Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-6066

Summary
Assigner-WPScan
Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At-15 Jan, 2024 | 15:10
Updated At-09 Jan, 2026 | 21:02
Rejected At-
Credits

WP Custom Widget Area <= 1.2.5 - Subscriber+ Menus Creation/Deletion/Update

The WP Custom Widget area WordPress plugin through 1.2.5 does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WPScan
Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At:15 Jan, 2024 | 15:10
Updated At:09 Jan, 2026 | 21:02
Rejected At:
▼CVE Numbering Authority (CNA)
WP Custom Widget Area <= 1.2.5 - Subscriber+ Menus Creation/Deletion/Update

The WP Custom Widget area WordPress plugin through 1.2.5 does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site.

Affected Products
Vendor
Unknown
Product
WP Custom Widget area
Collection URL
https://wordpress.org/plugins
Default Status
affected
Versions
Affected
  • From 0 through 1.2.5 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Krzysztof Zając (CERT PL)
coordinator
WPScan
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/f8f84d47-49aa-4258-a8a6-3de8e7342623
exploit
vdb-entry
technical-description
Hyperlink: https://wpscan.com/vulnerability/f8f84d47-49aa-4258-a8a6-3de8e7342623
Resource:
exploit
vdb-entry
technical-description
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/f8f84d47-49aa-4258-a8a6-3de8e7342623
exploit
vdb-entry
technical-description
x_transferred
Hyperlink: https://wpscan.com/vulnerability/f8f84d47-49aa-4258-a8a6-3de8e7342623
Resource:
exploit
vdb-entry
technical-description
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:contact@wpscan.com
Published At:15 Jan, 2024 | 16:15
Updated At:12 May, 2025 | 15:15

The WP Custom Widget area WordPress plugin through 1.2.5 does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
kishorkhambu
kishorkhambu
>>wp_custom_widget_area>>Versions up to 1.2.5(inclusive)
cpe:2.3:a:kishorkhambu:wp_custom_widget_area:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarynvd@nist.gov
CWE ID: CWE-862
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://wpscan.com/vulnerability/f8f84d47-49aa-4258-a8a6-3de8e7342623contact@wpscan.com
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/f8f84d47-49aa-4258-a8a6-3de8e7342623af854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/f8f84d47-49aa-4258-a8a6-3de8e7342623
Source: contact@wpscan.com
Resource:
Exploit
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/f8f84d47-49aa-4258-a8a6-3de8e7342623
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1028Records found
CVE-2021-24355
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 45.52%
||
7 Day CHG~0.00%
Published-14 Jun, 2021 | 13:37
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Update and Retrieve Wildcard Value

In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, the lack of capability checks and insufficient nonce check on the AJAX actions, simple301redirects/admin/get_wildcard and simple301redirects/admin/wildcard, made it possible for authenticated users to retrieve and update the wildcard value for redirects.

Action-Not Available
Vendor-UnknownWPDeveloper
Product-simple_301_redirectsSimple 301 Redirects by BetterLinks
CWE ID-CWE-862
Missing Authorization
CVE-2020-7993
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.50%
||
7 Day CHG~0.00%
Published-03 Feb, 2020 | 14:26
Updated-04 Aug, 2024 | 09:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Prototype 1.6.0.1 allows remote authenticated users to forge ticket creation (on behalf of other user accounts) via a modified email ID field.

Action-Not Available
Vendor-prototypejsn/a
Product-prototypen/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-9364
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.15%
||
7 Day CHG~0.00%
Published-18 Oct, 2024 | 04:32
Updated-22 Oct, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SendGrid for WordPress <= 1.4 - Missing Authorization to Authenticated (Subscriber+) Log Deletion

The SendGrid for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_mailplus_clear_logs' function in all versions up to, and including, 1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's log files.

Action-Not Available
Vendor-smackcoderssmackcoders
Product-sendgridSendGrid for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-8552
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 60.70%
||
7 Day CHG~0.00%
Published-26 Sep, 2024 | 02:03
Updated-02 Oct, 2024 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Monitor <= 5.0.9 - Missing Authorization to Authenticated (Subscriber+) Shop Enable

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality.

