Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-11643

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-04 Dec, 2024 | 15:22
Updated At-04 Dec, 2024 | 16:45
Rejected At-
Credits

Accessibility by AllAccessible <= 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update

The Accessibility by AllAccessible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'AllAccessible_save_settings' function in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:04 Dec, 2024 | 15:22
Updated At:04 Dec, 2024 | 16:45
Rejected At:
▼CVE Numbering Authority (CNA)
Accessibility by AllAccessible <= 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update

The Accessibility by AllAccessible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'AllAccessible_save_settings' function in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affected Products
Vendor
allaccessible
Product
Accessibility by AllAccessible
Default Status
unaffected
Versions
Affected
  • From * through 1.3.4 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
AmrAwad
Timeline
EventDate
Disclosed2024-12-03 00:00:00
Event: Disclosed
Date: 2024-12-03 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/bb65d916-7d9e-4562-ab9b-c7ba012a08fb?source=cve
N/A
https://plugins.trac.wordpress.org/browser/allaccessible/trunk/allaccessible.php#L249
N/A
https://plugins.trac.wordpress.org/changeset/3202017/
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/bb65d916-7d9e-4562-ab9b-c7ba012a08fb?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/allaccessible/trunk/allaccessible.php#L249
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3202017/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
allaccessible
Product
accessibility
CPEs
  • cpe:2.3:a:allaccessible:accessibility:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 1.3.4 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:04 Dec, 2024 | 16:15
Updated At:04 Dec, 2024 | 16:15

The Accessibility by AllAccessible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'AllAccessible_save_settings' function in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-862Secondarysecurity@wordfence.com
CWE ID: CWE-862
Type: Secondary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/allaccessible/trunk/allaccessible.php#L249security@wordfence.com
N/A
https://plugins.trac.wordpress.org/changeset/3202017/security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/bb65d916-7d9e-4562-ab9b-c7ba012a08fb?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/allaccessible/trunk/allaccessible.php#L249
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3202017/
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/bb65d916-7d9e-4562-ab9b-c7ba012a08fb?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

422Records found
CVE-2022-36352
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.3||MEDIUM
EPSS-0.24% / 47.37%
||
7 Day CHG~0.00%
Published-08 Jan, 2024 | 21:50
Updated-04 Sep, 2024 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ProfileGrid Plugin <= 5.0.3 is vulnerable to Broken Access Control

Missing Authorization vulnerability in Profilegrid ProfileGrid – User Profiles, Memberships, Groups and Communities.This issue affects ProfileGrid – User Profiles, Memberships, Groups and Communities: from n/a through 5.0.3.

Action-Not Available
Vendor-Metagauss Inc.
Product-profilegridProfileGrid – User Profiles, Memberships, Groups and Communities
CWE ID-CWE-862
Missing Authorization
CVE-2025-1667
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.05% / 16.16%
||
7 Day CHG+0.01%
Published-15 Mar, 2025 | 03:23
Updated-28 Mar, 2025 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
School Management System – WPSchoolPress <= 2.2.16 - Missing Authorization to Privilege Escalation via Account Takeover

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to update arbitrary user details including email which makes it possible to request a password reset and access arbitrary user accounts, including administrators.

Action-Not Available
Vendor-igexsolutionsjdsofttech
Product-wpschoolpressSchool Management System – WPSchoolPress
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CVE-2015-10140
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.06% / 19.18%
||
7 Day CHG+0.01%
Published-22 Jul, 2025 | 13:20
Updated-22 Jul, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ajax Load More < 2.8.1.2 - Subscriber+ File Upload & Deletion

The Ajax Load More plugin before 2.8.1.2 does not have authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber, to upload and delete arbitrary files.

Action-Not Available
Vendor-Unknown
Product-Ajax Load More
CWE ID-CWE-862
Missing Authorization
CVE-2023-27310
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-6.6||MEDIUM
EPSS-0.25% / 48.30%
||
7 Day CHG~0.00%
Published-14 Mar, 2023 | 09:31
Updated-27 Feb, 2025 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.2). The client query handler of the affected application fails to check for proper permissions when assigning groups to user accounts. This could allow an authenticated remote attacker to assign administrative groups to otherwise non-privileged user accounts.

Action-Not Available
Vendor-Siemens AG
Product-ruggedcom_crossbowRUGGEDCOM CROSSBOW
CWE ID-CWE-862
Missing Authorization
CVE-2021-32652
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.34% / 56.10%
||
7 Day CHG~0.00%
Published-01 Jun, 2021 | 19:05
Updated-20 Nov, 2024 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing permission check on email metadata retrieval

Nextcloud Mail is a mail app for the Nextcloud platform. A missing permission check in Nextcloud Mail before 1.4.3 and 1.8.2 allows another authenticated users to access mail metadata of other users. Versions 1.4.3 and 1.8.2 contain patches for this vulnerability; no workarounds other than the patches are known to exist.

Action-Not Available
Vendor-Nextcloud GmbH
Product-mailsecurity-advisories
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2023-27309
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-5||MEDIUM
EPSS-0.22% / 44.22%
||
7 Day CHG~0.00%
Published-14 Mar, 2023 | 09:31
Updated-27 Feb, 2025 | 15:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.2). The client query handler of the affected application fails to check for proper permissions for specific write queries. This could allow an authenticated remote attacker to perform unauthorized actions.

Action-Not Available
Vendor-Siemens AG
Product-ruggedcom_crossbowRUGGEDCOM CROSSBOW
CWE ID-CWE-862
Missing Authorization
CVE-2025-1279
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.07% / 23.19%
||
7 Day CHG+0.02%
Published-25 Apr, 2025 | 08:22
Updated-29 Apr, 2025 | 13:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BM Content Builder <= 3.16.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ux_cb_tools_import_item_ajax AJAX action in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Action-Not Available
Vendor-SeaTheme
Product-BM Content Builder
CWE ID-CWE-862
Missing Authorization
CVE-2022-3512
Matching Score-4
Assigner-Cloudflare, Inc.
ShareView Details
Matching Score-4
Assigner-Cloudflare, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.02% / 3.48%
||
7 Day CHG~0.00%
Published-28 Oct, 2022 | 09:22
Updated-06 May, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lock WARP switch bypass using warp-cli 'add-trusted-ssid' command

Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint.

