Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-47362

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-01 Nov, 2024 | 14:17
Updated At-28 Apr, 2026 | 16:10
Rejected At-
Credits

WordPress Strong Testimonials plugin <= 3.1.16 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials.This issue affects Strong Testimonials: from n/a through <= 3.1.16.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:01 Nov, 2024 | 14:17
Updated At:28 Apr, 2026 | 16:10
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress Strong Testimonials plugin <= 3.1.16 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials.This issue affects Strong Testimonials: from n/a through <= 3.1.16.

Affected Products
Vendor
WP Chill
Product
Strong Testimonials
Collection URL
https://wordpress.org/plugins
Package Name
strong-testimonials
Default Status
unaffected
Versions
Affected
  • From 0 through 3.1.16 (custom)
    • -> unaffectedfrom3.1.17
Problem Types
TypeCWE IDDescription
CWECWE-862Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Joshua Chan | Patchstack Bug Bounty Program
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-1-16-broken-access-control-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-1-16-broken-access-control-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:01 Nov, 2024 | 15:15
Updated At:23 Apr, 2026 | 15:19

Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials.This issue affects Strong Testimonials: from n/a through <= 3.1.16.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches
wpchill
wpchill
>>strong_testimonials>>Versions before 3.1.17(exclusive)
cpe:2.3:a:wpchill:strong_testimonials:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-862Secondaryaudit@patchstack.com
CWE ID: CWE-862
Type: Secondary
Source: audit@patchstack.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-1-16-broken-access-control-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-1-16-broken-access-control-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1043Records found
CVE-2024-1218
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.44%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-08 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.3.41 - Missing Authorization

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized access and modification of data via API due to an inconsistent capability check on several REST endpoints in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with contributor access and higher, to obtain access to or modify forms or entries.

Action-Not Available
Vendor-kaliformswpchill
Product-contact_form_builderKali Forms — Contact Form & Drag-and-Drop Builder
CWE ID-CWE-862
Missing Authorization
CVE-2024-10399
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 36.93%
||
7 Day CHG~0.00%
Published-30 Oct, 2024 | 05:32
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Monitor <= 5.0.13 - Missing Authorization to Sensitive Information Exposure

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up to, and including, 5.0.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain usernames and emails of site users.

Action-Not Available
Vendor-wpchill
Product-Download Monitor
CWE ID-CWE-862
Missing Authorization
CVE-2026-1860
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.32%
||
7 Day CHG~0.00%
Published-18 Feb, 2026 | 07:25
Updated-08 Apr, 2026 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure

The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.

Action-Not Available
Vendor-wpchill
Product-Kali Forms — Contact Form & Drag-and-Drop Builder
CWE ID-CWE-862
Missing Authorization
CVE-2026-24939
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.00%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 14:08
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Modula Image Gallery plugin <= 2.13.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modula Image Gallery: from n/a through <= 2.13.6.

Action-Not Available
Vendor-WP Chill
Product-Modula Image Gallery
CWE ID-CWE-862
Missing Authorization
CVE-2024-12853
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-12.45% / 93.94%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 09:18
Updated-08 Apr, 2026 | 17:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Modula Image Gallery <= 2.11.10 - Authenticated (Author+) Arbitrary File Upload

The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 2.11.10. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Action-Not Available
Vendor-wpchillwpchill
Product-modula_image_galleryModula Image Gallery – Photo Grid & Video Gallery
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-49256
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 47.56%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Htaccess File Editor plugin <= 1.0.18 - Broken Access Control vulnerability

Incorrect Authorization vulnerability in WP Chill Htaccess File Editor htaccess-file-editor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Htaccess File Editor: from n/a through <= 1.0.18.

Action-Not Available
Vendor-wpchillWP Chill
Product-htaccess_file_editorHtaccess File Editor
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-34007
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.31% / 54.43%
||
7 Day CHG~0.00%
Published-20 Dec, 2023 | 18:49
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Download Monitor Plugin <= 4.8.3 is vulnerable to Arbitrary File Upload

Unrestricted Upload of File with Dangerous Type vulnerability in WPChill Download Monitor.This issue affects Download Monitor: from n/a through 4.8.3.

Action-Not Available
Vendor-wpchillWPChill
Product-download_monitorDownload Monitor
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-1217
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-7.6||HIGH
EPSS-0.06% / 19.63%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-08 Apr, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.3.41 - Missing Authorization to Arbitrary Plugin Deactivation

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the await_plugin_deactivation function in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with subscriber access or higher, to deactivate any active plugins.

Action-Not Available
Vendor-kaliformswpchill
Product-contact_form_builderKali Forms — Contact Form & Drag-and-Drop Builder
CWE ID-CWE-862
Missing Authorization
CVE-2024-12711
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 56.93%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 11:11
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RSVP and Event Management <= 2.7.13 - Missing Authorization

The RSVP and Event Management plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX functions like bulk_delete_attendees() and bulk_delete_questions() in all versions up to, and including, 2.7.13. This makes it possible for unauthenticated attackers to delete questions and attendees and for authenticated users to update question menu orders.

Action-Not Available
Vendor-wpchill
Product-RSVP and Event Management
CWE ID-CWE-862
Missing Authorization
CVE-2024-10092
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.11%
||
7 Day CHG~0.00%
Published-26 Oct, 2024 | 07:36
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Monitor <= 5.0.12 - Missing Authorization to API Key Manipulation

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones.

Action-Not Available
Vendor-wpchill
Product-Download Monitor
CWE ID-CWE-862
Missing Authorization
CVE-2020-36712
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-8.6||HIGH
EPSS-0.32% / 55.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 01:51
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kali Forms <= 2.1.1 - Unauthenticated Arbitrary Post Deletion

The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 2.1.1. This is due to the kaliforms_form_delete_uploaded_file function lacking any privilege or user protections. This makes it possible for unauthenticated attackers to delete any site post or page with the id parameter.

Action-Not Available
Vendor-kaliformswpchill
Product-kali_formsKali Forms — Contact Form & Drag-and-Drop Builder
CWE ID-CWE-862
Missing Authorization
CVE-2020-36720
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-7.1||HIGH
EPSS-0.26% / 48.84%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 01:51
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kali Forms <= 2.1.1 - Missing Authorization to Settings Update

The Kali Forms plugin for WordPress is vulnerable to Authenticated Options Change in versions up to, and including, 2.1.1. This is due to the update_option lacking proper authentication checks. This makes it possible for any authenticated attacker to change (or delete) the plugin's settings.

Action-Not Available
Vendor-kaliformswpchill
Product-kali_formsKali Forms — Contact Form & Drag-and-Drop Builder
CWE ID-CWE-862
Missing Authorization
CVE-2020-36721
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.18% / 38.82%
||
7 Day CHG-0.01%
Published-07 Jun, 2023 | 01:51
Updated-08 Apr, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Epsilon Framework Themes (Various Versions) - Unauthenticated Plugin Activation/Deactivation

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site.

