Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-51376

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-14 Jun, 2024 | 10:21
Updated At-28 Apr, 2026 | 16:09
Rejected At-
Credits

WordPress ProjectHuddle Client Site plugin <= 1.0.34 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brainstorm Force ProjectHuddle Client Site.This issue affects ProjectHuddle Client Site: from n/a through 1.0.34.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:14 Jun, 2024 | 10:21
Updated At:28 Apr, 2026 | 16:09
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress ProjectHuddle Client Site plugin <= 1.0.34 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brainstorm Force ProjectHuddle Client Site.This issue affects ProjectHuddle Client Site: from n/a through 1.0.34.

Affected Products
Vendor
Brainstorm ForceBrainstorm Force
Product
ProjectHuddle Client Site
Collection URL
https://wordpress.org/plugins
Package Name
projecthuddle-child-site
Default Status
unaffected
Versions
Affected
  • From n/a through 1.0.34 (custom)
    • -> unaffectedfrom1.0.35
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update to 1.0.35 or a higher version.

Configurations

Workarounds

Exploits

Credits

finder
Rafie Muhammad (Patchstack)
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://patchstack.com/database/vulnerability/projecthuddle-child-site/wordpress-projecthuddle-client-site-plugin-1-0-34-broken-access-control-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/vulnerability/projecthuddle-child-site/wordpress-projecthuddle-client-site-plugin-1-0-34-broken-access-control-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://patchstack.com/database/vulnerability/projecthuddle-child-site/wordpress-projecthuddle-client-site-plugin-1-0-34-broken-access-control-vulnerability?_s_id=cve
vdb-entry
x_transferred
Hyperlink: https://patchstack.com/database/vulnerability/projecthuddle-child-site/wordpress-projecthuddle-client-site-plugin-1-0-34-broken-access-control-vulnerability?_s_id=cve
Resource:
vdb-entry
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:14 Jun, 2024 | 11:15
Updated At:17 Jun, 2024 | 12:42

Missing Authorization vulnerability in Brainstorm Force ProjectHuddle Client Site.This issue affects ProjectHuddle Client Site: from n/a through 1.0.34.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-862Secondaryaudit@patchstack.com
CWE ID: CWE-862
Type: Secondary
Source: audit@patchstack.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://patchstack.com/database/vulnerability/projecthuddle-child-site/wordpress-projecthuddle-client-site-plugin-1-0-34-broken-access-control-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/vulnerability/projecthuddle-child-site/wordpress-projecthuddle-client-site-plugin-1-0-34-broken-access-control-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1358Records found

CVE-2026-6883
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-2.6||LOW
EPSS-0.15% / 4.26%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 05:33
Updated-16 May, 2026 | 03:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy records.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2023-39993
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 21.38%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 12:07
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ElementsKit Lite plugin <= 2.9.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Wpmet Elements kit Elementor addons.This issue affects Elements kit Elementor addons: from n/a through 2.9.0.

Action-Not Available
Vendor-Wpmet
Product-Elements kit Elementor addons
CWE ID-CWE-862
Missing Authorization
CVE-2026-6689
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 4.77%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 15:51
Updated-18 Jun, 2026 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
*Missing* {{invite_user}} *permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings*

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body.. Mattermost Advisory ID: MMSA-2026-00655

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-862
Missing Authorization
CVE-2023-3131
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 39.59%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 12:41
Updated-12 Nov, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MStore API < 3.9.7 - Subscriber+ Unauthorized Settings Update

The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both.

Action-Not Available
Vendor-inspireuiUnknown
Product-mstore_apiMStore API
CWE ID-CWE-862
Missing Authorization
CVE-2023-38514
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 20.38%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Social Share Icons & Social Share Buttons plugin <= 3.5.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in social share pro Social Share Icons & Social Share Buttons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Social Share Icons & Social Share Buttons: from n/a through 3.5.7.

Action-Not Available
Vendor-social share pro
Product-Social Share Icons & Social Share Buttons
CWE ID-CWE-862
Missing Authorization
CVE-2026-57299
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 8.53%
||
7 Day CHG~0.00%
Published-24 Jun, 2026 | 13:20
Updated-26 Jun, 2026 | 02:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read permission to enumerate the names of configured Contrast metadata.

Action-Not Available
Vendor-Jenkins
Product-contrast_continuous_application_securityJenkins Contrast Continuous Application Security Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-57936
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.18%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:25
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Subresource Integrity (SRI) Manager Plugin <= 0.4.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Meitar Subresource Integrity (SRI) Manager wp-sri allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subresource Integrity (SRI) Manager: from n/a through <= 0.4.0.

