Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-1078

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-07 Feb, 2024 | 07:32
Updated At-01 Aug, 2024 | 18:26
Rejected At-
Credits

The Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ays_quick_start() and add_question_rows() functions in all versions up to, and including, 6.5.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary quizzes.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:07 Feb, 2024 | 07:32
Updated At:01 Aug, 2024 | 18:26
Rejected At:
▼CVE Numbering Authority (CNA)

The Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ays_quick_start() and add_question_rows() functions in all versions up to, and including, 6.5.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary quizzes.

Affected Products
Vendor
AYS Pro Extensionsays-pro
Product
Quiz Maker
Default Status
unaffected
Versions
Affected
  • From * through 6.5.2.4 (semver)
Problem Types
TypeCWE IDDescription
N/AN/ACWE-862 Missing Authorization
Type: N/A
CWE ID: N/A
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Lucio Sá
Timeline
EventDate
Disclosed2024-02-06 00:00:00
Event: Disclosed
Date: 2024-02-06 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67?source=cve
N/A
https://plugins.trac.wordpress.org/changeset/3032035/quiz-maker/tags/6.5.2.5/admin/class-quiz-maker-admin.php?old=3030468&old_path=quiz-maker%2Ftags%2F6.5.2.4%2Fadmin%2Fclass-quiz-maker-admin.php
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3032035/quiz-maker/tags/6.5.2.5/admin/class-quiz-maker-admin.php?old=3030468&old_path=quiz-maker%2Ftags%2F6.5.2.4%2Fadmin%2Fclass-quiz-maker-admin.php
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67?source=cve
x_transferred
https://plugins.trac.wordpress.org/changeset/3032035/quiz-maker/tags/6.5.2.5/admin/class-quiz-maker-admin.php?old=3030468&old_path=quiz-maker%2Ftags%2F6.5.2.4%2Fadmin%2Fclass-quiz-maker-admin.php
x_transferred
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67?source=cve
Resource:
x_transferred
Hyperlink: https://plugins.trac.wordpress.org/changeset/3032035/quiz-maker/tags/6.5.2.5/admin/class-quiz-maker-admin.php?old=3030468&old_path=quiz-maker%2Ftags%2F6.5.2.4%2Fadmin%2Fclass-quiz-maker-admin.php
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:07 Feb, 2024 | 08:15
Updated At:14 Feb, 2024 | 18:39

The Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ays_quick_start() and add_question_rows() functions in all versions up to, and including, 6.5.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary quizzes.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
AYS Pro Extensions
ays-pro
>>quiz_maker>>Versions before 6.5.2.5(exclusive)
cpe:2.3:a:ays-pro:quiz_maker:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarynvd@nist.gov
CWE ID: CWE-862
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/changeset/3032035/quiz-maker/tags/6.5.2.5/admin/class-quiz-maker-admin.php?old=3030468&old_path=quiz-maker%2Ftags%2F6.5.2.4%2Fadmin%2Fclass-quiz-maker-admin.phpsecurity@wordfence.com
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67?source=cvesecurity@wordfence.com
Third Party Advisory
Hyperlink: https://plugins.trac.wordpress.org/changeset/3032035/quiz-maker/tags/6.5.2.5/admin/class-quiz-maker-admin.php?old=3030468&old_path=quiz-maker%2Ftags%2F6.5.2.4%2Fadmin%2Fclass-quiz-maker-admin.php
Source: security@wordfence.com
Resource:
Patch
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

808Records found
CVE-2025-48079
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.72%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 15:45
Updated-19 May, 2025 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ProfileGrid <= 5.9.5.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Metagauss ProfileGrid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ProfileGrid : from n/a through 5.9.5.1.

Action-Not Available
Vendor-Metagauss Inc.
Product-ProfileGrid
CWE ID-CWE-862
Missing Authorization
CVE-2019-10377
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.21%
||
7 Day CHG~0.00%
Published-07 Aug, 2019 | 14:20
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Avatar Plugin 1.2 and earlier allows attackers with Overall/Read access to change the avatar of any user of Jenkins.

