Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-54296

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-13 Dec, 2024 | 14:25
Updated At-13 Dec, 2024 | 15:30
Rejected At-
Credits

WordPress CoSchool LMS plugin <= 1.2 - Account Takeover vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in Codexpert, Inc CoSchool LMS allows Authentication Bypass.This issue affects CoSchool LMS: from n/a through 1.2.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:13 Dec, 2024 | 14:25
Updated At:13 Dec, 2024 | 15:30
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress CoSchool LMS plugin <= 1.2 - Account Takeover vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in Codexpert, Inc CoSchool LMS allows Authentication Bypass.This issue affects CoSchool LMS: from n/a through 1.2.

Affected Products
Vendor
Codexpert, Inc
Product
CoSchool LMS
Collection URL
https://wordpress.org/plugins
Package Name
coschool
Default Status
unaffected
Versions
Affected
  • From n/a through 1.2 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-288CWE-288 Authentication Bypass Using an Alternate Path or Channel
Type: CWE
CWE ID: CWE-288
Description: CWE-288 Authentication Bypass Using an Alternate Path or Channel
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-115CAPEC-115 Authentication Bypass
CAPEC ID: CAPEC-115
Description: CAPEC-115 Authentication Bypass
Solutions
Configurations
Workarounds
Exploits
Credits
finder
stealthcopter (Patchstack Alliance)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/wordpress/plugin/coschool/vulnerability/wordpress-coschool-lms-plugin-1-2-account-takeover-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/wordpress/plugin/coschool/vulnerability/wordpress-coschool-lms-plugin-1-2-account-takeover-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:13 Dec, 2024 | 15:15
Updated At:13 Dec, 2024 | 15:15

Authentication Bypass Using an Alternate Path or Channel vulnerability in Codexpert, Inc CoSchool LMS allows Authentication Bypass.This issue affects CoSchool LMS: from n/a through 1.2.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-288Primaryaudit@patchstack.com
CWE ID: CWE-288
Type: Primary
Source: audit@patchstack.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://patchstack.com/database/wordpress/plugin/coschool/vulnerability/wordpress-coschool-lms-plugin-1-2-account-takeover-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/wordpress/plugin/coschool/vulnerability/wordpress-coschool-lms-plugin-1-2-account-takeover-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

139Records found
CVE-2025-30973
Matching Score-8
Assigner-Patchstack
ShareView Details
Matching Score-8
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 18.20%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 11:28
Updated-16 Jul, 2025 | 16:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CoSchool LMS plugin <= 1.4.3 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS allows Object Injection. This issue affects CoSchool LMS: from n/a through 1.4.3.

Action-Not Available
Vendor-Codexpert, Inc
Product-CoSchool LMS
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-55591
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-9.6||CRITICAL
EPSS-94.25% / 99.92%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 14:08
Updated-30 Jul, 2025 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-01-21||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiproxyfortiosFortiOSFortiProxyFortiOS and FortiProxy
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-54294
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.30% / 52.56%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:25
Updated-13 Dec, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Firebase OTP Authentication plugin <= 1.0.1 - Account Takeover vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in appgenixinfotech Firebase OTP Authentication allows Authentication Bypass.This issue affects Firebase OTP Authentication: from n/a through 1.0.1.

Action-Not Available
Vendor-appgenixinfotech
Product-Firebase OTP Authentication
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-54295
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.30% / 52.56%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:25
Updated-13 Dec, 2024 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ListApp Mobile Manager plugin <= 1.7.7 - Account Takeover vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in InspireUI ListApp Mobile Manager allows Authentication Bypass.This issue affects ListApp Mobile Manager: from n/a through 1.7.7.

Action-Not Available
Vendor-InspireUI
Product-ListApp Mobile Manager
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-50487
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.37% / 57.98%
||
7 Day CHG+0.04%
Published-28 Oct, 2024 | 11:17
Updated-31 Oct, 2024 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MaanStore API plugin <= 1.0.1 - Account Takeover vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in MaanTheme MaanStore API allows Authentication Bypass.This issue affects MaanStore API: from n/a through 1.0.1.

Action-Not Available
Vendor-maanthemeMaanThememaantheme
Product-maanstore_apiMaanStore APImaanstore_api
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-50503
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.19% / 41.05%
||
7 Day CHG+0.02%
Published-30 Oct, 2024 | 07:37
Updated-01 Nov, 2024 | 12:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress User Toolkit plugin <= 1.2.3 - Account Takeover vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in Deryck Oñate User Toolkit allows Authentication Bypass.This issue affects User Toolkit: from n/a through 1.2.3.

Action-Not Available
Vendor-Deryck Oñate
Product-User Toolkit
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-50477
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-74.08% / 98.78%
||
7 Day CHG~0.00%
Published-28 Oct, 2024 | 11:23
Updated-31 Oct, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Stacks Mobile App Builder plugin <= 5.2.3 - Account Takeover vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Authentication Bypass.This issue affects Stacks Mobile App Builder: from n/a through 5.2.3.

Action-Not Available
Vendor-stacksmarketStacksstacks
Product-stacks_mobile_app_builderStacks Mobile App Builderstacks_mobile_app_builder
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-49247
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 60.10%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 12:31
Updated-16 Oct, 2024 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BuddyPress Better Registration plugin <= 1.6 - Broken Authentication vulnerability

: Authentication Bypass Using an Alternate Path or Channel vulnerability in sooskriszta, webforza BuddyPress Better Registration allows : Authentication Bypass.This issue affects BuddyPress Better Registration: from n/a through 1.6.