Action-Not Available
Vendor-Cloudflare, Inc.
Product-warpWARP
CWE ID-CWE-862
Missing Authorization
CVE-2025-1304
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.31% / 53.44%
||
7 Day CHG~0.00%
Published-01 May, 2025 | 03:23
Updated-06 May, 2025 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NewsBlogger <= 0.2.5.1 - Authenticated (Subscriber+) Arbitrary File Upload

The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger_install_and_activate_plugin() function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Action-Not Available
Vendor-spicethemesspicethemes
Product-newsbloggerNewsBlogger
CWE ID-CWE-862
Missing Authorization
CVE-2024-9195
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.07% / 23.21%
||
7 Day CHG~0.00%
Published-28 Feb, 2025 | 08:23
Updated-11 Mar, 2025 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WHMPress - WHMCS Client Area <= 4.3-revision-3- Authenticated (Subscriber+) Arbitrary Options Update

The WHMPress - WHMCS Client Area plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the update_settings case in the /admin/ajax.php file in all versions up to, and including, 4.3-revision-3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Action-Not Available
Vendor-whmpresscreativeon
Product-whmcs_client_areaWHMCS Client Area for WordPress by WHMpress
CWE ID-CWE-862
Missing Authorization
CVE-2023-23639
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 43.17%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 09:13
Updated-09 Oct, 2024 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MainWP Staging Extension Plugin <= 4.0.3 - Subscriber+ Arbitrary Plugin Activation Vulnerability

Missing Authorization vulnerability in MainWP MainWP Staging Extension.This issue affects MainWP Staging Extension: from n/a through 4.0.3.

Action-Not Available
Vendor-mainwpMainWP
Product-staging_extensionMainWP Staging Extension
CWE ID-CWE-862
Missing Authorization
CVE-2021-33704
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.3||MEDIUM
EPSS-0.22% / 44.78%
||
7 Day CHG~0.00%
Published-15 Sep, 2021 | 18:01
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. For an attacker to discover the vulnerable function, no in-depth system knowledge is required. Once exploited via Network stack, the attacker may be able to read, modify or delete restricted data. The impact is that missing authorization can result of abuse of functionality usually restricted to specific users.

Action-Not Available
Vendor-SAP SE
Product-business_oneSAP Business One
CWE ID-CWE-862
Missing Authorization
CVE-2021-27855
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-1.14% / 77.51%
||
7 Day CHG~0.00%
Published-15 Dec, 2021 | 16:14
Updated-17 Sep, 2024 | 02:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FatPipe software allows privilege escalation

FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows a remote, authenticated attacker with read-only privileges to grant themselves administrative privileges. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA001.

Action-Not Available
Vendor-fatpipeincFatPipe
Product-ipvpn_firmwarewarpipvpnwarp_firmwarempvpnmpvpn_firmwareIPVPNMPVPNWARP
CWE ID-CWE-862
Missing Authorization
CVE-2024-8114
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-8.2||HIGH
EPSS-0.06% / 19.48%
||
7 Day CHG~0.00%
Published-26 Nov, 2024 | 18:31
Updated-12 Dec, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 8.12 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. This issue allows an attacker with access to a victim's Personal Access Token (PAT) to escalate privileges.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2021-27859
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-0.75% / 72.19%
||
7 Day CHG~0.00%
Published-15 Dec, 2021 | 16:14
Updated-16 Sep, 2024 | 21:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing authorization vulnerability in FatPipe software

A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker with read-only privileges to create an account with administrative privileges. Older versions of FatPipe software may also be vulnerable. This does not appear to be a CSRF vulnerability. The FatPipe advisory identifier for this vulnerability is FPSA005.

Action-Not Available
Vendor-fatpipeincFatPipe
Product-ipvpn_firmwarewarpipvpnwarp_firmwarempvpnmpvpn_firmwareIPVPNMPVPNWARP
CWE ID-CWE-862
Missing Authorization
CVE-2024-8102
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.22% / 45.11%
||
7 Day CHG~0.00%
Published-04 Sep, 2024 | 06:49
Updated-05 Sep, 2024 | 13:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The Ultimate WordPress Toolkit – WP Extended <= 3.0.8 - Authenticated (Subscriber+) Arbitrary Options Update

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the module_all_toggle_ajax() function in all versions up to, and including, 3.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Action-Not Available
Vendor-wpextendedwpextendedwpextended
Product-wp_extendedThe Ultimate WordPress Toolkit – WP Extendedwp_extended
CWE ID-CWE-862
Missing Authorization
CVE-2024-7258
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-4.59% / 88.81%
||
7 Day CHG~0.00%
Published-23 Aug, 2024 | 04:30
Updated-27 Sep, 2024 | 13:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WooCommerce Google Feed Manager <= 2.8.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Deletion

The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wppfm_removeFeedFile' function in all versions up to, and including, 2.8.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Action-Not Available
Vendor-wpmarketingrobotaukejommwpmarketingrobot
Product-woocommerce_google_feed_managerWooCommerce Google Feed Managerwoocommerce_google_feed_manager
CWE ID-CWE-862
Missing Authorization
CVE-2024-7031
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.36% / 57.04%
||
7 Day CHG~0.00%
Published-03 Aug, 2024 | 08:36
Updated-10 Apr, 2025 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Manager Pro – Filester <= 1.8.2 - Authenticated Plugin Settings Update

The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'njt_fs_saveSettingRestrictions' function in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with a role that has been granted permissions by an Administrator, to update the plugin settings for user role restrictions, including allowing file types such as .php to be uploaded.

Action-Not Available
Vendor-NinjaTeam
Product-filesterFile Manager Pro – Filesterfilester
CWE ID-CWE-862
Missing Authorization
CVE-2022-34344
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 43.33%
||
7 Day CHG~0.00%
Published-08 Jan, 2024 | 21:13
Updated-23 May, 2025 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Wholesale Suite Plugin <= 2.1.5 is vulnerable to Broken Access Control

Missing Authorization vulnerability in Rymera Web Co Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More.This issue affects Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More: from n/a through 2.1.5.

