Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-9364

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-18 Oct, 2024 | 04:32
Updated At-18 Oct, 2024 | 16:36
Rejected At-
Credits

SendGrid for WordPress <= 1.4 - Missing Authorization to Authenticated (Subscriber+) Log Deletion

The SendGrid for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_mailplus_clear_logs' function in all versions up to, and including, 1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's log files.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:18 Oct, 2024 | 04:32
Updated At:18 Oct, 2024 | 16:36
Rejected At:
▼CVE Numbering Authority (CNA)
SendGrid for WordPress <= 1.4 - Missing Authorization to Authenticated (Subscriber+) Log Deletion

The SendGrid for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_mailplus_clear_logs' function in all versions up to, and including, 1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's log files.

Affected Products
Vendor
smackcoders
Product
SendGrid for WordPress
Default Status
unaffected
Versions
Affected
  • From * through 1.4 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Nir KUM
Timeline
EventDate
Disclosed2024-10-17 15:43:25
Event: Disclosed
Date: 2024-10-17 15:43:25
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/bb7d99a7-1e7d-43e1-839c-286b454c8276?source=cve
N/A
https://plugins.svn.wordpress.org/wp-sendgrid-mailer/tags/1.4/wp-sendgrid-mailer.php
N/A
https://plugins.trac.wordpress.org/browser/wp-sendgrid-mailer/trunk/wp-sendgrid-mailer.php#L167
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/bb7d99a7-1e7d-43e1-839c-286b454c8276?source=cve
Resource: N/A
Hyperlink: https://plugins.svn.wordpress.org/wp-sendgrid-mailer/tags/1.4/wp-sendgrid-mailer.php
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/wp-sendgrid-mailer/trunk/wp-sendgrid-mailer.php#L167
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:18 Oct, 2024 | 05:15
Updated At:22 Oct, 2024 | 15:26

The SendGrid for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_mailplus_clear_logs' function in all versions up to, and including, 1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's log files.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
smackcoders
smackcoders
>>sendgrid>>Versions up to 1.4(inclusive)
cpe:2.3:a:smackcoders:sendgrid:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity@wordfence.com
CWE ID: CWE-862
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.svn.wordpress.org/wp-sendgrid-mailer/tags/1.4/wp-sendgrid-mailer.phpsecurity@wordfence.com
Product
https://plugins.trac.wordpress.org/browser/wp-sendgrid-mailer/trunk/wp-sendgrid-mailer.php#L167security@wordfence.com
Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/bb7d99a7-1e7d-43e1-839c-286b454c8276?source=cvesecurity@wordfence.com
Third Party Advisory
Hyperlink: https://plugins.svn.wordpress.org/wp-sendgrid-mailer/tags/1.4/wp-sendgrid-mailer.php
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://plugins.trac.wordpress.org/browser/wp-sendgrid-mailer/trunk/wp-sendgrid-mailer.php#L167
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/bb7d99a7-1e7d-43e1-839c-286b454c8276?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

797Records found
CVE-2025-31530
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.12%
||
7 Day CHG-0.02%
Published-31 Mar, 2025 | 12:55
Updated-01 Apr, 2025 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Google SEO Pressor Snippet plugin <= 2.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in smackcoders Google SEO Pressor Snippet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google SEO Pressor Snippet: from n/a through 2.0.

Action-Not Available
Vendor-smackcoders
Product-Google SEO Pressor Snippet
CWE ID-CWE-862
Missing Authorization
CVE-2025-22647
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 9.89%
||
7 Day CHG-0.01%
Published-27 Mar, 2025 | 15:07
Updated-27 Mar, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AIO Performance Profiler plugin <= 1.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in smackcoders AIO Performance Profiler, Monitor, Optimize, Compress & Debug allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AIO Performance Profiler, Monitor, Optimize, Compress & Debug: from n/a through 1.2.

Action-Not Available
Vendor-smackcoders
Product-AIO Performance Profiler, Monitor, Optimize, Compress & Debug
CWE ID-CWE-862
Missing Authorization
CVE-2025-5692
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.05% / 16.40%
||
7 Day CHG~0.00%
Published-02 Jul, 2025 | 02:03
Updated-27 Aug, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lead Form Data Collection to CRM <= 3.1 - Missing Authorization to Authenticated (Subscriber+) Many Actions

The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates.