Action-Not Available
Vendor-sooskriszta, webforzaoc2ps
Product-BuddyPress Better Registrationbetter-bp-registration
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2021-43935
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.1||HIGH
EPSS-0.20% / 41.92%
||
7 Day CHG~0.00%
Published-15 Dec, 2021 | 18:05
Updated-16 Sep, 2024 | 23:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ICSMA-21-343-01 Hillrom Welch Allyn Cardio Products

The impacted products, when configured to use SSO, are affected by an improper authentication vulnerability. This vulnerability allows the application to accept manual entry of any active directory (AD) account provisioned in the application without supplying a password, resulting in access to the application as the supplied AD account, with all associated privileges.

Action-Not Available
Vendor-Hill-Rom Holdings, Inc.Baxter International, Inc.
Product-welch_allyn_q-stress_cardiac_stress_testing_systemwelch_allyn_connex_cardiowelch_allyn_q-stress_cardiac_stress_testing_system_firmwarewelch_allyn_hscribe_holter_analysis_systemwelch_allyn_diagnostic_cardiology_suitewelch_allyn_xscribe_cardiac_stress_testing_systemwelch_allyn_vision_express_holter_analysis_systemwelch_allyn_xscribe_cardiac_stress_testing_system_firmwarewelch_allyn_rscribe_resting_ecg_systemwelch_allyn_hscribe_holter_analysis_system_firmwareWelch Allyn R-Scribe Resting ECG SystemWelch Allyn H-Scribe Holter Analysis SystemWelch Allyn X-Scribe Cardiac Stress Testing SystemWelch Allyn Vision ExpressWelch Allyn Connex CardioWelch Allyn Diagnostic Cardiology SuiteWelch Allyn Q-Stress Cardiac Stress Testing System
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-287
Improper Authentication
CVE-2024-47009
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-7.3||HIGH
EPSS-17.29% / 94.78%
||
7 Day CHG~0.00%
Published-08 Oct, 2024 | 16:28
Updated-16 Oct, 2024 | 13:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalancheavalanche
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-47406
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-9.1||CRITICAL
EPSS-0.36% / 57.50%
||
7 Day CHG+0.04%
Published-25 Oct, 2024 | 06:18
Updated-05 Nov, 2024 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sharp and Toshiba Tec MFPs improperly process HTTP authentication requests, resulting in an authentication bypass vulnerability.