Action-Not Available
Vendor-wpchillwpchill
Product-download_monitorDownload Monitor
CWE ID-CWE-862
Missing Authorization
CVE-2024-8860
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.54%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 07:06
Updated-26 Aug, 2025 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tourfic <= 2.14.5 - Missing Authorization in Multiple Functions

The Tourfic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields functions in all versions up to, and including, 2.14.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields, respectively.

Action-Not Available
Vendor-themefic
Product-Tourfic – Ultimate Travel Booking, Hotel Booking & Car Rental WordPress Plugin | WooCommerce Booking
CWE ID-CWE-862
Missing Authorization
CVE-2024-9067
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 42.74%
||
7 Day CHG~0.00%
Published-10 Oct, 2024 | 02:06
Updated-15 Oct, 2024 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.3.0 - Missing Authorization to Arbitrary (Subscriber+) Attachment Deletion

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'delete_attachment' function in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments.

Action-Not Available
Vendor-kainelabsyouzify
Product-youzifyYouzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-8437
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 33.15%
||
7 Day CHG~0.00%
Published-24 Sep, 2024 | 07:30
Updated-29 May, 2025 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 - Missing Authorization to Authenticated (Subscriber+) Gallery Manipulation

The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX like wpeg_settings and wpeg_add_gallery in all versions up to, and including, 4.8.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify galleries.

Action-Not Available
Vendor-plugingardenhahncgdev
Product-wp_easy_galleryWP Easy Gallery – WordPress Gallery Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-8675
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.49%
||
7 Day CHG~0.00%
Published-01 Oct, 2024 | 07:30
Updated-04 Oct, 2024 | 13:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Soumettre.fr <= 2.1.2 - Missing Authorization

The Soumettre.fr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the soumettre_disconnect_gateway function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the gateway and delete the API key.

Action-Not Available
Vendor-soumettre
Product-Soumettre.fr
CWE ID-CWE-862
Missing Authorization
CVE-2025-1666
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.33%
||
7 Day CHG~0.00%
Published-06 Mar, 2025 | 11:11
Updated-06 Mar, 2025 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics <= 4.4.1 - Missing Authorization to Authenticated (Subscriber+) Survey Submission

The Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_uninstall_survey() function in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit the uninstall survey on behalf of a website.

Action-Not Available
Vendor-cookiebot
Product-Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics
CWE ID-CWE-862
Missing Authorization
CVE-2020-6273
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 33.56%
||
7 Day CHG~0.00%
Published-12 Aug, 2020 | 13:19
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP S/4 HANA (Fiori UI for General Ledger Accounting), versions 103, 104, does not perform necessary authorization checks for an authenticated user working with attachment service, allowing the attacker to delete attachments due to Missing Authorization Check.

Action-Not Available
Vendor-SAP SE
Product-s\/4_hana_fiori_ui_for_general_ledger_accountingSAP S/4 HANA (Fiori UI for General Ledger Accounting)
CWE ID-CWE-862
Missing Authorization
CVE-2024-9187
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 33.06%
||
7 Day CHG~0.00%
Published-12 Oct, 2024 | 05:39
Updated-15 Oct, 2024 | 13:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Read more By Adam <= 1.1.8 - Missing Authorization to Authenticated (Subscriber+) Read More Button Deletion

The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete read more buttons.

Action-Not Available
Vendor-Adam Skaat (Edmonsoft)
Product-Read more By Adam
CWE ID-CWE-862
Missing Authorization
CVE-2024-1502
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.08% / 22.78%
||
7 Day CHG~0.00%
Published-12 Mar, 2024 | 23:33
Updated-15 Jan, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tutor_delete_announcement() function in all versions up to, and including, 2.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.

Action-Not Available
Vendor-Themeum
Product-tutor_lmsTutor LMS – eLearning and online course solution
CWE ID-CWE-862
Missing Authorization
CVE-2024-13687
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.28%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-21 Feb, 2025 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Team Builder – Meet the Team <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The Team Builder – Meet the Team plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_team_builder_options() function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.

Action-Not Available
Vendor-webdevoceanlabibahmed42
Product-team_builderTeam Builder – Meet the Team
CWE ID-CWE-862
Missing Authorization
CVE-2025-14342
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.71%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 04:36
Updated-19 Feb, 2026 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SEO Plugin by Squirrly SEO <= 12.4.14 - Missing Authorization to Authenticated (Subscriber+) Cloud Service Disconnection

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sq_ajax_uninstall function in all versions up to, and including, 12.4.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from Squirrly's cloud service.

