Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-0370

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-05 Feb, 2024 | 21:21
Updated At-17 Jun, 2025 | 19:55
Rejected At-
Credits

The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:05 Feb, 2024 | 21:21
Updated At:17 Jun, 2025 | 19:55
Rejected At:
▼CVE Numbering Authority (CNA)

The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts.

Affected Products
Vendor
aman086
Product
Views for WPForms – Display & Edit WPForms Entries on your site frontend
Default Status
unaffected
Versions
Affected
  • From * through 3.2.2 (semver)
Problem Types
TypeCWE IDDescription
N/AN/ACWE-284 Improper Access Control
Type: N/A
CWE ID: N/A
Description: CWE-284 Improper Access Control
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Francesco Carlucci
Timeline
EventDate
Disclosed2024-01-24 00:00:00
Event: Disclosed
Date: 2024-01-24 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/3c4c8113-4c46-4179-9c7f-9d5d4337254d?source=cve
N/A
https://plugins.trac.wordpress.org/changeset?old_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.2&old=3026471&new_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.3&new=3026471&sfp_email=&sfph_mail=
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/3c4c8113-4c46-4179-9c7f-9d5d4337254d?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?old_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.2&old=3026471&new_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.3&new=3026471&sfp_email=&sfph_mail=
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/3c4c8113-4c46-4179-9c7f-9d5d4337254d?source=cve
x_transferred
https://plugins.trac.wordpress.org/changeset?old_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.2&old=3026471&new_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.3&new=3026471&sfp_email=&sfph_mail=
x_transferred
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/3c4c8113-4c46-4179-9c7f-9d5d4337254d?source=cve
Resource:
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/changeset?old_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.2&old=3026471&new_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.3&new=3026471&sfp_email=&sfph_mail=
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:05 Feb, 2024 | 22:16
Updated At:09 Feb, 2024 | 17:30

The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
formviewswp
formviewswp
>>views_for_wpforms>>Versions up to 3.2.2(inclusive)
cpe:2.3:a:formviewswp:views_for_wpforms:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarynvd@nist.gov
CWE ID: CWE-862
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/changeset?old_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.2&old=3026471&new_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.3&new=3026471&sfp_email=&sfph_mail=security@wordfence.com
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/3c4c8113-4c46-4179-9c7f-9d5d4337254d?source=cvesecurity@wordfence.com
Third Party Advisory
Hyperlink: https://plugins.trac.wordpress.org/changeset?old_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.2&old=3026471&new_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.3&new=3026471&sfp_email=&sfph_mail=
Source: security@wordfence.com
Resource:
Patch
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/3c4c8113-4c46-4179-9c7f-9d5d4337254d?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

796Records found
CVE-2024-12618
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 13.09%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 11:10
Updated-09 Jan, 2025 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newsletter2Go <= 4.0.14 - Missing Authorization to Authenticated (Subscriber+) Style Reset

The Newsletter2Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resetStyles' AJAX action in all versions up to, and including, 4.0.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset styles.

Action-Not Available
Vendor-newsletter2go
Product-Newsletter2Go
CWE ID-CWE-862
Missing Authorization
CVE-2024-12606
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 13.09%
||
7 Day CHG~0.00%
Published-10 Jan, 2025 | 03:21
Updated-10 Jan, 2025 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) <= 2.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engine_request_data() function in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.

Action-Not Available
Vendor-opacewebdesign
Product-AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K)
CWE ID-CWE-862
Missing Authorization
CVE-2024-12826
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 16.79%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-27 Jan, 2025 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GoHero Store Customizer for WooCommerce <= 3.5 - Missing Authorization to Unuthenticated Settings Update

The GoHero Store Customizer for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wooh_action_settings_save_frontend() function in all versions up to, and including, 3.5. This makes it possible for unauthenticated attackers to update limited plugin settings.

Action-Not Available
Vendor-nmedia
Product-GoHero Store Customizer for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-12431
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.07%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 20:30
Updated-05 Aug, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in GitLab

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthorized users could manipulate the status of issues in public projects.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2024-12596
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 18.12%
||
7 Day CHG+0.01%
Published-18 Dec, 2024 | 03:22
Updated-11 Jul, 2025 | 21:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes <= 7.8.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to arbitrary post deletion due to a missing capability check on the 'llms_delete_cert' action in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.

