Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-31350

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-09 Jun, 2024 | 18:04
Updated At-28 Apr, 2026 | 16:09
Rejected At-
Credits

WordPress AWP Classifieds plugin <= 4.3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in AWP Classifieds Team AWP Classifieds.This issue affects AWP Classifieds: from n/a through 4.3.1.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:09 Jun, 2024 | 18:04
Updated At:28 Apr, 2026 | 16:09
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress AWP Classifieds plugin <= 4.3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in AWP Classifieds Team AWP Classifieds.This issue affects AWP Classifieds: from n/a through 4.3.1.

Affected Products
Vendor
Strategy11AWP Classifieds Team
Product
AWP Classifieds
Collection URL
https://wordpress.org/plugins
Package Name
another-wordpress-classifieds-plugin
Default Status
unaffected
Versions
Affected
  • From n/a through 4.3.1 (custom)
    • -> unaffectedfrom4.3.2
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update to 4.3.2 or a higher version.

Configurations
Workarounds
Exploits
Credits
finder
Abdi Pranata (Patchstack Alliance)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/vulnerability/another-wordpress-classifieds-plugin/wordpress-awp-classifieds-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/vulnerability/another-wordpress-classifieds-plugin/wordpress-awp-classifieds-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/vulnerability/another-wordpress-classifieds-plugin/wordpress-awp-classifieds-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve
vdb-entry
x_transferred
Hyperlink: https://patchstack.com/database/vulnerability/another-wordpress-classifieds-plugin/wordpress-awp-classifieds-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve
Resource:
vdb-entry
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:09 Jun, 2024 | 18:15
Updated At:25 Sep, 2024 | 14:36

Missing Authorization vulnerability in AWP Classifieds Team AWP Classifieds.This issue affects AWP Classifieds: from n/a through 4.3.1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Strategy11
strategy11
>>awp_classifieds>>Versions before 4.3.2(exclusive)
cpe:2.3:a:strategy11:awp_classifieds:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primaryaudit@patchstack.com
CWE ID: CWE-862
Type: Primary
Source: audit@patchstack.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://patchstack.com/database/vulnerability/another-wordpress-classifieds-plugin/wordpress-awp-classifieds-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cveaudit@patchstack.com
Third Party Advisory
Hyperlink: https://patchstack.com/database/vulnerability/another-wordpress-classifieds-plugin/wordpress-awp-classifieds-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1738Records found
CVE-2023-2877
Matching Score-8
Assigner-WPScan
ShareView Details
Matching Score-8
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-70.01% / 98.69%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 13:17
Updated-03 Dec, 2024 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution

The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.

Action-Not Available
Vendor-UnknownStrategy11
Product-formidable_formsFormidable Forms
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-45806
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 52.50%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:22
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Formidable Forms plugin <= 5.5.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Strategy11 Form Builder Team Formidable Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Formidable Forms: from n/a through 5.5.4.

Action-Not Available
Vendor-Strategy11
Product-formidable_formsFormidable Forms
CWE ID-CWE-862
Missing Authorization
CVE-2025-25120
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.87%
||
7 Day CHG~0.00%
Published-07 Feb, 2025 | 10:11
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Slide Banners plugin <= 1.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Melodic Media Slide Banners slide-banners allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slide Banners: from n/a through <= 1.3.

Action-Not Available
Vendor-Melodic Media
Product-Slide Banners
CWE ID-CWE-862
Missing Authorization
CVE-2025-4202
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-Not Assigned
Published-16 May, 2026 | 12:30
Updated-16 May, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multicollab: Content Team Collaboration and Editorial Workflow <= 5.2 - Missing Authorization to Authenticated (Subscriber+) Collaboration Comment

The Multicollab: Content Team Collaboration and Editorial Workflow plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf_add_comment' function in all versions up to, and including, 5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add comments to arbitrary collaborations.

Action-Not Available
Vendor-multicollab
Product-Multicollab: Content Team Collaboration and Editorial Workflow
CWE ID-CWE-862
Missing Authorization
CVE-2026-4128
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 0.76%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 07:45
Updated-22 Apr, 2026 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TP Restore Categories And Taxonomies <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via 'tpmcattt_delete_term' AJAX Action

The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin's trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id.

Action-Not Available
Vendor-tplugins
Product-TP Restore Categories And Taxonomies
CWE ID-CWE-862
Missing Authorization
CVE-2022-31765
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-8.8||HIGH
EPSS-0.50% / 66.32%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-14 Apr, 2026 | 09:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected devices do not properly authorize the change password function of the web interface. This could allow low privileged users to escalate their privileges.