Action-Not Available
Vendor-Meitar
Product-Subresource Integrity (SRI) Manager
CWE ID-CWE-862
Missing Authorization
CVE-2026-57430
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 8.28%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:53
Updated-26 Jun, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SEOPress PRO plugin <= 9.1.1 - Broken Access Control vulnerability

Contributor Broken Access Control in SEOPress PRO <= 9.1.1 versions.

Action-Not Available
Vendor-SEOPress Free
Product-SEOPress PRO
CWE ID-CWE-862
Missing Authorization
CVE-2025-1778
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.30%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 05:22
Updated-08 Apr, 2026 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Art Theme <= 3.12.2.3 - Missing Authorization to Authenticated (Subscriber+) Theme Option Delete

The Art Theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'arttheme_theme_option_restore' AJAX function in all versions up to, and including, 3.12.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the theme option.

Action-Not Available
Vendor-SeaTheme
Product-Art Theme
CWE ID-CWE-862
Missing Authorization
CVE-2025-1667
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.34% / 26.01%
||
7 Day CHG~0.00%
Published-15 Mar, 2025 | 03:23
Updated-08 Apr, 2026 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
School Management System – WPSchoolPress <= 2.2.16 - Missing Authorization to Privilege Escalation via Account Takeover

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to update arbitrary user details including email which makes it possible to request a password reset and access arbitrary user accounts, including administrators.

Action-Not Available
Vendor-igexsolutionsjdsofttech
Product-wpschoolpressSchool Management System – WPSchoolPress
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CVE-2022-34208
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.55% / 42.13%
||
7 Day CHG~0.00%
Published-22 Jun, 2022 | 14:41
Updated-03 Aug, 2024 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Action-Not Available
Vendor-Jenkins
Product-beaker_builderJenkins Beaker builder Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-34379
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 29.41%
||
7 Day CHG~0.00%
Published-17 Jan, 2024 | 16:12
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Cart2Cart: Magento to WooCommerce Migration Plugin <= 2.0.0 is vulnerable to Broken Access Control

Missing Authorization vulnerability in MagneticOne Cart2Cart: Magento to WooCommerce Migration.This issue affects Cart2Cart: Magento to WooCommerce Migration: from n/a through 2.0.0.

Action-Not Available
Vendor-magneticoneMagneticOne
Product-magento_to_woocommerce_migrationCart2Cart: Magento to WooCommerce Migration
CWE ID-CWE-862
Missing Authorization
CVE-2023-33923
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.50% / 39.38%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 04:46
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Broken Access Control leading to Arbitrary Plugin Activation in multiple HashThemes themes

Missing Authorization vulnerability in HashThemes Viral News, HashThemes Viral, HashThemes HashOne.This issue affects Viral News: from n/a through 1.4.5; Viral: from n/a through 1.8.0; HashOne: from n/a through 1.3.0.

Action-Not Available
Vendor-HashThemes
Product-Viral NewsViralHashOne
CWE ID-CWE-862
Missing Authorization
CVE-2023-32586
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.45% / 36.30%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SoundCloud Is Gold plugin <= 2.5.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Thomas Michalak Soundcloud Is Gold allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Soundcloud Is Gold: from n/a through 2.5.1.

Action-Not Available
Vendor-Thomas Michalak
Product-Soundcloud Is Gold
CWE ID-CWE-862
Missing Authorization
CVE-2023-32519
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.49% / 38.81%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WCP Contact Form plugin <= 3.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Webcodin WCP Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCP Contact Form: from n/a through 3.1.0.

Action-Not Available
Vendor-Webcodin
Product-WCP Contact Form
CWE ID-CWE-862
Missing Authorization
CVE-2023-3352
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 22.92%
||
7 Day CHG~0.00%
Published-21 Jun, 2024 | 02:05
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smush – Lazy Load Images, Optimize & Compress Images <= 3.16.4 - Missing Authorization to Resmush List Deletion

The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the delete_resmush_list() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for Nextgen or the Media Library.

Action-Not Available
Vendor-Incsub, LLC
Product-Smush – Image Optimization, Compression, Lazy Load, WebP & CDN
CWE ID-CWE-862
Missing Authorization
CVE-2023-32574
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.40% / 31.98%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Injection Guard plugin <= 1.2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Fahad Mahmood Injection Guard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Injection Guard: from n/a through 1.2.1.