Action-Not Available
Vendor-lifterlmschrisbadgett
Product-lifterlmsLifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
CWE ID-CWE-862
Missing Authorization
CVE-2024-12616
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 13.09%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 11:11
Updated-09 Jan, 2025 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bitly's WordPress Plugin <= 2.7.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The Bitly&#039;s WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 2.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and retrieve plugin settings.

Action-Not Available
Vendor-bitlydeveloper
Product-Bitly&#039;s WordPress Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-12781
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 13.09%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 06:40
Updated-07 Jan, 2025 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Aurum - WordPress & WooCommerce Shopping Theme <= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Demo Content Import

The Aurum - WordPress & WooCommerce Shopping Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'lab_1cl_demo_install_package_content' function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite content with imported demo content.

Action-Not Available
Vendor-Laborator
Product-Aurum - WordPress & WooCommerce Shopping Theme
CWE ID-CWE-862
Missing Authorization
CVE-2024-12263
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.37%
||
7 Day CHG~0.00%
Published-12 Dec, 2024 | 05:24
Updated-12 Dec, 2024 | 15:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Child Theme Creator by Orbisius <= 1.5.5 - Missing Authorization to Authenticated (Subscriber+) Cloud Snippet Update/Delete

The Child Theme Creator by Orbisius plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cloud_delete() and cloud_update() functions in all versions up to, and including, 1.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and delete cloud snippets. Please note that this vulnerability was present in the Cloud Library Addon used by the plugin and not in the plugin itself, the cloud library has been removed entirely.

Action-Not Available
Vendor-lordspace
Product-Child Theme Creator by Orbisius
CWE ID-CWE-862
Missing Authorization
CVE-2024-12341
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.64%
||
7 Day CHG+0.01%
Published-12 Dec, 2024 | 03:23
Updated-12 Dec, 2024 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Custom Skins Contact Form 7 <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Update and Skin Creation

The Custom Skins Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf7cs_action_callback' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the content of any post and create new skins.

Action-Not Available
Vendor-mahendrapatidarmp
Product-Custom Skins Contact Form 7
CWE ID-CWE-862
Missing Authorization
CVE-2021-4364
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.74%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 01:51
Updated-20 Dec, 2024 | 23:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_add_job_import_schedule_call() function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to add and/or modify schedule calls.

Action-Not Available
Vendor-eyecixhttps://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856
Product-jobsearch_wp_job_boardJobSearch WP Job Board
CWE ID-CWE-862
Missing Authorization
CVE-2024-1288
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 33.51%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-11 Mar, 2025 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saswp_reviews_form_render' function in all versions up to, and including, 1.26. This makes it possible for authenticated attackers, with contributor access and above, to modify the plugin's stored reCaptcha site and secret keys, potentially breaking the reCaptcha functionality.

Action-Not Available
Vendor-Mohammed & Ahmed Kaludi (Magazine3)
Product-schema_\&_structured_data_for_wp_\&_ampSchema & Structured Data for WP & AMP
CWE ID-CWE-862
Missing Authorization
CVE-2024-12327
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.93%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 04:22
Updated-07 Jan, 2025 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LazyLoad Background Images <= 1.0.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

The LazyLoad Background Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pblzbg_save_settings() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.

Action-Not Available
Vendor-proloybhaduri
Product-LazyLoad Background Images
CWE ID-CWE-862
Missing Authorization
CVE-2021-4366
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.03% / 7.10%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 01:51
Updated-20 Dec, 2024 | 23:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The PWA for WP & AMP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the pwaforwp_update_features_options function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to change the otherwise restricted settings within the plugin.

Action-Not Available
Vendor-Mohammed & Ahmed Kaludi (Magazine3)
Product-pwa_for_wp_\&_ampPWA for WP & AMP
CWE ID-CWE-862
Missing Authorization
CVE-2024-12331
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.66%
||
7 Day CHG~0.00%
Published-19 Dec, 2024 | 11:14
Updated-05 Mar, 2025 | 18:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Manager Pro – Filester <= 1.8.6 - Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation

The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_install_plugin' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Filebird plugin.

