Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-0907

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-01 Feb, 2024 | 04:31
Updated At-07 May, 2025 | 20:13
Rejected At-
Credits

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the restore_records() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to restore records.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:01 Feb, 2024 | 04:31
Updated At:07 May, 2025 | 20:13
Rejected At:
▼CVE Numbering Authority (CNA)

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the restore_records() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to restore records.

Affected Products
Vendor
webaways
Product
NEX-Forms – Ultimate Form Builder – Contact forms and much more
Default Status
unaffected
Versions
Affected
  • From * through 8.5.6 (semver)
Problem Types
TypeCWE IDDescription
N/AN/ACWE-862 Missing Authorization
Type: N/A
CWE ID: N/A
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Francesco Carlucci
Timeline
EventDate
Disclosed2024-01-31 00:00:00
Event: Disclosed
Date: 2024-01-31 00:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4?source=cve
N/A
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490
N/A
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502
N/A
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524
N/A
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512
N/A
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493
N/A
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4?source=cve
x_transferred
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490
x_transferred
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502
x_transferred
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524
x_transferred
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512
x_transferred
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493
x_transferred
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539
x_transferred
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4?source=cve
Resource:
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490
Resource:
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502
Resource:
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524
Resource:
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512
Resource:
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493
Resource:
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:29 Feb, 2024 | 01:43
Updated At:15 Jan, 2025 | 17:20

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the restore_records() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to restore records.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches

basixonline
basixonline
>>nex-forms>>Versions before 8.5.7(exclusive)
cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarynvd@nist.gov
CWE ID: CWE-862
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493security@wordfence.com
Patch
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512security@wordfence.com
Patch
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539security@wordfence.com
Patch
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490security@wordfence.com
Product
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502security@wordfence.com
Product
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524security@wordfence.com
Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4?source=cvesecurity@wordfence.com
Third Party Advisory
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493af854a3a-2127-422b-91ae-364da2661108
Patch
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512af854a3a-2127-422b-91ae-364da2661108
Patch
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539af854a3a-2127-422b-91ae-364da2661108
Patch
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490af854a3a-2127-422b-91ae-364da2661108
Product
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502af854a3a-2127-422b-91ae-364da2661108
Product
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524af854a3a-2127-422b-91ae-364da2661108
Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4?source=cveaf854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493
Source: security@wordfence.com
Resource:
Patch
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512
Source: security@wordfence.com
Resource:
Patch
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539
Source: security@wordfence.com
Resource:
Patch
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Product
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Product
Hyperlink: https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Product
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4?source=cve
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1233Records found

CVE-2024-1130
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.45% / 62.57%
||
7 Day CHG~0.00%
Published-01 Feb, 2024 | 04:31
Updated-15 Jan, 2025 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the set_read() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark records as read.

Action-Not Available
Vendor-basixonlinewebaways
Product-nex-formsNEX-Forms – Ultimate Form Builder – Contact forms and much more
CWE ID-CWE-862
Missing Authorization
CVE-2024-1129
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 50.27%
||
7 Day CHG~0.00%
Published-01 Feb, 2024 | 04:31
Updated-15 Jan, 2025 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the set_starred() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark records as starred.

Action-Not Available
Vendor-basixonlinewebawaysbasixonline
Product-nex-formsNEX-Forms – Ultimate Form Builder – Contact forms and much morenex-forms
CWE ID-CWE-862
Missing Authorization
CVE-2020-2142
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.03%
||
7 Day CHG~0.00%
Published-09 Mar, 2020 | 15:00
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier allows attackers with Overall/Read permission to trigger builds.

Action-Not Available
Vendor-Jenkins
Product-p4Jenkins P4 Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-8488
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.07%
||
7 Day CHG~0.00%
Published-02 Aug, 2025 | 09:23
Updated-04 Aug, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) <= 2.4.6 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update

The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_hfe_compatibility_option_callback ()function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the compatibility option setting.

Action-Not Available
Vendor-Brainstorm Force
Product-Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
CWE ID-CWE-862
Missing Authorization
CVE-2025-8996
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.75%
||
7 Day CHG~0.00%
Published-15 Aug, 2025 | 16:27
Updated-21 Aug, 2025 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097

Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.This issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0.

