Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-11702

Summary
Assigner-GitLab
Assigner Org ID-ceab7361-8a18-47b1-92ba-4d7d25f6715a
Published At-29 Oct, 2025 | 07:04
Updated At-26 Feb, 2026 | 16:57
Rejected At-
Credits

Missing Authorization in GitLab

GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitLab
Assigner Org ID:ceab7361-8a18-47b1-92ba-4d7d25f6715a
Published At:29 Oct, 2025 | 07:04
Updated At:26 Feb, 2026 | 16:57
Rejected At:
▼CVE Numbering Authority (CNA)
Missing Authorization in GitLab

GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects.

Affected Products
Vendor
GitLab Inc.GitLab
Product
GitLab
Repo
git://git@gitlab.com:gitlab-org/gitlab.git
CPEs
  • cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • From 17.1 before 18.3.5 (semver)
  • From 18.4 before 18.4.3 (semver)
  • From 18.5 before 18.5.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862: Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862: Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.18.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Upgrade to versions 18.3.5, 18.4.3, 18.5.1 or above.

Configurations
Workarounds
Exploits
Credits
finder
Thanks [iamgk808](https://hackerone.com/iamgk808) for reporting this vulnerability through our HackerOne bug bounty program
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/
N/A
https://gitlab.com/gitlab-org/gitlab/-/issues/576900
issue-tracking
permissions-required
https://hackerone.com/reports/3356284
technical-description
exploit
permissions-required
Hyperlink: https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/
Resource: N/A
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/576900
Resource:
issue-tracking
permissions-required
Hyperlink: https://hackerone.com/reports/3356284
Resource:
technical-description
exploit
permissions-required
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@gitlab.com
Published At:29 Oct, 2025 | 07:15
Updated At:03 Nov, 2025 | 18:32

GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches
GitLab Inc.
gitlab
>>gitlab>>Versions from 17.1.0(inclusive) to 18.3.5(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 18.4.0(inclusive) to 18.4.3(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
GitLab Inc.
gitlab
>>gitlab>>18.5.0
cpe:2.3:a:gitlab:gitlab:18.5.0:*:*:*:enterprise:*:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarycve@gitlab.com
CWE ID: CWE-862
Type: Primary
Source: cve@gitlab.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/cve@gitlab.com
Release Notes
Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/576900cve@gitlab.com
Broken Link
https://hackerone.com/reports/3356284cve@gitlab.com
Permissions Required
Hyperlink: https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/
Source: cve@gitlab.com
Resource:
Release Notes
Vendor Advisory
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/576900
Source: cve@gitlab.com
Resource:
Broken Link
Hyperlink: https://hackerone.com/reports/3356284
Source: cve@gitlab.com
Resource:
Permissions Required

Change History

0
Information is not available yet

Similar CVEs

632Records found
CVE-2024-43297
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 49.36%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-13 Nov, 2024 | 01:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Clone plugin <= 2.4.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Migrate Clone allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Clone: from n/a through 2.4.5.

Action-Not Available
Vendor-backupblissMigrate
Product-cloneClone
CWE ID-CWE-862
Missing Authorization
CVE-2022-0611
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.3||MEDIUM
EPSS-0.29% / 52.47%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 23:30
Updated-24 Feb, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in snipe/snipe-it

Missing Authorization in Packagist snipe/snipe-it prior to 5.3.11.

Action-Not Available
Vendor-snipeitappsnipe
Product-snipe-itsnipe/snipe-it
CWE ID-CWE-862
Missing Authorization
CVE-2021-47701
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.12% / 31.06%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 20:35
Updated-17 Dec, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenBMCS User Management Privilege Escalation

OpenBMCS 2.4 allows an attacker to escalate privileges from a read user to an admin user by manipulating permissions and exploiting a vulnerability in the update_user_permissions.php script. Attackers can submit a malicious HTTP POST request to PHP scripts in '/plugins/useradmin/' directory.

Action-Not Available
Vendor-openbmcsOPEN BMCS
Product-openbmcsOpenBMCS
CWE ID-CWE-862
Missing Authorization
CVE-2025-1657
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.18% / 39.02%
||
7 Day CHG~0.00%
Published-15 Mar, 2025 | 02:22
Updated-28 Mar, 2025 | 12:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directory Listings WordPress plugin – uListing <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized.