Action-Not Available
Vendor-smackcoderssmackcoders
Product-lead_form_data_collection_to_crmLead Form Data Collection to CRM
CWE ID-CWE-862
Missing Authorization
CVE-2025-47690
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.06% / 18.26%
||
7 Day CHG~0.00%
Published-23 May, 2025 | 12:43
Updated-27 May, 2025 | 14:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Lead Form Data Collection to CRM plugin <= 3.1 - Arbitrary Option Update to Privilege Escalation vulnerability

Missing Authorization vulnerability in smackcoders Lead Form Data Collection to CRM allows Privilege Escalation. This issue affects Lead Form Data Collection to CRM: from n/a through 3.1.

Action-Not Available
Vendor-smackcoders
Product-Lead Form Data Collection to CRM
CWE ID-CWE-862
Missing Authorization
CVE-2022-3244
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-4.2||MEDIUM
EPSS-0.11% / 30.18%
||
7 Day CHG~0.00%
Published-17 Oct, 2022 | 00:00
Updated-13 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Import all XML, CSV & TXT into WordPress < 6.5.8 - Missing Authorisation

The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce

Action-Not Available
Vendor-smackcodersUnknown
Product-import_all_pages\,_post_types\,_products\,_orders\,_and_users_as_xml_\&_csvImport all XML, CSV & TXT into WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2023-25039
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.17%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 11:46
Updated-02 Aug, 2024 | 11:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Google Maps CP plugin <= 1.0.43 - Missing Authorization Leading To Feedback Submission Vulnerability

Missing Authorization vulnerability in CodePeople Google Maps CP.This issue affects Google Maps CP: from n/a through 1.0.43.

Action-Not Available
Vendor-CodePeople
Product-Google Maps CP
CWE ID-CWE-862
Missing Authorization
CVE-2023-25026
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.84%
||
7 Day CHG+0.02%
Published-09 Dec, 2024 | 11:31
Updated-09 Dec, 2024 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PayPal Brasil para WooCommerce plugin <= 1.4.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in PayPal PayPal Brasil para WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PayPal Brasil para WooCommerce: from n/a through 1.4.2.

Action-Not Available
Vendor-PayPal
Product-PayPal Brasil para WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2023-25037
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.84%
||
7 Day CHG+0.02%
Published-09 Dec, 2024 | 11:31
Updated-09 Dec, 2024 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Booking Calendar Contact Form plugin <= 1.2.34 - Broken Access Control vulnerability

Missing Authorization vulnerability in CodePeople Booking Calendar Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking Calendar Contact Form: from n/a through 1.2.34.

Action-Not Available
Vendor-CodePeople
Product-Booking Calendar Contact Form
CWE ID-CWE-862
Missing Authorization
CVE-2023-25030
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.85%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 09:39
Updated-07 Aug, 2024 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Buy Me a Coffee plugin <= 3.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Buy Me a Coffee.This issue affects Buy Me a Coffee: from n/a through 3.7.

Action-Not Available
Vendor-buymeacoffeeBuy Me a Coffee
Product-buy_me_a_coffeeBuy Me a Coffee
CWE ID-CWE-862
Missing Authorization
CVE-2023-2414
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.06% / 20.15%
||
7 Day CHG~0.00%
Published-09 Jun, 2023 | 05:33
Updated-20 Mar, 2025 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.6 - Missing Authorization to Settings Update and Arbitrary File Upload

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_save_settings_callback function in versions up to, and including, 4.4.6. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to modify the plugins settings, upload arbitrary files, and inject malicious JavaScript (before 4.3.2).

Action-Not Available
Vendor-vcitavcita
Product-online_booking_\&_scheduling_calendarOnline Booking & Scheduling Calendar for WordPress by vcita
CWE ID-CWE-862
Missing Authorization
CVE-2023-47820
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.60%
||
7 Day CHG+0.01%
Published-09 Dec, 2024 | 11:30
Updated-09 Dec, 2024 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Like Button plugin <= 1.7.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in CRUDLab WP Like Button allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Like Button: from n/a through 1.7.0.

