Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-11702

Summary
Assigner-GitLab
Assigner Org ID-ceab7361-8a18-47b1-92ba-4d7d25f6715a
Published At-29 Oct, 2025 | 07:04
Updated At-26 Feb, 2026 | 16:57
Rejected At-
Credits

Missing Authorization in GitLab

GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitLab
Assigner Org ID:ceab7361-8a18-47b1-92ba-4d7d25f6715a
Published At:29 Oct, 2025 | 07:04
Updated At:26 Feb, 2026 | 16:57
Rejected At:
▼CVE Numbering Authority (CNA)
Missing Authorization in GitLab

GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects.

Affected Products
Vendor
GitLab Inc.GitLab
Product
GitLab
Repo
git://git@gitlab.com:gitlab-org/gitlab.git
CPEs
  • cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • From 17.1 before 18.3.5 (semver)
  • From 18.4 before 18.4.3 (semver)
  • From 18.5 before 18.5.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862: Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862: Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.18.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Upgrade to versions 18.3.5, 18.4.3, 18.5.1 or above.

Configurations
Workarounds
Exploits
Credits
finder
Thanks [iamgk808](https://hackerone.com/iamgk808) for reporting this vulnerability through our HackerOne bug bounty program
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/
N/A
https://gitlab.com/gitlab-org/gitlab/-/issues/576900
issue-tracking
permissions-required
https://hackerone.com/reports/3356284
technical-description
exploit
permissions-required
Hyperlink: https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/
Resource: N/A
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/576900
Resource:
issue-tracking
permissions-required
Hyperlink: https://hackerone.com/reports/3356284
Resource:
technical-description
exploit
permissions-required
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@gitlab.com
Published At:29 Oct, 2025 | 07:15
Updated At:03 Nov, 2025 | 18:32

GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches
GitLab Inc.
gitlab
>>gitlab>>Versions from 17.1.0(inclusive) to 18.3.5(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 18.4.0(inclusive) to 18.4.3(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
GitLab Inc.
gitlab
>>gitlab>>18.5.0
cpe:2.3:a:gitlab:gitlab:18.5.0:*:*:*:enterprise:*:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarycve@gitlab.com
CWE ID: CWE-862
Type: Primary
Source: cve@gitlab.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/cve@gitlab.com
Release Notes
Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/576900cve@gitlab.com
Broken Link
https://hackerone.com/reports/3356284cve@gitlab.com
Permissions Required
Hyperlink: https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/
Source: cve@gitlab.com
Resource:
Release Notes
Vendor Advisory
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/576900
Source: cve@gitlab.com
Resource:
Broken Link
Hyperlink: https://hackerone.com/reports/3356284
Source: cve@gitlab.com
Resource:
Permissions Required

Change History

0
Information is not available yet

Similar CVEs

632Records found
CVE-2024-30537
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.45%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 09:01
Updated-02 Aug, 2024 | 01:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPC Badge Management for WooCommerce plugin <= 2.4.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPClever WPC Badge Management for WooCommerce.This issue affects WPC Badge Management for WooCommerce: from n/a through 2.4.0.

Action-Not Available
Vendor-wpcleverWPClever
Product-wpc_badge_management_for_woocommerceWPC Badge Management for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-30470
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.30% / 52.93%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 10:51
Updated-08 Oct, 2024 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress YITH WooCommerce Account Funds Premium plugin <= 1.32.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in YITH YITH WooCommerce Account Funds Premium.This issue affects YITH WooCommerce Account Funds Premium: from n/a through 1.33.0.

Action-Not Available
Vendor-Your Inspiration Solutions S.L.U. (YITH) (YITHEMES)
Product-woocommerce_account_fundsYITH WooCommerce Account Funds Premiumyith_woocommerce_account_funds_premium
CWE ID-CWE-862
Missing Authorization
CVE-2024-30485
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-53.46% / 97.95%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 10:58
Updated-07 Oct, 2024 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Finale Lite plugin <= 2.18.0 - Subscriber+ Arbitrary Plugin Installation/Activation vulnerability

Missing Authorization vulnerability in XLPlugins Finale Lite.This issue affects Finale Lite: from n/a through 2.18.0.

Action-Not Available
Vendor-xlpluginsXLPluginsxlplugins
Product-finaleFinale Litefinale_lite
CWE ID-CWE-862
Missing Authorization
CVE-2024-30484
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.45%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 19:08
Updated-02 Aug, 2024 | 01:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RT Easy Builder plugin <= 2.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in RT Easy Builder – Advanced addons for Elementor.This issue affects RT Easy Builder – Advanced addons for Elementor: from n/a through 2.0.

