Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-0829

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-13 Mar, 2024 | 15:27
Updated At-08 Apr, 2026 | 17:23
Rejected At-
Credits

Comments Extra Fields For Post,Pages and CPT <= 5.0 - Missing Authorization

The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:13 Mar, 2024 | 15:27
Updated At:08 Apr, 2026 | 17:23
Rejected At:
▼CVE Numbering Authority (CNA)
Comments Extra Fields For Post,Pages and CPT <= 5.0 - Missing Authorization

The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings.

Affected Products
Vendor
nmedia
Product
Comments Extra Fields For Post,Pages and CPT
Default Status
unaffected
Versions
Affected
  • From 0 through 5.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Francesco Carlucci
Timeline
EventDate
Disclosed2024-02-26 00:00:00
Event: Disclosed
Date: 2024-02-26 00:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95?source=cve
N/A
https://plugins.trac.wordpress.org/browser/wp-comment-fields/trunk/classes/admin.class.php
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3040734%40wp-comment-fields%2Ftrunk&old=3039523%40wp-comment-fields%2Ftrunk&sfp_email=&sfph_mail=
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/wp-comment-fields/trunk/classes/admin.class.php
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3040734%40wp-comment-fields%2Ftrunk&old=3039523%40wp-comment-fields%2Ftrunk&sfp_email=&sfph_mail=
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95?source=cve
x_transferred
https://plugins.trac.wordpress.org/browser/wp-comment-fields/trunk/classes/admin.class.php
x_transferred
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3040734%40wp-comment-fields%2Ftrunk&old=3039523%40wp-comment-fields%2Ftrunk&sfp_email=&sfph_mail=
x_transferred
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95?source=cve
Resource:
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/browser/wp-comment-fields/trunk/classes/admin.class.php
Resource:
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3040734%40wp-comment-fields%2Ftrunk&old=3039523%40wp-comment-fields%2Ftrunk&sfp_email=&sfph_mail=
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:13 Mar, 2024 | 16:15
Updated At:08 Apr, 2026 | 19:19

The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches

najeebmedia
najeebmedia
>>comments_extra_fields>>Versions before 5.1(exclusive)
cpe:2.3:a:najeebmedia:comments_extra_fields:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity@wordfence.com
CWE-862Secondarynvd@nist.gov
CWE ID: CWE-862
Type: Primary
Source: security@wordfence.com
CWE ID: CWE-862
Type: Secondary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/wp-comment-fields/trunk/classes/admin.class.phpsecurity@wordfence.com
Product
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3040734%40wp-comment-fields%2Ftrunk&old=3039523%40wp-comment-fields%2Ftrunk&sfp_email=&sfph_mail=security@wordfence.com
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95?source=cvesecurity@wordfence.com
Third Party Advisory
https://plugins.trac.wordpress.org/browser/wp-comment-fields/trunk/classes/admin.class.phpaf854a3a-2127-422b-91ae-364da2661108
Product
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3040734%40wp-comment-fields%2Ftrunk&old=3039523%40wp-comment-fields%2Ftrunk&sfp_email=&sfph_mail=af854a3a-2127-422b-91ae-364da2661108
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95?source=cveaf854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Hyperlink: https://plugins.trac.wordpress.org/browser/wp-comment-fields/trunk/classes/admin.class.php
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3040734%40wp-comment-fields%2Ftrunk&old=3039523%40wp-comment-fields%2Ftrunk&sfp_email=&sfph_mail=
Source: security@wordfence.com
Resource:
Patch
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory
Hyperlink: https://plugins.trac.wordpress.org/browser/wp-comment-fields/trunk/classes/admin.class.php
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Product
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3040734%40wp-comment-fields%2Ftrunk&old=3039523%40wp-comment-fields%2Ftrunk&sfp_email=&sfph_mail=
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95?source=cve
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1381Records found

CVE-2024-12826
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 24.62%
||
7 Day CHG~0.00%
Published-25 Jan, 2025 | 07:24
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GoHero Store Customizer for WooCommerce <= 3.5 - Missing Authorization to Unuthenticated Settings Update

The GoHero Store Customizer for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wooh_action_settings_save_frontend() function in all versions up to, and including, 3.5. This makes it possible for unauthenticated attackers to update limited plugin settings.