Action-Not Available
Vendor-Fahad Mahmood
Product-Injection Guard
CWE ID-CWE-862
Missing Authorization
CVE-2025-1668
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.28% / 19.94%
||
7 Day CHG~0.00%
Published-15 Mar, 2025 | 03:23
Updated-08 Apr, 2026 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
School Management System – WPSchoolPress <= 2.2.16 - Missing Authorization to Arbitrary User Deletion

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpsp_DeleteUser() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to delete arbitrary user accounts.

Action-Not Available
Vendor-igexsolutionsjdsofttech
Product-wpschoolpressSchool Management System – WPSchoolPress
CWE ID-CWE-862
Missing Authorization
CVE-2022-34798
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.54% / 41.30%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:47
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-deployment_dashboardJenkins Deployment Dashboard Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-3451
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.79%
||
7 Day CHG~0.00%
Published-07 Nov, 2022 | 00:00
Updated-01 May, 2025 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Product Stock Manager < 1.0.5 - Subscriber+ Unauthorised AJAX Calls

The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options

Action-Not Available
Vendor-addifyUnknown
Product-product_stock_managerProduct Stock Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2023-32599
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.45% / 36.30%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress reCAPTCHA for all plugin <= 1.22 - Broken Access Control vulnerability

Missing Authorization vulnerability in Bill Minozzi reCAPTCHA for all allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects reCAPTCHA for all: from n/a through 1.22.

Action-Not Available
Vendor-Bill Minozzi
Product-reCAPTCHA for all
CWE ID-CWE-862
Missing Authorization
CVE-2026-9199
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 15.65%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 04:31
Updated-18 Jun, 2026 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Equalize Digital Accessibility Checker <= 1.42.1 - Missing Authorization to Authenticated (Author+) Arbitrary Accessibility Issue Modification via 'largeBatch' Parameter

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to dismiss, ignore, or restore accessibility audit issue records belonging to posts they are not permitted to edit by supplying an issue from their own post as an authorization token to affect matching issues across the entire site. An Author-level user can exploit this by passing largeBatch=true on a dismiss-issue request referencing one of their own post's issues, causing the handler to bulk-modify all site-wide accessibility issues sharing the same 'object' value — including those belonging to administrator-owned posts.

Action-Not Available
Vendor-equalizedigital
Product-Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance
CWE ID-CWE-862
Missing Authorization
CVE-2026-9015
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 21.78%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 07:43
Updated-28 May, 2026 | 13:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Equalize Digital Accessibility Checker <= 1.42.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Accessibility Issue Modification via edac_insert_ignore_data AJAX Action

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site — including mass modification of all rows sharing an 'object' identifier when largeBatch=true is supplied — corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope.

Action-Not Available
Vendor-equalizedigital
Product-Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance
CWE ID-CWE-862
Missing Authorization
CVE-2022-34818
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.55% / 42.13%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:49
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

Action-Not Available
Vendor-Jenkins
Product-failed_job_deactivatorJenkins Failed Job Deactivator Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-32316
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.38% / 30.18%
||
7 Day CHG~0.00%
Published-26 May, 2023 | 22:36
Updated-14 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Users can add themselves to any organization in CloudExplorer Lite

CloudExplorer Lite is an open source cloud management tool. In affected versions users can add themselves to any organization in CloudExplorer Lite. This is due to a missing permission check on the user profile. It is recommended to upgrade the version to v1.1.0. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-FIT2CLOUD Inc.CloudExplorer Lite (FIT2CLOUD Inc.)
Product-cloudexplorerCloudExplorer-Lite
CWE ID-CWE-862
Missing Authorization
CVE-2023-30522
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.45% / 35.90%
||
7 Day CHG~0.00%
Published-12 Apr, 2023 | 17:05
Updated-07 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter.

Action-Not Available
Vendor-Jenkins
Product-fogbugzJenkins Fogbugz Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2026-9619
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 22.45%
||
7 Day CHG~0.00%
Published-24 Jun, 2026 | 05:33
Updated-25 Jun, 2026 | 13:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reviews and Rating <= 1.1.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via sync_reviews AJAX Action

The Reviews and Rating – Docplanner plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger outbound scraping of external websites and write scraped review data into the wp_dp_reviews database table, as well as send feature-request emails from the site administrator's email address.