Action-Not Available
Vendor-risethemes
Product-rt_easy_builderRT Easy Builder – Advanced addons for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2024-30466
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 36.72%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 10:43
Updated-08 Oct, 2024 | 21:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Multilingual & Multicurrency plugin <= 5.3.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in OnTheGoSystems WooCommerce Multilingual & Multicurrency.This issue affects WooCommerce Multilingual & Multicurrency: from n/a through 5.3.4.

Action-Not Available
Vendor-onthegosystemsOnTheGoSystems
Product-woocommerce_multilingual_\&_multicurrencyWooCommerce Multilingual & Multicurrency
CWE ID-CWE-862
Missing Authorization
CVE-2024-30464
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 36.72%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 10:41
Updated-10 Oct, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Social Icons Widget & Block by WPZOOM plugin <= 4.2.15 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPZOOM Social Icons Widget & Block by WPZOOM.This issue affects Social Icons Widget & Block by WPZOOM: from n/a through 4.2.15.

Action-Not Available
Vendor-wpzoomWPZOOM
Product-social_icons_widgetSocial Icons Widget & Block by WPZOOM
CWE ID-CWE-862
Missing Authorization
CVE-2024-4351
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-28.12% / 96.41%
||
7 Day CHG~0.00%
Published-16 May, 2024 | 09:32
Updated-22 Jan, 2025 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutor LMS Pro <= 2.7.0 - Missing Authorization to Privilege Escalation

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to gain control of an existing administrator account.

Action-Not Available
Vendor-Themeum
Product-tutor_lmsTutor LMS Protutor_lms
CWE ID-CWE-862
Missing Authorization
CVE-2024-30515
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.45%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 11:00
Updated-07 Oct, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Events Manager plugin <= 6.4.6.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Pixelite Events Manager.This issue affects Events Manager: from n/a through 6.4.6.4.

Action-Not Available
Vendor-pixelitePixelite
Product-events_managerEvents Manager
CWE ID-CWE-862
Missing Authorization
CVE-2024-43310
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 59.67%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-13 Nov, 2024 | 01:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce plugin <= 3.4.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in UkrSolution Print Barcode Labels for your WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Print Barcode Labels for your WooCommerce products/orders: from n/a through 3.4.9.

Action-Not Available
Vendor-ukrsolutionUkrSolution
Product-print_labels_with_barcodesPrint Barcode Labels for your WooCommerce products/orders
CWE ID-CWE-862
Missing Authorization
CVE-2025-5805
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.05% / 15.45%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:51
Updated-26 Jan, 2026 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Electron theme <= 1.8.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Electron: from n/a through <= 1.8.2.

Action-Not Available
Vendor-Ninetheme
Product-Electron
CWE ID-CWE-862
Missing Authorization
CVE-2025-5803
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.06% / 18.08%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 15:54
Updated-20 Jan, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.2.

Action-Not Available
Vendor-e4jvikwp
Product-VikBooking Hotel Booking Engine & PMS
CWE ID-CWE-862
Missing Authorization
CVE-2024-27190
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.50% / 65.86%
||
7 Day CHG~0.00%
Published-21 Mar, 2024 | 17:04
Updated-14 Feb, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Download Media plugin <= 1.4.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jean-David Daviet Download Media.This issue affects Download Media: from n/a through 1.4.2.

Action-Not Available
Vendor-jeandaviddavietJean-David Daviet
Product-download_mediaDownload Media
CWE ID-CWE-862
Missing Authorization
CVE-2024-43162
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 61.13%
||
7 Day CHG+0.10%
Published-01 Nov, 2024 | 14:17
Updated-07 Feb, 2025 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Digital Downloads plugin <= 3.2.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.2.12.

Action-Not Available
Vendor-Sandhills Development, LLC (EasyDigitalDownloads)Awesome Motive Inc.
Product-easy_digital_downloadsEasy Digital Downloads
CWE ID-CWE-862
Missing Authorization
CVE-2024-27950
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 35.94%
||
7 Day CHG~0.00%
Published-01 Mar, 2024 | 07:46
Updated-17 Dec, 2025 | 21:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sirv Plugin <= 7.2.0 is vulnerable to Broken Access Control

Missing Authorization vulnerability in sirv.Com Image Optimizer, Resizer and CDN – Sirv.This issue affects Image Optimizer, Resizer and CDN – Sirv: from n/a through 7.2.0.