Action-Not Available
Vendor-rymeraRymera Web Co
Product-wholesale_suiteWholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More
CWE ID-CWE-862
Missing Authorization
CVE-2021-24356
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-34.27% / 96.84%
||
7 Day CHG~0.00%
Published-14 Jun, 2021 | 13:37
Updated-03 Aug, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Activation

In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, a lack of capability checks and insufficient nonce check on the AJAX action, simple301redirects/admin/activate_plugin, made it possible for authenticated users to activate arbitrary plugins installed on vulnerable sites.

Action-Not Available
Vendor-UnknownWPDeveloper
Product-simple_301_redirectsSimple 301 Redirects by BetterLinks
CWE ID-CWE-862
Missing Authorization
CVE-2021-24163
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.65% / 69.83%
||
7 Day CHG~0.00%
Published-05 Apr, 2021 | 18:27
Updated-03 Aug, 2024 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ninja Forms < 3.4.34 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure

The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin.

Action-Not Available
Vendor-UnknownSaturday Drive, INC
Product-ninja_formsNinja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2024-6698
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.28% / 51.13%
||
7 Day CHG~0.00%
Published-01 Aug, 2024 | 03:29
Updated-23 Nov, 2024 | 00:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FundEngine – Donation and Crowdfunding Platform <= 1.7.0 - Authenticated (Subscriber+) Privilege Escalation

The FundEngine plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying user meta updated through the update_user_meta function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta which can be leveraged to update their capabilities to gain administrator access.

Action-Not Available
Vendor-wpmetxpeedstudiowpmet
Product-fundengineFundEngine – Donation and Crowdfunding Platformwp_fundraising_donation_and_crowdfunding_platform
CWE ID-CWE-862
Missing Authorization
CVE-2021-23014
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-8.8||HIGH
EPSS-0.27% / 50.56%
||
7 Day CHG~0.00%
Published-10 May, 2021 | 14:35
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, and 14.1.x before 14.1.4, BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API which might allow Authenticated users with guest privileges to upload files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-n/aF5, Inc.
Product-big-ip_advanced_web_application_firewallbig-ip_application_security_managerBIG-IP ASM/Advanced WAF
CWE ID-CWE-862
Missing Authorization
CVE-2023-1299
Matching Score-4
Assigner-HashiCorp Inc.
ShareView Details
Matching Score-4
Assigner-HashiCorp Inc.
CVSS Score-7.4||HIGH
EPSS-0.15% / 36.09%
||
7 Day CHG~0.00%
Published-14 Mar, 2023 | 14:46
Updated-27 Feb, 2025 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nomad Job Submitter Privilege Escalation Using Workload Identity

HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.

Action-Not Available
Vendor-HashiCorp, Inc.
Product-nomadNomad EnterpriseNomad
CWE ID-CWE-862
Missing Authorization
CVE-2021-22149
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-8.8||HIGH
EPSS-0.68% / 70.67%
||
7 Day CHG~0.00%
Published-15 Sep, 2021 | 11:44
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users.

Action-Not Available
Vendor-Elasticsearch BV
Product-enterprise_searchElastic Enterprise Search
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CWE ID-CWE-862
Missing Authorization
CVE-2021-21487
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.8||MEDIUM
EPSS-0.15% / 35.56%
||
7 Day CHG~0.00%
Published-09 Mar, 2021 | 14:11
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Payment Engine version 500, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-payment_engineSAP Payment Engine
CWE ID-CWE-862
Missing Authorization
CVE-2021-21486
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.8||MEDIUM
EPSS-0.15% / 35.56%
||
7 Day CHG~0.00%
Published-09 Mar, 2021 | 14:07
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Enterprise Financial Services versions, 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-enterprise_financial_servicesSAP Enterprise Financial Services (Bank Customer Accounts)
CWE ID-CWE-862
Missing Authorization
CVE-2021-1508
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.09% / 77.07%
||
7 Day CHG~0.00%
Published-06 May, 2021 | 12:41
Updated-08 Nov, 2024 | 23:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vManage Software Vulnerabilities

Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. For more information about these vulnerabilities, see the Details section of this advisory.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-sd-wan_vmanagecatalyst_sd-wan_managerCisco SD-WAN vManage
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-862
Missing Authorization
CVE-2021-1505
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.27% / 78.68%
||
7 Day CHG~0.00%
Published-06 May, 2021 | 12:41
Updated-08 Nov, 2024 | 23:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vManage Software Vulnerabilities

Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information, or allow an authenticated, local attacker to gain escalated privileges or gain unauthorized access to the application. For more information about these vulnerabilities, see the Details section of this advisory.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-sd-wan_vmanagecatalyst_sd-wan_managerCisco SD-WAN vManage
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-862
Missing Authorization
CVE-2024-56266
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.3||MEDIUM
EPSS-0.14% / 34.40%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:01
Updated-22 Jan, 2025 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MP3 Audio Player plugin <= 5.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 5.8.

Action-Not Available
Vendor-sonaarSonaar Music
Product-mp3_audio_player_for_music\,_radio_\&_podcastMP3 Audio Player for Music, Radio & Podcast by Sonaar
CWE ID-CWE-862
Missing Authorization
CVE-2024-12848
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-2.30% / 84.10%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 11:11
Updated-09 Jan, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SKT Page Builder <= 4.6 - Authenticated (Subscriber+) Arbitrary File Upload

The SKT Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the 'addLibraryByArchive' function in all versions up to, and including, 4.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files that make remote code execution possible.

Action-Not Available
Vendor-sonalsinha21
Product-SKT Page Builder
CWE ID-CWE-862
Missing Authorization
CVE-2024-56048
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.23% / 45.57%
||
7 Day CHG+0.03%
Published-18 Dec, 2024 | 18:57
Updated-18 Dec, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin <= 1.9.9 - Arbitrary Option Update to Privilege Escalation vulnerability

Missing Authorization vulnerability in VibeThemes WPLMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPLMS: from n/a through 1.9.9.