Action-Not Available
Vendor-cpothemescolorlibmachothemessilkalnswpchill
Product-allegiantbonkersbrilliancemedzone_liteactivelloantreastranscendnewsmagnewspaper_xshapelynaturemag_liteaffluentregina_litepixova_liteilldyBrillianceActivelloNewspaper X
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2023-6491
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 40.27%
||
7 Day CHG~0.00%
Published-07 Jun, 2024 | 05:33
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Strong Testimonials <= 3.1.12 - Authenticated(Contributor+) Improper Authorization to Views Modification

The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possible for authenticated attackers, with contributor access and above, to modify favorite views.

Action-Not Available
Vendor-wpchillwpchill
Product-strong_testimonialsStrong Testimonials
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2025-26975
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.12% / 29.91%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 14:17
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Strong Testimonials plugin <= 3.2.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Strong Testimonials: from n/a through <= 3.2.3.

Action-Not Available
Vendor-WP Chill
Product-Strong Testimonials
CWE ID-CWE-862
Missing Authorization
CVE-2022-1054
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-11.69% / 93.72%
||
7 Day CHG~0.00%
Published-18 Apr, 2022 | 17:10
Updated-02 Aug, 2024 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RSVP and Event Management < 2.7.8 - Unauthenticated Entries Export

The RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation checks when exporting its entries, and has the export function hooked to the init action. As a result, unauthenticated attackers could call it and retrieve PII such as first name, last name and email address of user registered for events

Action-Not Available
Vendor-wpchillUnknown
Product-rsvp_and_event_managementRSVP and Event Management Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-46083
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.59%
||
7 Day CHG+0.06%
Published-02 Jan, 2025 | 11:59
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Kali Forms plugin <= 2.3.27 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Kali Forms kali-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kali Forms: from n/a through <= 2.3.27.

Action-Not Available
Vendor-WP Chill
Product-Kali Forms
CWE ID-CWE-862
Missing Authorization
CVE-2025-15466
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 13.44%
||
7 Day CHG~0.00%
Published-19 Jan, 2026 | 23:21
Updated-08 Apr, 2026 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Photo Gallery Final Tiles Grid <= 3.6.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Gallery Management

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators.

Action-Not Available
Vendor-wpchill
Product-Image Photo Gallery Final Tiles Grid
CWE ID-CWE-862
Missing Authorization
CVE-2025-14003
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.63%
||
7 Day CHG~0.00%
Published-15 Dec, 2025 | 14:25
Updated-08 Apr, 2026 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Gallery – Photo Grid & Video Gallery <= 2.13.3 - Missing Authorization to Authenticated (Author+) Arbitrary Gallery Modification

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `add_images_to_gallery_callback()` function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with Author-level access and above, to add images to arbitrary Modula galleries owned by other users.

Action-Not Available
Vendor-wpchill
Product-Modula Image Gallery – Photo Grid & Video Gallery
CWE ID-CWE-862
Missing Authorization
CVE-2025-14426
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.70%
||
7 Day CHG+0.01%
Published-30 Dec, 2025 | 12:22
Updated-08 Apr, 2026 | 17:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Strong Testimonials <= 3.2.18 - Missing Authorization to Authenticated (Contributor+) Rating Meta Update

The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.

Action-Not Available
Vendor-wpchill
Product-Strong Testimonials
CWE ID-CWE-862
Missing Authorization
CVE-2025-14455
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 22.04%
||
7 Day CHG~0.00%
Published-19 Dec, 2025 | 09:29
Updated-08 Apr, 2026 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Photo Gallery Final Tiles Grid <= 3.6.7 - Missing Authorization to Authenticated (Contributor+) Gallery Management

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not properly verifying that a user is authorized to perform actions on gallery management functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete, modify, or clone galleries created by any user, including administrators.

Action-Not Available
Vendor-wpchill
Product-Image Photo Gallery Final Tiles Grid
CWE ID-CWE-862
Missing Authorization
CVE-2023-45275
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.38% / 59.38%
||
7 Day CHG+0.26%
Published-02 Jan, 2025 | 11:59
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form builder with drag & drop plugin <= 2.3.28 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Kali Forms kali-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kali Forms: from n/a through <= 2.3.28.

Action-Not Available
Vendor-WP Chill
Product-Kali Forms
CWE ID-CWE-862
Missing Authorization
CVE-2024-8552
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 61.15%
||
7 Day CHG~0.00%
Published-26 Sep, 2024 | 02:03
Updated-08 Apr, 2026 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Monitor <= 5.0.9 - Missing Authorization to Authenticated (Subscriber+) Shop Enable

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality.

Action-Not Available
Vendor-wpchillwpchill
Product-download_monitorDownload Monitor
CWE ID-CWE-862
Missing Authorization
CVE-2026-39561
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 10.85%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 08:30
Updated-29 Apr, 2026 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Revive.so plugin <= 2.0.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through <= 2.0.7.

Action-Not Available
Vendor-WP Chill
Product-Revive.so
CWE ID-CWE-862
Missing Authorization
CVE-2026-25375
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 16.35%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 08:27
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6.10 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.10.

Action-Not Available
Vendor-WP Chill
Product-Image Photo Gallery Final Tiles Grid
CWE ID-CWE-862
Missing Authorization
CVE-2026-24957
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 12.59%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 14:08
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Strong Testimonials plugin <= 3.2.20 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Strong Testimonials: from n/a through <= 3.2.20.

Action-Not Available
Vendor-WP Chill
Product-Strong Testimonials
CWE ID-CWE-862
Missing Authorization
CVE-2026-25036
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.01% / 3.40%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 14:08
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Passster plugin <= 4.2.25 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Passster: from n/a through <= 4.2.25.

Action-Not Available
Vendor-WP Chill
Product-Passster
CWE ID-CWE-862
Missing Authorization
CVE-2026-1254
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.62%
||
7 Day CHG~0.00%
Published-14 Feb, 2026 | 08:26
Updated-08 Apr, 2026 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Modula Image Gallery – Photo Grid & Video Gallery <= 2.13.6 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post/Page Editing

The Modula Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API. This makes it possible for authenticated attackers, with contributor level access and above, to update the title, excerpt, and content of arbitrary posts by passing post IDs in the modulaImages field when editing a gallery.

Action-Not Available
Vendor-wpchill
Product-Modula Image Gallery – Photo Grid & Video Gallery
CWE ID-CWE-862
Missing Authorization
CVE-2022-4972
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-1.77% / 82.77%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 06:43
Updated-08 Apr, 2026 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Monitor <= 4.7.51 - Missing Authorization to Unauthenticated Data Export

The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to, and including, 4.7.51. This makes it possible for unauthenticated attackers to view user data and other sensitive information intended for administrators.