Action-Not Available
Vendor-Jenkins
Product-avatarJenkins Avatar Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-37885
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.24%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 04:32
Updated-02 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RealHomes theme <= 4.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in InspiryThemes RealHomes.This issue affects RealHomes: from n/a through 4.0.2.

Action-Not Available
Vendor-InspiryThemes
Product-RealHomes
CWE ID-CWE-862
Missing Authorization
CVE-2025-47692
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.72%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 14:20
Updated-08 May, 2025 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ContentStudio <= 1.3.3 - Broken Access Control Vulnerability

Missing Authorization vulnerability in contentstudio ContentStudio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ContentStudio: from n/a through 1.3.3.

Action-Not Available
Vendor-contentstudio
Product-ContentStudio
CWE ID-CWE-862
Missing Authorization
CVE-2019-10455
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.08%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Rundeck Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-rundeckJenkins Rundeck Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2019-10389
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.08%
||
7 Day CHG~0.00%
Published-07 Aug, 2019 | 14:20
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.

Action-Not Available
Vendor-Jenkins
Product-relution_enterprise_appstore_publisherJenkins Relution Enterprise Appstore Publisher Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2019-10409
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.08%
||
7 Day CHG~0.00%
Published-25 Sep, 2019 | 15:05
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers with Overall/Read permission to trigger project generation from templates.

Action-Not Available
Vendor-Jenkins
Product-project_inheritanceJenkins Project Inheritance Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2019-10457
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.08%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-oracle_cloud_infrastructure_compute_classicJenkins Oracle Cloud Infrastructure Compute Classic Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-4520
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 7.48%
||
7 Day CHG~0.00%
Published-14 May, 2025 | 02:23
Updated-12 Aug, 2025 | 01:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncanny Automator <= 6.4.0.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update plugin settings.

Action-Not Available
Vendor-Uncanny Owl Inc.
Product-uncanny_automatorUncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-38395
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 32.11%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 09:38
Updated-07 Aug, 2024 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Clone Menu plugin <= 1.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Afzal Multani WP Clone Menu.This issue affects WP Clone Menu: from n/a through 1.0.1.

Action-Not Available
Vendor-afzalmultaniAfzal Multani
Product-wp_clone_menuWP Clone Menu
CWE ID-CWE-862
Missing Authorization
CVE-2019-10442
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.08%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 13:00
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-icescrumJenkins iceScrum Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-4431
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.72%
||
7 Day CHG~0.00%
Published-30 May, 2025 | 07:23
Updated-04 Jun, 2025 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Featured Image Plus <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Featured Image Update

The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post.

Action-Not Available
Vendor-krasenslavovkrasenslavov
Product-featured_image_plusFeatured Image Plus – Quick & Bulk Edit with Unsplash
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2019-1003036
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.72%
||
7 Day CHG~0.00%
Published-08 Mar, 2019 | 21:00
Updated-05 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent.

Action-Not Available
Vendor-Jenkins
Product-azure_vm_agentsJenkins Azure VM Agents Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2019-0367
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 39.16%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:16
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 and 2.0, does not perform necessary authorization checks for an authenticated user, allowing the import of B2B table content that leads to Missing Authorization Check.

Action-Not Available
Vendor-SAP SE
Product-netweaver_process_integrationSAP NetWeaver Process Integration (B2B Toolkit)
CWE ID-CWE-862
Missing Authorization
CVE-2025-42991
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.72%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 00:12
Updated-12 Jun, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP S/4HANA (Bank Account Application)

SAP S/4HANA (Bank Account Application) does not perform necessary authorization checks. This allows an authenticated 'approver' user to delete attachment from bank account application of other user, leading to a low impact on integrity, with no impact on the confidentiality of the data or the availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP S/4HANA (Bank Account Application)
CWE ID-CWE-862
Missing Authorization
CVE-2025-39413
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 16.15%
||
7 Day CHG+0.01%
Published-30 Apr, 2025 | 17:18
Updated-16 May, 2025 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple Sitemap – Create a Responsive HTML Sitemap plugin <= 3.5.14 - Broken Access Control vulnerability

Missing Authorization vulnerability in David Gwyer Simple Sitemap – Create a Responsive HTML Sitemap.This issue affects Simple Sitemap – Create a Responsive HTML Sitemap: from n/a through 3.5.14.