Action-Not Available
Vendor-stylemixthemesstylemix
Product-ulistingDirectory Listings WordPress plugin – uListing
CWE ID-CWE-862
Missing Authorization
CVE-2025-14386
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.12% / 31.42%
||
7 Day CHG+0.02%
Published-28 Jan, 2026 | 11:23
Updated-29 Jan, 2026 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization 2.4.4 - 2.5.12 - Missing Authorization to Authenticated (Subscriber+) Authentication Bypass via Account Takeover

The Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the 'nonce_token' authentication value to log in to the first Administrator's account.

Action-Not Available
Vendor-shahrukhlinkgraph
Product-Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization
CWE ID-CWE-862
Missing Authorization
CVE-2023-45760
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 58.57%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 11:59
Updated-29 May, 2025 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress wpDiscuz plugin <= 7.6.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in gVectors Team wpDiscuz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpDiscuz: from n/a through 7.6.3.

Action-Not Available
Vendor-gvectorsgVectors Team
Product-wpdiscuzwpDiscuz
CWE ID-CWE-862
Missing Authorization
CVE-2023-46212
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.3||MEDIUM
EPSS-0.05% / 16.21%
||
7 Day CHG~0.00%
Published-18 Dec, 2023 | 23:57
Updated-02 Aug, 2024 | 20:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP EXtra Plugin <= 6.2 is vulnerable to Broken Access Control

Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in TienCOP WP EXtra allows Accessing Functionality Not Properly Constrained by ACLs, Cross Site Request Forgery.This issue affects WP EXtra: from n/a through 6.2.

Action-Not Available
Vendor-wpvnteamTienCOP
Product-wp_extraWP EXtra
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-10896
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.30% / 52.90%
||
7 Day CHG~0.00%
Published-04 Nov, 2025 | 04:27
Updated-04 Nov, 2025 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple Plugins <= Multiple Versions - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Upload

Multiple plugins for WordPress with the Jewel Theme Recommended Plugins Library are vulnerable to Unrestricted Upload of File with Dangerous Type via arbitrary plugin installation in all versions up to, and including, 1.0.2.3. This is due to missing capability checks on the '*_recommended_upgrade_plugin' function which allows arbitrary plugin URLs to be installed. This makes it possible for authenticated attackers with subscriber-level access and above to upload arbitrary plugin packages to the affected site's server via a crafted plugin URL, which may make remote code execution possible.

Action-Not Available
Vendor-litonice13
Product-Content Locker for ElementorImage Hover Effects for ElementorImage Comparison Addon for ElementorMaster Blocks – Ultimate Gutenberg Blocks for Marketers
CWE ID-CWE-862
Missing Authorization
CVE-2023-44151
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 36.72%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 11:49
Updated-20 Sep, 2024 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pre-Publish Checklist plugin <= 1.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brainstorm Force Pre-Publish Checklist.This issue affects Pre-Publish Checklist: from n/a through 1.1.1.

Action-Not Available
Vendor-Brainstorm Force
Product-pre-publish_checklistPre-Publish Checklist
CWE ID-CWE-862
Missing Authorization
CVE-2025-10706
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.41% / 61.33%
||
7 Day CHG~0.00%
Published-16 Oct, 2025 | 06:47
Updated-16 Oct, 2025 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Classified Pro <= 1.0.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwp_addons_update_plugin_cb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible. Note: The required nonce for the vulnerability is in the CubeWP Framework plugin.

Action-Not Available
Vendor-Cridio Studio
Product-ClassifiedPro - reCommerce WordPress Theme
CWE ID-CWE-862
Missing Authorization
CVE-2023-41945
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.06% / 18.44%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 12:09
Updated-26 Sep, 2024 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.

Action-Not Available
Vendor-Jenkins
Product-assembla_authJenkins Assembla Auth Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-39922
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.45%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 12:17
Updated-05 Feb, 2025 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Avada theme <= 7.11.1 - Authenticated Broken Access Control vulnerability

Missing Authorization vulnerability in ThemeFusion Avada.This issue affects Avada: from n/a through 7.11.1.

Action-Not Available
Vendor-Avada (ThemeFusion)
Product-avadaAvada
CWE ID-CWE-862
Missing Authorization
CVE-2023-40334
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 52.11%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-12 Mar, 2025 | 17:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress HUSKY – Products Filter for WooCommerce Professional plugin <= 1.3.4.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in realmag777 HUSKY allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HUSKY: from n/a through 1.3.4.2.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-husky_-_products_filter_professional_for_woocommerceHUSKY
CWE ID-CWE-862
Missing Authorization
CVE-2023-38475
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 52.11%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-19 Mar, 2025 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Donations Made Easy – Smart Donations plugin <= 4.0.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in RedNao Donations Made Easy – Smart Donations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Donations Made Easy – Smart Donations: from n/a through 4.0.12.