Action-Not Available
Vendor-wpchillwpchillwpchill
Product-download_monitorDownload Monitordownload_monitor
CWE ID-CWE-862
Missing Authorization
CVE-2022-4974
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.21% / 42.55%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 06:43
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Freemius SDK <= 2.4.2 - Missing Authorization Checks

The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.

Action-Not Available
Vendor-kaizencoderspatrickposnerdipcodetoddhalfpennyrisethemegetsparrowbycrikwpmooseivan_paulinwgaugevincoitldninjas/elementinvadermatthias-reuterninjalibscliffpaulickvinod-dalviedgegalleryplugincodeiesvernalmohsinofflinejetixwptranzlykartikparmar/koen12344pluginswarepippozanardowpsoulpasyukjaydeep-nimavatnpluginspagupdamian-gorapopeatingco2okjcodexmikebelsivanchernyakovactuaryzaskgfiremmeowcrewinvisnetdanielisermarviorochatickeraavidthemes/essekiahumblethemesjanwylshelob9munirkamalsyntacticsdotsbavokoservicessmartwpresssamdaniclosetechnologyblockmeisterwebheadllcthinleekdovypdotrextobias_conradinfosatechahmed17tobias_conrad/sorsawostylingwebbenprinceahmedlitonice13cloudlivingversacompbrandonfirexyulexswitcorpwpcohortdjenhwpdevpowersintoxstudiousmanaliqureshiethereumicoiolkoudaljkohlbachirkanusetkadiviframeworklistplusattestfrostbourncodexonicssalttechnogaloovermattpramschuferrichard-bzerozendesignwptravelenginecyberhobothemeseitprintyedisonaveblocksparesebetsamuelsilvaptunitecmsxplodedthemesmajickwpconedevmaurolopes/tripettointeractivegeomapswhiteshadowmilukove/dvizheniasnazzythemeswpdivewalkerwpwpt00lsgiladtakoniinfornwebmvvapps/wpjolialex-yesaadiqbalpaulio21patrickgarmanoceasmulticollabsslatlasmbrown24buttonizermcurlysonalsinha21tauhidprogkher/wpdeversurbmadangub86maltathemesmaxsdesignanfrageformularggeddescrollsequencegowebsmartyblackandwhitedigitalmarcqueraltwpscriptsdanielealessandrajavmahupfivfsruslanmeepluginsandyabelowsslzenejslondon/5starpluginsanasbinmukimoceanwpthemestynasirahmedwupow3scloudpenguininitiativesgallerycreatorcloudspongewpgeniuzrenaudbodkylegilmanjburleigh1modulemasterswphrmanagerbestpluginswordpressmaartenbelmanshiddenpearlsvanyukovproteusthemes9brada6sovstackcleverpluginstheafricanbosstherealwebdisruptthemeythemesmasterblocksrankbearxjohnykmihail-barinovwpengineiksstudiokartechifyskymindsjohnc1979khothemespremmercemhmrajibwordpluslostboy7clickervoltcoderpresswordpresscheftheafricanboss/halmatfullworkswpeka-clubbandidomte90wpcohort/wpvibesjurskikkikuchi1220nicheaddonsboriscolombier/prelcalleythemescadudecastroalvesankitmaruspartacannastaadeothemesdarellmilukovefoopluginsrafacarvalhidowpkubestarfishwpcromer12wpeventpartners/codesavorymumarym1985josevegaelliotvsshabtinitin247ggwiczpassionatebrainscebbiwebba-agencysakurapixelseancarricoseezeebouncingsproutbenmoreassyntakdevswpbitszeethemerebelcodejwebsolthijzieflexithemesmantrabrainchillichalliproperfractionsangaranwiserstepsdreamfoxsmgteamtakanakuielbisnerodashlabsltdcommercepunditpootlepressbilaltaswpdeliciousanssilaitilacmbibby/alexmossdrosendouriahs-victorslidedecksj_oskshaikatfastaf/oloyede-jamiumajick/stevejburgemuhammad-rehmanpeterschulznlekanatheedeeshawoninfowpmunichinterfacelabpootlepress/dgwyerultimateblocksmikewire_rocksolidplugins360moomooagencymohammedrezqshamim51maciejbak85dudodam6plequalizedigitalclosemarketing/svovafjwindalphabposervicewoodyhaydaybadhonrockslimbcodetribalnerdpluginandplayibenicwp-makingkrspcypressnorthtonyzeolijamesparkninjawoopopsjanthielemanndavidandersonggriessermnelson4pagebuildersandwichdaniyalahmedkvohotv/royalnavneetgloriousthemessjavedwebmuehleprasadkirpekarmilmorthemekraftkitthemeshqthemethemelocationpmbaldha/creativethemeshqgreenjaymediawpchillultradevskairasebet/dejanmarkovicglowlogixdivisumomatstarsaharonyankaggdesignrafalosinskichetmaclinekallivemeshfoxmoonweconnectcodelynn999olezhyk5powerfulwpbeeneebaguilerasoftinputwpwptblukeseagermdedevmberdingblockypagestevehentywpmagicspmbaldhah3technologiestropicalistasindyakinsergeikartikparmarbrightvesseldevprotectyouruploadsstaxwpfrenifyboltonstudioswpsaadkenanfallonatakanozivacybfintalwplegalpagesalekvthecodechimemojofywpstreamweaselsdaigo75danish-alimelapressimtiazrayhanronena100bpluginsBdThemesRoyal Elementor AddonsThe Events Calendar (StellarWP)WPWeb EliteThemeisle
Product-annasta Filters for WooCommerceBattle Suit for DiviBetter Robots.txt – AI-Ready Crawl Control & Bot GovernanceStyler Mate for Contact Form 7eaSYNC Booking – Hotels, Restaurants & Car RentalsWidget Detector for ElementorTickera – Sell Tickets & Manage EventsBlock Slider – Responsive Image Slider, Video Slider & Post SliderGloriousThemes Starter SitesGateway for PayLate on WooCommerceUltimate Post Kit Addons for ElementorDivi Content RestrictorLivemesh Addons for Beaver BuilderWidgets on Pages and PostsEvent Tickets and RegistrationWP Page TemplatesAutoSave NetAWCA – The Great Analytics Insights for Your eStoreWebinarIgnition – Live, Automated & Evergreen Webinars for WooCommerceInsert or Embed Articulate Content into WordPressForm Vibes – Database Manager for FormsQuick Contact FormLocal Delivery Drivers for WooCommerceAddon Elements for Elementor (formerly Elementor Addon Elements)Media Cloud for Bunny CDN, Amazon S3, Cloudflare R2, Google Cloud Storage, DigitalOcean and moreMenu Item SchedulerExpire tagsAdd Pinterest conversion tags for Pinterest Ads + Site verificationGA4WP – Analytics Dashboard for the WebsiteHM Multiple RolesWP Search FilterPlace Order Without Payment for WooCommerceBookPress – For Book AuthorsMusic Player for Elementor – Audio Player & Podcast PlayerPost Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)Bulk Attachment DownloadWordPress Dev Powers – ACF Color Coded Field Types PluginPost Carousel DiviWP Google Street View (with 360° virtual tour) & Google maps + Local SEOAutomatic Internal Links for SEO by PagupEasy Post Views CountAdvanced Page Visit Counter – Most Wanted Analytics Plugin for WordPressWordPress Gallery Plugin – Edge Photo GalleryBulk WooCommerce Category CreatorBooking Addon for WooCommerceEasy PrayerUkrposhtaPremmerce Variation Swatches for WooCommerceThe Events CalendarTK Google Fonts GDPR CompliantGuest posting / Frontend Posting / Front Editor – WP Front User SubmitDuplicate Variations for WoocommerceCF7 Constant Contact Fields MappingGeo MashupReplyable – Subscribe to Comments and Reply by EmailWP Photo EffectsMenu Image, Icons made easyAwesome SSLFiboSearch – Ajax Search for WooCommerceProduct Image Watermark for WooBetter SharingPremmerceRT Easy Builder – Advanced addons for ElementorAll-in-One Video GalleryTinyMCE AnnotateKVoucherWP fail2ban – Advanced SecurityDa ReactionsPayment Gateway for PayFabricNotification Bar, Announcement and Cookie Notice WordPress Plugin – FooBarNotifSMS – SMS Notifications OTP & 2FA for WordPress & WooCommerceWP Easy Pay – Payment and Donation form Builder for SquareConversion de moneda WoocommerceCustomers Table for WooCommerce: View, Search, Bulk EditorSchema Plugin For Divi, Gutenberg & ShortcodesMaster