Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-33686

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-29 Apr, 2024 | 05:56
Updated At-28 Apr, 2026 | 16:09
Rejected At-
Credits

Broken Access Control vulnerability affecting multiple WordPress themes by Extend Themes

Missing Authorization vulnerability in Extend Themes Pathway, Extend Themes Hugo WP, Extend Themes Althea WP, Extend Themes Elevate WP, Extend Themes Brite, Extend Themes Colibri WP, Extend Themes Vertice.This issue affects Pathway: from n/a through 1.0.15; Hugo WP: from n/a through 1.0.8; Althea WP: from n/a through 1.0.13; Elevate WP: from n/a through 1.0.15; Brite: from n/a through 1.0.11; Colibri WP: from n/a through 1.0.94; Vertice: from n/a through 1.0.7.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
ā–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:29 Apr, 2024 | 05:56
Updated At:28 Apr, 2026 | 16:09
Rejected At:
ā–¼CVE Numbering Authority (CNA)
Broken Access Control vulnerability affecting multiple WordPress themes by Extend Themes

Missing Authorization vulnerability in Extend Themes Pathway, Extend Themes Hugo WP, Extend Themes Althea WP, Extend Themes Elevate WP, Extend Themes Brite, Extend Themes Colibri WP, Extend Themes Vertice.This issue affects Pathway: from n/a through 1.0.15; Hugo WP: from n/a through 1.0.8; Althea WP: from n/a through 1.0.13; Elevate WP: from n/a through 1.0.15; Brite: from n/a through 1.0.11; Colibri WP: from n/a through 1.0.94; Vertice: from n/a through 1.0.7.

Affected Products
Vendor
Extend Themes
Product
Pathway
Collection URL
https://wordpress.org/themes/
Package Name
pathway
Default Status
unaffected
Versions
Affected
  • From n/a through 1.0.15 (custom)
    • -> unaffectedfrom1.0.16
Vendor
Extend Themes
Product
Hugo WP
Collection URL
https://wordpress.org/themes/
Package Name
hugo-wp
Default Status
unaffected
Versions
Affected
  • From n/a through 1.0.8 (custom)
    • -> unaffectedfrom1.0.10
Vendor
Extend Themes
Product
Althea WP
Collection URL
https://wordpress.org/themes/
Package Name
althea-wp
Default Status
unaffected
Versions
Affected
  • From n/a through 1.0.13 (custom)
    • -> unaffectedfrom1.0.16
Vendor
Extend Themes
Product
Elevate WP
Collection URL
https://wordpress.org/themes/
Package Name
elevate-wp
Default Status
unaffected
Versions
Affected
  • From n/a through 1.0.15 (custom)
    • -> unaffectedfrom1.0.17
Vendor
Extend Themes
Product
Brite
Collection URL
https://wordpress.org/themes/
Package Name
brite
Default Status
unaffected
Versions
Affected
  • From n/a through 1.0.11 (custom)
    • -> unaffectedfrom1.0.15
Vendor
Extend Themes
Product
Colibri WP
Collection URL
https://wordpress.org/themes/
Package Name
colibri-wp
Default Status
unaffected
Versions
Affected
  • From n/a through 1.0.94 (custom)
    • -> unaffectedfrom1.0.99
Vendor
Extend Themes
Product
Vertice
Collection URL
https://wordpress.org/themes/
Package Name
vertice
Default Status
unaffected
Versions
Affected
  • From n/a through 1.0.7 (custom)
    • -> unaffectedfrom1.0.11
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update Pathway to 1.0.16, Hugo WP to 1.0.10, Althea WP to 1.0.16, Elevate WP to 1.0.17, Brite to 1.0.15, Colibri WP to 1.0.99, Vertice to 1.0.11 or higher versions.