Action-Not Available
Vendor-VibeThemes
Product-WPLMS
CWE ID-CWE-862
Missing Authorization
CVE-2022-43482
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 36.00%
||
7 Day CHG~0.00%
Published-18 Nov, 2022 | 19:03
Updated-20 Feb, 2025 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Appointment Booking Calendar plugin <= 1.3.69 - Missing Authorization vulnerability

Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress.

Action-Not Available
Vendor-CodePeople
Product-appointment_booking_calendarAppointment Booking Calendar (WordPress plugin)
CWE ID-CWE-862
Missing Authorization
CVE-2020-9458
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.96% / 82.74%
||
7 Day CHG~0.00%
Published-06 Mar, 2020 | 18:58
Updated-04 Aug, 2024 | 10:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the export function allows remote authenticated users (with minimal privileges) to export submitted form data and settings via class_rm_form_controller.php rm_form_export.

Action-Not Available
Vendor-n/aMetagauss Inc.
Product-registrationmagicn/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-56276
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.52%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 10:49
Updated-12 Aug, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPForms Lite plugin <= 1.9.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPForms Contact Form by WPForms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through 1.9.2.2.

Action-Not Available
Vendor-WPForms, LLC
Product-wpformsContact Form by WPForms
CWE ID-CWE-862
Missing Authorization
CVE-2022-43453
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.39% / 59.47%
||
7 Day CHG~0.00%
Published-21 Jun, 2024 | 13:33
Updated-03 Aug, 2024 | 13:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Tools plugin <= 3.41 - Auth. Broken Access Control vulnerability

Missing Authorization vulnerability in Bill Minozzi WP Tools.This issue affects WP Tools: from n/a through 3.41.

Action-Not Available
Vendor-billminozziBill Minozzibillminozzi
Product-wp_toolsWP Toolswp_tools
CWE ID-CWE-862
Missing Authorization
CVE-2020-9457
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.79% / 72.96%
||
7 Day CHG~0.00%
Published-06 Mar, 2020 | 18:56
Updated-04 Aug, 2024 | 10:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote authenticated users (with minimal privileges) to import custom vulnerable forms and change form settings via class_rm_form_settings_controller.php, resulting in privilege escalation.

Action-Not Available
Vendor-n/aMetagauss Inc.
Product-registrationmagicn/a
CWE ID-CWE-862
Missing Authorization
CVE-2022-31765
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-8.8||HIGH
EPSS-0.18% / 40.15%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-21 Apr, 2025 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected devices do not properly authorize the change password function of the web interface. This could allow low privileged users to escalate their privileges.