Accordion ( Former WP Awesome FAQ Plugin )Masonry Gallery & Posts For Divi (WP Tools)Blocksy CompanionRoyal Addons for Elementor – Addons and Templates Kit for ElementorBlockSpare — News, Magazine and Blog Addons for (Gutenberg) Block EditorWP Get PersonalPost Slider and Post Carousel with Post Vertical Scrolling Widget – A Responsive Post SliderGet Better Reviews for WooCommerceInbound BrewSimple Feature Requests Free – User Feedback BoardAnfrageformular – Multi Step Drag & Drop Formular Builder – LeadgenerierungEqualize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 complianceWordPress Coupon Plugin for Bloggers and Marketers – WP OffersEasy Code SnippetsDeMomentSomTres AddressDeMomentSomTres Media Tools AutoMarket ExporterWP GratifyHQTheme ExtraSlideDeck: Responsive WordPress Slider PluginMulti Page Auto Advance for Gravity FormsWP BugBotDeals of the Day WooCommercebbResolutionsSmart Variations Images & Swatches for WooCommercePremmerce Wishlist for WooCommerceRevolution for ElementorEasy Social Feed – Social Photos Gallery and Post Feed for WordPressPayment Gateway Per Product for WooCommerceWP Notification BellHelpie FAQ — Accordion, Docs & Knowledge BaseFrontend group restriction for LearnDashWidgets for WooCommerce Products on ElementorNugget by Ingot: Easy, automated and native A/B testing for everyoneGreenshift – animation and page builder blocksSTEWoo – Super Transactional Emails for WooCommerceThe best plugin for restrict content, support all Custom Post Types and Elementor – Password ProtectedFlat Rate Shipping Method for WooCommerceSimple Sitemap – Create a Responsive HTML SitemapClickerVolt – Affiliate Links & Click Tracking for Performance MarketersWooCommerce Next Order CouponNEXUSCAPTCHA 4WP – Antispam CAPTCHA solution for WordPressWP Relevant AdsIks Menu – WordPress Category Accordion Menu & FAQsWP Data Access – App Builder for Tables, Forms, Charts, Maps & DashboardsMarijuana Age VerifyWooCommerce upcoming ProductsEvents Calendar RegistrationChoice Payment Gateway for WooCommerceFilr – Secure document libraryWOW Styler for CF7 – Visual Styler for Contact Form 7 FormsPage Builder Sandwich – Front End WordPress Page Builder PluginBetter Addons for ElementorCuisine PalaceSVG Flags – Beautiful Scalable Flags For All Countries!VidSEO – Video transcript embedding for WordPress & LLMRating-Widget: Star Review SystemCryptocurrency Product for WooCommerceNew User ApproveUnakitGo Fetch Jobs (for WP Job Manager)Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic RemarketingAutomizy Gravity FormsRaCar Clear Cart for WooCommerceWP-HR Manager: The Human Resources Plugin for WordPressReally Simple Featured Video – Featured Video Support for Posts, Pages & WooCommerce ProductsWordPress Auto SEO Plugin – Upfiv SEO WizardCookie Banner for GDPR / CCPA – WPLP Cookie ConsentFunnelmentalsShipping Gateway Per Product for WooCommerceDeMomentSomTres Grid ArchiveLicense Manager for WooCommerceVit Website ReviewsLawPress – Law Firm Website ManagementSpeculorAquarella LiteJoli Table Of ContentsWP Travel Engine – Tour Booking Plugin – Tour Operator SoftwareReset Course Progress For LearnDashResponsive Social Slider WidgetNitek Carousel Slider Cool TransitionsNumber ChatStreamWeasels Twitch IntegrationTreePress – Easy Family Trees & Ancestor ProfilesEvents Addon for ElementorContact List – Online Staff Directory & Address BookProtect Uploads with Login – Protect Your UploadsFrontend Admin by DynamiAppsWholesale for WooCommerceFull Page Blog DesignerAgy – Age verification for WooCommerceEthereumICOFuse Social Floating SidebarMOBILOOK — Mobile View & Mobile‑Friendly TestServer InfoCategorify – WordPress Media Library Category & File ManagerWUPO Group Attributes for WooCommerceLMS Plugin – eLearning, Online Courses by AttestMixed Media Gallery BlocksWordPress Slider Block GutensliderBlog Sidebar WidgetOcean ExtraNicheTable – Responsive Comparison Table BlockGlossaryConeBlog – Elementor Blog WidgetsXT Floating Cart for WooCommerceAEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image OptimizationUnder ConstructionElationAll in One Invite CodesLittleBot InvoicesUltra Elementor AddonsCustom Registration and Custom Login Forms with New RecaptchaMedia Library File DownloadSecure IP LoginsDomain Mapping System | Create Microsites with Multiple Alias Domains (multisite optional)Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and MoreClean Social IconsCoupon Affiliates – Affiliate Plugin for WooCommerceCountry Based Payments for WooCommerceFooter Plugin for DiviImage Carousel For DiviAge Verification Screen for WooCommerceDelivery for WooCommercePrice Bands for WooCommercePootle Pagebuilder – WordPress Page builderSEO Audit – WP Site AuditorSocial Gallery LiteContact Form 7 – Capsule CRM – IntegrationEverseCustom Login Page CustomizerRun time Image resizingBookit — Booking & Appointment CalendarFive-Star Ratings ShortcodeWordPress Everse Starter Sites – Elementor TemplatesSurveyFunnel – Survey Plugin for WordPressGutenberg Blocks – ACF Blocks SuiteWP Disable SitemapPro Broken Links MaintainerCustom WooCommerce Checkout Fields EditorAdd Tiktok Pixel for Tiktok ads (+Woocommerce)Security SafeFeedpress Generator – External RSS Frontend CustomizerModern Designs for Gravity FormsACF for WooCommerce ProductFile Manager for Google Drive – Integrate Google DriveAirpressDynamic Pricing and Discount Rules for WooCommerceBetter Messages – Integration for WC Vendors MarketplaceLightbox & Modal Popup WordPress Plugin – FooBoxDancePress (TRWA)SKT Templates – 100% Free Templates for Elementor & GutenbergAdvanced Classifieds & Directory ProListPlus – Unlimited Listing DirectoryUltimate Widgets LightPanorama – 360 Virtual Tour, Panoramic image viewer and MoreUltimeterQyrr – simply and modern QR-Code creationChange Price Title for WooCommerceCheckout with Cash App on EDDSV Tracking ManagerPodcast Box – Best Podcasting Plugin for WordPressElements for LifterLMSPassster – Password Protect Pages and ContentVillarAds.txt & App-ads.txt Manager for WordPressEasy Smooth Scroll Links – Smooth Scrolling AnchorLocalSEOMapWordPress form builder plugin for contact forms, surveys and quizzes – TripettoBlock, Suspend, Report for BuddyPressAdd Twitter Pixel for Twitter adsPremmerce Multi-currency for WoocommerceXT Quick View for WooCommercePrimary Addon for ElementorClimateClick: Climate Action for allFocus on Reviews for WooCommerceFeatured Images in RSS for Mailchimp & MoreSEO BoosterPremmerce Product Filter for WooCommerceBook BuyBack PricesWPGSI: Spreadsheet IntegrationSSL Atlas – Free SSL Certificate & HTTPS Redirect for WordPressWP Group PromoterFast WordPressPost Snippets – Custom WordPress Code Snippets CustomizerImage Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Optimization + AIActivity Log For MainWPHasiumBlocked in China | Check if your site is available in the Chinese mainlandElastaFeatured Products First for WooCommerce – A Extension of WooCommerce (WooCommerce Addon Plugin)Display