Action-Not Available
Vendor-layout_builder_advanced_permissions_projectThe Drupal Association
Product-layout_builder_advanced_permissionsLayout Builder Advanced Permissions
CWE ID-CWE-862
Missing Authorization
CVE-2022-46846
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 29.72%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:22
Updated-13 Dec, 2024 | 21:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Trending/Popular Post Slider and Widget plugin <= 1.5.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Trending/Popular Post Slider and Widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Trending/Popular Post Slider and Widget: from n/a through 1.5.7.

Action-Not Available
Vendor-WP OnlineSupport, Essential Plugin
Product-Trending/Popular Post Slider and Widget
CWE ID-CWE-862
Missing Authorization
CVE-2022-45399
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-15 Nov, 2022 | 00:00
Updated-30 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

Action-Not Available
Vendor-Jenkins
Product-cluster_statisticsJenkins Cluster Statistics Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-45394
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-15 Nov, 2022 | 00:00
Updated-30 Apr, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs.

Action-Not Available
Vendor-Jenkins
Product-delete_logJenkins Delete log Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-3711
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.32%
||
7 Day CHG~0.00%
Published-23 May, 2024 | 05:32
Updated-16 Jan, 2025 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Brizy – Page Builder <= 2.4.43 - Missing Authorization

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access or above, to enable/disable the Brizy editor and modify the template used.

Action-Not Available
Vendor-brizythemefusecom
Product-brizyBrizy – Page Builder
CWE ID-CWE-862
Missing Authorization
CVE-2022-45389
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 30.89%
||
7 Day CHG~0.00%
Published-15 Nov, 2022 | 00:00
Updated-30 Apr, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

Action-Not Available
Vendor-Jenkins
Product-xp-devJenkins XP-Dev Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-44578
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 29.72%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-13 Dec, 2024 | 21:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Owl Carousel plugin <= 0.5.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Pierre JEHAN Owl Carousel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Owl Carousel: from n/a through 0.5.3.

Action-Not Available
Vendor-Pierre JEHAN
Product-Owl Carousel
CWE ID-CWE-862
Missing Authorization
CVE-2022-45349
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.17%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 11:18
Updated-31 Jan, 2025 | 14:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Betheme premium theme <= 26.6.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1.

Action-Not Available
Vendor-Muffin Group
Product-bethemeBetheme
CWE ID-CWE-862
Missing Authorization
CVE-2022-45070
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 39.37%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 06:27
Updated-03 Aug, 2024 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Conditional Checkout Fields for WooCommerce plugin <= 1.2.3 - Broken Authentication vulnerability

Missing Authorization vulnerability in FmeAddons Conditional Checkout Fields for WooCommerce.This issue affects Conditional Checkout Fields for WooCommerce: from n/a through 1.2.3.

Action-Not Available
Vendor-FmeAddons
Product-Conditional Checkout Fields for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-9202
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.07%
||
7 Day CHG~0.00%
Published-20 Aug, 2025 | 06:39
Updated-20 Aug, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ColorMag <= 4.0.19 - Missing Authorization to Authenticated (Subscriber+) ThemeGrill Demo Importer Plugin Installation

The ColorMag theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the ThemeGrill Demo Importer plugin.

Action-Not Available
Vendor-themegrill
Product-ColorMag
CWE ID-CWE-862
Missing Authorization
CVE-2020-2094
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.20%
||
7 Day CHG~0.00%
Published-15 Jan, 2020 | 15:15
Updated-04 Aug, 2024 | 06:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers with Overall/Read permission to send a fixed email to an attacker-specific recipient.