Action-Not Available
Vendor-wpgopluginsDavid Gwyer
Product-simple_sitemapSimple Sitemap – Create a Responsive HTML Sitemap
CWE ID-CWE-862
Missing Authorization
CVE-2019-10187
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4||MEDIUM
EPSS-0.13% / 33.88%
||
7 Day CHG~0.00%
Published-31 Jul, 2019 | 21:39
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.

Action-Not Available
Vendor-Moodle Pty Ltd
Product-moodlemoodle
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2025-39571
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.30%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 12:44
Updated-16 Apr, 2025 | 13:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WowStore <= 4.2.4 - Broken Access Control Vulnerability

Missing Authorization vulnerability in WPXPO WowStore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WowStore: from n/a through 4.2.4.

Action-Not Available
Vendor-WPXPO
Product-WowStore
CWE ID-CWE-862
Missing Authorization
CVE-2025-39511
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.72%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 15:45
Updated-19 May, 2025 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pinterest Automatic Pin <= 4.18.2 - Broken Access Control Vulnerability

Missing Authorization vulnerability in ValvePress Pinterest Automatic Pin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pinterest Automatic Pin: from n/a through 4.18.2.

Action-Not Available
Vendor-ValvePress
Product-Pinterest Automatic Pin
CWE ID-CWE-862
Missing Authorization
CVE-2025-39398
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.72%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 17:22
Updated-21 May, 2025 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hotel + Bed and Breakfast Booking Calendar Theme | Bellevue theme <= 4.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Themovation Hotel + Bed and Breakfast Booking Calendar Theme | Bellevue.This issue affects Hotel + Bed and Breakfast Booking Calendar Theme | Bellevue: from n/a through 4.2.2.

Action-Not Available
Vendor-Themovation
Product-Hotel + Bed and Breakfast Booking Calendar Theme | Bellevue
CWE ID-CWE-862
Missing Authorization
CVE-2025-39412
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.72%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 17:25
Updated-27 May, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Master Slider plugin <= 3.10.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Averta Master Slider.This issue affects Master Slider: from n/a through 3.10.8.

Action-Not Available
Vendor-Depicter (Averta)
Product-master_sliderMaster Slider
CWE ID-CWE-862
Missing Authorization
CVE-2025-39602
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.30%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 12:44
Updated-16 Apr, 2025 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Product Table Lite plugin <= 3.9.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in WC Product Table WooCommerce Product Table Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Product Table Lite: from n/a through 3.9.5.

Action-Not Available
Vendor-WC Product Table
Product-WooCommerce Product Table Lite
CWE ID-CWE-862
Missing Authorization
CVE-2025-3437
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 13.28%
||
7 Day CHG~0.00%
Published-08 Apr, 2025 | 09:21
Updated-08 Aug, 2025 | 19:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Motors – Car Dealership & Classified Listings Plugin <= 1.4.66 - Missing Authorization to Authenticated (Subscriber+) Wizard Set-up

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions.

Action-Not Available
Vendor-stylemixthemesstylemix
Product-motors_-_car_dealer\,_classifieds_\&_listingMotors – Car Dealership & Classified Listings Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-3452
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 13.28%
||
7 Day CHG+0.01%
Published-29 Apr, 2025 | 08:21
Updated-06 May, 2025 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SecuPress Free <= 2.3.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins.

Action-Not Available
Vendor-secupresssecupress
Product-secupressSecuPress Free — WordPress Security
CWE ID-CWE-862
Missing Authorization
CVE-2024-1771
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.08% / 25.24%
||
7 Day CHG-0.03%
Published-06 Mar, 2024 | 05:33
Updated-11 Mar, 2025 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage.