Action-Not Available
Vendor-sirvsirv.com
Product-sirvImage Optimizer, Resizer and CDN – Sirv
CWE ID-CWE-862
Missing Authorization
CVE-2025-5835
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.06% / 18.63%
||
7 Day CHG-0.00%
Published-25 Jul, 2025 | 06:43
Updated-28 Jul, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Droip <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Many Actions

The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more.

Action-Not Available
Vendor-DroipThemeum
Product-droipDroip
CWE ID-CWE-862
Missing Authorization
CVE-2025-58334
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-8.1||HIGH
EPSS-0.00% / 0.10%
||
7 Day CHG~0.00%
Published-28 Aug, 2025 | 16:48
Updated-26 Feb, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains IDE Services before 2025.5.0.1086, 2025.4.2.2164 users without appropriate permissions could assign high-privileged role for themselves

Action-Not Available
Vendor-JetBrains s.r.o.
Product-ide_servicesIDE Services
CWE ID-CWE-862
Missing Authorization
CVE-2022-42884
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.09% / 25.57%
||
7 Day CHG~0.00%
Published-17 Jan, 2024 | 18:17
Updated-23 May, 2025 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WIP Custom Login Plugin <= 1.2.7 is vulnerable to Broken Access Control

Missing Authorization vulnerability in ThemeinProgress WIP Custom Login.This issue affects WIP Custom Login: from n/a through 1.2.7.

Action-Not Available
Vendor-themeinprogressThemeinProgress
Product-wip_custom_loginWIP Custom Login
CWE ID-CWE-862
Missing Authorization
CVE-2025-55141
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-3.38% / 87.22%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:45
Updated-26 Feb, 2026 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayPolicy SecureZTA GatewayNeurons for Secure AccessConnect Secure
CWE ID-CWE-862
Missing Authorization
CVE-2025-55142
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-3.38% / 87.22%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:49
Updated-26 Feb, 2026 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayPolicy SecureZTA GatewayNeurons for Secure AccessConnect Secure
CWE ID-CWE-862
Missing Authorization
CVE-2024-24833
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 58.94%
||
7 Day CHG-0.09%
Published-08 May, 2024 | 13:28
Updated-08 Jan, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Happy Addons for Elementor plugin <= 3.10.1 - Broken Access Control on Post Clone vulnerability

Missing Authorization vulnerability in Leevio Happy Addons for Elementor.This issue affects Happy Addons for Elementor: from n/a through 3.10.1.

Action-Not Available
Vendor-leevioLeevio
Product-happy_addons_for_elementorHappy Addons for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2025-57605
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.06% / 17.27%
||
7 Day CHG+0.01%
Published-22 Sep, 2025 | 00:00
Updated-23 Sep, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Lack of server-side authorisation on department admin assignment APIs in AiKaan IoT Platform allows authenticated users to elevate their privileges by assigning themselves as admins of other departments. This results in unauthorized privilege escalation across the department

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-25092
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-70.05% / 98.65%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 10:28
Updated-11 Oct, 2024 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress NextMove Lite plugin <= 2.17.0 - Subscriber+ Arbitrary Plugin Installation/Activation vulnerability

Missing Authorization vulnerability in XLPlugins NextMove Lite.This issue affects NextMove Lite: from n/a through 2.17.0.

Action-Not Available
Vendor-xlpluginsXLPluginsxlplugins
Product-nextmoveNextMove Litenextmove_lite
CWE ID-CWE-862
Missing Authorization
CVE-2024-43223
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 52.11%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-12 Aug, 2025 | 01:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EventPrime plugin <= 4.0.3.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in EventPrime Events EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through 4.0.3.2.

Action-Not Available
Vendor-EventPrime EventsMetagauss Inc.
Product-eventprimeEventPrime
CWE ID-CWE-862
Missing Authorization
CVE-2022-43453
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.41% / 60.94%
||
7 Day CHG~0.00%
Published-21 Jun, 2024 | 13:33
Updated-03 Aug, 2024 | 13:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Tools plugin <= 3.41 - Auth. Broken Access Control vulnerability

Missing Authorization vulnerability in Bill Minozzi WP Tools.This issue affects WP Tools: from n/a through 3.41.

Action-Not Available
Vendor-billminozziBill Minozzibillminozzi
Product-wp_toolsWP Toolswp_tools
CWE ID-CWE-862
Missing Authorization
CVE-2022-43482
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 54.95%
||
7 Day CHG~0.00%
Published-18 Nov, 2022 | 19:03
Updated-20 Feb, 2025 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Appointment Booking Calendar plugin <= 1.3.69 - Missing Authorization vulnerability

Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress.