Action-Not Available
Vendor-NinjaTeam
Product-filesterFile Manager Pro – Filester
CWE ID-CWE-862
Missing Authorization
CVE-2024-12614
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.10% / 27.53%
||
7 Day CHG+0.01%
Published-16 Jan, 2025 | 09:39
Updated-17 Jan, 2025 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Passwords Manager <= 1.4.8 - Missing Authorization to Authenticated (Subscriber+) Add Password + Update Encryption Key

The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins settings and add passwords.

Action-Not Available
Vendor-hirewebxpertscoder426
Product-passwords_managerPasswords Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE ID-CWE-862
Missing Authorization
CVE-2024-12249
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 16.45%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 11:10
Updated-09 Jan, 2025 | 14:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GS Insever Portfolio <= 1.4.5 - Missing Authorization to Authenticated (Subscriber+) CSS Injection

The GS Insever Portfolio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings() function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's CSS settings.

Action-Not Available
Vendor-samdani
Product-GS Insever Portfolio
CWE ID-CWE-862
Missing Authorization
CVE-2024-12164
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 15.95%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 04:22
Updated-25 Feb, 2025 | 03:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Settings Reset

The WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpsslwp_reset_settings() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.

Action-Not Available
Vendor-creativewerkdesignscreativewerkdesigns
Product-wpsyncsheetsWPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon
CWE ID-CWE-862
Missing Authorization
CVE-2024-1124
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.76%
||
7 Day CHG~0.00%
Published-09 Mar, 2024 | 07:01
Updated-15 Jan, 2025 | 21:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the ep_send_attendees_email() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary emails with arbitrary content from the site.

Action-Not Available
Vendor-Metagauss Inc.
Product-eventprimeEventPrime – Events Calendar, Bookings and Tickets
CWE ID-CWE-862
Missing Authorization
CVE-2024-11851
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 13.09%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 11:29
Updated-15 Jan, 2025 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NitroPack <= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update

The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to integers and not arbitrary values.

Action-Not Available
Vendor-nitropack
Product-NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN
CWE ID-CWE-862
Missing Authorization
CVE-2024-1129
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 50.27%
||
7 Day CHG~0.00%
Published-01 Feb, 2024 | 04:31
Updated-15 Jan, 2025 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the set_starred() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark records as starred.

Action-Not Available
Vendor-basixonlinewebawaysbasixonline
Product-nex-formsNEX-Forms – Ultimate Form Builder – Contact forms and much morenex-forms
CWE ID-CWE-862
Missing Authorization
CVE-2024-12110
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.64%
||
7 Day CHG+0.01%
Published-06 Dec, 2024 | 08:24
Updated-06 Dec, 2024 | 17:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gold Addons for Elementor <= 1.3.2 - Missing Authorization to Authenticated (Subscriber+) License Activation/Deactivation

The Gold Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate() and deactivate() functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate and deactivate licenses.

Action-Not Available
Vendor-jerryscg
Product-Gold Addons for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2024-12113
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.03%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-28 May, 2025 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress By KaineLabs <= 1.3.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Review Deletion

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_user_review() and delete_review() functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user's reviews.

Action-Not Available
Vendor-kainelabsyouzify
Product-youzifyYouzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-12027
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.64%
||
7 Day CHG+0.01%
Published-06 Dec, 2024 | 08:24
Updated-06 Dec, 2024 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Message Filter for Contact Form 7 <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Filter Updates/Deletions

The Message Filter for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateFilter() and deleteFilter() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update and delete filters.

Action-Not Available
Vendor-kofimokome
Product-Message Filter for Contact Form 7
CWE ID-CWE-862
Missing Authorization
CVE-2023-6598
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.61%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 08:33
Updated-14 Nov, 2024 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SpeedyCache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the speedycache_save_varniship, speedycache_img_update_settings, speedycache_preloading_add_settings, and speedycache_preloading_delete_resource functions in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update plugin options.