Action-Not Available
Vendor-Jenkins
Product-health_advisor_by_cloudbeesJenkins Health Advisor by CloudBees Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-4385
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.81%
||
7 Day CHG~0.00%
Published-21 Feb, 2023 | 08:50
Updated-12 Mar, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Intuitive Custom Post Order < 3.1.4 - Subscriber+ Arbitrary Menu Order Update

The Intuitive Custom Post Order WordPress plugin before 3.1.4 does not check for authorization in the update-menu-order ajax action, allowing any logged in user (with roles as low as Subscriber) to update the menu order

Action-Not Available
Vendor-intuitive_custom_post_order_projectUnknown
Product-intuitive_custom_post_orderIntuitive Custom Post Order
CWE ID-CWE-862
Missing Authorization
CVE-2022-41692
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 36.00%
||
7 Day CHG~0.00%
Published-18 Nov, 2022 | 18:54
Updated-20 Feb, 2025 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Appointment Hour Booking plugin <= 1.3.71 - Missing Authorization vulnerability

Missing Authorization vulnerability in Appointment Hour Booking plugin <= 1.3.71 on WordPress.

Action-Not Available
Vendor-CodePeople
Product-appointment_hour_bookingAppointment Hour Booking (WordPress plugin)
CWE ID-CWE-862
Missing Authorization
CVE-2025-8482
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.64%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 06:42
Updated-12 Aug, 2025 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Local Avatars <= 2.8.4 - Missing Authorization to Authenticated (Subscriber+) Avatar Migration

The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users.

Action-Not Available
Vendor-10up
Product-Simple Local Avatars
CWE ID-CWE-862
Missing Authorization
CVE-2022-24594
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.28% / 50.82%
||
7 Day CHG+0.01%
Published-25 Feb, 2022 | 11:31
Updated-03 Aug, 2024 | 04:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In waline 1.6.1, an attacker can submit messages using X-Forwarded-For to forge any IP address.

Action-Not Available
Vendor-walinen/a
Product-walinen/a
CWE ID-CWE-862
Missing Authorization
CVE-2025-8595
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.07%
||
7 Day CHG~0.00%
Published-06 Aug, 2025 | 02:24
Updated-06 Aug, 2025 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zakra <= 4.1.5 - Missing Authorization to Subscriber+ Demo Import

The Zakra theme for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo settings.

Action-Not Available
Vendor-themegrill
Product-Zakra
CWE ID-CWE-862
Missing Authorization
CVE-2025-8152
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 19.71%
||
7 Day CHG~0.00%
Published-02 Aug, 2025 | 07:24
Updated-04 Aug, 2025 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons <= 1.7.0 - Missing Authorization to Unauthenticated Sticky Status Update

The WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_cta_status' and 'change_sticky_sidebar_name' functions in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to update the status of a sticky and update the name displayed in the back-end WP CTA Dashboard.

Action-Not Available
Vendor-blendmedia
Product-WP CTA
CWE ID-CWE-862
Missing Authorization
CVE-2022-4169
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 16.46%
||
7 Day CHG~0.00%
Published-28 Nov, 2022 | 17:33
Updated-07 Feb, 2025 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Theme and plugin translation for Polylang is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function. This makes it possible for unauthenticated attackers to update plugin and theme translation settings and to import translation strings.

Action-Not Available
Vendor-theme_and_plugin_translation_for_polylang_projectmarcinkazmierski
Product-theme_and_plugin_translation_for_polylangTheme and plugin translation for Polylang (TTfP)
CWE ID-CWE-862
Missing Authorization
CVE-2022-41790
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.40%
||
7 Day CHG~0.00%
Published-17 Jan, 2024 | 18:13
Updated-17 Jun, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Time Slots Booking Form Plugin <= 1.1.76 is vulnerable to Broken Access Control

Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.This issue affects WP Time Slots Booking Form: from n/a through 1.1.76.

Action-Not Available
Vendor-CodePeople
Product-wp_time_slots_booking_formWP Time Slots Booking Form
CWE ID-CWE-862
Missing Authorization
CVE-2025-7821
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 9.99%
||
7 Day CHG~0.00%
Published-23 Aug, 2025 | 04:25
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WC Plus <= 1.2.0 - Missing Authorization to Unauthenticated Settings Manipulation

The WC Plus plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pluswc_logo_favicon_logo_base' AJAX action in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update the site's favicon logo base.