Configurations
Workarounds
Exploits
Credits
finder
Dhabaleshwar Das (Patchstack Alliance)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/vulnerability/pathway/wordpress-pathway-theme-1-0-15-cross-site-request-forgery-csrf-vulnerability
vdb-entry
https://patchstack.com/database/vulnerability/hugo-wp/wordpress-hugo-wp-theme-1-0-8-broken-access-control-vulnerability
vdb-entry
https://patchstack.com/database/vulnerability/althea-wp/wordpress-althea-wp-theme-1-0-13-broken-access-control-vulnerability
vdb-entry
https://patchstack.com/database/vulnerability/elevate-wp/wordpress-elevate-wp-theme-1-0-15-broken-access-control-vulnerability
vdb-entry
https://patchstack.com/database/vulnerability/brite/wordpress-brite-theme-1-0-11-broken-access-control-vulnerability
vdb-entry
https://patchstack.com/database/vulnerability/colibri-wp/wordpress-colibri-wp-theme-1-0-94-broken-access-control-vulnerability
vdb-entry
https://patchstack.com/database/vulnerability/vertice/wordpress-vertice-theme-1-0-7-broken-access-control-vulnerability
vdb-entry
Hyperlink: https://patchstack.com/database/vulnerability/pathway/wordpress-pathway-theme-1-0-15-cross-site-request-forgery-csrf-vulnerability
Resource:
vdb-entry
Hyperlink: https://patchstack.com/database/vulnerability/hugo-wp/wordpress-hugo-wp-theme-1-0-8-broken-access-control-vulnerability
Resource:
vdb-entry
Hyperlink: https://patchstack.com/database/vulnerability/althea-wp/wordpress-althea-wp-theme-1-0-13-broken-access-control-vulnerability
Resource:
vdb-entry
Hyperlink: https://patchstack.com/database/vulnerability/elevate-wp/wordpress-elevate-wp-theme-1-0-15-broken-access-control-vulnerability
Resource:
vdb-entry
Hyperlink: https://patchstack.com/database/vulnerability/brite/wordpress-brite-theme-1-0-11-broken-access-control-vulnerability
Resource:
vdb-entry
Hyperlink: https://patchstack.com/database/vulnerability/colibri-wp/wordpress-colibri-wp-theme-1-0-94-broken-access-control-vulnerability
Resource:
vdb-entry
Hyperlink: https://patchstack.com/database/vulnerability/vertice/wordpress-vertice-theme-1-0-7-broken-access-control-vulnerability
Resource:
vdb-entry
ā–¼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/vulnerability/pathway/wordpress-pathway-theme-1-0-15-cross-site-request-forgery-csrf-vulnerability
vdb-entry
x_transferred
https://patchstack.com/database/vulnerability/hugo-wp/wordpress-hugo-wp-theme-1-0-8-broken-access-control-vulnerability
vdb-entry
x_transferred
https://patchstack.com/database/vulnerability/althea-wp/wordpress-althea-wp-theme-1-0-13-broken-access-control-vulnerability
vdb-entry
x_transferred
https://patchstack.com/database/vulnerability/elevate-wp/wordpress-elevate-wp-theme-1-0-15-broken-access-control-vulnerability
vdb-entry
x_transferred
https://patchstack.com/database/vulnerability/brite/wordpress-brite-theme-1-0-11-broken-access-control-vulnerability
vdb-entry
x_transferred
https://patchstack.com/database/vulnerability/colibri-wp/wordpress-colibri-wp-theme-1-0-94-broken-access-control-vulnerability
vdb-entry
x_transferred
https://patchstack.com/database/vulnerability/vertice/wordpress-vertice-theme-1-0-7-broken-access-control-vulnerability
vdb-entry
x_transferred
Hyperlink: https://patchstack.com/database/vulnerability/pathway/wordpress-pathway-theme-1-0-15-cross-site-request-forgery-csrf-vulnerability
Resource:
vdb-entry
x_transferred
Hyperlink: https://patchstack.com/database/vulnerability/hugo-wp/wordpress-hugo-wp-theme-1-0-8-broken-access-control-vulnerability
Resource:
vdb-entry
x_transferred
Hyperlink: https://patchstack.com/database/vulnerability/althea-wp/wordpress-althea-wp-theme-1-0-13-broken-access-control-vulnerability
Resource:
vdb-entry
x_transferred
Hyperlink: https://patchstack.com/database/vulnerability/elevate-wp/wordpress-elevate-wp-theme-1-0-15-broken-access-control-vulnerability
Resource:
vdb-entry
x_transferred
Hyperlink: https://patchstack.com/database/vulnerability/brite/wordpress-brite-theme-1-0-11-broken-access-control-vulnerability
Resource:
vdb-entry
x_transferred
Hyperlink: https://patchstack.com/database/vulnerability/colibri-wp/wordpress-colibri-wp-theme-1-0-94-broken-access-control-vulnerability
Resource:
vdb-entry
x_transferred
Hyperlink: https://patchstack.com/database/vulnerability/vertice/wordpress-vertice-theme-1-0-7-broken-access-control-vulnerability
Resource:
vdb-entry
x_transferred
Information is not available yet
ā–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:29 Apr, 2024 | 06:15
Updated At:15 Apr, 2026 | 00:35