Action-Not Available
Vendor-softaculoussoftaculous
Product-speedycacheSpeedyCache – Cache, Optimization, Performance
CWE ID-CWE-862
Missing Authorization
CVE-2021-4446
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 21.72%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 06:43
Updated-10 Jan, 2025 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essential Addons for Elementor <= 4.6.4 - Missing Authorization

The Essential Addons for Elementor plugin for WordPress is vulnerable to authorization bypass in versions up to and including 4.6.4 due to missing capability checks and nonce disclosure. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to perform many unauthorized actions such as changing settings and installing arbitrary plugins.

Action-Not Available
Vendor-WPDeveloper
Product-essential_addons_for_elementorEssential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders
CWE ID-CWE-862
Missing Authorization
CVE-2024-12033
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 16.58%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 11:11
Updated-22 Jan, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jupiter X Core <= 4.8.5 - Missing Authorization to Authenticated Library Sync

The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the sync_libraries() function in all versions up to, and including, 4.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to sync libraries

Action-Not Available
Vendor-artbeesartbees
Product-jupiter_x_coreJupiter X Core
CWE ID-CWE-862
Missing Authorization
CVE-2024-11844
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.72%
||
7 Day CHG~0.00%
Published-03 Dec, 2024 | 08:32
Updated-05 Jun, 2025 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IdeaPush <= 8.71 - Missing Authorization to Board Term Deletion

The IdeaPush plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the idea_push_taxonomy_save_routine function in all versions up to, and including, 8.71. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete terms for the "boards" taxonomy.

Action-Not Available
Vendor-northernbeacheswebsitesnorthernbeacheswebsites
Product-ideapushIdeaPush
CWE ID-CWE-862
Missing Authorization
CVE-2024-1158
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.49%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-11 Mar, 2025 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buddyforms_new_page function in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber access or higher, to create pages with arbitrary titles. These pages are published.

Action-Not Available
Vendor-themekraftsvenl77
Product-buddyformsPost Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
CWE ID-CWE-862
Missing Authorization
CVE-2024-11354
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 20.30%
||
7 Day CHG~0.00%
Published-21 Nov, 2024 | 02:06
Updated-26 Nov, 2024 | 17:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate YouTube Video & Shorts Player With Vimeo <= 3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Playlist/Video Deletion

The Ultimate YouTube Video & Shorts Player With Vimeo plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the del_ytsingvid() function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete single playlists.

Action-Not Available
Vendor-codelizarcodelizarplugs
Product-ultimate_youtube_video_\&_shorts_player_with_vimeoUltimate YouTube Video & Shorts Player With Vimeo
CWE ID-CWE-862
Missing Authorization
CVE-2024-11911
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.66%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 08:24
Updated-11 Feb, 2025 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Crowdfunding <= 2.1.12 - Missing Authorization to Authenticated (Subscriber+) WooCommerce Installation

The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_woocommerce_plugin() function action in all versions up to, and including, 2.1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install WooCommerce. This has a limited impact on most sites because WooCommerce is a requirement.

Action-Not Available
Vendor-Themeum
Product-wp_crowdfundingWP Crowdfunding
CWE ID-CWE-862
Missing Authorization
CVE-2024-11724
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.37%
||
7 Day CHG~0.00%
Published-12 Dec, 2024 | 06:46
Updated-14 Jul, 2025 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Whitelist Script

The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpl_script_save AJAX action in all versions up to, and including, 3.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to whitelist scripts.

Action-Not Available
Vendor-wpekawplegalpages
Product-wp_cookie_consentCookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent
CWE ID-CWE-862
Missing Authorization
CVE-2024-12018
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 24.13%
||
7 Day CHG~0.00%
Published-12 Dec, 2024 | 05:24
Updated-12 Dec, 2024 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Snippet Shortcodes <= 4.1.6 - Authenticated (Subscriber+) Shortcode Deletion

The Snippet Shortcodes plugin for WordPress is vulnerable to unauthorized Shortcode Deletion due to missing authorization in all versions up to, and including, 4.1.6. Note that a nonce is used as authentication here, but the value is leaked. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Shortcodes.