Action-Not Available
Vendor-cifi
Product-SEO Plugin by Squirrly SEO
CWE ID-CWE-862
Missing Authorization
CVE-2025-14426
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.95%
||
7 Day CHG~0.00%
Published-30 Dec, 2025 | 12:22
Updated-31 Dec, 2025 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Strong Testimonials <= 3.2.18 - Missing Authorization to Authenticated (Contributor+) Rating Meta Update

The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.

Action-Not Available
Vendor-wpchill
Product-Strong Testimonials
CWE ID-CWE-862
Missing Authorization
CVE-2024-13810
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.03%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 09:21
Updated-05 Mar, 2025 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zass - WooCommerce Theme for Handmade Artists and Artisans <= 3.9.9.10 - Missing Authorization to Authenticated (Subscriber+) Demo Import

The Zass - WooCommerce Theme for Handmade Artists and Artisans theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'zass_import_zass' AJAX actions in all versions up to, and including, 3.9.9.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo content and overwrite the site.

Action-Not Available
Vendor-AlThemist
Product-Zass - WooCommerce Theme for Handmade Artists and Artisans
CWE ID-CWE-862
Missing Authorization
CVE-2024-13715
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.28%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 13:42
Updated-30 Jan, 2025 | 18:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zStore Manager Basic <= 3.311 - Missing Authorization to Authenticated (Subscriber+) Cache Clearing

The zStore Manager Basic plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the zstore_clear_cache() function in all versions up to, and including, 3.311. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's cache.

Action-Not Available
Vendor-ikjwebilenejohnson
Product-zstore_manager_basiczStore Manager Basic
CWE ID-CWE-862
Missing Authorization
CVE-2024-1653
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.30%
||
7 Day CHG~0.00%
Published-27 Feb, 2024 | 11:05
Updated-22 Apr, 2025 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxUpdateFolderPosition in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the folder position of categories as well as update the metadata of other taxonomies.

Action-Not Available
Vendor-frenifyfrenify
Product-categorifyCategorify – WordPress Media Library Category & File Manager
CWE ID-CWE-862
Missing Authorization
CVE-2024-1649
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.30%
||
7 Day CHG~0.00%
Published-27 Feb, 2024 | 11:05
Updated-07 Jan, 2025 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxDeleteCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete categories.

Action-Not Available
Vendor-frenifyfrenify
Product-categorifyCategorify – WordPress Media Library Category & File Manager
CWE ID-CWE-862
Missing Authorization
CVE-2024-1861
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 30.71%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 09:33
Updated-27 Jan, 2025 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihacker_truncate_scan_table() function in all versions up to, and including, 4.52. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate the scan table.

Action-Not Available
Vendor-billminozzisminozzi
Product-anti_hackerDisable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
CWE ID-CWE-862
Missing Authorization
CVE-2024-1390
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.60%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-22 Jan, 2025 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables.

Action-Not Available
Vendor-cozmoslabsiovamihai
Product-membership_\&_content_restriction_-_paid_member_subscriptionsPaid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction
CWE ID-CWE-862
Missing Authorization
CVE-2024-1388
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 36.38%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 06:46
Updated-16 Jan, 2025 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Yuki theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_customizer_options() function in all versions up to, and including, 1.3.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to reset the theme's settings.

Action-Not Available
Vendor-wpmoosewpmoose
Product-yukiYuki
CWE ID-CWE-862
Missing Authorization
CVE-2024-13651
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.28%
||
7 Day CHG~0.00%
Published-01 Feb, 2025 | 03:21
Updated-21 Feb, 2025 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RapidLoad – Optimize Web Vitals Automatically <= 2.4.4 - Missing Authorization to Authenticated (Subscriber+) Limited Setting Reset

The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_deactivate() function in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset some of the plugin's settings.

Action-Not Available
Vendor-rapidloadshakee93
Product-rapidload_power-up_for_autoptimizeRapidLoad – Optimize Web Vitals Automatically
CWE ID-CWE-862
Missing Authorization
CVE-2024-1870
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.21%
||
7 Day CHG~0.00%
Published-09 Mar, 2024 | 09:37
Updated-28 Jan, 2025 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key.