Missing Authorization vulnerability in Extend Themes Pathway, Extend Themes Hugo WP, Extend Themes Althea WP, Extend Themes Elevate WP, Extend Themes Brite, Extend Themes Colibri WP, Extend Themes Vertice.This issue affects Pathway: from n/a through 1.0.15; Hugo WP: from n/a through 1.0.8; Althea WP: from n/a through 1.0.13; Elevate WP: from n/a through 1.0.15; Brite: from n/a through 1.0.11; Colibri WP: from n/a through 1.0.94; Vertice: from n/a through 1.0.7.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-862Secondaryaudit@patchstack.com
CWE ID: CWE-862
Type: Secondary
Source: audit@patchstack.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://patchstack.com/database/vulnerability/althea-wp/wordpress-althea-wp-theme-1-0-13-broken-access-control-vulnerabilityaudit@patchstack.com
N/A
https://patchstack.com/database/vulnerability/brite/wordpress-brite-theme-1-0-11-broken-access-control-vulnerabilityaudit@patchstack.com
N/A
https://patchstack.com/database/vulnerability/colibri-wp/wordpress-colibri-wp-theme-1-0-94-broken-access-control-vulnerabilityaudit@patchstack.com
N/A
https://patchstack.com/database/vulnerability/elevate-wp/wordpress-elevate-wp-theme-1-0-15-broken-access-control-vulnerabilityaudit@patchstack.com
N/A
https://patchstack.com/database/vulnerability/hugo-wp/wordpress-hugo-wp-theme-1-0-8-broken-access-control-vulnerabilityaudit@patchstack.com
N/A
https://patchstack.com/database/vulnerability/pathway/wordpress-pathway-theme-1-0-15-cross-site-request-forgery-csrf-vulnerabilityaudit@patchstack.com
N/A
https://patchstack.com/database/vulnerability/vertice/wordpress-vertice-theme-1-0-7-broken-access-control-vulnerabilityaudit@patchstack.com
N/A
https://patchstack.com/database/vulnerability/althea-wp/wordpress-althea-wp-theme-1-0-13-broken-access-control-vulnerabilityaf854a3a-2127-422b-91ae-364da2661108
N/A
https://patchstack.com/database/vulnerability/brite/wordpress-brite-theme-1-0-11-broken-access-control-vulnerabilityaf854a3a-2127-422b-91ae-364da2661108
N/A
https://patchstack.com/database/vulnerability/colibri-wp/wordpress-colibri-wp-theme-1-0-94-broken-access-control-vulnerabilityaf854a3a-2127-422b-91ae-364da2661108
N/A
https://patchstack.com/database/vulnerability/elevate-wp/wordpress-elevate-wp-theme-1-0-15-broken-access-control-vulnerabilityaf854a3a-2127-422b-91ae-364da2661108
N/A
https://patchstack.com/database/vulnerability/hugo-wp/wordpress-hugo-wp-theme-1-0-8-broken-access-control-vulnerabilityaf854a3a-2127-422b-91ae-364da2661108
N/A
https://patchstack.com/database/vulnerability/pathway/wordpress-pathway-theme-1-0-15-cross-site-request-forgery-csrf-vulnerabilityaf854a3a-2127-422b-91ae-364da2661108
N/A
https://patchstack.com/database/vulnerability/vertice/wordpress-vertice-theme-1-0-7-broken-access-control-vulnerabilityaf854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://patchstack.com/database/vulnerability/althea-wp/wordpress-althea-wp-theme-1-0-13-broken-access-control-vulnerability
Source: audit@patchstack.com
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/brite/wordpress-brite-theme-1-0-11-broken-access-control-vulnerability
Source: audit@patchstack.com
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/colibri-wp/wordpress-colibri-wp-theme-1-0-94-broken-access-control-vulnerability
Source: audit@patchstack.com
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/elevate-wp/wordpress-elevate-wp-theme-1-0-15-broken-access-control-vulnerability
Source: audit@patchstack.com
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/hugo-wp/wordpress-hugo-wp-theme-1-0-8-broken-access-control-vulnerability
Source: audit@patchstack.com
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/pathway/wordpress-pathway-theme-1-0-15-cross-site-request-forgery-csrf-vulnerability
Source: audit@patchstack.com
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/vertice/wordpress-vertice-theme-1-0-7-broken-access-control-vulnerability
Source: audit@patchstack.com
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/althea-wp/wordpress-althea-wp-theme-1-0-13-broken-access-control-vulnerability
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/brite/wordpress-brite-theme-1-0-11-broken-access-control-vulnerability
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/colibri-wp/wordpress-colibri-wp-theme-1-0-94-broken-access-control-vulnerability
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/elevate-wp/wordpress-elevate-wp-theme-1-0-15-broken-access-control-vulnerability
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/hugo-wp/wordpress-hugo-wp-theme-1-0-8-broken-access-control-vulnerability
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/pathway/wordpress-pathway-theme-1-0-15-cross-site-request-forgery-csrf-vulnerability
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://patchstack.com/database/vulnerability/vertice/wordpress-vertice-theme-1-0-7-broken-access-control-vulnerability
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1283Records found
CVE-2023-41873
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.93%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SAML Single Sign On ā€“ SSO Login plugin <= 5.0.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in miniOrange SAML SP Single Sign On allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SAML SP Single Sign On: from n/a through 5.0.4.