Action-Not Available
Vendor-Siemens AG
Product-6gk5748-1gd00-0ab0_firmware6gk5786-1fc00-0aa0_firmware6gk5786-2fe00-0ab0_firmware6gk5788-1gd00-0ab0_firmware6gk5788-2fc00-0aa0_firmware6gk5788-2gd00-0ta06gk5213-3bb00-2ab2_firmware6gk5208-0ua00-5es66gk5416-4gr00-2am26gk5205-3bb00-2tb2_firmware6gk5205-3bb00-2ab26gk5213-3bd00-2tb2_firmware6gk5786-2fc00-0ac0_firmware6gk5786-2fe00-0aa06gk5208-0ga00-2tc26gk5788-2hy01-0aa0_firmware6gk5328-4fs00-2rr3_firmware6gk5788-2hy01-0aa06gk5774-1fx00-0aa06ag1206-2bs00-7ac2_firmware6gk5856-2ea00-3da16gk5206-2gs00-2ac26gk5738-1gy00-0ab06gk5622-2gs00-2ac26gk5526-8gr00-2ar2_firmware6gk5786-2hc00-0aa0_firmware6gk5552-0aa00-2ar2_firmware6gk5642-2gs00-2ac26gk5328-4ss00-3ar3_firmware6gk5206-2gs00-2tc26gk5748-1gy01-0aa0_firmware6gk5324-0ba00-3ar36gk5216-0ha00-2as6_firmware6gk5328-4fs00-3ar36gk5788-2fc00-0ac0_firmware6gk5774-1fx00-0ab06gk5786-1fc00-0ab06gk5416-4gr00-2am2_firmware6gk5328-4ss00-3ar36gk5812-1aa00-2aa2_firmware6gk5804-0ap00-2aa26gk5748-1gd00-0aa06gk5774-1fx00-0ab0_firmware6gk5766-1ge00-7ta0_firmware6gk5224-4gs00-2fc2_firmware6gk5324-0ba00-3ar3_firmware6gk5552-0aa00-2hr26gk5788-2gd00-0ab06gk5216-0ha00-2ts66gk5766-1ge00-3db0_firmware6gk5788-1fc00-0aa06gk5216-3rs00-2ac26gk5408-4gq00-2am26gk5761-1fc00-0ab0_firmware6gk5208-0ba00-2ac2_firmware6gk5826-2ab00-2ab2_firmware6gk5408-4gp00-2am26gk5761-1fc00-0ab06gk5761-1fc00-0aa0_firmware6gk5208-0ga00-2fc2_firmware6gk5408-8gs00-2am26gk5328-4fs00-3ar3_firmware6gk5766-1ge00-7da0_firmware6gk5552-0aa00-2ar26gk5876-4aa00-2da2_firmware6gk5786-2fc00-0ac06gk5788-2gy01-0aa0_firmware6gk5216-0ba00-2fc26gk5788-1gy01-0aa06gk5876-3aa02-2ba2_firmware6gk5524-8gs00-3ar2_firmware6gk5876-3aa02-2ba26gk5722-1fc00-0ab06gk5206-2rs00-2ac26gk5205-3bf00-2ab2_firmware6gk5528-0ar00-2hr2_firmware6gk5734-1fx00-0aa06gk5788-1fc00-0aa0_firmware6gk5208-0ba00-2fc26gk5722-1fc00-0aa06gk5205-3bd00-2ab26gk5876-3aa02-2ea2_firmware6gk5778-1gy00-0aa06gk5206-2gs00-2fc2_firmware6gk5324-0ba00-2ar3_firmware6gk5734-1fx00-0aa6_firmware6gk5326-2qs00-3rr3_firmware6gk5526-8gr00-3ar26gk5766-1je00-3da06gk5778-1gy00-0tb0_firmware6gk5763-1al00-3aa0_firmware6gk5766-1ge00-7tb06gk5763-1al00-3da0_firmware6gk5204-0ba00-2yf2_firmware6gk5224-4gs00-2fc26gk5208-0ha00-2ts6_firmware6gk5786-1fc00-0ab0_firmware6gk5208-0ra00-2ac2_firmware6gk5528-0ar00-2ar2_firmware6gk5216-0ha00-2es66gk5206-2rs00-2ac2_firmware6gk5812-1aa00-2aa26gk5524-8gr00-2ar26gk5774-1fx00-0aa0_firmware6gk5326-2qs00-3ar3_firmware6gk5816-1ba00-2aa26gk5774-1fy00-0tb0_firmware6gk5786-2fe00-0aa0_firmware6gk5206-2rs00-5fc26gk5642-2gs00-2ac2_firmware6gk5816-1aa00-2aa26gk5788-1fc00-0ab0_firmware6gk5853-2ea00-2da1_firmware6gk5632-2gs00-2ac2_firmware6gk5224-4gs00-2ac2_firmware6gk5778-1gy00-0aa0_firmware6gk5206-2bb00-2ac2_firmware6gk5208-0ba00-2ab2_firmware6gk5748-1fc00-0aa0_firmware6gk5748-1gy01-0ta06gk5216-0ba00-2ab26gk5206-2rs00-5ac2_firmware6gk5208-0ba00-2fc2_firmware6gk5788-2gd00-0aa0_firmware6gk5778-1gy00-0ab0_firmware6gk5326-2qs00-3rr36gk5408-8gs00-2am2_firmware6gk5876-4aa00-2ba26gk5205-3bd00-2tb26gk5774-1fy00-0ta0_firmware6gk5224-4gs00-2tc26gk5216-0ua00-5es66