Action-Not Available
Vendor-nmedia
Product-GoHero Store Customizer for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-13382
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 10.25%
||
7 Day CHG~0.00%
Published-25 Nov, 2025 | 07:28
Updated-08 Apr, 2026 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager Plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming

The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter.

Action-Not Available
Vendor-nmedia
Product-Frontend File Manager Plugin
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-13452
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.48%
||
7 Day CHG+0.01%
Published-25 Nov, 2025 | 07:28
Updated-08 Apr, 2026 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.

Action-Not Available
Vendor-nmedia
Product-Admin and Customer Messages After Order for WooCommerce: OrderConvo
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-3124
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-6.26% / 92.78%
||
7 Day CHG+0.06%
Published-03 Oct, 2022 | 13:45
Updated-03 Aug, 2024 | 01:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager < 21.3 - Unauthenticated File Renaming

The Frontend File Manager Plugin WordPress plugin before 21.3 allows any unauthenticated user to rename uploaded files from users. Furthermore, due to the lack of validation in the destination filename, this could allow allow them to change the content of arbitrary files on the web server

Action-Not Available
Vendor-najeebmediaUnknown
Product-frontend_file_managerFrontend File Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2026-1280
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.29% / 21.16%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 11:23
Updated-08 Apr, 2026 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter

The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.

Action-Not Available
Vendor-nmedia
Product-Frontend File Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-0629
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 32.04%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
2Checkout Payment Gateway for WooCommerce <= 6.2 - Missing Authorization via sniff_ins

The 2Checkout Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sniff_ins function in all versions up to, and including, 6.2. This makes it possible for unauthenticated attackers to make changes to orders and mark them as paid.

Action-Not Available
Vendor-nmedianmedia
Product-2Checkout Payment Gateway for WooCommerce2checkout_payment_gateway
CWE ID-CWE-862
Missing Authorization
CVE-2023-7306
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.32% / 23.65%
||
7 Day CHG~0.00%
Published-25 Jul, 2025 | 08:22
Updated-08 Apr, 2026 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager <= 21.5 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpfm_delete_multiple_files() function in all versions up to, and including, 21.5. This makes it possible for unauthenticated attackers to delete arbitrary posts.

Action-Not Available
Vendor-nmedia
Product-Frontend File Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2021-4368
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-9.9||CRITICAL
EPSS-1.85% / 76.77%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 01:51
Updated-08 Apr, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager <= 18.2 - Authenticated Settings Change leading to Arbitrary File Upload

The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for subscriber-level attackers to edit the plugin settings, such as the allowed upload file types. This can lead to remote code execution through other vulnerabilities.

Action-Not Available
Vendor-najeebmedianmedia
Product-frontend_file_manager_pluginFrontend File Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2021-4356
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-9||CRITICAL
EPSS-1.52% / 71.80%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 01:51
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager <= 18.2 - Unauthenticated Arbitrary File Download

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Download in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to download arbitrary files on the site, potentially leading to site takeover.

Action-Not Available
Vendor-najeebmedianmedia
Product-frontend_file_manager_pluginFrontend File Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2021-4351
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-5.8||MEDIUM
EPSS-0.68% / 48.44%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 01:51
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager <= 18.2 - Unauthenticated Post Meta Change

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Post Meta Change in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to change the meta data of certain posts and pages.

Action-Not Available
Vendor-najeebmedianmedia
Product-frontend_file_manager_pluginFrontend File Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2021-25018
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.52% / 40.95%
||
7 Day CHG~0.00%
Published-14 Feb, 2022 | 09:20
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PPOM for WooCommerce < 24.0 - Subscriber+ Settings Update to Stored XSS

The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues

Action-Not Available
Vendor-najeebmediaUnknown
Product-ppom_for_woocommercePPOM for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2021-4359
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.88% / 54.99%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 01:51
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager Plugin <= 18.2 - Unauthenticated Arbitrary Post Deletion

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 18.2. This is due to lacking authentication protections and lacking a security nonce on the wpfm_delete_file AJAX action. This makes it possible for unauthenticated attackers to delete any posts and pages on the site.