Action-Not Available
Vendor-extendthemesextendthemes
Product-colibri_page_builderColibri Page Builder
CWE ID-CWE-862
Missing Authorization
CVE-2025-13756
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.93%
||
7 Day CHG~0.00%
Published-03 Dec, 2025 | 13:52
Updated-04 Dec, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution <= 1.9.11 - Authenticated (Subscriber+) Missing Authorization to Calendar Import and Management

The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the "importCalendar" function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with subscriber level access and above, to import arbitrary calendars and manage them.

Action-Not Available
Vendor-techjewel
Product-Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution
CWE ID-CWE-862
Missing Authorization
CVE-2025-13750
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.90%
||
7 Day CHG~0.00%
Published-17 Dec, 2025 | 06:36
Updated-18 Dec, 2025 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Converter for Media <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint

The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments.

Action-Not Available
Vendor-mateuszgbiorczyk
Product-Converter for Media – Optimize images | Convert WebP & AVIF
CWE ID-CWE-862
Missing Authorization
CVE-2024-9109
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 30.04%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 05:35
Updated-06 Nov, 2024 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UPS Live Rates and Access Points <= 2.3.11 - Missing Authorization to Plugin API key reset

The WooCommerce UPS Shipping – Live Rates and Access Points plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_oauth_data function in all versions up to, and including, 2.3.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's API key.

Action-Not Available
Vendor-octolizeoctolize
Product-woocommerce_ups_shippingWooCommerce UPS Shipping – Live Rates and Access Points
CWE ID-CWE-862
Missing Authorization
CVE-2024-13716
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.28%
||
7 Day CHG~0.00%
Published-28 Feb, 2025 | 08:23
Updated-28 Feb, 2025 | 13:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Forex Calculators <= 1.3.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The Forex Calculators plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_settings_callback() function in all versions up to, and including, 1.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.

Action-Not Available
Vendor-tarborali
Product-Forex Calculators
CWE ID-CWE-862
Missing Authorization
CVE-2024-13639
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 36.10%
||
7 Day CHG~0.00%
Published-13 Feb, 2025 | 08:21
Updated-18 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Read More & Accordion <= 3.4.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary 'Read More' Post Deletion

The Read More & Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary 'read more' posts.

Action-Not Available
Vendor-edmonparkerAdam Skaat (Edmonsoft)
Product-read_more_\&_accordionRead More & Accordion
CWE ID-CWE-862
Missing Authorization
CVE-2024-1376
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.49%
||
7 Day CHG~0.00%
Published-24 May, 2024 | 06:42
Updated-04 Apr, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Event post <= 5.9.4 - Missing Authorization

The Event post plugin for WordPress is vulnerable to unauthorized bulk metadata update due to a missing capability check on the save_bulkdatas function in all versions up to, and including, 5.9.4. This makes it possible for authenticated attackers, with subscriber access or higher, to update post_meta_data.

Action-Not Available
Vendor-avecnousbastho
Product-event_postEvent post
CWE ID-CWE-862
Missing Authorization
CVE-2025-12953
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.93%
||
7 Day CHG~0.00%
Published-11 Nov, 2025 | 11:03
Updated-14 Nov, 2025 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.2.0 - Missing Authorization to Authenticated (Subscriber+) Listing Types Tampering

The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "rtcl_ajax_add_listing_type", "rtcl_ajax_update_listing_type", and "rtcl_ajax_delete_listing_type" function in all versions up to, and including, 5.2.0. This makes it possible for authenticated attackers, with subscriber level access and above, to add, update, or delete listing types.

Action-Not Available
Vendor-techlabpro1
Product-Classified Listing – AI-Powered Classified ads & Business Directory Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-1804
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 40.67%
||
7 Day CHG~0.00%
Published-27 Jul, 2024 | 01:51
Updated-19 Sep, 2024 | 13:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutor LMS – Migration Tool <= 2.2.0 - Missing Authorization in tutor_import_from_xml

The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tutor_import_from_xml function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to import courses.