Action-Not Available
Vendor-berfect
Product-Reviews and Rating – Docplanner
CWE ID-CWE-862
Missing Authorization
CVE-2023-30783
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.40% / 32.22%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Smart WooCommerce Search plugin <= 2.5.0 - Broken Access Control

Missing Authorization vulnerability in YummyWP Smart WooCommerce Search allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart WooCommerce Search: from n/a through 2.5.0.

Action-Not Available
Vendor-YummyWP
Product-Smart WooCommerce Search
CWE ID-CWE-862
Missing Authorization
CVE-2019-16571
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.71% / 49.18%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.

Action-Not Available
Vendor-Jenkins
Product-rapiddeployJenkins RapidDeploy Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-28675
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.43% / 34.22%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 11:26
Updated-25 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-octoperf_load_testingJenkins OctoPerf Load Testing Plugin Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2026-5296
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 9.46%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 17:55
Updated-27 May, 2026 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2025-1666
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 23.76%
||
7 Day CHG~0.00%
Published-06 Mar, 2025 | 11:11
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics <= 4.4.1 - Missing Authorization to Authenticated (Subscriber+) Survey Submission

The Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_uninstall_survey() function in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit the uninstall survey on behalf of a website.

Action-Not Available
Vendor-cookiebot
Product-Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode
CWE ID-CWE-862
Missing Authorization
CVE-2023-28990
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 36.55%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Viral Mag theme <= 1.0.9 - Authenticated Arbitrary Plugin Activation Vulnerability

Missing Authorization vulnerability in HashThemes Viral Mag allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Viral Mag: from n/a through 1.0.9.

Action-Not Available
Vendor-HashThemes
Product-Viral Mag
CWE ID-CWE-862
Missing Authorization
CVE-2026-9246
Matching Score-4
Assigner-Devolutions Inc.
ShareView Details
Matching Score-4
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 4.75%
||
7 Day CHG~0.00%
Published-22 May, 2026 | 15:26
Updated-22 May, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-862
Missing Authorization
CVE-2023-29431
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 30.80%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress qTranslate X Cleanup and WPML Import plugin <= 3.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in OntheGoSystems qTranslate X Cleanup and WPML Import allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects qTranslate X Cleanup and WPML Import: from n/a through 3.0.1.

Action-Not Available
Vendor-OntheGoSystems
Product-qTranslate X Cleanup and WPML Import
CWE ID-CWE-862
Missing Authorization
CVE-2026-49052
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 4.75%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 14:55
Updated-27 May, 2026 | 16:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ElementsKit Elementor addons Lite plugin <= 3.9.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6.

Action-Not Available
Vendor-Wpmet
Product-ElementsKit Elementor addons Lite
CWE ID-CWE-862
Missing Authorization
CVE-2026-4949
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 23.43%
||
7 Day CHG~0.00%
Published-15 Apr, 2026 | 22:26
Updated-22 Apr, 2026 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ProfilePress <= 4.16.12 - Missing Authorization to Authenticated (Subscriber+) Inactive Membership Plan Subscription

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12. This is due to the 'process_checkout' function not properly enforcing the plan active status check when a 'change_plan_sub_id' parameter is provided. This makes it possible for authenticated attackers, with Subscriber-level access and above, to subscribe to inactive membership plans by supplying an arbitrary 'change_plan_sub_id' value in the checkout request.

Action-Not Available
Vendor-properfraction
Product-Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
CWE ID-CWE-862
Missing Authorization
CVE-2023-28416
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 29.98%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Chankhe theme <= 1.0.5 - Authenticated Arbitrary Plugin Activation vulnerability

Missing Authorization vulnerability in Sparkle Themes Chankhe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chankhe: from n/a through 1.0.5.

Action-Not Available
Vendor-Sparkle Themes
Product-Chankhe
CWE ID-CWE-862
Missing Authorization
CVE-2023-28532
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 29.15%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Real Estate Directory theme <= 1.0.5 - Authenticated Arbitrary Plugin Activation

Missing Authorization vulnerability in wpdirectorykit.com Real Estate Directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Real Estate Directory: from n/a through 1.0.5.

Action-Not Available
Vendor-wpdirectorykit.com
Product-Real Estate Directory
CWE ID-CWE-862
Missing Authorization
CVE-2023-2764
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 39.63%
||
7 Day CHG~0.00%
Published-09 Jun, 2023 | 05:33
Updated-08 Apr, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Draw Attention <= 2.0.11 - Missing Authorization to Arbitrary Post Featured Image Modification

The Draw Attention plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_set_featured_image function in versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the featured image of arbitrary posts with an image that exists in the media library.