Action-Not Available
Vendor-CRUDLab
Product-WP Like Button
CWE ID-CWE-862
Missing Authorization
CVE-2019-0367
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 39.19%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:16
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 and 2.0, does not perform necessary authorization checks for an authenticated user, allowing the import of B2B table content that leads to Missing Authorization Check.

Action-Not Available
Vendor-SAP SE
Product-netweaver_process_integrationSAP NetWeaver Process Integration (B2B Toolkit)
CWE ID-CWE-862
Missing Authorization
CVE-2023-47761
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.60%
||
7 Day CHG+0.01%
Published-09 Dec, 2024 | 11:30
Updated-09 Dec, 2024 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple 301 Redirects by BetterLinks plugin <= 2.0.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPDeveloper Simple 301 Redirects by BetterLinks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple 301 Redirects by BetterLinks: from n/a through 2.0.7.

Action-Not Available
Vendor-WPDeveloper
Product-Simple 301 Redirects by BetterLinks
CWE ID-CWE-862
Missing Authorization
CVE-2023-47754
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 32.53%
||
7 Day CHG~0.00%
Published-18 Dec, 2023 | 23:49
Updated-02 Aug, 2024 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Delete Duplicate Posts Plugin <= 4.8.9 is vulnerable to Broken Access Control

Missing Authorization vulnerability in Clever plugins Delete Duplicate Posts allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Delete Duplicate Posts: from n/a through 4.8.9.

Action-Not Available
Vendor-cleverpluginsClever plugins
Product-delete_duplicate_postsDelete Duplicate Posts
CWE ID-CWE-862
Missing Authorization
CVE-2023-23823
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.37%
||
7 Day CHG+0.01%
Published-09 Dec, 2024 | 11:31
Updated-09 Dec, 2024 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Enhanced Text Widget plugin <= 1.5.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Clever Widgets Enhanced Text Widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Enhanced Text Widget: from n/a through 1.5.8.

Action-Not Available
Vendor-Clever Widgets
Product-Enhanced Text Widget
CWE ID-CWE-862
Missing Authorization
CVE-2023-48740
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.60%
||
7 Day CHG+0.01%
Published-09 Dec, 2024 | 11:30
Updated-09 Jun, 2025 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Social Feed plugin <= 6.5.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Easy Social Feed Easy Social Feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Social Feed: from n/a through 6.5.1.

Action-Not Available
Vendor-easysocialfeedEasy Social Feed
Product-easy_social_feedEasy Social Feed
CWE ID-CWE-862
Missing Authorization
CVE-2023-22834
Matching Score-4
Assigner-Palantir Technologies
ShareView Details
Matching Score-4
Assigner-Palantir Technologies
CVSS Score-2.7||LOW
EPSS-0.04% / 9.44%
||
7 Day CHG~0.00%
Published-26 Jun, 2023 | 23:06
Updated-07 Nov, 2024 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The contour service was not checking that users had permission to create an analysis for a given dataset

The Contour Service was not checking that users had permission to create an analysis for a given dataset. This could allow an attacker to clutter up Compass folders with extraneous analyses, that the attacker would otherwise not have permission to create.

Action-Not Available
Vendor-palantirPalantir
Product-contourcom.palantir.contour:contour-dispatch
CWE ID-CWE-425
Direct Request ('Forced Browsing')
CWE ID-CWE-862
Missing Authorization
CVE-2023-47760
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 41.24%
||
7 Day CHG+0.03%
Published-09 Dec, 2024 | 11:30
Updated-22 Jan, 2025 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Essential Blocks plugin <= 4.2.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Gutenberg: from n/a through 4.2.0.

Action-Not Available
Vendor-WPDeveloper
Product-essential_blocksEssential Blocks for Gutenberg
CWE ID-CWE-862
Missing Authorization
CVE-2023-47793
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.33%
||
7 Day CHG+0.02%
Published-09 Dec, 2024 | 11:30
Updated-09 Dec, 2024 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Acme Fix Images plugin <= 1.0.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in acmethemes Acme Fix Images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Acme Fix Images: from n/a through 1.0.0.

Action-Not Available
Vendor-acmethemes
Product-Acme Fix Images
CWE ID-CWE-862
Missing Authorization
CVE-2023-47762
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.60%
||
7 Day CHG+0.01%
Published-09 Dec, 2024 | 11:30
Updated-09 Dec, 2024 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BetterDocs plugin <= 2.5.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPDeveloper BetterDocs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BetterDocs: from n/a through 2.5.2.