Action-Not Available
Vendor-wcplus
Product-WC Plus
CWE ID-CWE-862
Missing Authorization
CVE-2022-4103
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 16.85%
||
7 Day CHG~0.00%
Published-09 Jan, 2023 | 22:13
Updated-09 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Royal Elementor Addons < 1.3.56 - Subscriber+ Arbitrary Post Creation

The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorisation and CSRF checks when creating a template, and does not ensure that the post created is a template. This could allow any authenticated users, such as subscriber to create a post (as well as any post type) with an arbitrary title

Action-Not Available
Vendor-UnknownRoyal Elementor Addons
Product-royal_elementor_addonsRoyal Elementor Addons (Elementor Templates, Post Grid, Mega Menu & Header Footer Builder, WooCommerce Builder, Product Grid, Slider, Parallax Image & other Free Elementor Widgets)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2022-40223
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 36.93%
||
7 Day CHG~0.00%
Published-08 Nov, 2022 | 18:20
Updated-20 Feb, 2025 | 19:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SearchWP premium plugin <= 4.2.5 - Broken Authentication vulnerability

Nonce token leakage and missing authorization in SearchWP premium plugin <= 4.2.5 on WordPress leading to plugin settings change.

Action-Not Available
Vendor-SearchWP, LLC (SearchWP)
Product-searchwpSearchWP
CWE ID-CWE-862
Missing Authorization
CVE-2025-6726
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.04%
||
7 Day CHG~0.00%
Published-18 Jul, 2025 | 05:23
Updated-22 Jul, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Block Editor Gallery Slider <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Limited Post Meta Update

The Block Editor Gallery Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the classic_gallery_slider_options() function in all versions up to, and including, 1.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update limited post meta for arbitrary posts.

Action-Not Available
Vendor-krasenslavov
Product-Block Editor Gallery Slider
CWE ID-CWE-862
Missing Authorization
CVE-2024-3213
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 55.92%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 18:59
Updated-04 Feb, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Relevanssi – A Better Search plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the relevanssi_update_counts() function in all versions up to, and including, 4.22.1. This makes it possible for unauthenticated attackers to execute expensive queries on the application that could lead into DOS.

Action-Not Available
Vendor-relevanssimsaariRelevanssirelevanssi
Product-relevanssiRelevanssi – A Better Search (Pro)Relevanssi – A Better Searchrelevanssi
CWE ID-CWE-862
Missing Authorization
CVE-2025-6720
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.09% / 25.60%
||
7 Day CHG~0.00%
Published-19 Jul, 2025 | 05:32
Updated-22 Jul, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vchasno Kasa <= 1.0.3 - Unauthenticated Log File Clearing

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_all_log() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to clear log files.

Action-Not Available
Vendor-bandido
Product-MORKVA Vchasno Kasa Integration
CWE ID-CWE-862
Missing Authorization
CVE-2025-7828
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 5.54%
||
7 Day CHG~0.00%
Published-23 Aug, 2025 | 04:25
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Filter & Combine RSS Feeds <= 0.4 - Missing Authorization to Authenticated (Contributor+) Feed Deletion

The WP Filter & Combine RSS Feeds plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the post_listing_page() function in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete feeds.

Action-Not Available
Vendor-evigeo
Product-WP Filter & Combine RSS Feeds
CWE ID-CWE-862
Missing Authorization
CVE-2025-7827
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 5.54%
||
7 Day CHG~0.00%
Published-23 Aug, 2025 | 04:25
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ni WooCommerce Customer Product Report <= 1.2.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.

Action-Not Available
Vendor-anzia
Product-Ni WooCommerce Customer Product Report
CWE ID-CWE-862
Missing Authorization
CVE-2024-31432
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 41.33%
||
7 Day CHG~0.00%
Published-15 Apr, 2024 | 09:31
Updated-02 Aug, 2024 | 01:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Restrict Content plugin <= 3.2.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in StellarWP Restrict Content.This issue affects Restrict Content: from n/a through 3.2.8.

Action-Not Available
Vendor-The Events Calendar (StellarWP)Liquid Web, LLC
Product-Restrict Contentrestrict_content
CWE ID-CWE-862
Missing Authorization
CVE-2022-3923
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 23.59%
||
7 Day CHG~0.00%
Published-09 Jan, 2023 | 22:13
Updated-09 Apr, 2025 | 18:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ActiveCampaign for WooCommerce < 1.9.8 - Subscriber+ Error Log Cleanup

The ActiveCampaign for WooCommerce WordPress plugin before 1.9.8 does not have authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated users, such as subscriber to call it and remove error logs.

