Missing Authorization vulnerability in dFactory Responsive Lightbox allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Responsive Lightbox: from n/a through 2.4.7.
Missing Authorization vulnerability in CozyThemes Blockbooster allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Blockbooster: from n/a through 1.0.10.
Missing Authorization vulnerability in Arraytics Timetics allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Timetics: from n/a through 1.0.23.
Missing Authorization vulnerability in CozyThemes Fota WP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fota WP: from n/a through 1.4.1.
Missing Authorization vulnerability in WebsiteinWP Blogpoet allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Blogpoet: from n/a through 1.0.3.
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Local File Inclusion, Arbitrary Settings Update, and User Creation in all versions up to, and including, 2.1.6 via several functions called by the 'checkFormRequest' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Attackers can also update arbitrary settings and create user accounts even when registration is disabled, leading to user creation with a default role of Administrator.
Missing Authorization vulnerability in Analytify.This issue affects Analytify: from n/a through 4.2.3.
Missing Authorization vulnerability in Strategy11 Form Builder Team Formidable Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Formidable Forms: from n/a through 5.5.4.
Missing Authorization vulnerability in Hennessey Digital Attorney.This issue affects Attorney: from n/a through 3.
Missing Authorization vulnerability in CozyThemes Hello Agency allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Hello Agency: from n/a through 1.0.5.
The NI VeriStand Gateway is missing authorization checks when an actor attempts to access File Transfer resources. These missing checks may result in information disclosure or remote code execution. This affects NI VeriStand 2024 Q2 and prior versions.
Missing Authorization vulnerability in SeventhQueen Sweet Date sweetdate allows Privilege Escalation.This issue affects Sweet Date: from n/a through <= 3.7.3.
Missing Authorization vulnerability in OpenText™ Filr allows Authentication Bypass. The vulnerability could allow unauthenticated users to get XSRF token and do RPC with carefully crafted programs. This issue affects Filr: through 25.1.2.
Missing Authorization vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.8.6.
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the 'phone' parameter of the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address or phone number. Additionally, if a new email address is supplied, a new user account is created with the default role, even if registration is disabled.
CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in delete_members.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter.
Missing Authorization vulnerability in VeronaLabs WP SMS.This issue affects WP SMS: from n/a through 6.9.3.
Missing Authorization vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders.This issue affects Smart Online Order for Clover: from n/a through <= 1.5.6.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
Missing Authorization vulnerability in ReviewX ReviewX allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ReviewX: from n/a through 1.6.28.
The Tutor LMS plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete data.
In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.
A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services.
The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument
Missing Authorization vulnerability in WPWeb Elite WooCommerce PDF Vouchers allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WooCommerce PDF Vouchers: from n/a through 4.9.4.
The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webhook/v2/order_info/ route with a permission_callback that always returns true, effectively bypassing all authentication. This makes it possible for unauthenticated attackers who know any user’s email to obtain a valid login cookie and fully impersonate that account.
Access Control vulnerability in TheInnovs EleForms allows . This issue affects EleForms: from n/a through 2.9.9.9.
Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Defender Security defender-security.This issue affects Defender Security: from n/a through <= 4.7.1.
Missing Authorization vulnerability in WofficeIO Woffice Core allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Woffice Core: from n/a through 5.4.8.
In Boa, there is a possible escalation of privilege due to a missing permission check. This could lead to remote escalation of privilege from a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: A20210008; Issue ID: OSBNB00123241.
Missing Authorization vulnerability in StylemixThemes MasterStudy LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MasterStudy LMS: from n/a through 3.2.12.
Missing Authorization vulnerability in CRM Perks CRM Perks Forms allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects CRM Perks Forms: from n/a through 1.1.5.
Missing Authorization vulnerability in Uncanny Owl Uncanny Automator Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Automator Pro: from n/a through 5.3.0.0.
Missing authorization vulnerability exists in Unifier and Unifier Cast. If this vulnerability is exploited, arbitrary code may be executed with LocalSystem privilege. As a result, a malicious program may be installed, data may be altered or deleted.
Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor.This issue affects Master Addons for Elementor: from n/a through 2.0.5.4.1.
Missing Authorization vulnerability in AdFoxly AdFoxly – Ad Manager, AdSense Ads & Ads.Txt.This issue affects AdFoxly – Ad Manager, AdSense Ads & Ads.Txt: from n/a through 1.8.5.
Missing Authorization vulnerability in Netgsm.This issue affects Netgsm: from n/a through 2.9.19.
Missing Authorization vulnerability in SoftLab Upload Fields for WPForms.This issue affects Upload Fields for WPForms: from n/a through 1.0.2.
Missing Authorization vulnerability in AA-Team WZone.This issue affects WZone: from n/a through 14.0.10.
Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, the /api/admin/assign-badge endpoint lacks proper access control, allowing any authenticated user to assign high-privilege badges (e.g., Staff) to themselves. This could lead to privilege escalation and impersonation of administrative roles. This issue has been patched in version 2.2.0.
Missing Authorization vulnerability in Hamid Alinia Login with phone number login-with-phone-number.This issue affects Login with phone number: from n/a through <= 1.6.93.
Missing Authorization vulnerability in WPFactory Products, Order & Customers Export for WooCommerce.This issue affects Products, Order & Customers Export for WooCommerce: from n/a through 2.0.8.
Missing Authorization vulnerability in zorem Advanced Local Pickup for WooCommerce.This issue affects Advanced Local Pickup for WooCommerce: from n/a through 1.6.2.
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.
Missing Authorization vulnerability in typps Calendarista Basic Edition calendarista-basic-edition.This issue affects Calendarista Basic Edition: from n/a through <= 3.0.5.
Missing Authorization vulnerability in tainacan Tainacan tainacan.This issue affects Tainacan: from n/a through <= 0.20.7.
Missing Authorization vulnerability in Bricksforge.This issue affects Bricksforge: from n/a through 2.0.17.
Missing Authorization vulnerability in DELUCKS GmbH DELUCKS SEO.This issue affects DELUCKS SEO: from n/a through 2.5.4.
Missing Authorization vulnerability in Email Subscribers & Newsletters.This issue affects Email Subscribers & Newsletters: from n/a through 5.7.13.
Missing Authorization vulnerability in WPDeveloper EmbedPress.This issue affects EmbedPress: from n/a through 3.9.8.