Action-Not Available
Vendor-miniOrange
Product-SAML SP Single Sign On
CWE ID-CWE-862
Missing Authorization
CVE-2026-24535
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.97%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 14:28
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Automatic Featured Images from Videos plugin <= 1.2.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in webdevstudios Automatic Featured Images from Videos automatic-featured-images-from-videos allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automatic Featured Images from Videos: from n/a through <= 1.2.7.

Action-Not Available
Vendor-webdevstudios
Product-Automatic Featured Images from Videos
CWE ID-CWE-862
Missing Authorization
CVE-2026-24387
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.24%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:52
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Quick Post Duplicator plugin <= 2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Quick Post Duplicator: from n/a through <= 2.1.

Action-Not Available
Vendor-Arul Prasad J
Product-WP Quick Post Duplicator
CWE ID-CWE-862
Missing Authorization
CVE-2023-41869
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.33%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Accessibility Helper (WAH) plugin <= 0.6.2.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.4.

Action-Not Available
Vendor-Alex Volkov
Product-WP Accessibility Helper (WAH)
CWE ID-CWE-862
Missing Authorization
CVE-2023-4282
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.08% / 24.56%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 11:05
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EmbedPress <= 3.8.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Delete via admin_post_remove and remove_private_data

The EmbedPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'admin_post_remove' and 'remove_private_data' functions in versions up to, and including, 3.8.2. This makes it possible for authenticated attackers with subscriber privileges or above, to delete plugin settings.

Action-Not Available
Vendor-WPDeveloper
Product-embedpressEmbedPress ā€“ PDF Embedder, Embed YouTube Videos, 3D FlipBook, Social feeds, Docs & more
CWE ID-CWE-862
Missing Authorization
CVE-2023-41865
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.33%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Slider Pro plugin <= 4.8.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in bqworks Slider Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slider Pro: from n/a through 4.8.6.

Action-Not Available
Vendor-bqworks
Product-Slider Pro
CWE ID-CWE-862
Missing Authorization
CVE-2026-24522
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.97%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 14:28
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Subscribe plugin <= 1.2.16 - Broken Access Control vulnerability

Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Subscribe: from n/a through <= 1.2.16.

Action-Not Available
Vendor-MyThemeShop
Product-WP Subscribe
CWE ID-CWE-862
Missing Authorization
CVE-2026-24578
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.97%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 14:28
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Admin login URL Change plugin <= 1.1.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jahid Hasan Admin login URL Change admin-login-url-change allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin login URL Change: from n/a through <= 1.1.5.