Action-Not Available
Vendor-UnknownActiveCampaign
Product-activecampaign_for_woocommerceActiveCampaign for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-31350
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 47.17%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 18:04
Updated-25 Sep, 2024 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AWP Classifieds plugin <= 4.3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in AWP Classifieds Team AWP Classifieds.This issue affects AWP Classifieds: from n/a through 4.3.1.

Action-Not Available
Vendor-Strategy11
Product-awp_classifiedsAWP Classifieds
CWE ID-CWE-862
Missing Authorization
CVE-2025-6730
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.60%
||
7 Day CHG~0.00%
Published-29 Jul, 2025 | 09:23
Updated-29 Jul, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bonanza – WooCommerce Free Gifts Lite <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Opt In Success

The Bonanza – WooCommerce Free Gifts Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the xlo_optin_call() function in all versions up to, and including, 1.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set the opt in status to success.

Action-Not Available
Vendor-amans2k
Product-Bonanza – WooCommerce Free Gifts Lite
CWE ID-CWE-862
Missing Authorization
CVE-2025-7822
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.04%
||
7 Day CHG+0.01%
Published-24 Jul, 2025 | 09:22
Updated-25 Jul, 2025 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Wallcreeper <= 1.6.1 - Missing Authorization to Authenticated (Susbcriber+) Cache Enable/Disable

The WP Wallcreeper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_notices hook in all versions up to, and including, 1.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable and disable caching.

Action-Not Available
Vendor-alexalouit
Product-WP Wallcreeper
CWE ID-CWE-862
Missing Authorization
CVE-2025-57884
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 5.54%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 11:59
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Greenshift Plugin <= 12.1.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in wpsoul Greenshift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Greenshift: from n/a through 12.1.1.

Action-Not Available
Vendor-wpsoul
Product-Greenshift
CWE ID-CWE-862
Missing Authorization
CVE-2025-58201
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-27 Aug, 2025 | 17:45
Updated-27 Aug, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AfterShip Tracking Plugin <= 1.17.17 - Broken Access Control Vulnerability

Missing Authorization vulnerability in AfterShip & Automizely AfterShip Tracking allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AfterShip Tracking: from n/a through 1.17.17.

Action-Not Available
Vendor-AfterShip & Automizely
Product-AfterShip Tracking
CWE ID-CWE-862
Missing Authorization
CVE-2025-58193
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-Not Assigned
Published-27 Aug, 2025 | 17:45
Updated-27 Aug, 2025 | 18:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Uncanny Automator Plugin <= 6.7.0.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Uncanny Owl Uncanny Automator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uncanny Automator: from n/a through 6.7.0.1.

Action-Not Available
Vendor-Uncanny Owl Inc.
Product-Uncanny Automator
CWE ID-CWE-862
Missing Authorization
CVE-2025-57894
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 5.54%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 11:59
Updated-22 Aug, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPPizza Plugin <= 3.19.8 - Broken Access Control Vulnerability

Missing Authorization vulnerability in ollybach WPPizza allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPPizza: from n/a through 3.19.8.

Action-Not Available
Vendor-ollybach
Product-WPPizza
CWE ID-CWE-862
Missing Authorization
CVE-2025-5846
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-2.7||LOW
EPSS-0.01% / 1.51%
||
7 Day CHG~0.00%
Published-26 Jun, 2025 | 05:31
Updated-12 Aug, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in GitLab

An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2025-5811
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.09% / 25.60%
||
7 Day CHG~0.00%
Published-18 Jul, 2025 | 05:24
Updated-22 Jul, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Listly: Listicles For WordPress <= 2.7 - Unauthenticated Arbitrary Transient Deletion

The Listly: Listicles For WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Init() function in all versions up to, and including, 2.7. This makes it possible for unauthenticated attackers to delete arbitrary transient values on the WordPress site.

