Missing Authorization vulnerability in Jaed Mosharraf & Pluginbazar Team Open Close WooCommerce Store.This issue affects Open Close WooCommerce Store: from n/a through 4.9.1.
Missing Authorization vulnerability in Salesforce Pardot.This issue affects Pardot: from n/a through 2.1.0.
Missing Authorization vulnerability in Octolize Flexible Shipping.This issue affects Flexible Shipping: from n/a through 4.24.15.
Missing Authorization vulnerability in Copy Content Protection Team Secure Copy Content Protection and Content Locking.This issue affects Secure Copy Content Protection and Content Locking: from n/a through 3.7.1.
Missing Authorization vulnerability in Very Good Plugins Fatal Error Notify.This issue affects Fatal Error Notify: from n/a through 1.5.2.
Missing Authorization vulnerability in Meitar Subresource Integrity (SRI) Manager wp-sri allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subresource Integrity (SRI) Manager: from n/a through <= 0.4.0.
Missing Authorization vulnerability in WP Desk Flexible Checkout Fields for WooCommerce.This issue affects Flexible Checkout Fields for WooCommerce: from n/a through 4.1.2.
The ACF Front End Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_texts() function in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post title, content, and ACF data.
Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic.This issue affects Popup by Supsystic: from n/a through <= 1.10.27.
Missing Authorization vulnerability in Shahjahan Jewel FluentCommunity fluent-community allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentCommunity: from n/a through <= 2.0.0.
Missing Authorization vulnerability in WPClever WPC Badge Management for WooCommerce.This issue affects WPC Badge Management for WooCommerce: from n/a through 2.4.0.
Missing Authorization vulnerability in Aakash Chakravarthy Announcer – Notification & message bars.This issue affects Announcer – Notification & message bars: from n/a through 6.0.
The ACF On-The-Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the acfg_update_fields() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post titles, descriptions, and ACF values.
Missing Authorization vulnerability in AWP Classifieds Team AWP Classifieds.This issue affects AWP Classifieds: from n/a through 4.3.1.
Missing Authorization vulnerability in Data443 Tracking Code Manager.This issue affects Tracking Code Manager: from n/a through 2.1.0.
Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH).This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.5.
The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access or above, to enable/disable the Brizy editor and modify the template used.
Missing Authorization vulnerability in Premmerce Premmerce Product Filter for WooCommerce premmerce-woocommerce-product-filter.This issue affects Premmerce Product Filter for WooCommerce: from n/a through <= 3.7.2.
Missing Authorization vulnerability in Fahad Mahmood WP Sort Order.This issue affects WP Sort Order: from n/a through 1.3.1.
Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can approve or reject a bank account application affecting the integrity of the application. Confidentiality and Availability are not impacted.
Missing Authorization vulnerability in Sliced Invoices.This issue affects Sliced Invoices: from n/a through 3.9.2.
Missing Authorization vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Webba Booking: from n/a through <= 6.2.1.
Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, attacker can add notes in the review request with 'completed' status affecting the integrity of the application. Confidentiality and Availability are not impacted.
Missing Authorization vulnerability in Pixelite Events Manager.This issue affects Events Manager: from n/a through 6.4.6.4.
The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users orders.
Missing Authorization vulnerability in ExtendThemes Colibri Page Builder.This issue affects Colibri Page Builder: from n/a through 1.0.248.
Due to missing authorization check, attacker with business user account in SAP ABAP Platform - version 758, 795, can change the privacy setting of job templates from shared to private. As a result, the selected template would only be accessible to the owner.
A missing permission check in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers with Item/Read permission to trigger a build.
Missing Authorization vulnerability in Metagauss RegistrationMagic.This issue affects RegistrationMagic: from n/a through 5.2.5.9.
Missing Authorization vulnerability in netopsae Accessibility by AudioEye accessibility-by-audioeye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accessibility by AudioEye: from n/a through <= 1.0.49.
Missing Authorization vulnerability in JoomUnited WP Media folder.This issue affects WP Media folder: from n/a through 5.7.2.
Missing Authorization vulnerability in Uriahs Victor Location Picker at Checkout for WooCommerce.This issue affects Location Picker at Checkout for WooCommerce: from n/a through 1.8.9.
Missing Authorization vulnerability in ryanpcmcquen Import external attachments import-external-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Import external attachments: from n/a through <= 1.5.12.
Missing Authorization vulnerability in weDevs WooCommerce Conversion Tracking.This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.11.
Missing Authorization vulnerability in Deepak anand WP Dummy Content Generator.This issue affects WP Dummy Content Generator: from n/a through 3.1.2.
The Intuitive Custom Post Order WordPress plugin before 3.1.4 does not check for authorization in the update-menu-order ajax action, allowing any logged in user (with roles as low as Subscriber) to update the menu order
Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress.
Missing Authorization vulnerability in Galleryape Gallery Images Ape allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gallery Images Ape: from n/a through 2.2.8.
Missing Authorization vulnerability in Plugin Devs News Ticker for Elementor news-ticker-for-elementor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects News Ticker for Elementor: from n/a through <= 2.1.3.
The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.3.0 has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client.
Missing Authorization vulnerability in Appointment Hour Booking plugin <= 1.3.71 on WordPress.
The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publish_lp() function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to change the LadiPage key (a key fully controlled by the attacker), enabling them to freely create new pages, including web pages that trigger stored XSS
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.This issue affects WP Time Slots Booking Form: from n/a through 1.1.76.
Missing Authorization vulnerability in emarket-design Request a Quote request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Request a Quote: from n/a through <= 2.5.3.
Nonce token leakage and missing authorization in SearchWP premium plugin <= 4.2.5 on WordPress leading to plugin settings change.
In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, the lack of capability checks and insufficient nonce check on the AJAX actions, simple301redirects/admin/get_wildcard and simple301redirects/admin/wildcard, made it possible for authenticated users to retrieve and update the wildcard value for redirects.
The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media.
Missing Authorization vulnerability in Envira Gallery Team Envira Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Envira Photo Gallery: from n/a through 1.8.7.3.
Missing Authorization vulnerability in Zorem Advanced Local Pickup for WooCommerce.This issue affects Advanced Local Pickup for WooCommerce: from n/a through 1.5.2.
The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorisation and CSRF checks when creating a template, and does not ensure that the post created is a template. This could allow any authenticated users, such as subscriber to create a post (as well as any post type) with an arbitrary title