gk5721-1fc00-0ab06gk5528-0aa00-2ar26gk5788-2fc00-0ab0_firmware6gk5408-4gq00-2am2_firmware6gk5208-0ga00-2ac26gk5208-0ba00-2ab26gk5216-4bs00-2ac26gk5774-1fx00-0ab6_firmware6gk5204-2aa00-2gf26gk5766-1je00-7da0_firmware6gk5213-3bd00-2ab26gk5748-1gy01-0ta0_firmware6gk5876-4aa00-2ba2_firmware6gk5786-2fc00-0aa06gk5528-0ar00-2ar26gk5804-0ap00-2aa2_firmware6gk5206-2gs00-2ac2_firmware6gk5646-2gs00-2ac26gk5216-0ha00-2es6_firmware6gk5786-2fc00-0ab0_firmware6gk5208-0ra00-2ac26gk5205-3bb00-2ab2_firmware6gk5748-1fc00-0ab0_firmware6gk5853-2ea00-2da16gk5788-2gd00-0aa06gk5208-0ha00-2as6_firmware6gk5748-1fc00-0aa06gk5208-0ga00-2fc26gk5216-0ba00-2tb2_firmware6gk5216-3rs00-5ac26gk5208-0ga00-2tc2_firmware6gk5208-0ba00-2tb26gk5761-1fc00-0aa06gk5788-2fc00-0ac06gk5216-4bs00-2ac2_firmware6gk5774-1fx00-0aa6_firmware6gk5208-0ga00-2ac2_firmware6gk5206-2bs00-2ac26gk5208-0ra00-5ac26gk5778-1gy00-0tb06gk5216-0ba00-2ac26gk5774-1fx00-0ab66gk5204-0ba00-2gf26gk5721-1fc00-0aa06gk5812-1ba00-2aa2_firmware6gk5526-8gs00-4ar2_firmware6gk5552-0aa00-2hr2_firmware6gk5408-8gr00-2am2_firmware6ag1216-4bs00-7ac26gk5216-4gs00-2ac2_firmware6gk5722-1fc00-0ac06gk5778-1gy00-0ta06gk5216-4gs00-2ac26ag1216-4bs00-7ac2_firmware6gk6108-4am00-2da26gk5526-8gs00-3ar26gk5524-8gr00-4ar26gk5786-2hc00-0ab06gk5874-2aa00-2aa2_firmware6gk5208-0ba00-2tb2_firmware6gk5216-4gs00-2fc2_firmware6gk5224-4gs00-2tc2_firmware6gk5766-1ge00-7db0_firmware6gk5524-8gr00-3ar2_firmware6gk5774-1fy00-0ta06gk5763-1al00-7da0_firmware6gk5766-1ge00-7db06gk5788-1gd00-0ab06gk5526-8gr00-3ar2_firmware6gk5524-8gs00-2ar26gk5213-3bd00-2tb26gk5748-1gd00-0aa0_firmware6gk5856-2ea00-3aa16gk5328-4fs00-3rr3_firmware6gk5204-2aa00-2yf26gk5528-0ar00-2hr26gk5786-2fc00-0aa0_firmware6gk5524-8gr00-2ar2_firmware6gk5721-1fc00-0aa0_firmware6gk5204-2aa00-2yf2_firmware6gk5788-2gd00-0tc0_firmware6gk5816-1ba00-2aa2_firmware6gk5524-8gr00-4ar2_firmware6gk5812-1ba00-2aa26gk5766-1je00-7da06gk5416-4gs00-2am26gk5721-1fc00-0ab0_firmware6gk5408-4gp00-2am2_firmware6gk5526-8gs00-2ar26gk5208-0ha00-2es66gk5216-0ha00-2as66gk5774-1fx00-0aa66gk5524-8gs00-2ar2_firmware6gk5528-0aa00-2hr2_firmware6gk5528-0aa00-2hr26gk5216-0ha00-2ts6_firmware6gk5206-2bb00-2ac26gk5216-0ba00-2fc2_firmware6gk5786-2hc00-0aa06gk5524-8gs00-4ar26gk5763-1al00-7da06gk5205-3bf00-2tb2_firmware6gk5738-1gy00-0ab0_firmware6gk5774-1fx00-0ac0_firmware6gk5734-1fx00-0ab0_firmware6gk5216-0ba00-2tb26gk5204-0ba00-2gf2_firmware6gk5786-2fc00-0ab06gk5552-0ar00-2ar2_firmware6gk5526-8gr00-2ar26gk5552-0ar00-2hr2_firmware6gk5876-4aa00-2da26gk5622-2gs00-2ac2_firmware6gk5786-2hc00-0ab0_firmware6gk5328-4ss00-2ar36gk5224-0ba00-2ac2_firmware6gk5328-4fs00-2ar36gk5216-3rs00-5ac2_firmware6gk5874-2aa00-2aa26gk5205-3bf00-2ab26gk5213-3bf00-2tb2_firmware6gk5205-3bb00-2tb26gk5206-2rs00-5fc2_firmware6gk5734-1fx00-0ab06gk5778-1gy00-0ab06gk5874-3aa00-2aa2_firmware6gk5216-4gs00-2fc26gk5788-2gy01-0ta0_firmware6gk5766-1ge00-7da06gk5213-3bb00-2tb2_firmware6gk5738-1gy00-0aa0_firmware6gk5216-0ba00-2ab2_firmware6gk5788-1gd00-0aa06gk5876-3aa02-2ea26gk5646-2gs00-2ac2_firmware6gk5788-2fc00-0aa06gk5636-2gs00-2ac2_firmware6gk5205-3bd00