Action-Not Available
Vendor-Jahid Hasan
Product-Admin login URL Change
CWE ID-CWE-862
Missing Authorization
CVE-2023-41689
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 39.69%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Post to Google My Business (Google Business Profile) plugin <= 3.1.14 - Broken Access Control vulnerability

Missing Authorization vulnerability in Koen Reus Post to Google My Business (Google Business Profile) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post to Google My Business (Google Business Profile): from n/a through 3.1.14.

Action-Not Available
Vendor-Koen Reus
Product-Post to Google My Business (Google Business Profile)
CWE ID-CWE-862
Missing Authorization
CVE-2025-3624
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.48%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 06:42
Updated-16 May, 2025 | 15:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization Vulnerability in Hitachi Ops Center Analyzer

Missing Authorization vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component).This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.4-00.

Action-Not Available
Vendor-Hitachi, Ltd.
Product-Hitachi Ops Center Analyzer
CWE ID-CWE-862
Missing Authorization
CVE-2026-24326
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.77%
||
7 Day CHG~0.00%
Published-10 Feb, 2026 | 03:04
Updated-17 Feb, 2026 | 15:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing authorization check in SAP S/4HANA Defense & Security (Disconnected Operations)

Due to a missing authorization check in the Disconnected Operations of the SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to do direct update on standard SAP database table . This results in low impact on integrity, with no impact on confidentiality or availability of the application.

Action-Not Available
Vendor-SAP SE
Product-s\/4hana_defense_\&_securitySAP S/4HANA Defense & Security (Disconnected Operations)
CWE ID-CWE-862
Missing Authorization
CVE-2026-24571
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.97%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 14:28
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BOX NOW Delivery plugin <= 3.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BOX NOW Delivery: from n/a through <= 3.0.2.

Action-Not Available
Vendor-boxnow
Product-BOX NOW Delivery
CWE ID-CWE-862
Missing Authorization
CVE-2023-5417
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.03%
||
7 Day CHG~0.00%
Published-22 Nov, 2023 | 15:33
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Funnelforms Free <= 3.4 - Missing Authorization to Category Update

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_update_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the Funnelforms category for a given post ID.

Action-Not Available
Vendor-funnelformsfunnelforms
Product-funnelformsInteractive Contact Form and Multi Step Form Builder with Drag & Drop Editor ā€“ Funnelforms Free
CWE ID-CWE-862
Missing Authorization
CVE-2023-40670
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.93%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ReviewX plugin <= 1.6.17 - Broken Access Control vulnerability

Missing Authorization vulnerability in ReviewX Team ReviewX allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ReviewX: from n/a through 1.6.17.

Action-Not Available
Vendor-ReviewX TeamReviewXWPDeveloper
Product-reviewxReviewX
CWE ID-CWE-862
Missing Authorization
CVE-2024-6688
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.06%
||
7 Day CHG~0.00%
Published-27 Aug, 2024 | 04:29
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Oxygen Builder <= 4.8.3 - Missing Authorization to Authenticated (Subscriber+) Stylesheet Update

The Oxygen Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the oxy_save_css_from_admin AJAX action in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update stylesheets.

Action-Not Available
Vendor-Oxygen
Product-Oxygen Builder
CWE ID-CWE-862
Missing Authorization
CVE-2023-41132
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.93%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Category Slider for WooCommerce plugin <= 1.4.15 - Broken Access Control vulnerability

Missing Authorization vulnerability in ShapedPlugin LLC Category Slider for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Category Slider for WooCommerce: from n/a through 1.4.15.

Action-Not Available
Vendor-ShapedPlugin LLC
Product-Category Slider for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2023-40331
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.93%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Accordion Slider plugin <= 1.9.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in bqworks Accordion Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accordion Slider: from n/a through 1.9.6.

Action-Not Available
Vendor-bqworks
Product-Accordion Slider
CWE ID-CWE-862
Missing Authorization
CVE-2023-40213
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 41.07%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Justified Gallery plugin <= 1.7.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Mateusz Czardybon Justified Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justified Gallery: from n/a through 1.7.3.