Action-Not Available
Vendor-Siemens AG
Product-6gk5788-1gd00-0aa06gk5328-4ss00-2ar3_firmware6gk5876-4aa00-2da26gk5774-1fx00-0aa06gk5748-1gy01-0aa06gk5748-1gd00-0ab0_firmware6gk5766-1ge00-7da0_firmware6gk5763-1al00-3aa06gk5826-2ab00-2ab26gk5788-2gd00-0ta0_firmware6gk5786-2fc00-0ac06gk5766-1ge00-7da06gk5788-1gy01-0aa0_firmware6gk5774-1fy00-0ta06gk5552-0aa00-2ar26gk5778-1gy00-0tb06gk5622-2gs00-2ac2_firmware6gk5722-1fc00-0ac0_firmware6gk5528-0ar00-2hr26gk5208-0ga00-2ac2_firmware6gk5552-0ar00-2hr2_firmware6gk5526-8gs00-4ar26gk5526-8gr00-4ar2_firmware6gk5204-0ba00-2gf2_firmware6gk5408-4gq00-2am26gk5208-0ha00-2ts6_firmware6gk5524-8gr00-3ar2_firmware6gk5788-1gd00-0aa0_firmware6ag1216-4bs00-7ac26gk5856-2ea00-3da16gk5722-1fc00-0aa0_firmware6gk5722-1fc00-0ac06gk5324-0ba00-3ar36gk5205-3bf00-2tb2_firmware6gk5524-8gs00-2ar2_firmware6gk5786-2fc00-0ac0_firmware6gk5761-1fc00-0aa0_firmware6gk5216-3rs00-2ac26gk5788-2gy01-0ta0_firmware6gk5552-0ar00-2ar2_firmware6gk5208-0ga00-2ac26gk5213-3bb00-2tb2_firmware6gk5524-8gr00-4ar2_firmware6gk5216-0ha00-2es6_firmware6gk5552-0aa00-2hr26gk5788-1gd00-0ab0_firmware6gk5734-1fx00-0ab6_firmware6gk5204-0ba00-2gf26gk5786-1fc00-0ab0_firmware6gk5786-2fc00-0aa0_firmware6gk5328-4fs00-3ar36gk5206-2rs00-2ac2_firmware6gk5722-1fc00-0aa06gk5213-3bd00-2ab2_firmware6gk5876-4aa00-2da2_firmware6gk5856-2ea00-3aa16gk5213-3bd00-2tb26gk5876-3aa02-2ba2_firmware6gk5766-1je00-3da0_firmware6gk5206-2rs00-5ac2_firmware6gk5876-4aa00-2ba26gk5408-8gs00-2am26gk5788-2gd00-0aa0_firmware6gk5205-3bb00-2tb26gk5208-0ua00-5es66gk6108-4am00-2da2_firmware6ag1208-0ba00-7ac26gk5786-2hc00-0ab06gk5526-8gr00-2ar2_firmware6gk5748-1gd00-0ab06gk5208-0ra00-2ac2_firmware6gk5748-1fc00-0ab0_firmware6gk5734-1fx00-0aa66gk5761-1fc00-0ab06gk5224-4gs00-2tc26gk5216-0ba00-2ac26gk5788-2gd00-0tb06gk5216-4bs00-2ac26gk5734-1fx00-0ab06gk5766-1je00-7da06gk5876-3aa02-2ea26gk5766-1ge00-7db06gk5216-0ha00-2as66gk5216-0ha00-2es66gk5224-0ba00-2ac26gk5328-4fs00-2rr3_firmware6gk5206-2bd00-2ac26gk5853-2ea00-2da1_firmware6gk5206-2gs00-2tc2_firmware6gk5766-1ge00-7tb0_firmware6gk5213-3bf00-2ab2_firmware6ag1206-2bb00-7ac2_firmware6gk5524-8gs00-2ar26gk5788-2gd00-0ta06gk5524-8gr00-2ar26gk5528-0aa00-2hr2_firmware6gk5812-1ba00-2aa26gk5208-0ga00-2fc26gk5208-0ga00-2fc2_firmware6gk5213-3bf00-2tb26gk5216-0ba00-2ab26gk5216-0ba00-2fc2_firmware6gk5416-4gs00-2am2_firmware6gk5213-3bd00-2ab26gk5206-2gs00-2fc26gk5206-2gs00-2ac26gk5205-3bb00-2ab2_firmware6gk5208-0ba00-2fc2_firmware6gk5774-1fx00-0aa66gk5208-0ba00-2ac2_firmware6gk5206-2rs00-5fc2_firmware6gk5766-1ge00-3da06gk5826-2ab00-2ab2_firmware6gk5206-2bs00-2ac26gk5786-2hc00-0aa0_firmware6gk5528-0aa00-2hr26gk5778-1gy00-0ta0_firmware6gk5224-4gs00-2tc2_firmware6gk5788-2gy01-0aa0_firmware6gk5788-2gd00-0tc06gk5206-2bs00-2fc26gk5208-0ba00-2ac26gk5788-2fc00-0aa0_firmware6gk5748-1fc00-0aa0_firmware6gk5738-1gy00-0aa0_firmware6gk5788-2gd00-0ab06gk5786-2fc00-0aa06gk5788-2hy01-0aa06gk5208-0ha00-2as66gk5774-1fy00-0ta0_firmware6gk5721-1fc00-0ab06gk6108-4am00-2ba2_firmware6gk5205-3bd00-2tb26gk5788-1fc00-0aa06gk5524-8gr00-3ar26gk5774-1fx00-0ac0_firmware6gk5208-0ra00-5ac26gk5786-2hc00-0aa06gk5213-3bb00-2ab26gk5734-1fx00-0ab66gk5766-1ge00-7ta0_firmware6gk5216-0ha00-2ts66gk5786-2fe00-0ab06gk5816-1aa00-2aa2_firmware6gk5206-2gs00-2ac2_firmware6gk5326-2qs00-3rr36ag1216-4bs00-7ac2_firmware6gk5774-1fx00-0aa6_firmware6gk5721-1fc00-0aa0_firmware6gk5216-3rs00-2ac2_firmware6gk5204-2aa00-2gf2_firmware6gk5788-1fc00-0ab06gk5208-0ha00-2es66gk5328-4ss00-3ar3_firmware6gk5216-3rs00-5ac2_firmware6gk5788-1fc00-0ab0_firmware6gk5552-0aa00-2hr2_firmware6gk5216-4gs00-2fc26gk5876-3aa02-2ba26gk5766-1ge00-7ta06gk5788-2gd00-0tc0_firmware6gk5328-4fs00-3ar3_firmware6gk5205-3bd00-2tb2_firmware6gk5786-2fe00-0aa06gk5326-2qs00-3ar36gk5748-1gy01-0ta06gk5206-2rs00-2ac26gk5206-2bb00-2ac2_firmware6gk5213-3bb00-2ab2_firmware6gk5216-0ba00-2tb26gk5748-1fc00-0aa06gk5786-1fc00-0aa06gk5526-8gr00-4ar26gk5206-2bb00-2ac26gk5524-8gs00-4ar26gk5734-1fx00-0aa0_firmware6gk5786-2fe00-0aa0_firmware6gk5748-1gy01-0ta0_firmware6gk5876-4aa00-2ba2_firmware6ag1206-2bs00-7ac2_firmware6gk5812-1aa00-2aa26gk5524-8gs00-3ar2_firmware6gk5763-1al00-7da0_firmware6gk5524-8gr00-2ar2_firmware6gk5856-2ea00-3da1_firmware6gk5788-2gd00-0tb0_firmware6gk5416-4gr00-2am26gk5812-1aa00-2aa2_firmware6gk5788-2gd00-0aa06gk5722-1fc00-0ab06gk5528-0aa00-2ar2_firmware6gk5816-1ba00-2aa26gk5526-8gs00-2ar2_firmware6gk5778-1gy00-0aa0_firmware6gk5874-2aa00-2aa26gk5734-1fx00-0aa06gk5788-2gd00-0ab0_firmware6gk5524-8gr00-4ar26gk5524-8gs00-4ar2_firmware6gk5748-1gd00-0aa0_firmware6gk5816-1ba00-2aa2_firmware6gk5874-3aa00-2aa2_firmware6gk5804-0ap00-2aa26gk5208-0ba00-2tb2_firmware6gk5636-2gs00-2ac2_firmware6gk5528-0aa00-2ar26gk5774-1fx00-0ab0_firmware6gk5774-1fx00-0ab6_firmware6gk5206-2rs00-5ac26gk5224-4gs00-2ac26gk5328-4fs00-3rr3_firmware6gk5788-1fc00-0aa0_firmware6gk5526-8gr00-3ar26gk5816-1aa00-2aa26gk5552-0ar00-2hr26gk5408-4gp00-2am26gk5326-2qs00-3rr3_firmware6gk5328-4fs00-2ar3_firmware6gk5216-0ha00-2ts6_firmware6gk5761-1fc00-0ab0_firmware6gk5774-1fx00-0ab66gk5748-1fc00-0ab06gk5774-1fy00-0tb06gk5205-3bb00-2ab26gk5208-0ga00-2tc2_firmware6gk5876-3aa02-2ea2_firmware6gk5734-1fx00-0aa6_firmware6gk5774-1fx00-0ac06gk5204-0ba00-2yf2_firmware6gk5206-2gs00-2fc2_firmware6gk5646-2gs00-2ac26gk5856-2ea00-3aa1_firmware6gk5224-0ba00-2ac2_firmware6gk5216-0ba00-2ac2_firmware6gk5786-1fc00-0ab06gk5324-0ba00-2ar3_firmware6gk5738-1gy00-0aa06gk5763-1al00-3aa0_firmware6gk5216-4gs00-2fc2_firmware6gk5416-4gr00-2am2_firmware6gk5224-4gs00-2fc2_firmware6gk5328-4fs00-2ar36gk5213-3bf00-2tb2_firmware6gk5205-3bb00-2tb2_firmware6gk5766-1ge00-3db0_firmware6gk5526-8gs00-2ar26gk5738-1gy00-0ab06gk5324-0ba00-3ar3_firmware6gk5788-1gy01-0aa06gk5788-2fc00-0aa06gk5788-2fc00-0ac0_firmware6gk5524-8gs00-3ar26gk5326-2qs00-3ar3_firmware6gk5224-4gs00-2ac2_firmware6gk5324-0ba00-2ar36gk5208-0ga00-2tc26gk5213-3bf00-2ab26gk5552-0aa00-2ar2_firmware6gk5216-4gs00-2tc26gk5206-2rs00-5fc26gk5642-2gs00-2ac2_firmware6gk5763-1al00-3da0_firmware6gk5208-0ua00-5es6_firmware6gk5206-2gs00-2tc26gk5774-1fx00-0aa0_firmware6gk5216-0ua00-5es66gk5646-2gs00-2ac2_firmware6gk5766-1ge00-7db0_firmware6gk5788-2hy01-0aa0_firmware6gk5788-2fc00-0ac06gk5205-3bf00-2ab26gk5778-1gy00-0tb0_firmware6gk5788-2gy01-0aa06gk5552-0ar00-2ar26gk5786-2fc00-0ab0_firmware6gk5778-1gy00-0ta06gk5213-3bd00-2tb2_firmware6gk5766-1je00-3da06gk5528-0ar00-2ar2_firmware6gk5328-4fs00-2rr36gk5766-1je00-7da0_firmware6gk5622-2gs00-2ac26gk5213-3bb00-2tb26gk5204-2aa00-2yf26gk5786-2fc00-0ab06gk5208-0ba00-2ab26gk5204-2aa00-2gf26gk5738-1gy00-0ab0_firmware6gk5778-1gy00-0aa06gk5778-1gy00-0ab0_firmware6gk5216-0ba00-2fc26gk5804-0ap00-2aa2_firmware6gk5328-4ss00-3ar36gk5874-2aa00-2aa2_firmware6gk5763-1al00-7da06gk5216-3rs00-5ac26gk5208-0ba00-2tb26gk5874-3aa00-2aa26gk5721-1fc00-0aa06gk5632-2gs00-2ac26gk5328-4fs00-3rr36gk5205-3bd00-2ab26gk5778-1gy00-0ab06gk5766-1ge00-3db06gk5734-1fx00-0ab0_firmware6gk6108-4am00-2ba26gk5528-0ar00-2hr2_firmware6gk5721-1fc00-0ab0_firmware6gk5208-0ha00-2as6_firmware6gk5224-4gs00-2fc26gk5526-8gr00-2ar26gk5748-1gd00-0aa06gk5208-0ra00-2ac26gk5206-2bs00-2ac2_firmware6gk5528-0ar00-2ar26gk5761-1fc00-0aa06gk5774-1fx00-0ab06gk5205-3bf00-2tb26gk5763-1al00-3da06gk5216-0ua00-5es6_firmware6gk5632-2gs00-2ac2_firmware6gk5216-4gs00-2ac26gk5766-1je00-7ta0_firmware6gk5408-8gr00-2am2_firmware6gk5812-1ba00-2aa2_firmware6gk5722-1fc00-0ab0_firmware6gk5636-2gs00-2ac26ag1206-2bs00-7ac26gk5786-2hc00-0ab0_firmware6gk5786-1fc00-0aa0_firmware6gk5204-0ba00-2yf26gk5788-2fc00-0ab0_firmware6gk5208-0ha00-2ts66gk5642-2gs00-2ac26gk5216-0ba00-2ab2_firmware6gk5526-8gs00-3ar2_firmware6gk5408-4gp00-2am2_firmware6gk5526-8gs00-4ar2_firmware6gk5788-2gy01-0ta06gk5208-0ba00-2fc26gk5526-8gr00-3ar2_firmware6gk6108-4am00-2da26gk5408-4gq00-2am2_firmware6gk5216-0ba00-2tb2_firmware6gk5774-1fy00-0tb0_firmware6gk5786-2fe00-0ab0_firmware6gk5216-4bs00-2ac2_firmware6gk5408-8gr00-2am26gk5766-1ge00-7tb06gk5206-2bs00-2fc2_firmware6gk5216-4gs00-2ac2_firmware6gk5205-3bd00-2ab2_firmware6gk5328-4ss00-2ar36gk5208-0ha00-2es6_firmware6gk5408-8gs00-2am2_firmware6gk5205-3bf00-2ab2_firmware6gk5416-4gs00-2am26gk5766-1ge00-3da0_firmware6ag1206-2bb00-7ac26gk5208-0ra00-5ac2_firmware6gk5788-2fc00-0ab06gk5216-4gs00-2tc2_firmware6gk5766-1je00-7ta06gk5204-2aa00-2yf2_firmware6gk5526-8gs00-3ar26gk5216-0ha00-2as6_firmware6gk5748-1gy01-0aa0_firmware6gk5853-2ea00-2da16gk5788-1gd00-0ab06gk5206-2bd00-2ac2_firmware6gk5208-0ba00-2ab2_firmware6ag1208-0ba00-7ac2_firmwareSCALANCE