Action-Not Available
Vendor-WPDeveloper
Product-BetterDocs
CWE ID-CWE-862
Missing Authorization
CVE-2023-23882
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 15.66%
||
7 Day CHG~0.00%
Published-17 Jan, 2024 | 16:44
Updated-23 May, 2025 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ultimate Addons for Beaver Builder – Lite Plugin <= 1.5.5 is vulnerable to Broken Access Control

Missing Authorization vulnerability in Brainstorm Force Ultimate Addons for Beaver Builder – Lite.This issue affects Ultimate Addons for Beaver Builder – Lite: from n/a through 1.5.5.

Action-Not Available
Vendor-Brainstorm Force
Product-ultimate_addons_for_beaver_builderUltimate Addons for Beaver Builder – Lite
CWE ID-CWE-862
Missing Authorization
CVE-2023-23716
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.60%
||
7 Day CHG+0.01%
Published-09 Dec, 2024 | 11:31
Updated-09 Dec, 2024 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Zendesk Support for WordPress plugin <= 1.8.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Zendesk Zendesk Support for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zendesk Support for WordPress: from n/a through 1.8.4.

Action-Not Available
Vendor-Zendesk
Product-Zendesk Support for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2023-47757
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.79%
||
7 Day CHG~0.00%
Published-17 Nov, 2023 | 08:52
Updated-28 Aug, 2024 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AWeber Plugin <= 7.3.9 is vulnerable to Broken Access Control

Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in AWeber AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth allows Accessing Functionality Not Properly Constrained by ACLs, Cross-Site Request Forgery.This issue affects AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth: from n/a through 7.3.9.

Action-Not Available
Vendor-AWeber
Product-aweberAWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-48751
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.63%
||
7 Day CHG~0.00%
Published-18 Dec, 2023 | 23:44
Updated-20 Nov, 2024 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Participants Database Plugin <= 2.5.5 is vulnerable to Broken Access Control

Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in Roland Barker, xnau webdesign Participants Database allows Accessing Functionality Not Properly Constrained by ACLs, Cross Site Request Forgery.This issue affects Participants Database: from n/a through 2.5.5.

Action-Not Available
Vendor-xnauRoland Barker, xnau webdesign
Product-participants_databaseParticipants Database
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-23520
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 33.84%
||
7 Day CHG~0.00%
Published-26 Mar, 2024 | 11:47
Updated-20 Mar, 2025 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PopupAlly plugin <= 2.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in AccessAlly PopupAlly.This issue affects PopupAlly: from n/a through 2.1.0.

Action-Not Available
Vendor-accessallyAccessAllyaccessally
Product-popupallyPopupAllypopupally_wordpress
CWE ID-CWE-862
Missing Authorization
CVE-2023-47778
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 24.88%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 14:18
Updated-02 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress LuckyWP Scripts Control plugin <= 1.2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in LuckyWP LuckyWP Scripts Control allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LuckyWP Scripts Control: from n/a through 1.2.1.

Action-Not Available
Vendor-LuckyWP
Product-LuckyWP Scripts Control
CWE ID-CWE-862
Missing Authorization
CVE-2023-2174
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 15.03%
||
7 Day CHG~0.00%
Published-31 Aug, 2023 | 05:33
Updated-27 Sep, 2024 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The BadgeOS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_badgeos_log_entries function in versions up to, and including, 3.7.1.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the plugin's log entries.

Action-Not Available
Vendor-badgeoslearningtimes
Product-badgeosBadgeOS
CWE ID-CWE-862
Missing Authorization
CVE-2023-2189
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.67%
||
7 Day CHG~0.00%
Published-09 Jun, 2023 | 05:33
Updated-20 Dec, 2024 | 23:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggle_widget function in versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to enable or disable Elementor widgets.

Action-Not Available
Vendor-staxwpstaxwp
Product-staxElementor Addons, Widgets and Enhancements – Stax
CWE ID-CWE-862
Missing Authorization
CVE-2023-47838
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.37%
||
7 Day CHG+0.01%
Published-09 Dec, 2024 | 11:30
Updated-09 Dec, 2024 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Conditional Fields for Contact Form 7 plugin <= 2.4.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jules Colle Conditional Fields for Contact Form 7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Conditional Fields for Contact Form 7: from n/a through 2.4.1.