-2tb2_firmware6gk5766-1ge00-3da06gk5526-8gs00-4ar26gk5206-2gs00-2fc26gk5766-1ge00-3db06gk5213-3bf00-2tb26gk5328-4ss00-2ar3_firmware6ag1208-0ba00-7ac26gk5328-4fs00-3rr36gk6108-4am00-2da2_firmware6gk5788-2gy01-0ta06gk5778-1gy00-0ta0_firmware6gk5206-2gs00-2tc2_firmware6gk5856-2ea00-3da1_firmware6ag1206-2bb00-7ac2_firmware6gk5204-0ba00-2yf26gk5205-3bf00-2tb26gk5208-0ha00-2as66gk5208-0ha00-2ts66gk5788-2gd00-0tb0_firmware6gk5734-1fx00-0ab66gk5766-1je00-7ta0_firmware6gk5763-1al00-3da06gk5213-3bf00-2ab2_firmware6gk5788-2gy01-0aa06gk5766-1ge00-3da0_firmware6gk5786-2fe00-0ab06gk5766-1je00-7ta06gk5208-0ua00-5es6_firmware6gk5213-3bf00-2ab26ag1206-2bs00-7ac26gk5524-8gs00-3ar26gk5722-1fc00-0aa0_firmware6gk5738-1gy00-0aa06gk5632-2gs00-2ac26gk5324-0ba00-2ar36gk5526-8gr00-4ar26gk5206-2bs00-2ac2_firmware6gk6108-4am00-2ba2_firmware6gk5766-1ge00-7tb0_firmware6gk5748-1gy01-0aa06gk5213-3bb00-2tb26gk6108-4am00-2ba26gk5552-0ar00-2hr26gk5216-0ua00-5es6_firmware6gk5213-3bb00-2ab26gk5524-8gs00-4ar2_firmware6gk5788-2fc00-0ab06gk5526-8gs00-2ar2_firmware6gk5748-1fc00-0ab06gk5766-1ge00-7ta06gk5826-2ab00-2ab26gk5204-2aa00-2gf2_firmware6gk5552-0ar00-2ar26gk5856-2ea00-3aa1_firmware6gk5224-4gs00-2ac26gk5816-1aa00-2aa2_firmware6gk5526-8gr00-4ar2_firmware6gk5408-8gr00-2am26gk5216-4gs00-2tc2_firmware6gk5328-4fs00-2rr36gk5213-3bd00-2ab2_firmware6gk5206-2bs00-2fc2_firmware6gk5216-3rs00-2ac2_firmware6gk5734-1fx00-0aa0_firmware6gk5216-4gs00-2tc26gk5526-8gs00-3ar2_firmware6gk5524-8gr00-3ar26gk5206-2bd00-2ac2_firmware6gk5722-1fc00-0ac0_firmware6gk5788-2gd00-0tc06gk5206-2rs00-5ac26gk5734-1fx00-0ab6_firmware6gk5774-1fx00-0ac06ag1208-0ba00-7ac2_firmware6gk5788-2gd00-0ab0_firmware6ag1206-2bb00-7ac26gk5722-1fc00-0ab0_firmware6gk5208-0ba00-2ac26gk5788-2gd00-0tb06gk5788-1gd00-0aa0_firmware6gk5328-4fs00-2ar3_firmware6gk5528-0aa00-2ar2_firmware6gk5416-4gs00-2am2_firmware6gk5206-2bd00-2ac26gk5786-1fc00-0aa06gk5748-1gd00-0ab06gk5216-0ba00-2ac2_firmware6gk5208-0ha00-2es6_firmware6gk5763-1al00-3aa06gk5734-1fx00-0aa66gk5766-1je00-3da0_firmware6gk5326-2qs00-3ar36gk5788-1fc00-0ab06gk5224-0ba00-2ac26gk5205-3bd00-2ab2_firmware6gk5788-2gd00-0ta0_firmware6gk5636-2gs00-2ac26gk5206-2bs00-2fc26gk5774-1fy00-0tb06gk5208-0ra00-5ac2_firmware6gk5874-3aa00-2aa26gk5788-1gy01-0aa0_firmwareSCALANCE M876-4 (EU)SCALANCE WAM763-1SCALANCE W1748-1 M12SCALANCE XC224-4C G (EIP Def.)SCALANCE W734-1 RJ45 (USA)SCALANCE XC206-2SFP GSCALANCE XR524-8C, 24VSCALANCE XC206-2 (SC)SCALANCE XB205-3 (SC, PN)SCALANCE XC216-4CSCALANCE SC646-2CSCALANCE XC206-2G PoE (54 V DC)SCALANCE XR328-4C WG (28xGE, DC 24V)SIPLUS NET SCALANCE XC206-2SCALANCE XP216EECSCALANCE XC216EECSCALANCE XR324WG (24 x FE, AC 230V)SCALANCE XB213-3 (ST, E/IP)SCALANCE XB208 (PN)SCALANCE XR552-12M (2HR2, L3 int.)SCALANCE M826-2 SHDSL-RouterSCALANCE XR328-4C WG (24XFE, 4XGE, 24V)SCALANCE W1788-2 M12SCALANCE W786-1 RJ45SCALANCE S615 LAN-RouterSCALANCE W774-1 M12 EECSCALANCE WUM766-1 (USA)SCALANCE XP216SCALANCE W778-1 M12 EECSCALANCE XP216POE EECSCALANCE W761-1 RJ45SCALANCE W722-1 RJ45SCALANCE XP208SCALANCE W1788-2 EEC M12SCALANCE SC642-2CSCALANCE XR526-8C, 