Action-Not Available
Vendor-rednaoRedNao
Product-donations_made_easy_-_smart_donationsDonations Made Easy – Smart Donations
CWE ID-CWE-862
Missing Authorization
CVE-2023-37885
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 30.88%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 04:32
Updated-13 Jan, 2026 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RealHomes theme <= 4.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in InspiryThemes RealHomes.This issue affects RealHomes: from n/a through 4.0.2.

Action-Not Available
Vendor-inspirythemesInspiryThemes
Product-realhomesRealHomes
CWE ID-CWE-862
Missing Authorization
CVE-2023-37886
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.09% / 24.77%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 04:29
Updated-13 Jan, 2026 | 14:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RealHomes theme <= 4.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in InspiryThemes RealHomes.This issue affects RealHomes: from n/a through 4.0.2.

Action-Not Available
Vendor-inspirythemesInspiryThemes
Product-realhomesRealHomes
CWE ID-CWE-862
Missing Authorization
CVE-2023-38102
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-0.35% / 56.98%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 01:59
Updated-06 Feb, 2025 | 18:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NETGEAR ProSAFE Network Management System createUser Missing Authorization Privilege Escalation Vulnerability

NETGEAR ProSAFE Network Management System createUser Missing Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the createUser function. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-19726.

Action-Not Available
Vendor-NETGEAR, Inc.
Product-prosafe_network_management_systemProSAFE Network Management Systemprosafe_network_management_system
CWE ID-CWE-862
Missing Authorization
CVE-2023-37869
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.40% / 60.38%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 13:46
Updated-23 Jan, 2025 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Premium Addons PRO plugin <= 2.9.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Premium Addons Premium Addons PRO.This issue affects Premium Addons PRO: from n/a through 2.9.0.

Action-Not Available
Vendor-leap13Premium Addons
Product-premium_addonsPremium Addons PRO
CWE ID-CWE-862
Missing Authorization
CVE-2024-54268
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.57% / 68.34%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-12 Mar, 2025 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SiteOrigin Widgets Bundle plugin <= 1.64.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in SiteOrigin SiteOrigin Widgets Bundle allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteOrigin Widgets Bundle: from n/a through 1.64.0.

Action-Not Available
Vendor-siteoriginSiteOrigin
Product-siteorigin_widgets_bundleSiteOrigin Widgets Bundle
CWE ID-CWE-862
Missing Authorization
CVE-2024-56048
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.46% / 64.05%
||
7 Day CHG~0.00%
Published-18 Dec, 2024 | 18:57
Updated-12 Dec, 2025 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPLMS plugin <= 1.9.9 - Arbitrary Option Update to Privilege Escalation vulnerability

Missing Authorization vulnerability in VibeThemes WPLMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPLMS: from n/a through 1.9.9.

Action-Not Available
Vendor-vibethemesVibeThemes
Product-wordpress_learning_management_systemWPLMS
CWE ID-CWE-862
Missing Authorization
CVE-2023-36676
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 43.18%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 13:52
Updated-20 Sep, 2024 | 23:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Spectra plugin <= 2.6.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brainstorm Force Spectra.This issue affects Spectra: from n/a through 2.6.6.

Action-Not Available
Vendor-Brainstorm Force
Product-spectraSpectra
CWE ID-CWE-862
Missing Authorization
CVE-2023-36695
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 47.54%
||
7 Day CHG~0.00%
Published-13 Jun, 2024 | 23:46
Updated-03 Oct, 2024 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sublanguage plugin <= 2.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Maxime Schoeni Sublanguage.This issue affects Sublanguage: from n/a through 2.9.

Action-Not Available
Vendor-maximeschoeniMaxime Schoeni
Product-sublanguageSublanguage
CWE ID-CWE-862
Missing Authorization
CVE-2021-27859
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-8.8||HIGH
EPSS-0.75% / 72.98%
||
7 Day CHG~0.00%
Published-15 Dec, 2021 | 16:14
Updated-16 Sep, 2024 | 21:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing authorization vulnerability in FatPipe software

A missing authorization vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 allows an authenticated, remote attacker with read-only privileges to create an account with administrative privileges. Older versions of FatPipe software may also be vulnerable. This does not appear to be a CSRF vulnerability. The FatPipe advisory identifier for this vulnerability is FPSA005.