Action-Not Available
Vendor-sharptoshibatecToshiba Tec CorporationSharp Corporationsharptoshibatec
Product-mx-m6050bp-c542wd_firmwaremx-5110n_firmwaremx-c381_firmwaremx-m6070_abp-b547wdmx-m365n_a_firmwaremx-3570n_firmwaremx-m6071_firmwarebp-60c36_firmwarebp-70m31bp-90c80bp-c533wd_firmwaremx-c400p_firmwaremx-3101nmx-4070n_a_firmwaremx-3070v_amx-m3571_firmwaremx-m3571mx-2651_firmwaremx-m464n_firmwaremx-m2651mx-5070v_firmwaremx-3111umx-b355wz_firmwaremx-4140nmx-4060v_firmwarebp-b550wdmx-5140n_firmwaremx-m5051mx-3050v_amx-b376w_firmwaremx-2600gmx-c303wh_firmwarebp-70c55_firmwaremx-2601nmx-m564n_amx-b376whmx-4071s_firmwaremx-3550v_firmwaremx-m3071_firmwaremx-b456whmx-m356uvmx-c311mx-m904bp-50c26mx-m753u_firmwaremx-m264ue-studio1058_firmwaremx-2640nrmx-m315nmx-b400pmx-2314nrbp-30c25z_firmwaremx-3550n_firmwaredx-c401_j_firmwaremx-m315u_firmwaremx-c303mx-2610nmx-m316nvmx-m314nmx-m4070_amx-b476wh_firmwaremx-m6070_firmwarebp-30m28t_firmwaremx-m4070mx-m453u_firmwaremx-m1206_firmwaremx-m265nv_firmwaremx-m3070_firmwaremx-3100gmx-m265ne_firmwaremx-c401_firmwaremx-m315uv_firmwaremx-3070v_firmwaremx-b355wt_firmwaremx-m1055bp-c535wrmx-m623umx-2610n_firmwaremx-m264u_firmwaremx-m314nr_firmwaremx-7040nmx-3571smx-m4071s_firmwaremx-m3551bp-70c55mx-m354n_firmwaremx-c312_firmwaremx-4111n_firmwaree-studio908_firmwaremx-c380mx-m265uvmx-c402sc_firmwarebp-90c80_firmwaredx-c400mx-b356whmx-m315ne_firmwaremx-1810umx-6050v_firmwaremx-4070v_firmwaremx-m754nmx-2615n_firmwarebp-70m75_firmwaremx-2615nmx-4071smx-5000nmx-c303w_firmwaredx-c400_firmwaremx-6580nmx-c304wh_firmwaremx-m365n_abp-50c65_firmwaremx-m7570mx-3060nmx-3610nrmx-b376wmx-7081_firmwarebp-70m36_firmwarebp-50c55_firmwaremx-3110nmx-m1205mx-b402pmx-m4050_firmwaremx-c382scmx-c310_firmwaremx-m503nmx-3115nmx-m565nmx-3070v_a_firmwaredx-2000u_firmwaremx-m1056mx-m3551_firmwaremx-m3051_firmwaremx-m264nr_firmwaremx-m453nmx-c303whmx-2630nmx-m6071mx-c380p_firmwaremx-3050n_abp-70c65bp-30c25tbp-60c31_firmwarebp-70c36_firmwaremx-4051mx-m364nmx-3061mx-5112nmx-b402scmx-7500n_firmwaremx-m356uv_firmwaremx-3101n_firmwaremx-b382p_firmwaremx-m3550_firmwaremx-4110n_firmwaremx-b382scmx-3116n_firmwaremx-m654nbp-b537wr_firmwaremx-m354ubp-50c36mx-2601n_firmwaremx-b382_firmwaremx-3640n_firmwaremx-m6070mx-5000n_firmwaremx-m3571s_firmwaremx-3070n_amx-3640nr_firmwaremx-m3071smx-m363n_firmwaremx-8090nmx-m315uvbp-30m31_firmwaremx-2640n_firmwaremx-3551_firmwaremx-b476w_firmwaremx-m314n_firmwaremx-6071_firmwaremx-m753umx-3110n_a_firmwaremx-b355wzmx-m503umx-m6051_firmwaremx-c301wmx-c381mx-5071mx-m2651_firmwaremx-5110ne-studio1208_firmwaremx-m265v_firmwaremx-m264nmx-m363nmx-c304whmx-2600n_firmwaremx-m365n_firmwaremx-m6070_a_firmwaremx-6050vdx-c381mx-m5050_firmwaremx-3110n_firmwaremx-2614nmx-b402_firmwaremx-b382pmx-m905mx-3610nr_firmwaremx-m3570_firmwarebp-50c31mx-3561mx-m1205_firmwaremx-2600nmx-4070n_amx-c382scb_firmwarebp-b537wrbp-70c31_firmwaremx-m465n_firmwaremx-5051_firmwaremx-b455wmx-c304wmx-5071s_firmwarebp-50m26mx-4141nbp-50m26_firmwaremx-3110n_abp-50m45mx-3570v_firmwaremx-m4070_a_firmwaremx-m265n_firmwaremx-m4071smx-2615_amx-m564nmx-b382bp-c542wdmx-m265umx-c303wmx-m364n_firmwaremx-m316nv_firmwarebp-70m45bp-70m75bp-c535wdmx-6070v_a_firmwaredx-c311_firmwarebp-30m35_firmwaremx-b476whmx-m503u_firmwaremx-m754n_ae-studio1058mx-3071s_firmwaremx-2310u_firmwaremx-m354nrmx-m3550mx-4061smx-4050n_firmwaremx-4060nmx-3561s_firmwarebp-60c31mx-7090n_firmwaremx-m314umx-c380_firmwaredx-c311j_firmwaremx-4071mx-7081mx-m565n_firmwaremx-m356u_firmwaremx-3140nmx-3561_firmwaremx-m453umx-b476wmx-b381dx-c311jmx-3560vmx-m363u_firmwaremx-b455wz_firmwaremx-2616nmx-4101nmx-m5071_firmwaremx-6070n_a_firmwaremx-4071_firmwaremx-2616n_firmwarebp-30c25_firmwaremx-m356nv_firmwaremx-m5050bp-70m65_firmwaremx-m265nvmx-m314nv_firmwaremx-m266nvdx-c310_firmwaremx-5111nmx-b400p_firmwarebp-30m35mx-8081_firmwaremx-3071_firmwarebp-30m31t_firmwaremx-6580n_firmwaremx-2640nr_firmwarebp-b540wrmx-m283nmx-m5070_firmwarebp-30m28tmx-8090n_firmwarebp-c545wdmx-m264nrmx-m316nbp-c533wdmx-1810u_firmwaremx-m3071s_firmwaremx-4050v_firmwarebp-30m31mx-b355wtmx-3114nmx-2314nmx-5071_firmwaremx-b402sc_firmwaremx-m465nmx-3111u_firmwaremx-c303_firmwaremx-m365nmx-4100n_firmwaremx-7500nmx-4101n_firmwarebp-70m90_firmwarebp-90c70mx-3050nbp-60c36mx-b455wt_firmwaremx-4060n_firmwaremx-3070vmx-3050v_a_firmwarebp-50c26_firmwaremx-3570vmx-c304w_firmwaremx-m754n_firmwaremx-m465n_amx-m3050mx-6050n_firmwaremx-3610n_firmwaremx-4110nmx-5070n_firmwaremx-4140n_amx-m5070dx-c401_jmx-m356ubp-50c45_firmwaremx-4061_firmwaremx-4112n_firmwaremx-c382scbmx-3061smx-m315umx-3070n_firmwaremx-m356nvmx-3571s_firmwaremx-3560v_firmwaremx-3061_firmwaremx-m266nv_firmwarebp-30c25mx-b402mx-b455w