24V (L3 int.)SCALANCE XC208GSCALANCE XR328-4C WG (24xFE,4xGE,AC230V)SCALANCE XR528-6M (2HR2)SCALANCE SC632-2CSCALANCE XC224SCALANCE XM408-4C (L3 int.)SCALANCE XB213-3 (SC, PN)SIPLUS NET SCALANCE XC208SCALANCE M812-1 ADSL-RouterSCALANCE XC206-2G PoESCALANCE XR328-4C WG (24xFE, 4xGE,DC24V)SCALANCE XC208G PoE (54 V DC)SCALANCE WAM766-1 EEC (US)SCALANCE W778-1 M12 EEC (USA)SCALANCE W786-2IA RJ45SCALANCE XB213-3 (SC, E/IP)SCALANCE XR526-8C, 24VSCALANCE XC208SCALANCE XB208 (E/IP)SCALANCE XR552-12MSCALANCE XP216 (Ethernet/IP)SCALANCE XB205-3 (ST, E/IP)SCALANCE M876-3 (ROK)SCALANCE MUM853-1 (EU)SCALANCE XF204-2BASCALANCE XR326-2C PoE WGSCALANCE XR526-8C, 1x230V (L3 int.)SCALANCE W774-1 RJ45 (USA)SCALANCE XC216-3G PoE (54 V DC)SCALANCE WAM766-1 EECSCALANCE XR526-8C, 2x230VSCALANCE XC206-2SFP G (EIP DEF.)SCALANCE XR528-6M (L3 int.)SCALANCE XM408-4CSCALANCE XR526-8C, 1x230VSCALANCE XR524-8C, 24V (L3 int.)SCALANCE M874-3SCALANCE XM408-8CSCALANCE M876-4 (NAM)SCALANCE S615 EEC LAN-RouterSCALANCE W786-2 SFPSCALANCE W738-1 M12SCALANCE XC208G (EIP def.)SCALANCE XC224-4C G EECSCALANCE W1788-2IA M12SCALANCE W774-1 RJ45SCALANCE XC206-2SFP EECSCALANCE XM416-4CSCALANCE XC216-3G PoESCALANCE XR524-8C, 2x230VSCALANCE XR528-6M (2HR2, L3 int.)SCALANCE XB205-3LD (SC, E/IP)SCALANCE XC216-4C G EECSCALANCE WUM766-1SCALANCE XC216-4C GSCALANCE XB213-3LD (SC, E/IP)SCALANCE W721-1 RJ45SCALANCE XR326-2C PoE WG (without UL)SCALANCE XR324WG (24 X FE, DC 24V)SCALANCE W748-1 RJ45SCALANCE W788-2 RJ45SCALANCE XR524-8C, 1x230VSCALANCE XR524-8C, 1x230V (L3 int.)SCALANCE MUM856-1 (EU)SCALANCE XC206-2SFP G EECSCALANCE M874-2SCALANCE W734-1 RJ45SCALANCE W748-1 M12SCALANCE XF204-2BA DNASCALANCE XB213-3LD (SC, PN)SCALANCE XC224-4C GSCALANCE XR526-8C, 2x230V (L3 int.)SCALANCE XP208EECSCALANCE XF204 DNASCALANCE XR528-6MSCALANCE WAM766-1SCALANCE W788-1 RJ45SCALANCE M816-1 ADSL-RouterSCALANCE W1788-1 M12SCALANCE W786-2 RJ45SCALANCE XP208 (Ethernet/IP)RUGGEDCOM RM1224 LTE(4G) EUSCALANCE XB205-3 (ST, PN)SCALANCE XB216 (E/IP)SCALANCE XC208G PoESCALANCE XC216-4C G (EIP Def.)SCALANCE W788-2 M12SCALANCE WAM766-1 (US)SCALANCE XC206-2 (ST/BFOC)SCALANCE XP208PoE EECSCALANCE XR524-8C, 2x230V (L3 int.)SCALANCE M804PBSCALANCE W788-1 M12SCALANCE XC206-2G PoE EEC (54 V DC)SCALANCE M876-3SCALANCE XR552-12M (2HR2)SCALANCE M876-4SCALANCE SC636-2CSCALANCE XC206-2SFPSCALANCE XM408-8C (L3 int.)SCALANCE XM416-4C (L3 int.)SCALANCE W788-2 M12 EECSCALANCE XB216 (PN)SCALANCE XC216SCALANCE XF204SIPLUS NET SCALANCE XC216-4CSCALANCE XB205-3LD (SC, PN)SCALANCE SC622-2CSCALANCE WUM763-1SCALANCE MUM856-1 (RoW)SIPLUS NET SCALANCE XC206-2SFPSCALANCE W778-1 M12SCALANCE XB213-3 (ST, PN)SCALANCE XC208EECSCALANCE XC208G EECRUGGEDCOM RM1224 LTE(4G) NAMSCALANCE XR328-4C WG (28xGE, AC 230V)
CWE ID-CWE-862
Missing Authorization
CVE-2024-1090
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 54.27%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-08 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImageRecycle pdf & image compression <= 3.1.13 - Missing Authorization to Settings Update in stopOptimizeAll