Action-Not Available
Vendor-najeebmedianmedia
Product-frontend_file_manager_pluginFrontend File Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2021-4350
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.67% / 47.95%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 01:51
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager <= 18.2 - Unauthenticated HTML Injection leading to Spam Emails

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated HTML Injection in versions up to, and including, 18.2. This is due to lacking authentication protections on the wpfm_send_file_in_email AJAX action. This makes it possible for unauthenticated attackers to send emails using the site with a custom subject, recipient email, and body with unsanitized HTML content. This effectively lets the attacker use the site as a spam relay.

Action-Not Available
Vendor-najeebmedianmedia
Product-frontend_file_manager_pluginFrontend File Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2021-4369
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-5.8||MEDIUM
EPSS-0.80% / 52.38%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 01:51
Updated-08 Apr, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager <= 18.2 - Unauthenticated Content Injection

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Content Injection in versions up to, and including, 18.2. This is due to lacking authorization protections, checks against users editing other's posts, and lacking a security nonce, all on the wpfm_edit_file_title_desc AJAX action. This makes it possible for unauthenticated attackers to edit the content and title of every page on the site.

Action-Not Available
Vendor-najeebmedianmedia
Product-frontend_file_manager_pluginFrontend File Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-57985
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.75%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:24
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ultimate Watermark Plugin <= 1.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in MantraBrain Ultimate Watermark ultimate-watermark allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Watermark: from n/a through <= 1.1.

Action-Not Available
Vendor-MantraBrain
Product-Ultimate Watermark
CWE ID-CWE-862
Missing Authorization
CVE-2025-57969
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.75%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:24
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hide WP Toolbar Plugin <= 2.7 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Jeremy Saxey Hide WP Toolbar hide-wp-toolbar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hide WP Toolbar: from n/a through <= 2.7.

Action-Not Available
Vendor-Jeremy Saxey
Product-Hide WP Toolbar
CWE ID-CWE-862
Missing Authorization
CVE-2025-57917
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 19.26%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:25
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Printcart Web to Print Product Designer for WooCommerce plugin <= 2.4.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce printcart-integration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Printcart Web to Print Product Designer for WooCommerce: from n/a through <= 2.4.8.

Action-Not Available
Vendor-printcart
Product-Printcart Web to Print Product Designer for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-57884
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.81%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 11:59
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Greenshift Plugin <= 12.1.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift: from n/a through <= 12.1.1.

Action-Not Available
Vendor-wpsoul
Product-Greenshift
CWE ID-CWE-862
Missing Authorization
CVE-2025-57894
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.45%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 11:59
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPPizza Plugin <= 3.19.8 - Broken Access Control Vulnerability

Missing Authorization vulnerability in ollybach WPPizza wppizza allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPPizza: from n/a through <= 3.19.8.

Action-Not Available
Vendor-ollybach
Product-WPPizza
CWE ID-CWE-862
Missing Authorization
CVE-2024-6033
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 28.48%
||
7 Day CHG~0.00%
Published-17 Jul, 2024 | 06:45
Updated-08 Apr, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Event Data Import

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the 'import_file' function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data.

Action-Not Available
Vendor-themewinterarraytics
Product-eventinEventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
CWE ID-CWE-862
Missing Authorization
CVE-2024-6012
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 30.74%
||
7 Day CHG~0.00%
Published-02 Jul, 2024 | 09:32
Updated-08 Apr, 2026 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cost Calculator Builder <= 3.2.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Creation

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary posts and append arbitrary content to existing posts.

Action-Not Available
Vendor-stylemixthemesstylemix
Product-cost_calculator_builderCost Calculator Builder
CWE ID-CWE-862
Missing Authorization
CVE-2025-5692
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.21% / 10.77%
||
7 Day CHG~0.00%
Published-02 Jul, 2025 | 02:03
Updated-08 Apr, 2026 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lead Form Data Collection to CRM <= 3.1 - Missing Authorization to Authenticated (Subscriber+) Many Actions

The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates.