W774-1 RJ45SCALANCE M876-4 (NAM)SCALANCE W1788-2IA M12SCALANCE XB213-3 (ST, E/IP)SCALANCE XR524-8C, 24VSCALANCE XB213-3 (ST, PN)SCALANCE XC216EECRUGGEDCOM RM1224 LTE(4G) NAMSCALANCE XB205-3 (ST, PN)SCALANCE XC208SCALANCE XB213-3LD (SC, PN)SCALANCE XC206-2G PoESCALANCE XR328-4C WG (28xGE, DC 24V)SCALANCE XB205-3LD (SC, PN)SCALANCE W734-1 RJ45 (USA)SCALANCE S615 EECSCALANCE MUM856-1 (RoW)SCALANCE XR324WG (24 X FE, DC 24V)SCALANCE XR528-6M (2HR2)SCALANCE XR528-6M (L3 int.)SCALANCE XB216 (E/IP)SCALANCE XC216-4CSCALANCE XB208 (E/IP)SCALANCE XR324WG (24 x FE, AC 230V)SCALANCE XC206-2 (SC)SCALANCE W778-1 M12 EECSCALANCE XR524-8C, 1x230VSCALANCE W788-1 M12SCALANCE M876-3 (EVDO)SCALANCE XP208SCALANCE XR552-12M (2HR2)SCALANCE XF204-2BA DNASCALANCE WAM766-1 EEC (EU)SCALANCE XB205-3LD (SC, E/IP)SCALANCE XF204-2BASCALANCE WUM763-1SIPLUS NET SCALANCE XC216-4CSCALANCE W788-2 M12 EECSCALANCE W786-2 RJ45SCALANCE XB213-3 (SC, PN)SCALANCE W1788-2 EEC M12SCALANCE XC206-2SFPSCALANCE XP216POE EECSCALANCE XM408-4C (L3 int.)SCALANCE W1788-2 M12SCALANCE W786-1 RJ45SCALANCE XP208EECSCALANCE MUM856-1 (EU)SCALANCE S615SCALANCE WAM766-1 (US)SCALANCE SC646-2CSCALANCE M826-2 SHDSL-RouterSCALANCE W786-2 SFPSCALANCE XR524-8C, 24V (L3 int.)SCALANCE XR552-12M (2HR2, L3 int.)SCALANCE XC206-2 (ST/BFOC)SCALANCE W722-1 RJ45SCALANCE XM416-4CSCALANCE W788-1 RJ45SCALANCE XR526-8C, 24V (L3 int.)SCALANCE XR528-6MSCALANCE XR528-6M (2HR2, L3 int.)SCALANCE XC216-4C GSCALANCE M874-2SCALANCE XR526-8C, 2x230VSCALANCE W1748-1 M12SCALANCE XP216 (Ethernet/IP)SCALANCE W774-1 M12 EECSCALANCE XR328-4C WG (24xFE,4xGE,AC230V)SCALANCE XC224-4C GSCALANCE XC208G PoE (54 V DC)SCALANCE M816-1 ADSL-Router (Annex B)SCALANCE XC206-2G PoE EEC (54 V DC)SCALANCE XP208 (Ethernet/IP)SCALANCE M876-3 (ROK)SCALANCE XB216 (PN)SCALANCE XC216-4C G (EIP Def.)SCALANCE M876-4SCALANCE XR526-8C, 24VSCALANCE W734-1 RJ45SCALANCE SC636-2CSCALANCE W788-2 RJ45SCALANCE XM408-4CSCALANCE XC208G PoESCALANCE XR524-8C, 1x230V (L3 int.)SCALANCE WUM766-1 (US)SCALANCE W778-1 M12SCALANCE W748-1 RJ45SCALANCE XM408-8C (L3 int.)SCALANCE XB213-3LD (SC, E/IP)SCALANCE XC216SCALANCE XC208G EECSCALANCE XC208G (EIP def.)SCALANCE XC208GSCALANCE XR526-8C, 2x230V (L3 int.)SCALANCE XP216EECSCALANCE M816-1 ADSL-Router (Annex A)SCALANCE XC206-2G PoE (54 V DC)SCALANCE XM416-4C (L3 int.)RUGGEDCOM RM1224 LTE(4G) EUSCALANCE XC206-2SFP GSCALANCE W774-1 RJ45 (USA)SCALANCE MUM853-1 (EU)SCALANCE XR328-4C WG (24xFE, 4xGE,DC24V)SCALANCE W778-1 M12 EEC (USA)SCALANCE W1788-1 M12SCALANCE W738-1 M12SCALANCE M876-4 (EU)SCALANCE XR524-8C, 2x230VSCALANCE XR526-8C, 1x230V (L3 int.)SCALANCE M804PBSCALANCE XC216-3G PoE (54 V DC)SCALANCE XR326-2C PoE WG (without UL)SCALANCE XB205-3 (SC, PN)SCALANCE XC206-2SFP EECSCALANCE W721-1 RJ45SCALANCE XC206-2SFP G (EIP DEF.)SCALANCE WAM766-1 (EU)SCALANCE M812-1 ADSL-Router (Annex B)SCALANCE SC632-2CSCALANCE XP208PoE EECSCALANCE W786-2IA RJ45SCALANCE XF204SCALANCE XF204 DNASCALANCE M812-1 ADSL-Router (Annex A)SCALANCE XB213-3 (SC, E/IP)SCALANCE XR524-8C, 2x230V (L3 int.)SCALANCE XB208 (PN)SCALANCE XC224SCALANCE XR326-2C PoE WGSCALANCE M874-3SCALANCE WUM766-1 (EU)SCALANCE XB205-3 (ST, E/IP)SCALANCE XC208EECSCALANCE WAM763-1SCALANCE XR328-4C WG (24XFE, 4XGE, 24V)SIPLUS NET SCALANCE XC206-2SCALANCE XM408-8CSCALANCE W748-1 M12SCALANCE SC642-2CSCALANCE XR552-12MSCALANCE XR526-8C, 1x230VSCALANCE XR328-4C WG (28xGE, AC 230V)SIPLUS NET SCALANCE XC208SCALANCE XC206-2SFP G EECSCALANCE XC224-4C G EECSCALANCE WAM766-1 EEC (US)SCALANCE W761-1 RJ45SCALANCE XC216-3G PoESCALANCE XC216-4C G EECSIPLUS NET SCALANCE XC206-2SFPSCALANCE XP216SCALANCE XC224-4C G (EIP Def.)SCALANCE SC622-2CSCALANCE W788-2 M12
CWE ID-CWE-862
Missing Authorization
CVE-2022-41692
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 36.00%
||
7 Day CHG~0.00%
Published-18 Nov, 2022 | 18:54
Updated-20 Feb, 2025 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Appointment Hour Booking plugin <= 1.3.71 - Missing Authorization vulnerability