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stopOptimizeAll function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify image optimization settings.

Action-Not Available
Vendor-imagerecycleimagerecycle
Product-imagerecycle_pdf_\&_image_compressionImageRecycle pdf & image compression
CWE ID-CWE-862
Missing Authorization
CVE-2025-26369
Matching Score-4
Assigner-Nozomi Networks Inc.
ShareView Details
Matching Score-4
Assigner-Nozomi Networks Inc.
CVSS Score-8.8||HIGH
EPSS-0.15% / 35.90%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 13:29
Updated-27 May, 2025 | 21:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.

Action-Not Available
Vendor-Q-Free
Product-maxtimeMaxTime
CWE ID-CWE-862
Missing Authorization
CVE-2022-28137
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.65%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 12:30
Updated-03 Aug, 2024 | 05:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-jiratestresultreporterJenkins JiraTestResultReporter Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-24736
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.57%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:25
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Post Duplicator plugin <= 2.35 - Broken Access Control vulnerability

Missing Authorization vulnerability in metaphorcreations Post Duplicator post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through <= 2.35.

Action-Not Available
Vendor-metaphorcreationsmetaphorcreations
Product-post_duplicatorPost Duplicator
CWE ID-CWE-862
Missing Authorization
CVE-2025-24653
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 39.57%
||
7 Day CHG-0.01%
Published-27 Jan, 2025 | 14:22
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Admin and Site Enhancements (ASE) Pro Plugin <= 7.6.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in NotFound Admin and Site Enhancements (ASE) Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin and Site Enhancements (ASE) Pro: from n/a through 7.6.1.1.

Action-Not Available
Vendor-NotFound
Product-Admin and Site Enhancements (ASE) Pro
CWE ID-CWE-862
Missing Authorization
CVE-2025-24691
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.70%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress People Lists plugin <= 1.3.10 - Broken Access Control vulnerability

Missing Authorization vulnerability in ctltwp People Lists people-lists allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects People Lists: from n/a through <= 1.3.10.

Action-Not Available
Vendor-ctltwp
Product-People Lists
CWE ID-CWE-862
Missing Authorization
CVE-2025-24603
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.50%
||
7 Day CHG~0.00%
Published-27 Jan, 2025 | 14:22
Updated-11 May, 2026 | 23:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce plugin <= 3.4.10 - Broken Access Control vulnerability

Missing Authorization vulnerability in Dmitry V. (CEO of "UKR Solution") Print Barcode Labels for your WooCommerce products/orders a4-barcode-generator.This issue affects Print Barcode Labels for your WooCommerce products/orders: from n/a through <= 3.4.10.

Action-Not Available
Vendor-Dmitry V. (CEO of "UKR Solution")
Product-Print Barcode Labels for your WooCommerce products/orders
CWE ID-CWE-862
Missing Authorization
CVE-2025-24753
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.39%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:25
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Kadence Blocks plugin <= 3.3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in StellarWP Gutenberg Blocks by Kadence Blocks kadence-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gutenberg Blocks by Kadence Blocks: from n/a through <= 3.3.1.

Action-Not Available
Vendor-Kadence WPThe Events Calendar (StellarWP)
Product-gutenberg_blocks_with_aiGutenberg Blocks by Kadence Blocks
CWE ID-CWE-862
Missing Authorization
CVE-2024-10591
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.11% / 29.84%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 13:42
Updated-08 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics <= 1.5.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update

The MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hubwoo_save_updates() function in all versions up to, and including, 1.5.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Action-Not Available
Vendor-makewebbettermakewebbetter
Product-hubspot_for_woocommerceMWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics
CWE ID-CWE-862
Missing Authorization
CVE-2025-24613
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.17%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-12 May, 2026 | 23:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FV Thoughtful Comments plugin <= 0.3.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in FolioVision FV Thoughtful Comments thoughtful-comments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FV Thoughtful Comments: from n/a through <= 0.3.5.

Action-Not Available
Vendor-FolioVision
Product-FV Thoughtful Comments
CWE ID-CWE-862
Missing Authorization
CVE-2025-24972
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 30.21%
||
7 Day CHG~0.00%
Published-26 Mar, 2025 | 14:15
Updated-27 Mar, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse may bypass user preference when adding users to chat groups

Discourse is an open-source discussion platform. Prior to versions `3.3.4` on the `stable` branch and `3.4.0.beta5` on the `beta` branch, in specific circumstances, users could be added to group direct messages despite disabling direct messaging in their preferences. Versions `3.3.4` and `3.4.0.beta5` contain a patch for the issue. A workaround is available. If a user disables chat in their preferences then they cannot be added to new group chats.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discourse
CWE ID-CWE-862
Missing Authorization
CVE-2022-29611
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.40% / 61.13%
||
7 Day CHG~0.00%
Published-11 May, 2022 | 14:57
Updated-03 Aug, 2024 | 06:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver Application Server for ABAP and ABAP Platform
CWE ID-CWE-862
Missing Authorization
CVE-2024-10531
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 45.13%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 02:33
Updated-08 Apr, 2026 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kognetiks Chatbot for WordPress <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Assistant Update

The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_assistant() function in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update GTP assistants.

Action-Not Available
Vendor-kognetikskognetikskognetiks
Product-kognetiks_chatbotKognetiks Chatbot for WordPresschatbot
CWE ID-CWE-862
Missing Authorization
CVE-2024-10533
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 47.61%
||
7 Day CHG~0.00%
Published-16 Nov, 2024 | 03:29
Updated-08 Apr, 2026 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Chat App <= 3.6.8 - Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation

The WP Chat App plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the ajax_install_plugin() function in all versions up to, and including, 3.6.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the filebird plugin.

Action-Not Available
Vendor-NinjaTeam
Product-WP Chat App
CWE ID-CWE-862
Missing Authorization
CVE-2024-0983
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 56.03%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImageRecycle pdf & image compression <= 3.1.13 - Missing Authorization to Settings Update in enableOptimization

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enableOptimization function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to enable image optimization.

