE M812-1 ADSL-Router (Annex B)SCALANCE SC632-2CSCALANCE XP208PoE EECSCALANCE W786-2IA RJ45SCALANCE XF204SCALANCE XF204 DNASCALANCE M812-1 ADSL-Router (Annex A)SCALANCE XB213-3 (SC, E/IP)SCALANCE XR524-8C, 2x230V (L3 int.)SCALANCE XB208 (PN)SCALANCE XC224SCALANCE XR326-2C PoE WGSCALANCE M874-3SCALANCE WUM766-1 (EU)SCALANCE XB205-3 (ST, E/IP)SCALANCE XC208EECSCALANCE WAM763-1SCALANCE XR328-4C WG (24XFE, 4XGE, 24V)SIPLUS NET SCALANCE XC206-2SCALANCE XM408-8CSCALANCE W748-1 M12SCALANCE SC642-2CSCALANCE XR552-12MSCALANCE XR526-8C, 1x230VSCALANCE XR328-4C WG (28xGE, AC 230V)SIPLUS NET SCALANCE XC208SCALANCE XC206-2SFP G EECSCALANCE XC224-4C G EECSCALANCE WAM766-1 EEC (US)SCALANCE W761-1 RJ45SCALANCE XC216-3G PoESCALANCE XC216-4C G EECSIPLUS NET SCALANCE XC206-2SFPSCALANCE XP216SCALANCE XC224-4C G (EIP Def.)SCALANCE SC622-2CSCALANCE W788-2 M12
CWE ID-CWE-862
Missing Authorization
CVE-2024-13643
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.19% / 41.24%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 07:30
Updated-11 Feb, 2025 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zox News <= 3.17.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Modification

The Zox News - Professional WordPress News & Magazine Theme plugin for WordPress is vulnerable to unauthorized data modification. This vulnerability can lead to privilege escalation and denial of service conditions due to missing capability checks on the backup_options() and reset_options() functions in all versions up to and including 3.17.0. This vulnerability allows authenticated attackers with Subscriber-level access and above to update and delete arbitrary option values on the WordPress site. Attackers can exploit this issue to update the default user role for registration to Administrator and enable user registration, thereby gaining administrative access to the vulnerable site. Additionally, they could delete critical options, causing errors that may disrupt the site's functionality and deny service to legitimate users.

Action-Not Available
Vendor-MVPThemes
Product-Zox News - Professional WordPress News & Magazine Theme
CWE ID-CWE-862
Missing Authorization
CVE-2024-13677
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.07% / 23.21%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-21 Feb, 2025 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GetBookingsWp - Appointments & Bookings Plugin Basic Version <= 1.1.27 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover

The GetBookingsWP – Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Action-Not Available
Vendor-istmopluginsistmoplugins
Product-get_bookings_wpGetBookingsWP – Appointments Booking Calendar Plugin For WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-12544
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.37% / 58.03%
||
7 Day CHG~0.00%
Published-01 Mar, 2025 | 07:24
Updated-03 Mar, 2025 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion via SurveyJS_DeleteFile

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to arbitrary file deletion due to a missing capability check on the callback function of the SurveyJS_DeleteFile class in all versions up to, and including, 1.12.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This function is still vulnerable to Cross-Site Request Forgery as of 1.12.20.

Action-Not Available
Vendor-devsoftbaltic
Product-SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity
CWE ID-CWE-862
Missing Authorization
CVE-2024-12259
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.14% / 35.26%
||
7 Day CHG+0.02%
Published-18 Dec, 2024 | 03:22
Updated-18 Dec, 2024 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CRM WordPress Plugin – RepairBuddy <= 3.8120 - Missing Authorization to Account Takeover/Privilege Escalation

The CRM WordPress Plugin – RepairBuddy plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.8120. This is due to the plugin not properly validating a user's identity prior to updating their email through the wc_update_user_data AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Action-Not Available
Vendor-sweetdaisy86
Product-CRM WordPress Plugin – RepairBuddy
CWE ID-CWE-862
Missing Authorization
CVE-2022-31595
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.34% / 56.37%
||
7 Day CHG~0.00%
Published-14 Jun, 2022 | 18:45
Updated-03 Aug, 2024 | 07:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Financial Consolidation - version 1010,�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-adaptive_server_enterpriseSAP Financial Consolidation
CWE ID-CWE-862
Missing Authorization
CVE-2024-12594
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-4.33% / 88.47%
||
7 Day CHG~0.00%
Published-24 Dec, 2024 | 05:23
Updated-24 Dec, 2024 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ALL In One Custom Login Page <= 7.1.1 - Missing Authorization to Authenticated (Subscriber+)Privilege Escalation

The Custom Login Page Styler – Login Protected Private Site , Change wp-admin login url , WordPress login logo , Temporary admin login access , Rename login , Login customizer, Hide wp-login – Limit Login Attempts – Locked Site plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'lps_generate_temp_access_url' AJAX action in all versions up to, and including, 7.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to login as other users such as subscribers.

Action-Not Available
Vendor-zia-imtiaz
Product-Custom Login Page Styler
CWE ID-CWE-862
Missing Authorization
CVE-2024-12810
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.09% / 25.81%
||
7 Day CHG+0.02%
Published-14 Mar, 2025 | 11:15
Updated-27 Mar, 2025 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JobCareer | Job Board Responsive WordPress Theme <= 7.1 - Missing Authorization to Authenticated (Subscriber+) Multiple Administrative Actions

The JobCareer | Job Board Responsive WordPress Theme theme for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability checks on multiple functions in all versions up to, and including, 7.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, generate backups, restore backups, update theme options, and reset theme options to default settings.

Action-Not Available
Vendor-chimpgroupn/a
Product-jobcareerJobCareer | Job Board Responsive WordPress Theme
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 9
  • 10
  • Next
Details not found