Action-Not Available
Vendor-fatpipeincFatPipe
Product-ipvpn_firmwarewarpipvpnwarp_firmwarempvpnmpvpn_firmwareIPVPNMPVPNWARP
CWE ID-CWE-862
Missing Authorization
CVE-2023-35051
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 50.25%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-19 Mar, 2025 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Forms by Cimatti plugin <= 1.5.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Cimatti Consulting Contact Forms by Cimatti allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Forms by Cimatti: from n/a through 1.5.7.

Action-Not Available
Vendor-cimattiCimatti Consulting
Product-wordpress_contact_formsContact Forms by Cimatti
CWE ID-CWE-862
Missing Authorization
CVE-2023-33265
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.17% / 38.55%
||
7 Day CHG~0.00%
Published-18 Jul, 2023 | 00:00
Updated-02 May, 2025 | 10:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted.

Action-Not Available
Vendor-hazelcastn/a
Product-hazelcastimdgn/a
CWE ID-CWE-862
Missing Authorization
CVE-2021-23014
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-8.8||HIGH
EPSS-0.27% / 50.70%
||
7 Day CHG~0.00%
Published-10 May, 2021 | 14:35
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, and 14.1.x before 14.1.4, BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API which might allow Authenticated users with guest privileges to upload files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-n/aF5, Inc.
Product-big-ip_advanced_web_application_firewallbig-ip_application_security_managerBIG-IP ASM/Advanced WAF
CWE ID-CWE-862
Missing Authorization
CVE-2023-33996
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.66% / 70.91%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-13 Dec, 2024 | 20:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin <= 6.10 - Broken Access Control vulnerability

Missing Authorization vulnerability in СleanTalk - Anti-Spam Protection Spam protection, AntiSpam, FireWall by CleanTalk allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spam protection, AntiSpam, FireWall by CleanTalk: from n/a through 6.10.

Action-Not Available
Vendor-СleanTalk - Anti-Spam Protection
Product-Spam protection, AntiSpam, FireWall by CleanTalk
CWE ID-CWE-862
Missing Authorization
CVE-2025-32542
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.25% / 48.54%
||
7 Day CHG~0.00%
Published-11 Apr, 2025 | 08:42
Updated-11 Apr, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Eazy Plugin Manager plugin <= 4.3.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in EazyPlugins Eazy Plugin Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eazy Plugin Manager: from n/a through 4.3.0.

Action-Not Available
Vendor-EazyPlugins
Product-Eazy Plugin Manager
CWE ID-CWE-862
Missing Authorization
CVE-2021-21486
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.8||MEDIUM
EPSS-0.15% / 34.92%
||
7 Day CHG~0.00%
Published-09 Mar, 2021 | 14:07
Updated-03 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Enterprise Financial Services versions, 101, 102, 103, 104, 105, 600, 603, 604, 605, 606, 616, 617, 618, 800, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-enterprise_financial_servicesSAP Enterprise Financial Services (Bank Customer Accounts)
CWE ID-CWE-862
Missing Authorization
CVE-2025-3058
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.26% / 48.63%
||
7 Day CHG~0.00%
Published-24 Apr, 2025 | 08:23
Updated-29 Apr, 2025 | 13:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Xelion Webchat <= 9.1.0 - Authenticated (Subscriber+) Arbitrary Options Update

The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the xwc_save_settings() function in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Action-Not Available
Vendor-jauharixelion
Product-Xelion Webchat
CWE ID-CWE-862
Missing Authorization
CVE-2019-25142
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.55% / 67.70%
||
7 Day CHG+0.11%
Published-07 Jun, 2023 | 01:51
Updated-23 Dec, 2024 | 16:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including,1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options.

Action-Not Available
Vendor-extendthemesextendthemes
Product-materialismesmerizeMesmerizeMaterialis
CWE ID-CWE-862
Missing Authorization
CVE-2019-18610
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-41.89% / 97.37%
||
7 Day CHG-1.12%
Published-22 Nov, 2019 | 17:31
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands.

Action-Not Available
Vendor-n/aDebian GNU/LinuxDigium, Inc.
Product-certified_asteriskasteriskdebian_linuxn/a
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • ...
  • 11
  • 12
  • 13
  • Next
Details not found