Action-Not Available
Vendor-aliakro
Product-Snippet Shortcodes
CWE ID-CWE-862
Missing Authorization
CVE-2024-11918
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 18.30%
||
7 Day CHG~0.00%
Published-28 Nov, 2024 | 05:57
Updated-29 Nov, 2024 | 15:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Alt Text <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Image Alt Text Update

The Image Alt Text plugin for WordPress is vulnerable to unauthorized modification of data| due to a missing capability check on the iat_add_alt_txt_action and iat_update_alt_txt_action AJAX actions in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the alt text on arbitrary images.

Action-Not Available
Vendor-rswebstudios
Product-Image Alt Text
CWE ID-CWE-862
Missing Authorization
CVE-2024-12026
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.64%
||
7 Day CHG+0.01%
Published-07 Dec, 2024 | 01:45
Updated-09 Dec, 2024 | 18:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Message Filter for Contact Form 7 <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) New Filter Creation

The Message Filter for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveFilter() function in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new filters.

Action-Not Available
Vendor-kofimokome
Product-Message Filter for Contact Form 7
CWE ID-CWE-862
Missing Authorization
CVE-2024-11583
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.38%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 13:41
Updated-31 Jan, 2025 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg <= 1.5.9 - Missing Authorization to Icon Font Deletion

The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'remove_zipped_font' function in all versions up to, and including, 1.5.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete icon fonts that were previously uploaded.

Action-Not Available
Vendor-visualmodovisualmodo
Product-borderlessBorderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
CWE ID-CWE-862
Missing Authorization
CVE-2024-11709
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.09%
||
7 Day CHG+0.01%
Published-12 Dec, 2024 | 04:23
Updated-12 Dec, 2024 | 15:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI Post Generator | AutoWriter <= 3.5 - Missing Authorization to Authenticated (Contributor+) Post/Page Deletion

The AI Post Generator | AutoWriter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ai_post_generator_delete_Post AJAX action in all versions up to, and including, 3.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary pages and posts.

Action-Not Available
Vendor-kekotron
Product-AI Post Generator | AutoWriter
CWE ID-CWE-862
Missing Authorization
CVE-2024-11353
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.72%
||
7 Day CHG+0.01%
Published-07 Dec, 2024 | 01:45
Updated-09 Dec, 2024 | 18:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SMS for Lead Capture Forms <= 1.1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion

The SMS for Lead Capture Forms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_message() function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary messages.

Action-Not Available
Vendor-clicksend
Product-SMS for Lead Capture Forms
CWE ID-CWE-862
Missing Authorization
CVE-2024-11271
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.10% / 27.48%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 04:17
Updated-17 Jan, 2025 | 20:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Webinar Plugin – WebinarPress <= 1.33.24 - Missing Authorization to Authenticated (Subscriber+) Webinar Updates

The WordPress Webinar Plugin – WebinarPress plugin for WordPress is vulnerable to modification of data due to a missing capability check on several functions in all versions up to, and including, 1.33.24. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify webinars.

Action-Not Available
Vendor-webinarpresswpwebinarsystem
Product-webinarpressWordPress Webinar Plugin – WebinarPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-1092
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.43%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 21:21
Updated-03 Sep, 2024 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the feedzy dashboard in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with contributor access or higher, to create, edit or delete feed categories created by them.

Action-Not Available
Vendor-Themeisle
Product-rss_aggregator_by_feedzyRSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
CWE ID-CWE-862
Missing Authorization
CVE-2024-10854
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 18.30%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 02:02
Updated-17 Jan, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Buy one click WooCommerce <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Settings Import

The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buy_one_click_import_options AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import plugin settings.

Action-Not Available
Vendor-zixnnorthmule
Product-buy_one_click_woocommerceBuy one click WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-1078
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.21%
||
7 Day CHG~0.00%
Published-07 Feb, 2024 | 07:32
Updated-01 Aug, 2024 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ays_quick_start() and add_question_rows() functions in all versions up to, and including, 6.5.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary quizzes.