_firmwaredx-c311mx-3571mx-7580n_firmwaremx-m314u_firmwaremx-m315nvmx-m265vmx-3100nmx-m1206mx-7090nmx-c301w_firmwaremx-3114n_firmwaremx-2600g_firmwarebp-30c25ymx-5141nmx-m4051dx-2500nmx-c301bp-50c55mx-c381bmx-2614n_firmwaremx-4070n_firmwaremx-m3570mx-m654n_firmwarebp-55c26_firmwaremx-5050n_firmwaremx-5070vmx-3140n_a_firmwaremx-m5051_firmwaremx-6071s_firmwaremx-5051mx-c400_firmwaremx-4061s_firmwaremx-3051mx-b456wh_firmwaremx-5141n_firmwaremx-b456we-studio1208mx-m3070mx-m4071_firmwaremx-3060v_firmwaremx-6071mx-4111nmx-m464nbp-30m35t_firmwaremx-m4051_firmwaremx-m6071s_firmwaremx-3140nrmx-m5071mx-2615_a_firmwaremx-4050nbp-70c31mx-m3050_firmwaremx-m4070_firmwaremx-3061s_firmwaremx-m314nrmx-3640nrmx-3070nmx-m356nmx-c301_firmwarebp-b540wr_firmwaremx-m1204mx-4070v_amx-m266n_firmwarebp-70m65mx-c380pmx-c304mx-6500ndx-c401_firmwaremx-b356wh_firmwaremx-3115n_firmwaremx-3551mx-3050v_firmwaremx-2301nbp-70c36mx-3050n_firmwaremx-m6050_firmwaremx-m905_firmwaremx-3100n_firmwaremx-6240n_firmwaremx-b401_firmwaremx-m4071bp-c535wd_firmwaremx-c400pbp-50c45mx-m7570_firmwarebp-30m31tmx-m3571smx-4100nmx-8081mx-2630n_firmwaremx-b355w_firmwarebp-70m31_firmwaremx-4112nbp-50m31mx-m453n_firmwaremx-2301n_firmwaremx-3140n_firmwaremx-m654n_a_firmwaremx-m266nmx-6070n_firmwarebp-30c25y_firmwaremx-3570nbp-70m55bp-30m28_firmwaremx-m264nvmx-5050vmx-m654n_amx-4140n_firmwaremx-5071sbp-c533wrmx-b455wtmx-m3050_a_firmwaremx-3060vmx-5001nmx-c312mx-m265uv_firmwaremx-3140nr_firmwaremx-m753n_firmwaremx-m3071mx-4060vbp-55c26mx-3071smx-3560n_firmwaremx-b455wzmx-2310rmx-m465n_a_firmwarebp-c535wr_firmwaremx-m315vmx-m316n_firmwarebp-50c31_firmwaremx-5070nmx-m1056_firmwaremx-c304_firmwarebp-c545wd_firmwaremx-2310umx-m264nv_firmwarebp-50m36_firmwaredx-c401bp-70m90mx-3610nmx-7580nbp-b550wd_firmwaremx-4061dx-c310bp-50m45_firmwarebp-50m55_firmwaremx-6070v_amx-m363umx-b401mx-3140n_abp-30c25t_firmwaremx-2314nr_firmwaremx-2310r_firmwaremx-3560nbp-50m31_firmwaremx-b376wh_firmwarebp-70m45_firmwaremx-m354nmx-6050nmx-6500n_firmwaremx-4050vmx-m2630_a_firmwaremx-3050vmx-m315nv_firmwaremx-m753nbp-90c70_firmwaremx-c311_firmwaremx-5111n_firmwaremx-3571_firmwaremx-m1054_firmwaremx-c310mx-4070vmx-m754n_a_firmwaremx-m356n_firmwaremx-m265u_firmwaremx-m265nemx-m623u_firmwaremx-m2630_ae-studio908mx-2640nbp-30c25zmx-6240nmx-c401mx-m623n_firmwaremx-m3070_a_firmwaremx-m264n_firmwaremx-2010umx-3051_firmwaremx-6051mx-6070n_amx-b380p_firmwaremx-m3051mx-m5071s_firmwaremx-m4050mx-m2630_firmwarebp-b547wd_firmwaremx-m3070_amx-3071mx-m6051mx-m265nbp-50m55mx-m1055_firmwaremx-m354u_firmwarebp-70c65_firmwarebp-60c45mx-m1054mx-c382sc_firmwaremx-4140n_a_firmwaremx-6051_firmwarebp-50c36_firmwaremx-b456w_firmwaremx-5141n_abp-70c45bp-30m28mx-6071smx-4051_firmwaremx-m564n_firmwaremx-m315nemx-4141n_firmwaremx-4070v_a_firmwaremx-3100g_firmwaredx-2500n_firmwaredx-2000umx-b380pbp-50c65bp-50m50_firmwaremx-b356wmx-m503n_firmwaremx-b355wmx-5001n_firmwaremx-m314nvmx-m1204_firmwaremx-2314n_firmwaremx-5050nbp-70m55_firmwaremx-b381_firmwaremx-3550nmx-3070n_a_firmwaremx-3640nmx-2651mx-m2630mx-2010u_firmwarebp-70c45_firmwaremx-6070v_firmwaremx-4070nbp-30m35tmx-c400mx-5112n_firmwaremx-7040n_firmwarebp-60c45_firmwaremx-3550vmx-m3050_amx-5140nmx-b382sc_firmwaremx-c381b_firmwaremx-m6570_firmwaremx-b402p_firmwaremx-m283n_firmwaremx-b356w_firmwarebp-c533wr_firmwaredx-c381_firmwarebp-70m36mx-5141n_a_firmwaremx-5050v_firmwaremx-m564n_a_firmwaremx-6070vmx-m6570mx-c402scmx-3050n_a_firmwaremx-m315n_firmwaremx-m354nr_firmwaremx-3060n_firmwaremx-m5071sbp-50m50mx-m623nmx-m6071smx-6070nmx-m904_firmwarebp-50m36mx-3561smx-m315v_firmwaremx-3116ne-STUDIO 908Sharp Digital Full-color MFPs and Monochrome MFPse-STUDIO 1058e-STUDIO 1208mx-b455wz_firmwaremx-m1206_firmwaremx-m7570_firmwaremx-m6071s_firmwaremx-6071s_firmwaree-studio-1208_firmwaremx-6070v_firmwaremx-c304wh_firmwarebp-c545wd_firmwarebp-30c25_firmwarebp-70c65_firmwaremx-8090n_firmwarebp-70m65_firmwarebp-90c80_firmwaremx-7580n_firmwarebp-b550wd_firmwaree-studio-1058_firmwaremx-m905_firmwarebp-70m90_firmwaree-studio-908_firmwaremx-b476wh_firmwaremx-m6070_firmwaremx-8081_firmwarebp-30m35t_firmware
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-47010
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-7.3||HIGH
EPSS-27.25% / 96.21%
||
7 Day CHG~0.00%
Published-08 Oct, 2024 | 16:29
Updated-16 Oct, 2024 | 13:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalancheavalanche
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2023-4702
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 18.70%
||
7 Day CHG~0.00%
Published-14 Sep, 2023 | 19:01
Updated-25 Jun, 2025 | 13:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication Bypass in Digital Yepas

Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass.This issue affects Digital Yepas: before 1.0.1.

Action-Not Available
Vendor-yepasYepas
Product-digital_yepasDigital Yepas
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-43234
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.30% / 52.56%
||
7 Day CHG+0.05%
Published-16 Dec, 2024 | 15:36
Updated-08 Aug, 2025 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Woffice theme <= 5.4.14 - Unauthenticated Account Takeover vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in WofficeIO Woffice allows Authentication Bypass.This issue affects Woffice: from n/a through 5.4.14.

Action-Not Available
Vendor-xtendifyWofficeIO
Product-wofficeWoffice
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-43692
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.3||CRITICAL
EPSS-0.21% / 43.28%
||
7 Day CHG~0.00%
Published-24 Sep, 2024 | 23:46
Updated-01 Oct, 2024 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE Authentication Bypass Using an Alternate Path or Channel

An attacker can directly request the ProGauge MAGLINK LX CONSOLE resource sub page with full privileges by requesting the URL directly.

Action-Not Available
Vendor-doverfuelingsolutionsDover Fueling Solutions (DFS)doverfuelingsolutions
Product-progauge_maglink_lx4_consoleprogauge_maglink_lx_console_firmwareprogauge_maglink_lx_consoleprogauge_maglink_lx4_console_firmwareProGauge MAGLINK LX CONSOLEProGauge MAGLINK LX4 CONSOLEmaglink_lx4_consolemaglink_lx_console
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2021-3897
Matching Score-4
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-4
Assigner-Lenovo Group Ltd.
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.67%
||
7 Day CHG~0.00%
Published-22 Apr, 2022 | 21:10
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authentication bypass vulnerability was discovered in an internal service of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware during an that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.

Action-Not Available
Vendor-IBM CorporationLenovo Group Limited
Product-thinkagile_vx_enclosurenextscale_n1200_enclosure_firmwarethinkagile_hx_enclosure_certified_nodethinksystem_d2_enclosure_firmwarenextscale_fan_power_controller_firmwarenextscale_fan_power_controllerthinksystem_d2_enclosurethinkagile_vx_enclosure_firmwarenextscale_n1200_enclosurethinkagile_hx_enclosure_certified_node_firmwareFan Power Controller2 (FPC2)Lenovo System Management Module (SMM)
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2021-3849
Matching Score-4
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-4
Assigner-Lenovo Group Ltd.
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 65.25%
||
7 Day CHG~0.00%
Published-22 Apr, 2022 | 21:10
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.

Action-Not Available
Vendor-IBM CorporationLenovo Group Limited
Product-thinkagile_vx_enclosurenextscale_n1200_enclosure_firmwarethinkagile_hx_enclosure_certified_nodethinksystem_d2_enclosure_firmwarenextscale_fan_power_controller_firmwarenextscale_fan_power_controllerthinksystem_d2_enclosurethinkagile_vx_enclosure_firmwarenextscale_n1200_enclosurethinkagile_hx_enclosure_certified_node_firmwareFan Power Controller2 (FPC2)Lenovo System Management Module (SMM)
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2021-36308
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-5.9||MEDIUM
EPSS-1.72% / 81.65%
||
7 Day CHG~0.00%
Published-20 Nov, 2021 | 01:40
Updated-16 Sep, 2024 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to gain access and perform actions on the affected system.

Action-Not Available
Vendor-Dell Inc.
Product-networking_os10Networking OS
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-287
Improper Authentication
CVE-2024-39309
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-4.81% / 89.07%
||
7 Day CHG+2.07%
Published-01 Jul, 2024 | 21:15
Updated-02 Aug, 2024 | 04:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available.