Action-Not Available
Vendor-hashthemeshashthemeshashthemes
Product-totalTotaltotal
CWE ID-CWE-862
Missing Authorization
CVE-2024-1652
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.67%
||
7 Day CHG~0.00%
Published-27 Feb, 2024 | 11:05
Updated-07 Jan, 2025 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxClearCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to clear categories.

Action-Not Available
Vendor-frenifyfrenify
Product-categorifyCategorify – WordPress Media Library Category & File Manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-7827
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.64%
||
7 Day CHG~0.00%
Published-23 Aug, 2025 | 04:25
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ni WooCommerce Customer Product Report <= 1.2.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.

Action-Not Available
Vendor-anzia
Product-Ni WooCommerce Customer Product Report
CWE ID-CWE-862
Missing Authorization
CVE-2024-1804
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 25.52%
||
7 Day CHG~0.00%
Published-27 Jul, 2024 | 01:51
Updated-19 Sep, 2024 | 13:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutor LMS – Migration Tool <= 2.2.0 - Missing Authorization in tutor_import_from_xml

The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tutor_import_from_xml function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to import courses.

Action-Not Available
Vendor-Themeum
Product-tutor_lms_-_migration_toolTutor LMS – Migration Tool
CWE ID-CWE-862
Missing Authorization
CVE-2025-7822
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.12%
||
7 Day CHG+0.01%
Published-24 Jul, 2025 | 09:22
Updated-25 Jul, 2025 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Wallcreeper <= 1.6.1 - Missing Authorization to Authenticated (Susbcriber+) Cache Enable/Disable

The WP Wallcreeper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_notices hook in all versions up to, and including, 1.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable and disable caching.

Action-Not Available
Vendor-alexalouit
Product-WP Wallcreeper
CWE ID-CWE-862
Missing Authorization
CVE-2025-32226
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.30%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 15:59
Updated-07 Apr, 2025 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Display product variations dropdown on shop page plugin <= 1.1.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Anzar Ahmed Display product variations dropdown on shop page allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Display product variations dropdown on shop page: from n/a through 1.1.3.

Action-Not Available
Vendor-Anzar Ahmed
Product-Display product variations dropdown on shop page
CWE ID-CWE-862
Missing Authorization
CVE-2024-13639
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.74%
||
7 Day CHG~0.00%
Published-13 Feb, 2025 | 08:21
Updated-18 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Read More & Accordion <= 3.4.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary 'Read More' Post Deletion

The Read More & Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary 'read more' posts.

Action-Not Available
Vendor-edmonparkerAdam Skaat (Edmonsoft)
Product-read_more_\&_accordionRead More & Accordion
CWE ID-CWE-862
Missing Authorization
CVE-2024-13703
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 13.04%
||
7 Day CHG~0.00%
Published-13 Mar, 2025 | 01:45
Updated-26 May, 2025 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CRM and Lead Management by vcita <= 2.7.1 - Missing Authorization to Authenticated (Susbcriber+) Widget Toggle

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_ajax_toggle_ae() function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable and disable plugin widgets.

Action-Not Available
Vendor-vcitavcita
Product-crm_and_lead_management_by_vcitaCRM and Lead Management by vcita
CWE ID-CWE-862
Missing Authorization
CVE-2024-12781
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 13.14%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 06:40
Updated-07 Jan, 2025 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Aurum - WordPress & WooCommerce Shopping Theme <= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Demo Content Import

The Aurum - WordPress & WooCommerce Shopping Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'lab_1cl_demo_install_package_content' function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite content with imported demo content.

Action-Not Available
Vendor-Laborator
Product-Aurum - WordPress & WooCommerce Shopping Theme
CWE ID-CWE-862
Missing Authorization
CVE-2025-32233
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.30%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 15:59
Updated-07 Apr, 2025 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Revive.so <= 2.0.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Revive.so – Bulk Rewrite and Republish Blog Posts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Revive.so – Bulk Rewrite and Republish Blog Posts: from n/a through 2.0.3.