Action-Not Available
Vendor-Themeum
Product-tutor_lms_-_migration_toolTutor LMS – Migration Tool
CWE ID-CWE-862
Missing Authorization
CVE-2024-13717
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.28%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 05:22
Updated-31 Jan, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form and Calls To Action by vcita <= 2.7.1 - Missing Authorization to Authenticated (Subscriber+) Contact/Widget Toggle

The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_ajax_toggle_ae and vcita_ajax_toggle_contact functions in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to enabled and disable widgets.

Action-Not Available
Vendor-vcita
Product-Contact Form and Calls To Action by vcita
CWE ID-CWE-862
Missing Authorization
CVE-2024-1771
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.08% / 24.48%
||
7 Day CHG~0.00%
Published-06 Mar, 2024 | 05:33
Updated-11 Mar, 2025 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage.

Action-Not Available
Vendor-hashthemeshashthemeshashthemes
Product-totalTotaltotal
CWE ID-CWE-862
Missing Authorization
CVE-2024-13686
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.47%
||
7 Day CHG~0.00%
Published-04 Mar, 2025 | 03:37
Updated-04 Mar, 2025 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VW Storefront <= 0.9.9 - Missing Authorization to Authenticated (Subscriber+) Settings Reset

The VW Storefront theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vw_storefront_reset_all_settings() function in all versions up to, and including, 0.9.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the themes settings.

Action-Not Available
Vendor-vowelweb
Product-VW Storefront
CWE ID-CWE-862
Missing Authorization
CVE-2024-12826
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 42.18%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-27 Jan, 2025 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GoHero Store Customizer for WooCommerce <= 3.5 - Missing Authorization to Unuthenticated Settings Update

The GoHero Store Customizer for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wooh_action_settings_save_frontend() function in all versions up to, and including, 3.5. This makes it possible for unauthenticated attackers to update limited plugin settings.

Action-Not Available
Vendor-nmedia
Product-GoHero Store Customizer for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-1288
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.92%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-11 Mar, 2025 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saswp_reviews_form_render' function in all versions up to, and including, 1.26. This makes it possible for authenticated attackers, with contributor access and above, to modify the plugin's stored reCaptcha site and secret keys, potentially breaking the reCaptcha functionality.

Action-Not Available
Vendor-Mohammed & Ahmed Kaludi (Magazine3)
Product-schema_\&_structured_data_for_wp_\&_ampSchema & Structured Data for WP & AMP
CWE ID-CWE-862
Missing Authorization
CVE-2025-12783
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.93%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 03:20
Updated-15 Dec, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Premmerce Brands for WooCommerce <= 1.2.13 - Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update

The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings.

Action-Not Available
Vendor-premmerce
Product-Premmerce Brands for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-12751
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.93%
||
7 Day CHG~0.00%
Published-19 Nov, 2025 | 05:45
Updated-19 Nov, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WSChat – WordPress Live Chat <= 3.1.6 - Missing Authorization to Authenticated (Subscriber+) Settings Reset

The WSChat – WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.

Action-Not Available
Vendor-elextensions
Product-WSChat – WordPress Live Chat
CWE ID-CWE-862
Missing Authorization
CVE-2024-13335
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.20%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 11:07
Updated-05 Feb, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sastra Essential Addons for Elementor – Free Elementor Addons, Widgets and Templates <= 1.0.14 - Missing Authorization to Spexo Theme Install

The Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the tmpcoder_theme_install_func() function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install a theme.

Action-Not Available
Vendor-templatescodertemplatescoderthemes
Product-spexo_addons_for_elementorSpexo Addons for Elementor – Free Elementor Addons, Widgets and Templates
CWE ID-CWE-862
Missing Authorization
CVE-2024-13449
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 27.84%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 08:23
Updated-04 Feb, 2025 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Boom Fest <= 2.2.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

The Boom Fest plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'bf_admin_action' function in all versions up to, and including, 2.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings that change the appearance of the website.

Action-Not Available
Vendor-ibsoftsibsofts
Product-boom_festBoom Fest
CWE ID-CWE-862
Missing Authorization
CVE-2024-13415
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 30.08%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 05:22
Updated-31 Jan, 2025 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Food Menu – Restaurant Menu & Online Ordering for WooCommerce <= 5.1.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings.