Action-Not Available
Vendor-parse-communityparse_community
Product-parse-serverparse_server
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-38437
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
ShareView Details
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
CVSS Score-9.8||CRITICAL
EPSS-0.80% / 73.03%
||
7 Day CHG~0.00%
Published-21 Jul, 2024 | 07:17
Updated-29 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link - CWE-288: Authentication Bypass Using an Alternate Path or Channel

D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel

Action-Not Available
Vendor-D-Link Corporation
Product-dsl-225dsl-225_firmwareDSL-225
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-32984
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.27% / 50.21%
||
7 Day CHG~0.00%
Published-04 Apr, 2022 | 19:45
Updated-16 Apr, 2025 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Automation Direct CLICK PLC CPU Modules Authentication Bypass Using an Alternate Path or Channel

All programming connections receive the same unlocked privileges, which can result in a privilege escalation. During the time Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, an attacker can connect to the PLC and read the project without authorization.

Action-Not Available
Vendor-AutomationDirect
Product-c0-12dd1e-d_firmwarec0-10dd1e-dc0-12dd1e-1-dc0-11dd1e-dc0-11dre-d_firmwarec0-12are-1-dc0-11dd2e-d_firmwarec0-10dd1e-d_firmwarec0-11dd2e-dc0-12dre-2-dc0-12are-d_firmwarec0-12dd2e-d_firmwarec0-12dre-dc0-12are-2-dc0-10dre-d_firmwarec0-12dd1e-dc0-11dre-dc0-10dre-dc0-11are-dc0-12dd2e-dc0-12dd1e-2-d_firmwarec0-12dd1e-1-d_firmwarec0-12dre-d_firmwarec0-12are-2-d_firmwarec0-12dd2e-2-d_firmwarec0-12dd2e-1-d_firmwarec0-11dd1e-d_firmwarec0-12dd1e-2-dc0-12dd2e-1-dc0-10dd2e-dc0-12dre-2-d_firmwarec0-11are-d_firmwarec0-10are-d_firmwarec0-10dd2e-d_firmwarec0-12dd2e-2-dc0-12are-1-d_firmwarec0-12dre-1-d_firmwarec0-12dre-1-dc0-10are-dc0-12are-dCLICK PLC CPU Modules: C0-1x CPUs
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-287
Improper Authentication
CVE-2024-36470
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-8.1||HIGH
EPSS-0.00% / 0.05%
||
7 Day CHG~0.00%
Published-29 May, 2024 | 13:29
Updated-07 Feb, 2025 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific edge cases

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCityteamcity
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-32967
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.26% / 49.04%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 17:11
Updated-03 Aug, 2024 | 23:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges.

Action-Not Available
Vendor-n/aDelta Electronics, Inc.
Product-diaenergieDelta Electronics DIAEnergie
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-287
Improper Authentication
CVE-2024-36042
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.17% / 38.20%
||
7 Day CHG~0.00%
Published-03 Jun, 2024 | 05:47
Updated-29 May, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Silverpeas before 6.3.5 allows authentication bypass by omitting the Password field to AuthenticationServlet, often providing an unauthenticated user with superadmin access.

Action-Not Available
Vendor-silverpeasn/asilverpeas
Product-silverpeasn/asilverpeas
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2019-3758
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-8.1||HIGH
EPSS-0.77% / 72.48%
||
7 Day CHG~0.00%
Published-18 Sep, 2019 | 22:23
Updated-16 Sep, 2024 | 17:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts.

Action-Not Available
Vendor-Dell Inc.RSA Security LLC
Product-archerRSA Archer
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-521
Weak Password Requirements
CVE-2024-27198
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-9.8||CRITICAL
EPSS-94.58% / 100.00%
||
7 Day CHG~0.00%
Published-04 Mar, 2024 | 17:21
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-03-28||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCityteamcityTeamCity
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-28200
Matching Score-4
Assigner-N-able
ShareView Details
Matching Score-4
Assigner-N-able
CVSS Score-9.1||CRITICAL
EPSS-0.06% / 19.41%
||
7 Day CHG~0.00%
Published-01 Jul, 2024 | 20:49
Updated-22 Aug, 2024 | 13:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
N-central Authentication Bypass

The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2. This vulnerability was discovered through internal N-central source code review and N-able has not observed any exploitation in the wild.

Action-Not Available
Vendor-n-ableN-ablen-able
Product-n-centralN-centraln-central
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-287
Improper Authentication
CVE-2021-21952
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-9.4||CRITICAL
EPSS-0.46% / 63.11%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authentication bypass vulnerability exists in the CMD_DEVICE_GET_RSA_KEY_REQUEST functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. A specially-crafted set of network packets can lead to increased privileges.

Action-Not Available
Vendor-ankern/a
Product-eufy_homebase_2_firmwareeufy_homebase_2Anker"
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-287
Improper Authentication
CVE-2024-2012
Matching Score-4
Assigner-Hitachi Energy
ShareView Details
Matching Score-4
Assigner-Hitachi Energy
CVSS Score-9.1||CRITICAL
EPSS-0.22% / 45.22%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 13:16
Updated-15 Aug, 2024 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway that if exploited an attacker could use to allow unintended commands or code to be executed on the UNEM server allowing sensitive data to be read or modified or could cause other unintended behavior

Action-Not Available
Vendor-Hitachi Energy Ltd.
Product-foxman-ununemFOXMAN-UNUNEMfoxman_ununem
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-2055
Matching Score-4
Assigner-Austin Hackers Anonymous
ShareView Details
Matching Score-4
Assigner-Austin Hackers Anonymous
CVSS Score-9.8||CRITICAL
EPSS-0.07% / 20.37%
||
7 Day CHG~0.00%
Published-05 Mar, 2024 | 18:56
Updated-13 Feb, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Artica Proxy Unauthenticated File Manager Vulnerability

The "Rich Filemanager" feature of Artica Proxy provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user.