Action-Not Available
Vendor-WP Chill
Product-Revive.so – Bulk Rewrite and Republish Blog Posts
CWE ID-CWE-862
Missing Authorization
CVE-2025-32239
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.17%
||
7 Day CHG-0.02%
Published-04 Apr, 2025 | 15:59
Updated-07 Apr, 2025 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Social Share Buttons & Analytics Plugin plugin <= 4.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Joao Romao Social Share Buttons & Analytics Plugin – GetSocial.io allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Social Share Buttons & Analytics Plugin – GetSocial.io: from n/a through 4.5.

Action-Not Available
Vendor-Joao Romao
Product-Social Share Buttons & Analytics Plugin – GetSocial.io
CWE ID-CWE-862
Missing Authorization
CVE-2025-7828
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.64%
||
7 Day CHG~0.00%
Published-23 Aug, 2025 | 04:25
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Filter & Combine RSS Feeds <= 0.4 - Missing Authorization to Authenticated (Contributor+) Feed Deletion

The WP Filter & Combine RSS Feeds plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the post_listing_page() function in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete feeds.

Action-Not Available
Vendor-evigeo
Product-WP Filter & Combine RSS Feeds
CWE ID-CWE-862
Missing Authorization
CVE-2024-13717
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.41%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 05:22
Updated-31 Jan, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form and Calls To Action by vcita <= 2.7.1 - Missing Authorization to Authenticated (Subscriber+) Contact/Widget Toggle

The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_ajax_toggle_ae and vcita_ajax_toggle_contact functions in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to enabled and disable widgets.

Action-Not Available
Vendor-vcita
Product-Contact Form and Calls To Action by vcita
CWE ID-CWE-862
Missing Authorization
CVE-2023-36531
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-5.82% / 90.18%
||
7 Day CHG+0.76%
Published-13 Dec, 2024 | 14:23
Updated-13 Dec, 2024 | 20:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress LiquidPoll plugin <= 3.3.68 - Broken Access Control vulnerability

Missing Authorization vulnerability in LiquidPoll LiquidPoll – Advanced Polls for Creators and Brands allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LiquidPoll – Advanced Polls for Creators and Brands: from n/a through 3.3.68.

Action-Not Available
Vendor-LiquidPoll
Product-LiquidPoll – Advanced Polls for Creators and Brands
CWE ID-CWE-862
Missing Authorization
CVE-2025-32277
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.17%
||
7 Day CHG-0.02%
Published-04 Apr, 2025 | 15:59
Updated-08 Apr, 2025 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RepairBuddy plugin <= 3.8211 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ateeq Rafeeq RepairBuddy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RepairBuddy: from n/a through 3.8211.

Action-Not Available
Vendor-Ateeq Rafeeq
Product-RepairBuddy
CWE ID-CWE-862
Missing Authorization
CVE-2025-32295
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.72%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 15:45
Updated-19 May, 2025 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Salon Booking Wordpress plugin <= 10.10.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in wordpresschef Salon Booking Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salon Booking Pro: from n/a through 10.10.2.

Action-Not Available
Vendor-wordpresschef
Product-Salon Booking Pro
CWE ID-CWE-862
Missing Authorization
CVE-2025-32229
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.30%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 15:59
Updated-07 Apr, 2025 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Variable Inspector plugin <= 2.6.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Bowo Variable Inspector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Variable Inspector: from n/a through 2.6.3.

Action-Not Available
Vendor-Bowo
Product-Variable Inspector
CWE ID-CWE-862
Missing Authorization
CVE-2024-13358
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.30%
||
7 Day CHG~0.00%
Published-01 Mar, 2025 | 03:22
Updated-26 May, 2025 | 01:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages <= 3.4.24 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update

The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wc4bp_delete_page() function in all versions up to, and including, 3.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins page setting.