Action-Not Available
Vendor-imagerecycleimagerecycle
Product-imagerecycle_pdf_\&_image_compressionImageRecycle pdf & image compression
CWE ID-CWE-862
Missing Authorization
CVE-2026-7050
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.02%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 07:48
Updated-12 May, 2026 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Forms Rb <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via 'form_id' Parameter

The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to read form submission records, modify form configuration options, and delete records belonging to any form they do not own.

Action-Not Available
Vendor-rbplugins
Product-Forms Rb
CWE ID-CWE-862
Missing Authorization
CVE-2015-10140
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-57.10% / 98.16%
||
7 Day CHG~0.00%
Published-22 Jul, 2025 | 13:20
Updated-09 Jan, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ajax Load More < 2.8.1.2 - Subscriber+ File Upload & Deletion

The Ajax Load More plugin before 2.8.1.2 does not have authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber, to upload and delete arbitrary files.

Action-Not Available
Vendor-connekthqUnknown
Product-ajax_load_moreAjax Load More
CWE ID-CWE-862
Missing Authorization
CVE-2026-7525
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.55%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 03:27
Updated-14 May, 2026 | 14:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
My Calendar <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with custom-level access and above, to bypass the moderation and approval workflow by tampering with the POST body to publish events or set other unauthorized statuses such as cancelled or private, in ways their role does not permit. While the UI correctly restricts low-privilege users to a draft-only submit button, this restriction is enforced only client-side, making it trivially bypassable by directly manipulating the POST request.

Action-Not Available
Vendor-joedolson
Product-My Calendar – Accessible Event Manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-23957
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.90%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 20:08
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sur.ly plugin <= 3.0.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in surdotly Sur.ly surly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sur.ly: from n/a through <= 3.0.3.

Action-Not Available
Vendor-surdotly
Product-Sur.ly
CWE ID-CWE-862
Missing Authorization
CVE-2026-39477
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.59%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CartFlows plugin <= 2.2.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CartFlows: from n/a through <= 2.2.3.

Action-Not Available
Vendor-Brainstorm Force
Product-CartFlows
CWE ID-CWE-862
Missing Authorization
CVE-2026-39592
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.59%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress DEPART plugin <= 1.0.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Andy Ha DEPART depart-deposit-and-part-payment-for-woo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DEPART: from n/a through <= 1.0.7.

Action-Not Available
Vendor-Andy Ha
Product-DEPART
CWE ID-CWE-862
Missing Authorization
CVE-2024-10629
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-57.64% / 98.19%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 02:02
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GPX Viewer <= 2.2.9 - Authenticated (Subscriber+) Arbitrary File Creation

The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible.

Action-Not Available
Vendor-axelkellerdevfarm
Product-GPX Viewerwp_gpx_maps
CWE ID-CWE-862
Missing Authorization
CVE-2025-23188
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.78%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 00:32
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP S/4HANA (RBD)

An authenticated user with low privileges can exploit a missing authorization check in an IBS module of FS-RBD, allowing unauthorized access to perform actions beyond their intended permissions. This causes a low impact on integrity with no impact on confidentiality and availability.

Action-Not Available
Vendor-SAP SE
Product-SAP S/4HANA (RBD)
CWE ID-CWE-862
Missing Authorization
CVE-2020-13296
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.33% / 55.73%
||
7 Day CHG~0.00%
Published-29 Sep, 2020 | 15:54
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab affecting versions >=10.7 <13.0.14, >=13.1.0 <13.1.8, >=13.2.0 <13.2.6. Improper Access Control for Deploy Tokens

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2025-22665
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 30.48%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 14:25
Updated-12 May, 2026 | 23:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RapidLoad plugin <= 2.4.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Shakeeb Sadikeen RapidLoad unusedcss allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RapidLoad: from n/a through <= 2.4.4.

Action-Not Available
Vendor-Shakeeb Sadikeen
Product-RapidLoad
CWE ID-CWE-862
Missing Authorization
CVE-2022-28139
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.07%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 12:30
Updated-03 Aug, 2024 | 05:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-rocketchat_notifierJenkins RocketChat Notifier Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2015-8840
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.48% / 65.09%
||
7 Day CHG~0.00%
Published-08 Apr, 2016 | 00:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215.

Action-Not Available
Vendor-n/aSAP SE
Product-netweaver_application_server_javan/a
CWE ID-CWE-862
Missing Authorization
CVE-2026-39506
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.59%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AI Engine (Pro) plugin < 3.4.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2.

Action-Not Available
Vendor-Jordy Meow
Product-AI Engine (Pro)
CWE ID-CWE-862
Missing Authorization
CVE-2025-22667
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 30.95%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 14:24
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets plugin <= 1.8.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Creative Werk Designs Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets wpsyncsheets-woocommerce.This issue affects Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets: from n/a through <= 1.8.2.

Action-Not Available
Vendor-Creative Werk Designs
Product-Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets
CWE ID-CWE-862
Missing Authorization
CVE-2025-22561
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.68%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 15:39
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Title Experiments Free plugin <= 9.0.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in kbowson Title Experiments Free wp-experiments-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Title Experiments Free: from n/a through <= 9.0.4.