Missing Authorization vulnerability in Appointment Hour Booking plugin <= 1.3.71 on WordPress.

Action-Not Available
Vendor-CodePeople
Product-appointment_hour_bookingAppointment Hour Booking (WordPress plugin)
CWE ID-CWE-862
Missing Authorization
CVE-2024-54378
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.70% / 71.11%
||
7 Day CHG+0.10%
Published-16 Dec, 2024 | 14:31
Updated-16 Dec, 2024 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Quietly Insights plugin <= 1.2.2 - Arbitrary Option Update to Privilege Escalation vulnerability

Missing Authorization vulnerability in Quietly Quietly Insights allows Privilege Escalation.This issue affects Quietly Insights: from n/a through 1.2.2.

Action-Not Available
Vendor-Quietly
Product-Quietly Insights
CWE ID-CWE-862
Missing Authorization
CVE-2020-9456
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.96% / 82.74%
||
7 Day CHG~0.00%
Published-06 Mar, 2020 | 18:54
Updated-04 Aug, 2024 | 10:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the user controller allows remote authenticated users (with minimal privileges) to elevate their privileges to administrator via class_rm_user_controller.php rm_user_edit.

Action-Not Available
Vendor-n/aMetagauss Inc.
Product-registrationmagicn/a
CWE ID-CWE-862
Missing Authorization
CVE-2022-41790
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.40%
||
7 Day CHG~0.00%
Published-17 Jan, 2024 | 18:13
Updated-17 Jun, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Time Slots Booking Form Plugin <= 1.1.76 is vulnerable to Broken Access Control

Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.This issue affects WP Time Slots Booking Form: from n/a through 1.1.76.

Action-Not Available
Vendor-CodePeople
Product-wp_time_slots_booking_formWP Time Slots Booking Form
CWE ID-CWE-862
Missing Authorization
CVE-2024-10591
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.08% / 25.50%
||
7 Day CHG+0.01%
Published-30 Jan, 2025 | 13:42
Updated-10 Apr, 2025 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics <= 1.5.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update

The MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hubwoo_save_updates() function in all versions up to, and including, 1.5.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Action-Not Available
Vendor-makewebbettermakewebbetter
Product-hubspot_for_woocommerceMWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics
CWE ID-CWE-862
Missing Authorization
CVE-2024-53803
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 47.33%
||
7 Day CHG+0.01%
Published-06 Dec, 2024 | 13:07
Updated-10 Feb, 2025 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Mailster plugin <= 1.8.16.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in brandtoss WP Mailster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Mailster: from n/a through 1.8.16.0.

Action-Not Available
Vendor-wpmailsterbrandtoss
Product-wp_mailsterWP Mailster
CWE ID-CWE-862
Missing Authorization
CVE-2024-54268
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 36.50%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-12 Mar, 2025 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SiteOrigin Widgets Bundle plugin <= 1.64.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in SiteOrigin SiteOrigin Widgets Bundle allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteOrigin Widgets Bundle: from n/a through 1.64.0.

Action-Not Available
Vendor-siteoriginSiteOrigin
Product-siteorigin_widgets_bundleSiteOrigin Widgets Bundle
CWE ID-CWE-862
Missing Authorization
CVE-2024-54379
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.70% / 71.11%
||
7 Day CHG+0.10%
Published-16 Dec, 2024 | 14:31
Updated-16 Dec, 2024 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Minterpress plugin <= 1.0.5 - Arbitrary Option Update to Privilege Escalation vulnerability

Missing Authorization vulnerability in Blokhaus Minterpress allows Privilege Escalation.This issue affects Minterpress: from n/a through 1.0.5.

Action-Not Available
Vendor-Blokhaus
Product-Minterpress
CWE ID-CWE-862
Missing Authorization
CVE-2022-31595
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.34% / 56.37%
||
7 Day CHG~0.00%
Published-14 Jun, 2022 | 18:45
Updated-03 Aug, 2024 | 07:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Financial Consolidation - version 1010,�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-adaptive_server_enterpriseSAP Financial Consolidation
CWE ID-CWE-862
Missing Authorization
CVE-2024-53816
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.22%
||
7 Day CHG+0.02%
Published-09 Dec, 2024 | 12:59
Updated-03 Feb, 2025 | 14:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Tutor LMS Elementor Addons plugin <= 2.1.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Themeum Tutor LMS Elementor Addons.This issue affects Tutor LMS Elementor Addons: from n/a through 2.1.5.

Action-Not Available
Vendor-Themeum
Product-tutor_lms_elementor_addonsTutor LMS Elementor Addons
CWE ID-CWE-862
Missing Authorization
CVE-2022-30951
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.91% / 74.87%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 14:06
Updated-03 Aug, 2024 | 07:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library does not implement access control, potentially allowing users to start processes even if they're not allowed to log in.

Action-Not Available
Vendor-Jenkins
Product-wmi_windows_agentsJenkins WMI Windows Agents Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-3876
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.07% / 20.44%
||
7 Day CHG~0.00%
Published-10 May, 2025 | 11:22
Updated-12 May, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SMS Alert Order Notifications – WooCommerce <= 3.8.1 - Authenticated (Subscriber+) Privilege Escalation via handleWpLoginCreateUserAction Function

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insufficient user OTP validation in the handleWpLoginCreateUserAction() function in all versions up to, and including, 3.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate any account by supplying its username or email and elevate their privileges to that of an administrator.

Action-Not Available
Vendor-cozyvision1
Product-SMS Alert Order Notifications – WooCommerce
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 8
  • 9
  • Next
Details not found