Action-Not Available
Vendor-themekraftsvenl77
Product-buddypress_woocommerce_my_account_integrationBuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages
CWE ID-CWE-862
Missing Authorization
CVE-2024-1376
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.98%
||
7 Day CHG~0.00%
Published-24 May, 2024 | 06:42
Updated-04 Apr, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Event post <= 5.9.4 - Missing Authorization

The Event post plugin for WordPress is vulnerable to unauthorized bulk metadata update due to a missing capability check on the save_bulkdatas function in all versions up to, and including, 5.9.4. This makes it possible for authenticated attackers, with subscriber access or higher, to update post_meta_data.

Action-Not Available
Vendor-avecnousbastho
Product-event_postEvent post
CWE ID-CWE-862
Missing Authorization
CVE-2025-32232
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.30%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 15:59
Updated-07 Apr, 2025 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress StaffList plugin <= 3.2.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in ERA404 StaffList allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects StaffList: from n/a through 3.2.6.

Action-Not Available
Vendor-ERA404
Product-StaffList
CWE ID-CWE-862
Missing Authorization
CVE-2025-32236
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.30%
||
7 Day CHG~0.00%
Published-10 Apr, 2025 | 08:09
Updated-11 Apr, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Woocommerce Products Reorder Drag Drop Multiple Sort plugin <= 1.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Vagonic Woocommerce Products Reorder Drag Drop Multiple Sort – Sortable, Rearrange Products Vagonic. This issue affects Woocommerce Products Reorder Drag Drop Multiple Sort – Sortable, Rearrange Products Vagonic: from n/a through 1.9.

Action-Not Available
Vendor-Vagonic
Product-Woocommerce Products Reorder Drag Drop Multiple Sort – Sortable, Rearrange Products Vagonic
CWE ID-CWE-862
Missing Authorization
CVE-2024-37218
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 24.04%
||
7 Day CHG+0.01%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Page Builder Sandwich <= 5.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in WordPress Page Builder Sandwich Team Page Builder Sandwich – Front-End Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Page Builder Sandwich – Front-End Page Builder: from n/a through 5.1.0.

Action-Not Available
Vendor-WordPress Page Builder Sandwich Team
Product-Page Builder Sandwich – Front-End Page Builder
CWE ID-CWE-862
Missing Authorization
CVE-2024-13652
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.41%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 13:41
Updated-31 Jan, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ECPay Ecommerce for WooCommerce <= 1.1.2411060 - Missing Authorization to Authenticated (Subscriber+) Log Deletion

The ECPay Ecommerce for WooCommerce plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clear_ecpay_debug_log' AJAX action in all versions up to, and including, 1.1.2411060. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's log files.

Action-Not Available
Vendor-ecpayecpaytechsupport
Product-ecpay_ecommerce_for_woocommerceECPay Ecommerce for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-32231
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.30%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 15:59
Updated-07 Apr, 2025 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Bookingor plugin <= 1.0.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Bookingor Bookingor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bookingor: from n/a through 1.0.6.

Action-Not Available
Vendor-Bookingor
Product-Bookingor
CWE ID-CWE-862
Missing Authorization
CVE-2025-31865
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.82%
||
7 Day CHG-0.02%
Published-01 Apr, 2025 | 14:52
Updated-01 Apr, 2025 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CartBoss plugin <= 4.1.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in CartBoss SMS Abandoned Cart Recovery ✦ CartBoss allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SMS Abandoned Cart Recovery ✦ CartBoss: from n/a through 4.1.2.

Action-Not Available
Vendor-CartBoss
Product-SMS Abandoned Cart Recovery ✦ CartBoss
CWE ID-CWE-862
Missing Authorization
CVE-2025-31781
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.82%
||
7 Day CHG-0.02%
Published-01 Apr, 2025 | 14:51
Updated-01 Apr, 2025 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Gift Cards for WooCommerce plugin <= 1.5.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in ahmadshyk Gift Cards for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gift Cards for WooCommerce: from n/a through 1.5.8.

Action-Not Available
Vendor-ahmadshyk
Product-Gift Cards for WooCommerce
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 16
  • 17
  • Next
Details not found