Action-Not Available
Vendor-techlabpro1
Product-Food Menu – Restaurant Menu & Online Ordering for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-8667
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 47.95%
||
7 Day CHG~0.00%
Published-24 Oct, 2024 | 07:35
Updated-25 Oct, 2024 | 12:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce <= 2.10.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Publication

The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized post publication due to a missing capability check on the activateCampaign() function in all versions up to, and including, 2.10.0. This makes it possible for authenticated attackers, with contributor-level access and above, to publish arbitrary posts like ones they have submitted for review, or a site administrator has in draft.

Action-Not Available
Vendor-nlemsieh
Product-HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-13424
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.50%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 05:22
Updated-31 Jan, 2025 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ni Sales Commission For WooCommerce <= 1.2.4 - Missing Authorization to Authenticated (Subscriber+) Commission Update

The Ni Sales Commission For WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'niwoosc_ajax' AJAX endpoint in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins settings and modify commission amounts.

Action-Not Available
Vendor-anzia
Product-Ni Sales Commission For WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-13229
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.84%
||
7 Day CHG~0.00%
Published-13 Feb, 2025 | 04:21
Updated-24 Feb, 2025 | 17:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rank Math SEO <= 1.0.235 - Missing Authorization to Authenticated (Contributor+) Arbitrary Schema Deletion

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the update_metadata() function in all versions up to, and including, 1.0.235. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete any schema metadata assigned to any post.

Action-Not Available
Vendor-rankmathrankmath
Product-seoRank Math SEO – AI SEO Tools to Dominate SEO Rankings
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2025-12640
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.90%
||
7 Day CHG~0.00%
Published-08 Jan, 2026 | 02:21
Updated-08 Jan, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager <= 3.1.5 - Missing Authorization to Authenticated (Author+) Media Replacement

The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file_upload() function. This makes it possible for authenticated attackers, with Author-level access and above, to replace arbitrary media files from the WordPress Media Library.

Action-Not Available
Vendor-galdub
Product-Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
CWE ID-CWE-862
Missing Authorization
CVE-2024-13368
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.20%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-04 Feb, 2025 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the youzify_offer_banner() function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary site options to a value of one.

Action-Not Available
Vendor-kainelabsyouzify
Product-youzifyYouzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-8432
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 45.35%
||
7 Day CHG~0.00%
Published-24 Sep, 2024 | 01:56
Updated-27 Sep, 2024 | 12:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Appointment & Event Booking Calendar Plugin – Webba Booking <= 5.0.48 - Missing Authorization to Authenticated (Subscriber+) CSS Settings Update

The Appointment & Event Booking Calendar Plugin – Webba Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_appearance() function in all versions up to, and including, 5.0.48. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the booking form's CSS.

Action-Not Available
Vendor-webba-bookingwebba-agency
Product-webba_bookingAppointment & Event Booking Calendar Plugin – Webba Booking
CWE ID-CWE-862
Missing Authorization
CVE-2024-13420
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.06%
||
7 Day CHG+0.01%
Published-02 May, 2025 | 03:21
Updated-06 May, 2025 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smart Framework <= Multiple Plugins - Missing Authorization to Authenticated (Subscriber+) Settings Updates

Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access due to a missing capability check on several AJAX actions like 'gsf_reset_section_options', 'gsf_reset_section_options', 'gsf_create_preset_options' and more in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset and modify some of the plugin/theme settings. This issue was escalated to Envato over two months from the date of this disclosure and the issues, while partially patched, are still vulnerable.

Action-Not Available
Vendor-g5plusG5Theme
Product-aprilbenaabeyotauteurBeyot FrameworkBenaa FrameworkApril FrameworkAuteur Framework
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-12781
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 40.16%
||
7 Day CHG+0.05%
Published-07 Jan, 2025 | 06:40
Updated-07 Jan, 2025 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Aurum - WordPress & WooCommerce Shopping Theme <= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Demo Content Import

The Aurum - WordPress & WooCommerce Shopping Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'lab_1cl_demo_install_package_content' function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite content with imported demo content.

Action-Not Available
Vendor-Laborator
Product-Aurum - WordPress & WooCommerce Shopping Theme
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 20
  • 21
  • Next
Details not found