Action-Not Available
Vendor-Jules Colle
Product-Conditional Fields for Contact Form 7
CWE ID-CWE-862
Missing Authorization
CVE-2025-58193
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-Not Assigned
Published-27 Aug, 2025 | 17:45
Updated-27 Aug, 2025 | 18:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Uncanny Automator Plugin <= 6.7.0.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Uncanny Owl Uncanny Automator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uncanny Automator: from n/a through 6.7.0.1.

Action-Not Available
Vendor-Uncanny Owl Inc.
Product-Uncanny Automator
CWE ID-CWE-862
Missing Authorization
CVE-2023-47776
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.60%
||
7 Day CHG+0.01%
Published-09 Dec, 2024 | 11:30
Updated-09 Dec, 2024 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress miniorange otp verification plugin <= 4.2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in miniOrange miniorange otp verification allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects miniorange otp verification: from n/a through 4.2.1.

Action-Not Available
Vendor-miniOrange
Product-miniorange otp verification
CWE ID-CWE-862
Missing Authorization
CVE-2023-47807
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.71%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 14:16
Updated-06 Mar, 2025 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress 10WebAnalytics plugin <= 1.2.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in 10Web 10WebAnalytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 10WebAnalytics: from n/a through 1.2.12.

Action-Not Available
Vendor-10Web (TenWeb, Inc.)
Product-10webanalytics10WebAnalytics
CWE ID-CWE-862
Missing Authorization
CVE-2023-47756
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.60%
||
7 Day CHG+0.01%
Published-09 Dec, 2024 | 11:30
Updated-09 Dec, 2024 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Welcome Email Editor plugin <= 5.0.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in David Vongries Welcome Email Editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Welcome Email Editor: from n/a through 5.0.6.

Action-Not Available
Vendor-David Vongries
Product-Welcome Email Editor
CWE ID-CWE-862
Missing Authorization
CVE-2023-47780
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.60%
||
7 Day CHG+0.01%
Published-09 Dec, 2024 | 11:30
Updated-09 Dec, 2024 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EasyAzon – Amazon Associates Affiliate Plugin plugin <= 5.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in EasyAzon EasyAzon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EasyAzon: from n/a through 5.1.0.

Action-Not Available
Vendor-EasyAzon
Product-EasyAzon
CWE ID-CWE-862
Missing Authorization
CVE-2023-47692
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 24.88%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:00
Updated-02 Jan, 2025 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Flo Forms plugin <= 1.0.41 - Broken Access Control vulnerability

Missing Authorization vulnerability in Flothemes Flo Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flo Forms: from n/a through 1.0.41.

Action-Not Available
Vendor-Flothemes
Product-Flo Forms
CWE ID-CWE-862
Missing Authorization
CVE-2023-47523
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 24.88%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:00
Updated-02 Jan, 2025 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Auto Tag Creator plugin <= 1.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ecreate Infotech Auto Tag Creator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Auto Tag Creator: from n/a through 1.0.2.

Action-Not Available
Vendor-Ecreate Infotech
Product-Auto Tag Creator
CWE ID-CWE-862
Missing Authorization
CVE-2023-1414
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 13.40%
||
7 Day CHG~0.00%
Published-24 Apr, 2023 | 18:31
Updated-04 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP VR < 8.3.0 - Subscriber+ Arbitrary Tour Update

The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours

Action-Not Available
Vendor-rexthemeUnknown
Product-wp_vrWP VR
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2025-8482
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.64%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 06:42
Updated-12 Aug, 2025 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Local Avatars <= 2.8.4 - Missing Authorization to Authenticated (Subscriber+) Avatar Migration

The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users.

Action-Not Available
Vendor-10up
Product-Simple Local Avatars
CWE ID-CWE-862
Missing Authorization
CVE-2023-46612
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 24.88%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:00
Updated-02 Jan, 2025 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Mediabay plugin <= 1.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in codedrafty Mediabay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mediabay: from n/a through 1.6.