Action-Not Available
Vendor-Mateusz Czardybon
Product-Justified Gallery
CWE ID-CWE-862
Missing Authorization
CVE-2020-2255
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.11%
||
7 Day CHG~0.00%
Published-16 Sep, 2020 | 13:20
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Action-Not Available
Vendor-Jenkins
Product-blue_oceanJenkins Blue Ocean Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-39922
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.49%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 12:17
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Avada theme <= 7.11.1 - Authenticated Broken Access Control vulnerability

Missing Authorization vulnerability in ThemeFusion Avada.This issue affects Avada: from n/a through 7.11.1.

Action-Not Available
Vendor-Avada (ThemeFusion)
Product-avadaAvada
CWE ID-CWE-862
Missing Authorization
CVE-2023-32586
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.33%
||
7 Day CHG+0.02%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SoundCloud Is Gold plugin <= 2.5.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Thomas Michalak Soundcloud Is Gold allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Soundcloud Is Gold: from n/a through 2.5.1.

Action-Not Available
Vendor-Thomas Michalak
Product-Soundcloud Is Gold
CWE ID-CWE-862
Missing Authorization
CVE-2023-39993
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.37%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 12:07
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ElementsKit Lite plugin <= 2.9.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Wpmet Elements kit Elementor addons.This issue affects Elements kit Elementor addons: from n/a through 2.9.0.

Action-Not Available
Vendor-Wpmet
Product-Elements kit Elementor addons
CWE ID-CWE-862
Missing Authorization
CVE-2026-24543
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.97%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 14:28
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Materialis Companion plugin <= 1.3.52 - Broken Access Control vulnerability

Missing Authorization vulnerability in Horea Radu Materialis Companion materialis-companion allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Materialis Companion: from n/a through <= 1.3.52.

Action-Not Available
Vendor-Horea Radu
Product-Materialis Companion
CWE ID-CWE-862
Missing Authorization
CVE-2023-32574
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.33%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Injection Guard plugin <= 1.2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Fahad Mahmood Injection Guard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Injection Guard: from n/a through 1.2.1.

Action-Not Available
Vendor-Fahad Mahmood
Product-Injection Guard
CWE ID-CWE-862
Missing Authorization
CVE-2026-24580
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.97%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 14:28
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ecwid Shopping Cart plugin <= 7.0.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5.

Action-Not Available
Vendor-Ecwid by Lightspeed Ecommerce Shopping Cart
Product-Ecwid Shopping Cart
CWE ID-CWE-862
Missing Authorization
CVE-2023-3999
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.01% / 3.31%
||
7 Day CHG~0.00%
Published-31 Aug, 2023 | 05:33
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Waiting: One-click countdowns <= 0.6.2 - Missing Authorization

The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on its AJAX calls in versions up to, and including, 0.6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to create and delete countdowns as well as manipulate other plugin settings.

Action-Not Available
Vendor-pluginpluginbuilders
Product-waitingWaiting: One-click countdowns
CWE ID-CWE-862
Missing Authorization
CVE-2023-40209
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 38.40%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 09:53
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Highcompress Image Compressor plugin <= 6.0.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Himalaya Saxena Highcompress Image Compressor.This issue affects Highcompress Image Compressor: from n/a through 6.0.0.

Action-Not Available
Vendor-himalayasaxenaHimalaya Saxenahimalaya_saxena
Product-highcompress_image_compressorHighcompress Image Compressorhighcompress_image_compressor
CWE ID-CWE-862
Missing Authorization
CVE-2020-2260
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.22%
||
7 Day CHG~0.00%
Published-16 Sep, 2020 | 13:20
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Perfecto Plugin 1.17 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-perfectoJenkins Perfecto Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2026-24358
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.97%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:52
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Quiz And Survey Master plugin <= 10.3.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3.3.

Action-Not Available
Vendor-ExpressTech Systems
Product-Quiz And Survey Master
CWE ID-CWE-862
Missing Authorization
CVE-2023-39995
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.93%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Portfolio and Projects plugin <= 1.3.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Portfolio and Projects allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Portfolio and Projects: from n/a through 1.3.7.

Action-Not Available
Vendor-WP OnlineSupport, Essential Plugin
Product-Portfolio and Projects
CWE ID-CWE-862
Missing Authorization
CVE-2023-5416
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.03%
||
7 Day CHG~0.00%
Published-22 Nov, 2023 | 15:33
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Funnelforms Free <= 3.4 - Missing Authorization to Category Deletion

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete categories.