Eventbrite EventsWP Affiliate DisclosureRestaurant & Cafe Addon for ElementorTeam Collaboration & Content Workflow Plugin for WordPress Editorial Teams – MulticollabWordPress Animation Plugin – Animated EverythingWP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL ScanContact Form 7 Multi-Step FormsWoocommerce Customer Reviews with Artificial Intelligence analyzis, with IBM Watson Tone AnalyzerPower Ups for ElementorWP Lead StreamVideopackWordPress Translation plugin for Post, Pages & WooCommerce products. Tranzly IO AI DeepL automatic WordPress Translator.Auto SEO META keywords (META tags keywords) optimization + WooCommerceBulk Edit Coupons for WooCommerce – WP Sheet EditorWooCommerce PayPlugRW Divi Unite GalleryWP Tools Divi Product CarouselQuick Affiliate StorePremmerce Permalink Manager for WooCommercePremmerce WooCommerce Customers ManagerWP Sessions Time Monitoring Full AutomaticWP Dev Powers – Display Screen Dimensions to Admin PluginAbeta Link PunchOutScrollsequence – Cinematic Scroll Image Animation PluginPremmerce Redirect ManagerYT Player – Embed and Customize Video PlayersPremmerce Wholesale Pricing for WooCommerceDelete Duplicate Postskk Star Ratings – Rate Post & Collect User FeedbacksDelete Posts automaticallyDrip Feed Content Extended for LearndashMaster Blocks – Gutenberg Site BuilderStation Pro – Advanced Audio Streaming & Player for WordPressWordPress SEO ChecklistOverlay Image Divi ModuleAnt Admin Notices for TeamAmelaSuper Video player – Fully Customizable Video Player with PlaylistWP Conference ScheduleEasy Math Captcha for CF7OpenseaXT Ajax Add To Cart for WooCommerceTiered Pricing Table for WooCommerceBulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)Code ManagerWidget for Contact form 7StoreCustomizer – A plugin to Customize all WooCommerce PagesPopOverXYZ – Show Light Weight Beautiful Tool Tips On Any TextProduct Author for WooCommerceMaster Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template KitsPurusCaxton – Create Pro page layouts in GutenbergSalon Booking System – Free VersionWP School CalendarQuick Event ManagerWP Meta and Date RemoverTopNewsWp – Display Tikcer News, RSS Feed Widget and Many MoreWordPress Google TranslateAFI – The Easiest Integration PluginVO Store Locator – WP Store Locator PluginWS BootstrapPast Events ExtensionEasy Appointment Booking & Scheduling System – Webba Booking CalendarMultisite Robots.txt ManagerWPOptin – AI-Powered Top Bars, PopUps & Lead GenerationBlog Designer Pack – Blog, Post Grid, Post Slider, Post Carousel, Category Post, NewsShare This ImageRedirection for Contact Form 7Education Addon for ElementorShubanChat Button- Leads and Order over ChatAutomatic YouTube GalleryGenealogical Tree – Family Tree & Ancestry for WordPressWP Frontend ProfileGet feedback from visitors – WP Feedback Suite PluginInternal Link Juicer: SEO Auto Linker for WordPresswGauge – Free VersionViralikeSocialMark – Easy Watermark/Logo on Social Media Post Link Share PreviewImpexium Single Sign OnURL Shortify – Simple and Easy URL ShortenerTablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, FluentBlockMeister – Block Pattern BuilderFAQ Manager For Divi, Gutenberg Block & ShortcodeHooked Editable ContentPowerFolio – Portfolio & Image Gallery for ElementorRadio Player – Live Shoutcast, Icecast and Any Audio Stream PlayerPreloader for DiviError Log MonitorLive Drag and Drop Builder for Contact Form 7Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private MessagesPremmerce User RolesWordPress Dev Powers – Element Selector jQuery Powers PluginDivi Gravity Forms (WP Tools)WordPress WooCommerce Sync for Google SheetPurosaWP MooseWP Activity LogComments Not Replied ToPledged Plugins Secure Gateway for Authorize.net and WooCommerceWP Table Builder – Drag & Drop Table BuilderAdvanced Database ReplacerEthPress – Web3 LoginTarot Card OracleGFireM Action AfterNokkeChange Prices with Time for WooCommerceSnazzyAdmin WP Admin ThemeModern Addons for Elementor Page BuilderHuCommerce | Magyar kiegészítések WooCommerce webáruházakhozSend Prebuilt EmailsAlley Business ToolkitProduct Attachment for WooCommercejav's – WooCommerce and Trello integration WooTrelloOrder and Inventory Manager for WooCommerceWalker CorePremmerce Product Search for WooCommerceSync eCommerce NEOUltimate Divi Modules Suite – Divi Sumo LiteWP Books Gallery – Build Stunning Book Showcases & Libraries in MinutesZip Code RedirectSurbma | GDPR Proof Cookie Consent & Notice BarProduct Options and Price Calculation Formulas for WooCommerce – Uni CPOProduct Customer List for WooCommerceStop Contact Form 7 Spam & WPForms Spam – Free ProtectionEasy Newsletter SignupsRest Routes – Custom Endpoints for WordPress REST APIBulk Edit Categories and Tags – Create Thousands Quickly on the EditorCP Simple NewsletterMeridiaSimple Social Page Widget & ShortcodeAidWP – Donation & Payment Forms (Stripe Powered)Multipurpose Gutenberg BlockBulk Edit Posts and Products in SpreadsheetWP Free SSLStreak CRM For Gmail For Contact Form 7 – WordPress PluginLivemesh SiteOrigin WidgetsRun Contests, Raffles, and Giveaways with ContestsWPFrontend Admin – Add and edit posts, pages, users and more all from the frontendCourt Reservation – Manage Your Court Bookings OnlineWordPress Directory Plugin For Business Listings – WP Local PlusEnhanced Ecommerce Google Analytics for WooCommerceKnowledge Base documentation & wiki plugin – BasePress DocsAtlas – Knowledge BaseWP Author BioUltimate Carousel For DiviWoocommerce Customers Order HistoryStore Toolkit – WooCommerce Extensions, Quick Enhancements & Handy ToolsBrandAny Popup – Popup Forms, Optins & AdsAdvanced Menu Manager Pro – Built for Content-heavy WordPress Sites to Add, Filter, Lock, and Edit Menus EasilySticky add to cart for WooWP EmailyEU VAT Assistant for WooCommerceLittleBot ACH for Stripe + PlaidWPMailer – The best mail builder, No More Core for your emails support Elementor, CF7 forms etc…TwentyFourth WP ScraperSocial KitButtonizer – Floating Menus, Sticky Buttons, & Popup BuilderFast Checkout for WooCommerceBanner Management, Product Slider, Product Carousel for WooCommerceBlockyPage – Gutenberg Based Page BuilderEthereum WalletPage Builder for Gutenberg – StarterBlocksGFireM Advance SearchRadio Station by netmix® – Manage and play your Show Schedule in WordPress!JDs PortfolioContent Aware Sidebars – Fastest Widget Area PluginCartPops – High Converting Add To Cart Popup For WooCommerceBuilder for WooCommerce product reviews shortcodes – ReviewShortQuick Paypal PaymentsOne Click LoginRestrict – membership, site, content and user access restrictions for WordPressDrop Shadow BoxesNicheBaseYatri ToolsBAVOKO SEO Tools – All-in-One WordPress SEOPremmerce SEO for WooCommerceRevivePress – Keep your Old Content EvergreenCartoon UrlBlock Styler For Gravity FormsStrumenti Partita IVA per WoocommerceSheetPress – Manage WordPress Meta data with Google SheetsProduct Size Charts Plugin for WooCommerceExtend Filter Products By Price WidgetEasy