Action-Not Available
Vendor-codedrafty
Product-Mediabay
CWE ID-CWE-862
Missing Authorization
CVE-2024-1649
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.70%
||
7 Day CHG~0.00%
Published-27 Feb, 2024 | 11:05
Updated-07 Jan, 2025 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxDeleteCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete categories.

Action-Not Available
Vendor-frenifyfrenify
Product-categorifyCategorify – WordPress Media Library Category & File Manager
CWE ID-CWE-862
Missing Authorization
CVE-2023-1337
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-1.37% / 79.42%
||
7 Day CHG~0.00%
Published-10 Mar, 2023 | 19:20
Updated-13 Jan, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the clear_uucss_logs function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete plugin log files.

Action-Not Available
Vendor-rapidloadshakee93
Product-power-up_for_autoptimizeRapidLoad Power-Up for Autoptimize
CWE ID-CWE-862
Missing Authorization
CVE-2023-1027
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.65%
||
7 Day CHG~0.00%
Published-28 Feb, 2023 | 12:54
Updated-13 Jan, 2025 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WP Meta SEO plugin for WordPress is vulnerable to unauthorized sitemap generation due to a missing capability check on the checkAllCategoryInSitemap function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to obtain post categories. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticated users regardless of role.

Action-Not Available
Vendor-JoomUnited
Product-wp_meta_seoWP Meta SEO
CWE ID-CWE-862
Missing Authorization
CVE-2024-1652
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.70%
||
7 Day CHG~0.00%
Published-27 Feb, 2024 | 11:05
Updated-07 Jan, 2025 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxClearCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to clear categories.

Action-Not Available
Vendor-frenifyfrenify
Product-categorifyCategorify – WordPress Media Library Category & File Manager
CWE ID-CWE-862
Missing Authorization
CVE-2023-4627
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.53%
||
7 Day CHG~0.00%
Published-12 Mar, 2024 | 09:33
Updated-15 Jan, 2025 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_config() function in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to update the 'ladipage_config' option.

Action-Not Available
Vendor-ladipagebinhnguyenplus
Product-ladipageLadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
CWE ID-CWE-862
Missing Authorization
CVE-2023-0713
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.03% / 7.12%
||
7 Day CHG~0.00%
Published-07 Feb, 2023 | 21:05
Updated-07 Nov, 2023 | 04:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_add_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin.

Action-Not Available
Vendor-wickedpluginswickedplugins
Product-wicked_foldersWicked Folders
CWE ID-CWE-862
Missing Authorization
CVE-2023-45765
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.71%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 11:59
Updated-31 Jan, 2025 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP ERP plugin <= 1.12.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs WP ERP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP ERP: from n/a through 1.12.6.

Action-Not Available
Vendor-weDevs Pte. Ltd.
Product-wp_erpWP ERP
CWE ID-CWE-862
Missing Authorization
CVE-2023-46203
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.71%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:00
Updated-02 Jan, 2025 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Just Custom Fields plugin <= 3.3.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in JustCoded / Alex Prokopenko Just Custom Fields allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Just Custom Fields: from n/a through 3.3.2.

Action-Not Available
Vendor-JustCoded / Alex Prokopenko
Product-Just Custom Fields
CWE ID-CWE-862
Missing Authorization
CVE-2023-45631
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.71%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 11:59
Updated-21 Mar, 2025 | 18:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Gallery – Image and Video Gallery with Thumbnails plugin <= 2.0.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in wpdevart Responsive Image Gallery, Gallery Album allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3.

Action-Not Available
Vendor-WpDevArt
Product-galleryResponsive Image Gallery, Gallery Album
CWE ID-CWE-862
Missing Authorization
CVE-2023-45110
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.71%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 11:59
Updated-06 Jan, 2025 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Bold Timeline Lite plugin <= 1.1.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in BoldThemes Bold Timeline Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bold Timeline Lite: from n/a through 1.1.9.

Action-Not Available
Vendor-BoldThemes
Product-Bold Timeline Lite
CWE ID-CWE-862
Missing Authorization
CVE-2023-45002
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.71%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 11:59
Updated-06 Jan, 2025 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP User Frontend plugin <= 3.6.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through 3.6.8.

Action-Not Available
Vendor-weDevs Pte. Ltd.
Product-WP User Frontend
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 15
  • 16
  • Next
Details not found