Action-Not Available
Vendor-funnelformsfunnelforms
Product-funnelformsInteractive Contact Form and Multi Step Form Builder with Drag & Drop Editor ā€“ Funnelforms Free
CWE ID-CWE-862
Missing Authorization
CVE-2023-40001
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.41%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress iThemes Sync plugin <= 2.1.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in SolidWP iThemes Sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iThemes Sync: from n/a through 2.1.13.

Action-Not Available
Vendor-SolidWP (iThemes)The Events Calendar (StellarWP)
Product-iThemes Sync
CWE ID-CWE-862
Missing Authorization
CVE-2026-24563
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.97%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 14:28
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress LifePress plugin <= 2.2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ashan Perera LifePress lifepress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LifePress: from n/a through <= 2.2.1.

Action-Not Available
Vendor-Ashan Perera
Product-LifePress
CWE ID-CWE-862
Missing Authorization
CVE-2023-40362
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-8.54% / 92.48%
||
7 Day CHG~0.00%
Published-12 Jan, 2024 | 00:00
Updated-20 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in CentralSquare Click2Gov Building Permit before October 2023. Lack of access control protections allows remote attackers to arbitrarily delete the contractors from any user's account when the user ID and contractor information is known.

Action-Not Available
Vendor-centralsquaren/a
Product-click2gov_building_permitn/a
CWE ID-CWE-862
Missing Authorization
CVE-2023-40334
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 52.45%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-11 May, 2026 | 22:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress HUSKY plugin <= 1.3.4.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in RealMag777 HUSKY woocommerce-products-filter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HUSKY: from n/a through <= 1.3.4.2.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-husky_-_products_filter_professional_for_woocommerceHUSKY
CWE ID-CWE-862
Missing Authorization
CVE-2024-6167
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 40.37%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 08:33
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Just Custom Fields <= 3.3.2 - Missing Authorization via AJAX actions

The Just Custom Fields plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several AJAX functions in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke this functionality intended for admin users. This enables subscribers to manage field groups, change visibility of items among other things.

Action-Not Available
Vendor-aprokopenko
Product-Just Custom Fields
CWE ID-CWE-862
Missing Authorization
CVE-2024-5997
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.13%
||
7 Day CHG~0.00%
Published-18 Jul, 2024 | 21:32
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Duplica <= 0.6 - Authenticated (Subscriber+) Missing Authorization to Users/Posts Duplicates Creation

The Duplica ā€“ Duplicate Posts, Pages, Custom Posts or Users plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicate_user and duplicate_post functions in all versions up to, and including, 0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create duplicates of users and posts/pages.

Action-Not Available
Vendor-codexpert
Product-Duplica ā€“ Duplicate Posts, Pages, Custom Posts or Users
CWE ID-CWE-862
Missing Authorization
CVE-2026-24579
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.97%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 14:28
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ai Image Alt Text Generator for WP plugin <= 1.1.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ai Image Alt Text Generator for WP: from n/a through <= 1.1.9.

Action-Not Available
Vendor-WP Messiah
Product-Ai Image Alt Text Generator for WP
CWE ID-CWE-862
Missing Authorization
CVE-2024-6033
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.38%
||
7 Day CHG~0.00%
Published-17 Jul, 2024 | 06:45
Updated-08 Apr, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Event Manager, Events Calendar, Tickets, Registrations ā€“ Eventin <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Event Data Import

The Event Manager, Events Calendar, Tickets, Registrations ā€“ Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the 'import_file' function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data.

Action-Not Available
Vendor-themewinterarraytics
Product-eventinEventin ā€“ Event Calendar, Event Registration, Tickets & Booking (AI Powered)
CWE ID-CWE-862
Missing Authorization
CVE-2024-5987
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.09% / 24.73%
||
7 Day CHG~0.00%
Published-29 Aug, 2024 | 05:30
Updated-08 Apr, 2026 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Accessibility Helper <= 0.6.2.8 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update

The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions in all versions up to, and including, 0.6.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit or delete contrast settings. Please note these issues were patched in 0.6.2.8, though it broke functionality and the vendor has not responded to our follow-ups.