Action-Not Available
Vendor-smackcoderssmackcoders
Product-lead_form_data_collection_to_crmLead Form Data Collection to CRM
CWE ID-CWE-862
Missing Authorization
CVE-2024-6167
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 21.62%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 08:33
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Just Custom Fields <= 3.3.2 - Missing Authorization via AJAX actions

The Just Custom Fields plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several AJAX functions in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke this functionality intended for admin users. This enables subscribers to manage field groups, change visibility of items among other things.

Action-Not Available
Vendor-aprokopenko
Product-Just Custom Fields
CWE ID-CWE-862
Missing Authorization
CVE-2025-57972
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.75%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:24
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Helpdesk Support Ticket System for WooCommerce plugin <= 2.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through <= 2.1.1.

Action-Not Available
Vendor-WPFactory
Product-Helpdesk Support Ticket System for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-57995
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.75%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:24
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress DethemeKit For Elementor Plugin <= 2.1.10 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Detheme DethemeKit For Elementor dethemekit-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DethemeKit For Elementor: from n/a through <= 2.1.10.

Action-Not Available
Vendor-Detheme
Product-DethemeKit For Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2020-13319
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.78% / 51.81%
||
7 Day CHG~0.00%
Published-29 Sep, 2020 | 15:58
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. Missing permission check for adding time spent on an issue.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2024-0907
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.60% / 44.65%
||
7 Day CHG~0.00%
Published-01 Feb, 2024 | 04:31
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via restore_records()

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the restore_records() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to restore records.

Action-Not Available
Vendor-basixonlinewebaways
Product-nex-formsNEX-Forms – Ultimate Forms Plugin for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-10092
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.44% / 35.68%
||
7 Day CHG~0.00%
Published-26 Oct, 2024 | 07:36
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Monitor <= 5.0.12 - Missing Authorization to API Key Manipulation

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones.

Action-Not Available
Vendor-wpchill
Product-Download Monitor
CWE ID-CWE-862
Missing Authorization
CVE-2023-6742
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 32.87%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 08:32
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Envira Gallery Lite <= 1.8.7.2 - Missing Authorization to Gallery Modification via envira_gallery_insert_images

The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'envira_gallery_insert_images' function in all versions up to, and including, 1.8.7.1. This makes it possible for authenticated attackers, with contributor access and above, to modify galleries on other users' posts.

Action-Not Available
Vendor-Envira Gallery, LLC (Envira Gallery)Awesome Motive Inc.
Product-envira_galleryEnvira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CWE ID-CWE-862
Missing Authorization
CVE-2023-6883
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 24.47%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 06:49
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Social Feed <= 6.5.2 - Missing Authorization to Settings Modification

The Easy Social Feed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in all versions up to, and including, 6.5.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions, such as modifying the plugin's Facebook and Instagram access tokens and updating group IDs.

Action-Not Available
Vendor-easysocialfeedsjaved
Product-easy_social_feedEasy Social Feed – Social Photos Gallery and Post Feed for WordPress
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CWE ID-CWE-862
Missing Authorization
CVE-2025-54712
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.24%
||
7 Day CHG+0.01%
Published-14 Aug, 2025 | 18:21
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Elementor Addons Plugin <= 2.2.7 - Broken Access Control Vulnerability

Missing Authorization vulnerability in hashthemes Easy Elementor Addons easy-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Elementor Addons: from n/a through <= 2.2.7.

Action-Not Available
Vendor-hashthemes
Product-Easy Elementor Addons
CWE ID-CWE-862
Missing Authorization
CVE-2023-7292
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 19.17%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 06:43
Updated-08 Apr, 2026 | 17:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Paytium: Mollie payment forms & donations <= 4.3.7 - Missing Authorization in 'paytium_notice_dismiss'

The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized notification dismissal due to a missing capability check on the paytium_notice_dismiss function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-level access to dismiss admin notices.