Action-Not Available
Vendor-Artica Tech SARL
Product-Artica Proxyartica_proxy
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-552
Files or Directories Accessible to External Parties
CVE-2024-13182
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.23% / 45.41%
||
7 Day CHG~0.00%
Published-13 Feb, 2025 | 12:41
Updated-13 Feb, 2025 | 14:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Directorybox Manager <= 2.5 - Authentication Bypass

The WP Directorybox Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_parse_request' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator.

Action-Not Available
Vendor-Chimpstudio
Product-WP Directorybox Manager
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-13446
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.12% / 31.34%
||
7 Day CHG~0.00%
Published-12 Mar, 2025 | 09:22
Updated-02 Apr, 2025 | 12:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Workreap <= 3.2.5 - Unauthenticated Privilege Escalation via Account Takeover

The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user's identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account. NOTE: This vulnerability was partially fixed in version 3.2.5.

Action-Not Available
Vendor-amentotechAmentoTech
Product-workreapWorkreap
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-13181
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-7.3||HIGH
EPSS-13.36% / 93.91%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 16:53
Updated-16 Jan, 2025 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalanche
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-12847
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 29.11%
||
7 Day CHG~0.00%
Published-10 Jan, 2025 | 19:36
Updated-10 Jan, 2025 | 21:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NETGEAR DGN setup.cgi OS Command Injection

NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been exploited in the wild since at least 2017.

Action-Not Available
Vendor-NETGEAR, Inc.
Product-DGN1000
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-11286
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 60.38%
||
7 Day CHG+0.04%
Published-14 Mar, 2025 | 04:22
Updated-08 Jul, 2025 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP JobHunt <= 7.1 - Authentication Bypass

The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to to log in to any user's account, including administrators.

Action-Not Available
Vendor-chimpgroupn/a
Product-jobcareerWP JobHunt
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-11028
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-1.02% / 76.30%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 09:30
Updated-19 Nov, 2024 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MultiManager WP – Manage All Your WordPress Sites Easily <= 1.0.5 - Authentication Bypass via User Impersonation

The MultiManager WP – Manage All Your WordPress Sites Easily plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the user impersonation feature inappropriately determining the current user via user-supplied input. This makes it possible for unauthenticated attackers to generate an impersonation link that will allow them to log in as any existing user, such as an administrator. NOTE: The user impersonation feature was disabled in version 1.1.0 and re-enabled with a patch in version 1.1.2.

Action-Not Available
Vendor-icdsofticdsofticdsoft
Product-multimanager_wpMultiManager WP – Manage All Your WordPress Sites Easilymultimanager_wp_manage_all_your_word_press_sites_easily
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2024-10924
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-93.63% / 99.83%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 03:18
Updated-20 Nov, 2024 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).

Action-Not Available
Vendor-really-simple-pluginsReally Simple Pluginsrogierlankhorstreally-simple-plugins
Product-really_simple_securityReally Simple Security – Simple and Performant Security (formerly Really Simple SSL)Really Simple Security Pro multisiteReally Simple Security Proreally_simple_security
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2023-42793
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-9.8||CRITICAL
EPSS-94.58% / 100.00%
||
7 Day CHG~0.00%
Published-19 Sep, 2023 | 16:57
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-10-25||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCityTeamCity
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-10381
Matching Score-4
Assigner-Indian Computer Emergency Response Team (CERT-In)
ShareView Details
Matching Score-4
Assigner-Indian Computer Emergency Response Team (CERT-In)
CVSS Score-9.3||CRITICAL
EPSS-0.57% / 67.77%
||
7 Day CHG+0.03%
Published-25 Oct, 2024 | 12:36
Updated-14 Nov, 2024 | 21:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication Bypass Vulnerability in Matrix Door Controller

This vulnerability exists in Matrix Door Controller Cosec Vega FAXQ due to improper implementation of session management at the web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http request on the vulnerable device. Successful exploitation of this vulnerability could allow remote attacker to gain unauthorized access and take complete control of the targeted device.

Action-Not Available
Vendor-matrixcomsecMatrix Comsecmatrix_comsec
Product-cosec_vega_faxq_firmwarecosec_vega_faxqMatrix Door Controller Cosec Vega FAXQmatrix_door_controller_cosec_vega_faxq_firmware
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2023-42770
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-10||CRITICAL
EPSS-0.11% / 29.78%
||
7 Day CHG~0.00%
Published-21 Nov, 2023 | 00:14
Updated-11 Jun, 2025 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Red Lion Controls Sixnet RTU Authentication Bypass Using An Alternative Path Or Channel

Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP the RTU will simply accept the message with no authentication challenge.