Action-Not Available
Vendor-volkovvol4ikman
Product-wp_accessibility_helperWP Accessibility Helper (WAH)
CWE ID-CWE-862
Missing Authorization
CVE-2026-24532
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.24%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 14:28
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SiteLock Security plugin <= 5.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in SiteLock SiteLock Security ā€“ WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteLock Security ā€“ WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.2.

Action-Not Available
Vendor-SiteLock
Product-SiteLock Security ā€“ WP Hardening, Login Security & Malware Scans
CWE ID-CWE-862
Missing Authorization
CVE-2023-38475
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 52.45%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Donations Made Easy ā€“ Smart Donations plugin <= 4.0.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in RedNao Donations Made Easy ā€“ Smart Donations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Donations Made Easy ā€“ Smart Donations: from n/a through 4.0.12.

Action-Not Available
Vendor-rednaoRedNao
Product-donations_made_easy_-_smart_donationsDonations Made Easy ā€“ Smart Donations
CWE ID-CWE-862
Missing Authorization
CVE-2023-28494
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 46.52%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 07:06
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form Email plugin <= 1.3.31 - Missing Authorization Leading To Feedback Submission Vulnerability

Missing Authorization vulnerability in CodePeople Contact Form Email allows Functionality Misuse.This issue affects Contact Form Email: from n/a through 1.3.31.

Action-Not Available
Vendor-CodePeople
Product-Contact Form Emailcontact_form_email
CWE ID-CWE-862
Missing Authorization
CVE-2023-38514
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.75%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Social Share Icons & Social Share Buttons plugin <= 3.5.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in social share pro Social Share Icons & Social Share Buttons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Social Share Icons & Social Share Buttons: from n/a through 3.5.7.

Action-Not Available
Vendor-social share pro
Product-Social Share Icons & Social Share Buttons
CWE ID-CWE-862
Missing Authorization
CVE-2023-38395
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 30.92%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 09:38
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Clone Menu plugin <= 1.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Afzal Multani WP Clone Menu.This issue affects WP Clone Menu: from n/a through 1.0.1.

Action-Not Available
Vendor-afzalmultaniAfzal Multani
Product-wp_clone_menuWP Clone Menu
CWE ID-CWE-862
Missing Authorization
CVE-2025-32295
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.48%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 15:45
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Salon Booking Wordpress plugin <= 10.10.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in wordpresschef Salon Booking Pro salon-booking-plugin-pro-cc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Salon Booking Pro: from n/a through <= 10.10.2.

Action-Not Available
Vendor-wordpresschef
Product-Salon Booking Pro
CWE ID-CWE-862
Missing Authorization
CVE-2026-2301
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 12.09%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 09:26
Updated-08 Apr, 2026 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post Duplicator <= 3.0.8 - Missing Authorization to Authenticated (Contributor+) Protected Post Meta Insertion via 'customMetaData' Parameter

The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of WordPress's standard `add_post_meta()` function, which would call `is_protected_meta()` to prevent lower-privileged users from setting protected meta keys (those starting with `_`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as `_wp_page_template`, `_wp_attached_file`, and other sensitive meta keys on duplicated posts via the `customMetaData` JSON array parameter in the `/wp-json/post-duplicator/v1/duplicate-post` REST API endpoint.

Action-Not Available
Vendor-metaphorcreations
Product-Post Duplicator
CWE ID-CWE-862
Missing Authorization
CVE-2023-38477
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.93%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress QR code MeCard/vCard generator plugin <= 1.6.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Stanislav Kuznetsov QR code MeCard/vCard generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects QR code MeCard/vCard generator: from n/a through 1.6.0.

Action-Not Available
Vendor-Stanislav Kuznetsov
Product-QR code MeCard/vCard generator
CWE ID-CWE-862
Missing Authorization
CVE-2026-22481
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.97%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:52
Updated-28 Apr, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BD Courier Order Ratio Checker plugin <= 2.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1.

Action-Not Available
Vendor-Rasedul Haque Rumi
Product-BD Courier Order Ratio Checker
CWE ID-CWE-862
Missing Authorization
CVE-2023-37885
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 30.31%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 04:32
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RealHomes theme <= 4.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in InspiryThemes RealHomes.This issue affects RealHomes: from n/a through 4.0.2.

Action-Not Available
Vendor-inspirythemesInspiryThemes
Product-realhomesRealHomes
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 25
  • 26
  • Next
Details not found