Action-Not Available
Vendor-paytiumpaytiumsupport
Product-paytiumPaytium: Mollie payment forms & donations
CWE ID-CWE-862
Missing Authorization
CVE-2025-54011
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.24%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 10:36
Updated-13 May, 2026 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SMTP2GO plugin <= 1.12.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in SMTP2GO SMTP2GO smtp2go allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SMTP2GO: from n/a through <= 1.12.1.

Action-Not Available
Vendor-SMTP2GO
Product-SMTP2GO
CWE ID-CWE-862
Missing Authorization
CVE-2025-53452
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 21.09%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:25
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Event Rocket Plugin <= 3.3 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Barry Event Rocket allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Rocket: from n/a through 3.3.

Action-Not Available
Vendor-Barry
Product-Event Rocket
CWE ID-CWE-862
Missing Authorization
CVE-2025-53997
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 14.52%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 10:36
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Houzez theme <= 4.0.4 - Broken Access Control Vulnerability

Missing Authorization vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.0.4.

Action-Not Available
Vendor-favethemes
Product-Houzez
CWE ID-CWE-862
Missing Authorization
CVE-2023-7019
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 24.64%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 08:32
Updated-08 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LightStart – Maintenance Mode, Coming Soon and Landing Page Builder <= 2.6.8 - Missing Authorization

The LightStart – Maintenance Mode, Coming Soon and Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the insert_template function in all versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to change page designs.

Action-Not Available
Vendor-Themeisle
Product-lightstartLightStart – Maintenance Mode, Coming Soon and Landing Page Builder
CWE ID-CWE-862
Missing Authorization
CVE-2025-54047
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.24%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 10:36
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Cost Calculator plugin <= 7.4 - Broken Access Control Vulnerability

Missing Authorization vulnerability in QuanticaLabs Cost Calculator ql-cost-calculator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cost Calculator: from n/a through <= 7.4.

Action-Not Available
Vendor-QuanticaLabs
Product-Cost Calculator
CWE ID-CWE-862
Missing Authorization
CVE-2025-54045
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.05%
||
7 Day CHG+0.01%
Published-16 Dec, 2025 | 08:12
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CM On Demand Search And Replace plugin <= 1.5.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CM On Demand Search And Replace: from n/a through <= 1.5.5.

Action-Not Available
Vendor-CreativeMindsSolutions
Product-CM On Demand Search And Replace
CWE ID-CWE-862
Missing Authorization
CVE-2023-33998
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 33.32%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Social Icons plugin <= 3.2.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in cybernetikz Easy Social Icons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Social Icons: from n/a through 3.2.5.

Action-Not Available
Vendor-cybernetikz
Product-Easy Social Icons
CWE ID-CWE-862
Missing Authorization
CVE-2023-3403
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.57% / 43.54%
||
7 Day CHG+0.11%
Published-18 Jul, 2023 | 02:39
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ProfileGrid <= 5.5.1 - Missing Authorization to User Import

The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pm_upload_csv' function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with subscriber-level permissions or above to import new users and update existing users.

Action-Not Available
Vendor-Metagauss Inc.
Product-profilegridProfileGrid – User Profiles, Groups and Communities
CWE ID-CWE-862
Missing Authorization
CVE-2023-34009
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 36.89%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Social Media Share Buttons & Social Sharing Icons plugin <= 2.8.1 - Broken Access Control + CSRF

Missing Authorization vulnerability in Inisev Social Media & Share Icons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Social Media & Share Icons: from n/a through 2.8.1.

Action-Not Available
Vendor-Inisev
Product-Social Media & Share Icons
CWE ID-CWE-862
Missing Authorization
CVE-2023-3352
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 23.13%
||
7 Day CHG~0.00%
Published-21 Jun, 2024 | 02:05
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smush – Lazy Load Images, Optimize & Compress Images <= 3.16.4 - Missing Authorization to Resmush List Deletion

The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the delete_resmush_list() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for Nextgen or the Media Library.

