A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.
Missing Authorization vulnerability in Acato Branded Social Images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Branded Social Images: from n/a through 1.1.0.
The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to internal services and update API key details.
Missing Authorization vulnerability in Yoast Yoast SEO Premium.This issue affects Yoast SEO Premium: from n/a through 20.4.
Missing Authorization vulnerability in AWESOME TOGI Product Category Tree allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Category Tree: from n/a through 2.5.
Missing Authorization vulnerability in Aleksandar Urošević Stock Ticker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stock Ticker: from n/a through 3.23.0.
The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ucsm_activate_lite_template_lite function in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to change the template used for the coming soon / maintenance page.
Missing Authorization vulnerability in Shoaib Saleem WP Post Rating allows Functionality Misuse.This issue affects WP Post Rating: from n/a through 2.5.
Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Meta slider and carousel with lightbox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Meta slider and carousel with lightbox: from n/a through 1.6.2.
The WP Helper Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'whp_smtp_send_mail_test' function in all versions up to, and including, 4.6.1. This makes it possible for unauthenticated attackers to send emails containing any content and originating from the vulnerable WordPress instance to any recipient.
The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userpro_shortcode_template' function in versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to arbitrary shortcode execution. An attacker can leverage CVE-2023-2446 to get sensitive information via shortcode.
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.6.1 via the woof_messenger_remove_subscr AJAX action due to missing validation on the 'key' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to unsubscribe users from a product notification sign-ups, if they can successfully obtain or brute force the key value for users who signed up to receive notifications. This vulnerability requires the plugin's Products Messenger extension to be enabled.
Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Album and Image Gallery plus Lightbox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Album and Image Gallery plus Lightbox: from n/a through 1.6.2.
Missing Authorization vulnerability in Igor Benic Simple Giveaways allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Giveaways: from n/a through 2.48.0.
Missing Authorization vulnerability in Shaon Easy Google Analytics for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Google Analytics for WordPress: from n/a through 1.6.0.
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized medication of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.2.10 due to a missing capability check on the processAction function. This makes it possible for unauthenticated attackers modify the plugin's settings.
The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users.
cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).
Missing MAC layer security in Silicon Labs Wi-SUN Linux Border Router v1.5.2 and earlier allows malicious node to route malicious messages through network.
Missing Authorization vulnerability in WPEverest User Registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through 2.3.2.1.
Missing Authorization vulnerability in ThimPress Eduma allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eduma: from n/a through 5.6.4.
Missing MAC layer security in Silicon Labs Wi-SUN SDK v1.5.0 and earlier allows malicious node to route malicious messages through network.
Missing Authorization vulnerability in Solid Plugins AnalyticsWP allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects AnalyticsWP: from n/a through 2.0.0.
Missing Authorization vulnerability in ed4becky Rootspersona allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rootspersona: from n/a through 3.7.5.
Missing Authorization vulnerability in ThemeGoods Grand Restaurant WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Grand Restaurant WordPress: from n/a through 7.0.
Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Booking and Rental Manager: from n/a through 2.3.8.
Missing Authorization vulnerability in jegtheme JNews.This issue affects JNews: from n/a through 11.6.5.
Missing Authorization vulnerability in Max Chirkov Advanced Text Widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Text Widget : from n/a through 2.1.2.
Missing Authorization vulnerability in Fantastic Plugins Fantastic Content Protector Free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fantastic Content Protector Free: from n/a through 2.6.
Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking and Rental Manager: from n/a through 2.2.8.
In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs
Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Trending/Popular Post Slider and Widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Trending/Popular Post Slider and Widget: from n/a through 1.5.7.
A vulnerability in the access-control logic of the NETCONF over Secure Shell (SSH) of Cisco IOS XR Software may allow connections despite an access control list (ACL) that is configured to deny access to the NETCONF over SSH of an affected device. The vulnerability is due to a missing check in the NETCONF over SSH access control list (ACL). An attacker could exploit this vulnerability by connecting to an affected device using NETCONF over SSH. A successful exploit could allow the attacker to connect to the device on the NETCONF port. Valid credentials are required to access the device. This vulnerability does not affect connections to the default SSH process on the device.
An issue was discovered in GitLab Community and Enterprise Edition 11.9.x and 11.10.x before 11.10.1. Merge requests created by email could be used to bypass push rules in certain situations.
Missing Authorization vulnerability in quantumcloud Simple Link Directory Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Link Directory Pro: from n/a through 14.7.3.
The Coming Soon Page & Maintenance Mode plugin for WordPress is vulnerable to unauthenticated settings reset in versions up to, and including 1.8.1 due to missing capability checks in the ~/functions/data-reset-post.php file which makes it possible for unauthenticated attackers to trigger a plugin settings reset.
Missing Authorization vulnerability in blackandwhitedigital WP Genealogy – Your Family History Website allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Genealogy – Your Family History Website: from n/a through 0.1.9.
Missing Authorization vulnerability in Alimir WP ULike. This issue affects WP ULike: from n/a through 4.7.9.1.
Missing Authorization vulnerability in Iqonic Design WPBookit allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WPBookit: from n/a through 1.0.1.
Missing Authorization vulnerability in PickPlugins Job Board Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Job Board Manager: from n/a through 2.1.60.
Missing Authorization vulnerability in Galaxy Weblinks WP Clone any post type allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Clone any post type: from n/a through 3.4.
Missing Authorization vulnerability in JoomSky JS Job Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Job Manager: from n/a through 2.0.2.
Missing Authorization vulnerability in InfoGiants Simple Website Logo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Website Logo: from n/a through 1.1.
Missing Authorization vulnerability in WP Event Manager WP Event Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Event Manager: from n/a through 3.1.47.
Missing Authorization vulnerability in Miguel Fuentes Payment QR WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment QR WooCommerce: from n/a through 1.1.6.
Missing Authorization vulnerability in WebProtect.ai Astra Security Suite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Astra Security Suite: from n/a through 0.2.
Missing Authorization vulnerability in alexvtn Chatbox Manager allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Chatbox Manager: from n/a through 1.2.2.
Missing Authorization vulnerability in amazewp fluXtore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects fluXtore: from n/a through 1.6.0.
Missing Authorization vulnerability in Giannis Kipouros Terms & Conditions Per Product allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Terms & Conditions Per Product: from n/a through 1.2.15.
Missing Authorization vulnerability in matthewrubin Review Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Review Manager: from n/a through 2.2.0.