TikTok Feed – TikTok Video, Feed & Gallery PluginPost List Designer – Category Post, Recent Post, Post ListWP Coupons and Deals – Coupon Plugin For Affiliate MarketersGiveaways for woocommerceMass Pages/Posts CreatorUser Menus – Nav Menu VisibilityPage Builder Gutenberg Blocks – Kioken BlocksPrime Mover – Migrate WordPress Website & BackupsSSL Zen — SSL Certificate Installer & HTTPS RedirectsWPBITS Addons For Elementor Page BuilderLive TV Player – Worldwide Live TV Channels Player for WordPressDigital Goods (Checkout Field Editor) for WooCommerce CheckoutBaniSky Login RedirectWP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)Connect WooCommerce Shop to ERP/CRM, Verifactu and EU/VAT ComplianceWPVisitorInfo – Show Visitor Information & Conditional Data Based On That InformationStackable – Page Builder Gutenberg BlocksAvailability Datepicker – Booking Calendar for Contact Form 7 – Input WPGenerate Images (AI) – Magic Post ThumbnailGrid & Styler For Contact Form 7 And DiviYASR – Yet Another Star Rating Plugin for WordPressPay For Post with WooCommerceWP SPID ItaliaEther and ERC20 tokens WooCommerce Payment GatewayRestrict User Access – Ultimate Membership & Content ProtectionNinja Libs Amazon SESMailChimp ManagerGallery by FooGallerySQL Reporting Services – SSRS Plugin for WordPressSimple SponsorshipsWoo Admin Product NotesWC Shop Sync – Square Payment Gateway and Product Synchronization for WooCommerceProduct Carousel For WooCommerce – WoorouSellPostcode RedirectFullscreen MenuBulk Edit and Create User Profiles – WP Sheet EditorXT Variation Swatches for WooCommerceDocument Viewer – Embed Word, Excel, PowerPoint & PDFs InstantlyPrime Slider – Addons for ElementorPremmerce Brands for WooCommerceWP Adminify – White Label WordPress, Admin Menu Editor, Login CustomizerJoli FAQ SEO – WordPress FAQ PluginWP Tools Divi Blog CarouselUltimate Gutenberg – Custom Block TemplatesDivi Torque Lite – Divi Theme, Divi Builder & Extra ThemeCodeKit – Custom Codes EditorAPPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android AppsFIT: Featured Image ToolkitConnected SermonsKikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerceGet Directions MapShared Files – Frontend File Upload Form & Secure File SharingWP Comment Cleaner – Delete All Comments, Disable Comments, Bulk Delete & Remove CommentsPinblocks — Gutenberg blocks with Pinterest widgetsGlorious Services & SupportBuddyPress WooCommerce My Account Integration. Create WooCommerce Member PagesWP Mobile Menu – The Mobile-Friendly Responsive MenuWordPress Reviews by ReviewPressAdd Linkedin insight tags for Linkedin adsConsultPress LiteWP Required Taxonomies – Categories and Tags MandatoryA no-code page builder for beautiful performance-based contentUltimate Bulk SEO Noindex Nofollow – Speed up Penalty Recovery Ultimate SEO BoosterHide Shipping Method For WooCommerceShipping Method Display Style for WooCommerceLightbox – EverlightBox GalleryLogo Showcase – Responsive Logo Carousel, Logo Slider & Logo GridSV Proven ExpertDynific Addons for Elementor (formerly AnyWhere Elementor)Wadi SurveyRemove Add to Cart WooCommerceazw woocommerce file uploadsWp My Admin BarGuestofy – Restaurant Reservations Plugin, Room Planer, Reservation FormGFireM Fields3D Viewer – Display Interactive 3D ModelsFeedbackScout: The easiest way to collect, prioritise, manage and track customer feedback.Fraud Prevention For WooCommerce and EDDCryptocurrency Portfolio TrackerКнопка ЮMoneyTag Groups is the Advanced Way to Display Your Taxonomy TermsWP Munich Blocks – Gutenberg Blocks for WordPressStreamCast – Live Radio Streaming PlayerWP AutoMedicW3SCloud Contact Form 7 to Zoho CRMWP Event Partners – WordPress Plugin for Event and Conference ManagementFood Store – Online Food Delivery & PickupXT Points & Rewards for WooCommerceRocket Maintenance Mode & Coming Soon PageSpotlight Social Feeds – Block, Shortcode, and WidgetForceFieldForms to Zapier, Integromat, IFTTT, Workato, Automate.io, elastic.io, Built.io, APIANT, WebhookPrint My Blog – Print, PDF, & eBook Converter WordPress PluginRecurWP – WordPress Recurly Payment GatewayLimb Gallery | Create Beautiful Image & Video GalleriesOut of stock display for woocommercePersistent LoginAnnouncement & Notification Banner – BulletinLearnMoreIvory Search – WordPress Search PluginImage Photo Gallery Final Tiles GridEasy Settings for LearnDashWP Radio – Worldwide Online Radio Stations Directory for WordPressBefore and After Product Images for WooCommerceScheduled Notification BarWoowGallerySTAX Header BuilderWP-Cron Status CheckerGo Viral – social share, social sharebar, social locker, social chat, open graph, reactions, share & view countersBulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO)Justified GalleryWPBakery Page Builder Addons by LivemeshEasy Zillow ReviewsTabs with Recommended Posts (Widget)WP SierraFront End PMWP Frontend Admin – Display WP Admin Pages in the FrontendEmail TrackerPerformance KitEmail Header FooterWP Post BlockSimple Giveaways – Grow your business, email lists and traffic with contestsCheckout with Zelle on WoocommerceThank You Page for WooCommerceMapGeo – Interactive Geo MapsPost to Google My Business (Google Business Profile)WP Link BioAdFoxly – Ad Manager, AdSense Ads & Ads.txtPoints Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCredKRSP Frontend File UploaderUltimate Blocks – 25+ Gutenberg Blocks for Block EditorStarfish Review Generation & Marketing for WordPressB2B Request a QuoteLivemesh Addons by ElementorWP Contact Slider – Contact Form Slider WidgetTK SmugMug Slideshow ShortcodeEmails Blacklist for Everest FormsCoinbase Commerce – Crypto Gateway for WooCommerceUnlimited Elements For ElementorWooCommerce Variation Swatches for ProductsWCC SEO Keyword ResearchRankBearGift Message for WooCommerceSouth Pole: Climate action nowWidgets on PagesContact Widgets For Elementor all the contact links you need in one placeSecurity Ninja – WordPress Security & FirewallProduct Country Restrictions for WooCommerce – Country CatalogsGallery PhotoBlocksWordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and ScheduleFloating Social Share Icons and Social Share buttons – Next Previous Post Links – FLSparrow: Product Reviews and Ratings for WooCommerceLive Scores for SportsPressBroadcast LiteAffiliate Link Builder Plugin for Amazon Associates – Review EngineBulk Edit Products for WooCommerce – WP Sheet EditorDivi CollageEasy Age VerifyDisable Payment Methods based on cart conditions for WooCommerceDashy – Google Analytics advanced dashboardCheckout with Venmo on EDDWP Smart Export (Free)Better Messages – WCFM IntegrationAdvanced Custom Fields options import/exportTurbo WidgetsArendelleExtra Fees for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-59551
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.66%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:26
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Revive.so Plugin <= 2.0.6 - Broken Access Control Vulnerability

Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through <= 2.0.6.

Action-Not Available
Vendor-WP Chill
Product-Revive.so
CWE ID-CWE-862
Missing Authorization
CVE-2025-32233
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 49.13%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 15:59
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Revive.so plugin <= 2.0.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through <= 2.0.3.

Action-Not Available
Vendor-WP Chill
Product-Revive.so
CWE ID-CWE-862
Missing Authorization
CVE-2024-12848
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-6.08% / 90.80%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 11:11
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SKT Page Builder <= 4.6 - Authenticated (Subscriber+) Arbitrary File Upload

The SKT Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the 'addLibraryByArchive' function in all versions up to, and including, 4.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files that make remote code execution possible.

Action-Not Available
Vendor-sonalsinha21
Product-SKT Page Builder
CWE ID-CWE-862
Missing Authorization
CVE-2025-40837
Matching Score-4
Assigner-Ericsson
ShareView Details
Matching Score-4
Assigner-Ericsson
CVSS Score-8.7||HIGH
EPSS-0.06% / 19.43%
||
7 Day CHG-0.00%
Published-25 Sep, 2025 | 14:52
Updated-02 Oct, 2025 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ericsson Indoor Connect 8855 - Missing Authorization Vulnerability

Ericsson Indoor Connect 8855 contains a missing authorization vulnerability which if exploited can allow access to the system as a user with higher privileges than intended.

Action-Not Available
Vendor-Ericsson
Product-indoor_connect_8855_firmwareindoor_connect_8855Indoor Connect 8855
CWE ID-CWE-862
Missing Authorization
CVE-2024-12881
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.34% / 56.89%
||
7 Day CHG~0.00%
Published-24 Dec, 2024 | 09:21
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PlugVersions – Easily rollback to previous versions of your plugins <= 0.0.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Creation

The PlugVersions – Easily rollback to previous versions of your plugins plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the eos_plugin_reviews_restore_version() function in all versions up to, and including, 0.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary files leveraging files included locally.