Action-Not Available
Vendor-N Squared Digital, LLC
Product-draw_attentionInteractive Image Map Plugin – Draw Attention
CWE ID-CWE-862
Missing Authorization
CVE-2023-2786
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 27.31%
||
7 Day CHG~0.00%
Published-16 Jun, 2023 | 08:43
Updated-06 Dec, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Channel commands execution doesn't properly verify permissions

Mattermost fails to properly check the permissions when executing commands allowing a member with no permissions to post a message in a channel to actually post it by executing channel commands.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-862
Missing Authorization
CVE-2023-28492
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 22.90%
||
7 Day CHG~0.00%
Published-03 Jun, 2024 | 22:09
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Calendar Event Multi View plugin <= 1.4.10 - Missing Authorization Leading To Feedback Submission vulnerability

Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Functionality Misuse.This issue affects CP Multi View Event Calendar: from n/a through 1.4.10.

Action-Not Available
Vendor-CodePeople
Product-CP Multi View Event Calendar
CWE ID-CWE-862
Missing Authorization
CVE-2023-28494
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 23.19%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 07:06
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form Email plugin <= 1.3.31 - Missing Authorization Leading To Feedback Submission Vulnerability

Missing Authorization vulnerability in CodePeople Contact Form Email allows Functionality Misuse.This issue affects Contact Form Email: from n/a through 1.3.31.

Action-Not Available
Vendor-CodePeople
Product-Contact Form Emailcontact_form_email
CWE ID-CWE-862
Missing Authorization
CVE-2023-27625
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 30.44%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Site Reviews plugin <= 6.5.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Paul Ryley Site Reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Site Reviews: from n/a through 6.5.0.

Action-Not Available
Vendor-Paul Ryley
Product-Site Reviews
CWE ID-CWE-862
Missing Authorization
CVE-2026-48973
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 9.96%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 14:28
Updated-27 May, 2026 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SVG Support plugin <= 2.5.14 - Broken Access Control vulnerability

Missing Authorization vulnerability in Benbodhi SVG Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SVG Support: from n/a through 2.5.14.

Action-Not Available
Vendor-Benbodhi
Product-SVG Support
CWE ID-CWE-862
Missing Authorization
CVE-2023-27460
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 29.67%
||
7 Day CHG~0.00%
Published-03 Jun, 2024 | 22:01
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CP Contact Form with PayPal plugin <= 1.3.34 - Missing Authorization Leading To Feedback Submission vulnerability

Missing Authorization vulnerability in CodePeople, paypaldev CP Contact Form with Paypal allows Functionality Misuse.This issue affects CP Contact Form with Paypal: from n/a through 1.3.34.

Action-Not Available
Vendor-CodePeople, paypaldev
Product-CP Contact Form with Paypal
CWE ID-CWE-862
Missing Authorization
CVE-2023-28165
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 29.15%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Backup Bank: WordPress Backup Plugin plugin <= 4.0.28 - Broken Access Control vulnerability

Missing Authorization vulnerability in Tech Banker Backup Bank: WordPress Backup Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backup Bank: WordPress Backup Plugin: from n/a through 4.0.28.

Action-Not Available
Vendor-Tech Banker
Product-Backup Bank: WordPress Backup Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-2083
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.57% / 42.88%
||
7 Day CHG~0.00%
Published-09 Jun, 2023 | 05:33
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essential Blocks <= 4.0.6 - Missing Authorization via save

The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the save function in versions up to, and including, 4.0.6. This makes it possible for subscriber-level attackers to save plugin settings. While a nonce check is present, it is only executed when a nonce is provided. Not providing a nonce results in the nonce verification to be skipped. There is no capability check.

Action-Not Available
Vendor-WPDeveloper
Product-essential_blocksGutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns
CWE ID-CWE-862
Missing Authorization
CVE-2023-2783
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.44% / 35.12%
||
7 Day CHG~0.00%
Published-16 Jun, 2023 | 08:39
Updated-06 Dec, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
App Framework does not checks for the secret provided in the incoming webhook request

Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost App Framework
CWE ID-CWE-862
Missing Authorization
CVE-2026-48811
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 5.06%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 19:47
Updated-01 Jun, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FreeScout: Thread Deletion Bypasses Mailbox Access Revocation

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user's access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221.

Action-Not Available
Vendor-freescout-help-desk
Product-freescout
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 27
  • 28
  • Next
Details not found