Action-Not Available
Vendor-AYS Pro Extensions
Product-quiz_makerQuiz Maker
CWE ID-CWE-862
Missing Authorization
CVE-2024-10897
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 20.30%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 04:29
Updated-20 Nov, 2024 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutor LMS Elementor Addons <= 2.1.5 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation

The Tutor LMS Elementor Addons plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_etlms_dependency_plugin() function in all versions up to, and including, 2.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install Elementor or Tutor LMS. Please note the impact of this issue is incredibly limited due to the fact that these two plugins will likely already be installed as a dependency of the plugin.

Action-Not Available
Vendor-Themeum
Product-tutor_lms_elementor_addonsTutor LMS Elementor Addons
CWE ID-CWE-862
Missing Authorization
CVE-2023-5415
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.39%
||
7 Day CHG~0.00%
Published-22 Nov, 2023 | 15:33
Updated-02 Aug, 2024 | 07:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_add_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to add new categories.

Action-Not Available
Vendor-funnelformsfunnelforms
Product-funnelformsInteractive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
CWE ID-CWE-862
Missing Authorization
CVE-2024-10528
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.62%
||
7 Day CHG~0.00%
Published-21 Nov, 2024 | 05:33
Updated-21 Nov, 2024 | 13:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Member <= 2.8.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Profile Picture Update

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_ajax_um_resize_image() and ajax_resize_image() functions in all versions up to, and including, 2.8.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the profile pictures of other users.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-10531
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.07% / 22.63%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 02:33
Updated-18 Nov, 2024 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kognetiks Chatbot for WordPress <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Assistant Update

The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_assistant() function in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update GTP assistants.

Action-Not Available
Vendor-kognetikskognetikskognetiks
Product-kognetiks_chatbotKognetiks Chatbot for WordPresschatbot
CWE ID-CWE-862
Missing Authorization
CVE-2024-10663
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.64%
||
7 Day CHG~0.00%
Published-04 Dec, 2024 | 02:40
Updated-04 Dec, 2024 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Eleblog – Elementor Blog And Magazine Addons <= 1.8 - Missing Authorization to Authenticated (Subscriber+) Deactivation Submission

The Eleblog – Elementor Blog And Magazine Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the goodbye_form_callback() function in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit a deactivation reason.

Action-Not Available
Vendor-smarettheme
Product-Eleblog – Elementor Blog And Magazine Addons
CWE ID-CWE-862
Missing Authorization
CVE-2024-10326
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 2.61%
||
7 Day CHG~0.00%
Published-08 Mar, 2025 | 12:21
Updated-12 Mar, 2025 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RomethemeKit For Elementor <= 1.5.3 - Missing Authorization in save_options and reset_widgets

The RomethemeKit For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_options and reset_widgets functions in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or reset plugin widgets to their default state (all enabled). NOTE: This vulnerability was partially fixed in version 1.5.3.

Action-Not Available
Vendor-romethemerometheme
Product-romethemekit_for_elementorRomethemeKit For Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2024-10532
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 18.30%
||
7 Day CHG~0.00%
Published-21 Nov, 2024 | 02:06
Updated-21 Nov, 2024 | 13:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bard Extra <= 1.2.7 - Missing Authorization to Authenticated (Subscriber+) Demo Import

The Bard Extra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bardxtra_import_xml() function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to import demo data.

Action-Not Available
Vendor-Royal Elementor Addons
Product-Bard Extra
CWE ID-CWE-862
Missing Authorization
CVE-2024-10437
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 30.89%
||
7 Day CHG+0.02%
Published-29 Oct, 2024 | 09:31
Updated-29 Oct, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPC Smart Messages for WooCommerce <= 4.2.1 - Missing Authorization to Authenticated (Subscriber+) Message Activation/Deactivation

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smar Message activation/deactivation due to a missing capability check on the ajax_enable function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate smart messages.

Action-Not Available
Vendor-wpclever
Product-WPC Smart Messages for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-1090
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 46.69%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-22 Apr, 2025 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stopOptimizeAll function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify image optimization settings.

Action-Not Available
Vendor-imagerecycleimagerecycle
Product-imagerecycle_pdf_\&_image_compressionImageRecycle pdf & image compression
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • ...
  • 15
  • 16
  • Next
Details not found