Action-Not Available
Vendor-redlioncontrolsRed Lion Controls
Product-vt-ipm2m-113-d_firmwarevt-mipm-245-d_firmwarevt-ipm2m-213-dvt-mipm-135-d_firmwarevt-mipm-135-dst-ipm-6350st-ipm-6350_firmwarest-ipm-8460_firmwarevt-mipm-245-dvt-ipm2m-213-d_firmwarest-ipm-8460vt-ipm2m-113-dVT-mIPm-135-DVT-IPm2m-213-DST-IPm-8460ST-IPm-6350VT-IPm2m-113-DVT-mIPm-245-D
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-10284
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 58.88%
||
7 Day CHG+0.08%
Published-09 Nov, 2024 | 02:32
Updated-29 Jan, 2025 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CE21 Suite <= 2.2.0 - Authentication Bypass

The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

Action-Not Available
Vendor-ce21CE21, LLC.
Product-ce21_suiteCE21 Suitece21-suite
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2023-50272
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.5||HIGH
EPSS-0.02% / 4.32%
||
7 Day CHG~0.00%
Published-19 Dec, 2023 | 15:42
Updated-07 May, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 6 (iLO 6). The vulnerability could be remotely exploited to allow authentication bypass.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-integrated_lights-out_6integrated_lights-out_6_firmwareintegrated_lights-out_5_firmwareintegrated_lights-out_5HPE Integrated Lights-out 5 (iLO 5), HPE Integrated Lights-out 6 (iLO 6),
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2023-41351
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.09% / 25.66%
||
7 Day CHG~0.00%
Published-03 Nov, 2023 | 05:41
Updated-04 Sep, 2024 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom NOKIA G-040W-Q - Broken Access Control

Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of authentication bypass, which allows an unauthenticated remote attacker to bypass the authentication mechanism to log in to the device by an alternative URL. This makes it possible for unauthenticated remote attackers to log in as any existing users, such as an administrator, to perform arbitrary system operations or disrupt service.

Action-Not Available
Vendor-Chunghwa TelecomNokia Corporation
Product-g-040w-qg-040w-q_firmwareNOKIA G-040W-Qg-040w-q_firmware
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-18250
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.12% / 32.08%
||
7 Day CHG~0.00%
Published-25 Nov, 2019 | 23:13
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In all versions of ABB Power Generation Information Manager (PGIM) and Plant Connect, the affected product is vulnerable to authentication bypass, which may allow an attacker to remotely bypass authentication and extract credentials from the affected device.

Action-Not Available
Vendor-n/aABB
Product-plant_connectpower_generation_information_managerABB Power Generation Information Manager (PGIM) and Plant Connect All Versions
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-287
Improper Authentication
CVE-2023-37057
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.46% / 89.81%
||
7 Day CHG~0.00%
Published-17 Jun, 2024 | 00:00
Updated-14 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to execute arbitrary code via the router's authentication mechanism.

Action-Not Available
Vendor-n/ajlink
Product-n/aax1800
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-8995
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-9.8||CRITICAL
EPSS-0.09% / 26.99%
||
7 Day CHG+0.02%
Published-15 Aug, 2025 | 16:27
Updated-21 Aug, 2025 | 19:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.4.

Action-Not Available
Vendor-authenticator_login_projectThe Drupal Association
Product-authenticator_loginAuthenticator Login
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-7007
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.7||HIGH
EPSS-0.08% / 23.82%
||
7 Day CHG~0.00%
Published-25 Jul, 2024 | 16:42
Updated-26 Aug, 2024 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication Bypass Using an Alternate Path or Channel in Positron Broadcast Signal Processor TRA7005

Positron Broadcast Signal Processor TRA7005 v1.20 is vulnerable to an authentication bypass exploit that could allow an attacker to have unauthorized access to protected areas of the application.

Action-Not Available
Vendor-positronPositron S.R.Lpositronsrl
Product-tra7005tra7005_firmwareBroadcast Signal Processor TRA7005broadcast_signal_processor_tra7005
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-7642
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.18% / 40.46%
||
7 Day CHG~0.00%
Published-23 Aug, 2025 | 04:25
Updated-25 Aug, 2025 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simpler Checkout 0.7.0 - 1.1.9 - Authentication Bypass

The Simpler Checkout plugin for WordPress is vulnerable to Authentication Bypass in versions 0.7.0 to 1.1.9. This is due to the plugin not properly verifying a user's identity prior to logging them in as an admin through the simplerwc_woocommerce_order_created() function. This makes it possible for unauthenticated attackers to log in as other users based on their order ID, which can be an administrator if a site admin has placed a test order.

Action-Not Available
Vendor-simplercheckout
Product-Simpler Checkout
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-7444
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.42% / 61.24%
||
7 Day CHG~0.00%
Published-18 Jul, 2025 | 08:22
Updated-22 Jul, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LoginPress Pro <= 5.0.1 - Authentication Bypass via WordPress.com OAuth provider

The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

Action-Not Available
Vendor-LoginPress
Product-LoginPress Pro
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2025-7710
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.29% / 52.16%
||
7 Day CHG-0.00%
Published-02 Aug, 2025 | 11:23
Updated-04 Aug, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Brave Conversion Engine (PRO) <= 0.7.7 - Authentication Bypass to Administrator

The Brave Conversion Engine (PRO) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.7.7. This is due to the plugin not properly restricting a claimed identity while authenticating with Facebook. This makes it possible for unauthenticated attackers to log in as other users, including administrators.

Action-Not Available
Vendor-Brave
Product-Brave Conversion Engine (PRO)
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found