Action-Not Available
Vendor-giuse
Product-PlugVersions – Easily roll back to previous versions of your plugins.
CWE ID-CWE-862
Missing Authorization
CVE-2024-13677
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.05% / 14.54%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GetBookingsWp - Appointments & Bookings Plugin Basic Version <= 1.1.27 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover

The GetBookingsWP – Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Action-Not Available
Vendor-istmopluginsistmoplugins
Product-get_bookings_wpGetBookingsWP – Appointments Booking Calendar Plugin For WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-13447
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.28% / 50.98%
||
7 Day CHG~0.00%
Published-22 Jan, 2025 | 11:07
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Hotel Booking <= 2.1.6 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and including, 2.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a list of registered user emails.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-wp_hotel_bookingWP Hotel Booking
CWE ID-CWE-862
Missing Authorization
CVE-2023-5331
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.39%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 10:40
Updated-05 Sep, 2024 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Information Leak via IDOR in file_id in Draft Posts

Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-862
Missing Authorization
CVE-2025-4047
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 36.24%
||
7 Day CHG~0.00%
Published-03 Jun, 2025 | 02:27
Updated-08 Apr, 2026 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Broken Link Checker <= 2.4.4 - Missing Autorization to Authenticated (Subscriber+) Plugin Status Dashboard View

The Broken Link Checker plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the ajax_full_status and ajax_dashboard_status functions in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view the plugin's status.

Action-Not Available
Vendor-Incsub, LLC
Product-Broken Link Checker
CWE ID-CWE-862
Missing Authorization
CVE-2024-13374
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 33.76%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 05:28
Updated-08 Apr, 2026 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Table Manager <= 4.1.3 - Missing Authorization to Authenticated (Subscriber+) Directory Traversal to Folder/File Name Disclosure

The WP Table Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on thewptm_getFolders AJAX action in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary file names and directories.

Action-Not Available
Vendor-JoomUnited
Product-wp_table_managerWP Table Manager
CWE ID-CWE-862
Missing Authorization
CVE-2024-1370
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 42.57%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Maintenance Page <= 1.0.8 - Missing Authorization to Sensitive Information Exposure

The Maintenance Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the subscribe_download function hooked via AJAX action in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with subscriber access or higher, to download a csv containing subscriber emails.

Action-Not Available
Vendor-themegrillthemegrill
Product-maintenance_pageMaintenance Page
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2024-13653
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.09% / 24.67%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 04:22
Updated-08 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ZoxPress - The All-In-One WordPress News Theme <= 2.12.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

The ZoxPress - The All-In-One WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backup_options' and 'restore_options' functions in all versions up to, and including, 2.12.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Action-Not Available
Vendor-mvpthemesMVPThemes
Product-zoxpressZoxPress - The All-In-One WordPress News Theme
CWE ID-CWE-862
Missing Authorization
CVE-2024-13361
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.21% / 43.38%
||
7 Day CHG~0.00%
Published-22 Jan, 2025 | 07:29
Updated-08 Apr, 2026 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI Power: Complete AI Pack <= 1.8.96 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and including, 1.8.96. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload image files and embed shortcode attributes in the image_alt value that will execute when sending a POST request to the attachment page.

Action-Not Available
Vendor-aipowersenols
Product-aipowerAI Puffer – Your AI engine for WordPress (formerly AI Power)
CWE ID-CWE-862
Missing Authorization
CVE-2025-31544
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 36.35%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 12:55
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Swiss Toolkit For WP plugin <= 1.4.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Messiah Swiss Toolkit For WP swiss-toolkit-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Swiss Toolkit For WP: from n/a through <= 1.4.5.

Action-Not Available
Vendor-WP Messiah
Product-Swiss Toolkit For WP
CWE ID-CWE-862
Missing Authorization
CVE-2024-13232
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.12% / 30.79%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 09:21
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Awesome Import & Export Plugin - Import & Export WordPress Data <= 4.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Execution/Privilege Escalation

The WordPress Awesome Import & Export Plugin - Import & Export WordPress Data plugin for WordPress is vulnerable arbitrary SQL Execution and privilege escalation due to a missing capability check on the renderImport() function in all versions up to, and including, 4.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary SQL statements that can leveraged to create a new administrative user account.

Action-Not Available
Vendor-ddeveloper
Product-WordPress Awesome Import & Export Plugin - Import & Export WordPress Data
CWE ID-CWE-862
Missing Authorization
CVE-2024-13643
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.09% / 25.32%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 07:30
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zox News <= 3.17.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Modification

The Zox News - Professional WordPress News & Magazine Theme plugin for WordPress is vulnerable to unauthorized data modification. This vulnerability can lead to privilege escalation and denial of service conditions due to missing capability checks on the backup_options() and reset_options() functions in all versions up to and including 3.17.0. This vulnerability allows authenticated attackers with Subscriber-level access and above to update and delete arbitrary option values on the WordPress site. Attackers can exploit this issue to update the default user role for registration to Administrator and enable user registration, thereby gaining administrative access to the vulnerable site. Additionally, they could delete critical options, causing errors that may disrupt the site's functionality and deny service to legitimate users.

Action-Not Available
Vendor-MVPThemes
Product-Zox News - Professional WordPress News & Magazine Theme
CWE ID-CWE-862
Missing Authorization
CVE-2024-12821
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.09% / 24.72%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 13:42
Updated-08 Apr, 2026 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Media Manager for UserPro <= 3.12.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the upm_upload_media() function in all versions up to, and including, 3.12.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Action-Not Available
Vendor-userpropluginDeluxeThemes
Product-media_managerMedia Manager for UserPro
CWE ID-CWE-862
Missing Authorization
CVE-2024-12594
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-3.02% / 86.68%
||
7 Day CHG~0.00%
Published-24 Dec, 2024 | 05:23
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ALL In One Custom Login Page <= 7.1.1 - Missing Authorization to Authenticated (Subscriber+)Privilege Escalation

The Custom Login Page Styler – Login Protected Private Site , Change wp-admin login url , WordPress login logo , Temporary admin login access , Rename login , Login customizer, Hide wp-login – Limit Login Attempts – Locked Site plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'lps_generate_temp_access_url' AJAX action in all versions up to, and including, 7.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to login as other users such as subscribers.

Action-Not Available
Vendor-zia-imtiaz
Product-Login Page Styler – Custom WordPress Login Page Customizer & Security
CWE ID-CWE-862
Missing Authorization
CVE-2024-12719
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 40.35%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 09:22
Updated-08 Apr, 2026 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress File Upload <= 4.24.15 - Missing Authorization to Authenticated (Subscriber+) Limited Path Traversal

The WordPress File Upload plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wfu_ajax_action_read_subfolders' function in all versions up to, and including, 4.24.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform limited path traversal to view directories and subdirectories in WordPress. Files cannot be viewed.

Action-Not Available
Vendor-iptanusnickboss
Product-wordpress_file_uploadIptanus File Upload
CWE ID-CWE-862
Missing Authorization
CVE-2024-12202
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.20% / 42.27%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 07:22
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Croma Music <= 3.6 - Authenticated (Subscriber+) Arbitrary Options Update in ironMusic_ajax

The Croma Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'ironMusic_ajax' function in all versions up to, and including, 3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Action-Not Available
Vendor-IronTemplates
Product-Croma Music
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 20
  • 21
  • Next
Details not found