Action-Not Available
Vendor-kbowson
Product-Title Experiments Free
CWE ID-CWE-862
Missing Authorization
CVE-2026-6709
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.27%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 07:48
Updated-12 May, 2026 | 21:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Coinbase Commerce for Contact Form 7 <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) API Key Modification via 'cccf7_api_key' Parameter

The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the save_settings() function, which is registered on the admin_post_cccf7_save_settings hook. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's Coinbase Commerce API key option (cccf7_api_key) via a crafted POST request to /wp-admin/admin-post.

Action-Not Available
Vendor-coderpress
Product-Coinbase Commerce for Contact Form 7
CWE ID-CWE-862
Missing Authorization
CVE-2025-2276
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 31.52%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 23:22
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Dashboard <= 3.8.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Modules Activation/Deactivation

The Ultimate Dashboard – Custom WordPress Dashboard plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_module_actions function in all versions up to, and including, 3.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate/deactivate plugin modules.

Action-Not Available
Vendor-davidvongries
Product-Ultimate Dashboard – Custom WordPress Dashboard
CWE ID-CWE-862
Missing Authorization
CVE-2025-22800
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.51%
||
7 Day CHG~0.00%
Published-13 Jan, 2025 | 13:11
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Post SMTP plugin <= 2.9.11 - Broken Access Control vulnerability

Missing Authorization vulnerability in Saad Iqbal Post SMTP post-smtp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post SMTP: from n/a through <= 2.9.11.

Action-Not Available
Vendor-wpexpertsSaad Iqbal
Product-post_smtpPost SMTP
CWE ID-CWE-862
Missing Authorization
CVE-2024-10437
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 45.37%
||
7 Day CHG~0.00%
Published-29 Oct, 2024 | 09:31
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPC Smart Messages for WooCommerce <= 4.2.1 - Missing Authorization to Authenticated (Subscriber+) Message Activation/Deactivation

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smar Message activation/deactivation due to a missing capability check on the ajax_enable function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate smart messages.

Action-Not Available
Vendor-wpclever
Product-WPC Smart Messages for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-22298
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.68%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 10:49
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hive Support plugin <= 1.1.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Hive Support Hive Support hive-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hive Support: from n/a through <= 1.1.6.

Action-Not Available
Vendor-Hive Support
Product-Hive Support
CWE ID-CWE-862
Missing Authorization
CVE-2026-39816
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.02% / 3.85%
||
7 Day CHG-0.00%
Published-08 May, 2026 | 13:38
Updated-09 May, 2026 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy Script execution in the service prior to submitting the query. The missing Restricted annotation allows users without the Execute Code Permission to configure the Service in installations that use fine-grained authorization and have the optional TinkerpopClientService installed. Apache NiFi installations that do not have the nifi-other-graph-services-nar installed are not subject to this vulnerability. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation.

Action-Not Available
Vendor-The Apache Software Foundation
Product-nifiApache NiFi
CWE ID-CWE-862
Missing Authorization
CVE-2026-40502
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-1.12% / 78.43%
||
7 Day CHG~0.00%
Published-16 Apr, 2026 | 00:08
Updated-23 Apr, 2026 | 19:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenHarness Remote Administrative Command Injection via Gateway Handler

OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.

Action-Not Available
Vendor-hkudsHKUDS
Product-openharnessOpenHarness
CWE ID-CWE-862
Missing Authorization
CVE-2025-2075
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-11.58% / 93.72%
||
7 Day CHG-14.94%
Published-04 Apr, 2025 | 04:21
Updated-08 Apr, 2026 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncanny Automator <= 6.3.0.2 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to add_role() and user_role() functions missing proper capability checks performed through the validate_rest_call() function. This makes it possible for unauthenticated attackers to set the role of arbitrary users to administrator granting full access to the site, though privilege escalation requires an active account on the site so this is considered an authenticated privilege escalation.

Action-Not Available
Vendor-Uncanny Owl Inc.
Product-uncanny_automatorUncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2026-40729
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.18%
||
7 Day CHG~0.00%
Published-15 Apr, 2026 | 10:21
Updated-29 Apr, 2026 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress 3D viewer – Embed 3D Models plugin <= 1.8.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in bPlugins 3D viewer – Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 3D viewer – Embed 3D Models: from n/a through <= 1.8.5.

Action-Not Available
Vendor-bPlugins
Product-3D viewer – Embed 3D Models
CWE ID-CWE-862
Missing Authorization
CVE-2020-13270
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-7.5||HIGH
EPSS-0.36% / 58.12%
||
7 Day CHG~0.00%
Published-10 Jun, 2020 | 14:35
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via API

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2020-13319
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 33.95%
||
7 Day CHG~0.00%
Published-29 Sep, 2020 | 15:58
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. Missing permission check for adding time spent on an issue.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2025-15476
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.93%
||
7 Day CHG~0.00%
Published-07 Feb, 2026 | 08:26
Updated-08 Apr, 2026 | 17:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification

The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add delete or modify arbitrary bucket list items.

Action-Not Available
Vendor-simonfairbairn
Product-The Bucketlister
CWE ID-CWE-862
Missing Authorization
CVE-2020-13266
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.34%
||
7 Day CHG~0.00%
Published-09 Jun, 2020 | 15:34
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2025-1666
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.55%
||
7 Day CHG~0.00%
Published-06 Mar, 2025 | 11:11
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics <= 4.4.1 - Missing Authorization to Authenticated (Subscriber+) Survey Submission

The Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_uninstall_survey() function in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit the uninstall survey on behalf of a website.

Action-Not Available
Vendor-cookiebot
Product-Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 34
  • 35
  • Next
Details not found