Action-Not Available
Vendor-milanmk
Product-Listly: Listicles For WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2025-6215
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.12% / 32.51%
||
7 Day CHG+0.04%
Published-23 Jul, 2025 | 02:24
Updated-23 Jul, 2025 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Omnishop <= 1.0.9 - Missing Registration Restriction to Unauthenticated Account Creation via /users/register REST Endpoint

The Omnishop plugin for WordPress is vulnerable to Unauthenticated Registration Bypass in all versions up to, and including, 1.0.9. Its /users/register endpoint is exposed to the public (permission_callback always returns true) and invokes wp_create_user() unconditionally, ignoring the site’s users_can_register option and any nonce or CAPTCHA checks. This makes it possible for unauthenticated attackers to create arbitrary user accounts (customer) on sites where registrations should be closed.

Action-Not Available
Vendor-omnishop
Product-Omnishop – Mobile shop apps complementing your WooCommerce webshop
CWE ID-CWE-862
Missing Authorization
CVE-2024-22151
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.24% / 47.16%
||
7 Day CHG~0.00%
Published-08 Jun, 2024 | 16:19
Updated-26 Aug, 2025 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Import and export users and customers plugin <= 1.24.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Codection Import and export users and customers.This issue affects Import and export users and customers: from n/a through 1.24.6.

Action-Not Available
Vendor-codectionCodectioncodection
Product-import_and_export_users_and_customersImport and export users and customersimport_and_export_users_and_customers
CWE ID-CWE-862
Missing Authorization
CVE-2025-5812
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.04%
||
7 Day CHG~0.00%
Published-26 Jun, 2025 | 02:06
Updated-27 Jun, 2025 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VG WORT METIS <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update

The VG WORT METIS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gutenberg_save_post() function in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update limited post settings.

Action-Not Available
Vendor-vgwort
Product-VG WORT METIS
CWE ID-CWE-862
Missing Authorization
CVE-2024-30216
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.88%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 01:02
Updated-02 Aug, 2024 | 01:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP S/4 HANA (Cash Management)

Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, attacker can add notes in the review request with 'completed' status affecting the integrity of the application. Confidentiality and Availability are not impacted.

Action-Not Available
Vendor-SAP SE
Product-SAP S/4 HANA (Cash Management)
CWE ID-CWE-862
Missing Authorization
CVE-2025-5814
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 28.39%
||
7 Day CHG~0.00%
Published-07 Jun, 2025 | 04:22
Updated-09 Jun, 2025 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Profiler – What Slowing Down Your WP <= 1.0.0 - Missing Authentication to Unauthenticated Arbitrary Plugin Reactivation via State Restoration

The Profiler – What Slowing Down Your WP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpsd_plugin_control() function in all versions up to, and including, 1.0.0. This makes it possible for unauthenticated attackers to reactivate previously deactivated plugins after accessing the "Profiler" page.

Action-Not Available
Vendor-switcorp
Product-Profiler – What Slowing Down Your WP
CWE ID-CWE-862
Missing Authorization
CVE-2024-30463
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 39.37%
||
7 Day CHG~0.00%
Published-29 Mar, 2024 | 16:22
Updated-13 Mar, 2025 | 01:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BEAR plugin <= 1.1.4.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in realmag777 BEAR.This issue affects BEAR: from n/a through 1.1.4.3.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-bear_-_woocommerce_bulk_editor_and_products_manager_professionalBEAR
CWE ID-CWE-862
Missing Authorization
CVE-2024-30459
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.13% / 33.73%
||
7 Day CHG~0.00%
Published-08 May, 2024 | 13:22
Updated-02 Aug, 2024 | 01:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AI WP Writer plugin <= 3.6.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in AIpost AI WP Writer.This issue affects AI WP Writer: from n/a through 3.6.5.

Action-Not Available
Vendor-AIpost
Product-AI WP Writer
CWE ID-CWE-862
Missing Authorization
CVE-2024-2298
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.75%
||
7 Day CHG~0.00%
Published-08 Mar, 2024 | 06:58
Updated-15 Jan, 2025 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_import_product() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating importing products.

Action-Not Available
Vendor-servitcservit
Product-affiliate-toolkitaffiliate-toolkit – WordPress Affiliate Plugin
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 24
  • 25
  • Next
Details not found