Action-Not Available
Vendor-Incsub, LLC
Product-Smush – Image Optimization, Compression, Lazy Load, WebP & CDN
CWE ID-CWE-862
Missing Authorization
CVE-2023-34387
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 37.14%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Constant Contact Forms plugin <= 2.0.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Constant Contact Constant Contact Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Constant Contact Forms: from n/a through 2.0.3.

Action-Not Available
Vendor-Constant Contact
Product-Constant Contact Forms
CWE ID-CWE-862
Missing Authorization
CVE-2025-53341
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 14.52%
||
7 Day CHG+0.02%
Published-14 Aug, 2025 | 18:21
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Stratus Theme <= 4.2.5 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Themovation App, SaaS & Software Startup Tech Theme - Stratus stratusx allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects App, SaaS & Software Startup Tech Theme - Stratus: from n/a through <= 4.2.5.

Action-Not Available
Vendor-Themovation
Product-App, SaaS & Software Startup Tech Theme - Stratus
CWE ID-CWE-862
Missing Authorization
CVE-2025-53346
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 4.81%
||
7 Day CHG~0.00%
Published-02 Jun, 2026 | 09:52
Updated-02 Jun, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Thim Core Plugin <= 2.3.3 - Broken Access Control Vulnerability

Missing Authorization vulnerability in ThimPress Thim Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thim Core: from n/a through 2.3.3.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-Thim Core
CWE ID-CWE-862
Missing Authorization
CVE-2025-53323
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 8.44%
||
7 Day CHG~0.00%
Published-27 Jun, 2025 | 13:21
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pre-Publish Post Checklist plugin <= 3.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in danbriapps Pre-Publish Post Checklist pre-publish-post-checklist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pre-Publish Post Checklist: from n/a through <= 3.1.

Action-Not Available
Vendor-danbriapps
Product-Pre-Publish Post Checklist
CWE ID-CWE-862
Missing Authorization
CVE-2023-6959
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.43% / 34.70%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 21:21
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Getwid – Gutenberg Blocks <= 2.0.4 - Missing Authorization to Recaptcha API Key Modification

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the recaptcha_api_key_manage function in all versions up to, and including, 2.0.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, modify, or delete the 'Recaptcha Site Key' and 'Recaptcha Secret Key' settings.

Action-Not Available
Vendor-motopressjetmonsters
Product-getwidGetwid – Gutenberg Blocks
CWE ID-CWE-862
Missing Authorization
CVE-2023-32959
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 8.15%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 10:50
Updated-11 Jun, 2026 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MetroStore theme <= 1.3.2 - Broken Access Control

Missing Authorization vulnerability in Sparkle WP MetroStore metrostore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MetroStore: from n/a through 1.3.2.

Action-Not Available
Vendor-Sparkle WP
Product-MetroStore
CWE ID-CWE-862
Missing Authorization
CVE-2025-52554
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.27% / 18.57%
||
7 Day CHG~0.00%
Published-03 Jul, 2025 | 20:08
Updated-04 Sep, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
n8n Improper Authorization in Workflow Execution Stop Endpoint Allows Terminating Other Users’ Workflows

n8n is a workflow automation platform. Prior to version 1.99.1, an authorization vulnerability was discovered in the /rest/executions/:id/stop endpoint of n8n. An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading to potential business disruption. This issue has been patched in version 1.99.1. A workaround involves restricting access to the /rest/executions/:id/stop endpoint via reverse proxy or API gateway.

Action-Not Available
Vendor-n8nn8n-io
Product-n8nn8n
CWE ID-CWE-862
Missing Authorization
CVE-2023-32316
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.38% / 30.48%
||
7 Day CHG~0.00%
Published-26 May, 2023 | 22:36
Updated-14 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Users can add themselves to any organization in CloudExplorer Lite

CloudExplorer Lite is an open source cloud management tool. In affected versions users can add themselves to any organization in CloudExplorer Lite. This is due to a missing permission check on the user profile. It is recommended to upgrade the version to v1.1.0. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-FIT2CLOUD Inc.CloudExplorer Lite (FIT2CLOUD Inc.)
Product-cloudexplorerCloudExplorer-Lite
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 27
  • 28
  • Next
Details not found