Action-Not Available
Vendor-CodePeople
Product-appointment_booking_calendarAppointment Booking Calendar (WordPress plugin)
CWE ID-CWE-862
Missing Authorization
CVE-2022-43581
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-0.39% / 59.48%
||
7 Day CHG~0.00%
Published-07 Dec, 2022 | 17:07
Updated-22 Apr, 2025 | 19:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Content Navigator code execution

IBM Content Navigator 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, and 3.0.12 is vulnerable to missing authorization and could allow an authenticated user to load external plugins and execute code. IBM X-Force ID: 238805.

Action-Not Available
Vendor-IBM Corporation
Product-content_navigatorContent Navigator
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE ID-CWE-862
Missing Authorization
CVE-2020-27220
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-8.8||HIGH
EPSS-0.39% / 59.67%
||
7 Day CHG~0.00%
Published-14 Jan, 2021 | 22:35
Updated-04 Aug, 2024 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Eclipse Hono AMQP and MQTT protocol adapters do not check whether an authenticated gateway device is authorized to receive command & control messages when it has subscribed only to commands for a specific device. The missing check involves verifying that the command target device is configured giving permission for the gateway device to act on its behalf. This means an authenticated device of a certain tenant, notably also a non-gateway device acting like a gateway, may receive command & control messages targeted at a different device of the same tenant without corresponding permissions getting checked.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-honoEclipse Hono
CWE ID-CWE-862
Missing Authorization
CVE-2020-25718
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-0.20% / 41.84%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 00:00
Updated-04 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in the way samba, as an Active Directory Domain Controller, is able to support an RODC (read-only domain controller). This would allow an RODC to print administrator tickets.

Action-Not Available
Vendor-n/aSambaFedora Project
Product-fedorasambasamba
CWE ID-CWE-862
Missing Authorization
CVE-2022-41790
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.76%
||
7 Day CHG~0.00%
Published-17 Jan, 2024 | 18:13
Updated-17 Jun, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Time Slots Booking Form Plugin <= 1.1.76 is vulnerable to Broken Access Control

Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.This issue affects WP Time Slots Booking Form: from n/a through 1.1.76.

Action-Not Available
Vendor-CodePeople
Product-wp_time_slots_booking_formWP Time Slots Booking Form
CWE ID-CWE-862
Missing Authorization
CVE-2020-25629
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-0.55% / 67.83%
||
7 Day CHG~0.00%
Published-08 Dec, 2020 | 00:16
Updated-04 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

Action-Not Available
Vendor-n/aMoodle Pty Ltd
Product-moodleMoodle
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2020-25499
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-19.03% / 95.24%
||
7 Day CHG~0.00%
Published-09 Dec, 2020 | 20:30
Updated-04 Aug, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run Command'. An attacker can use this functionality to execute arbitrary OS commands on the router.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a702r-v2a702r-v3_firmwarea3002ru-v1_firmwarea3002ru-v2n300rt_firmwaren100re-v3_firmwarea702r-v3n200re-v3_firmwarea3002ru-v2_firmwaren150rta3002rn302r_plusn300rh-v3n200re-v4_firmwaren200re-v4n210re_firmwaren100re-v3a702r-v2_firmwaren200re-v3n150rt_firmwarea3002r_firmwaren302r_plus_firmwaren300rta3002ru-v1n300rh-v3_firmwaren210ren/a
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-26818
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 49.80%
||
7 Day CHG~0.00%
Published-10 Nov, 2020 | 16:17
Updated-04 Aug, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver AS ABAP (Web Dynpro)
CWE ID-CWE-862
Missing Authorization
CVE-2020-25917
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.29% / 52.52%
||
7 Day CHG~0.00%
Published-26 Dec, 2020 | 01:50
Updated-04 Aug, 2024 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stratodesk NoTouch Center before 4.4.68 is affected by: Incorrect Access Control. A low privileged user on the platform, for example a user with "helpdesk" privileges, can perform privileged operations including adding a new administrator to the platform via the easyadmin/user/submitCreateTCUser.do page.

Action-Not Available
Vendor-stratodeskn/a
Product-notouch_centern/a
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-669
Incorrect Resource Transfer Between Spheres
CVE-2025-53246
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.06% / 18.08%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 15:53
Updated-20 Jan, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Backup and Move Plugin <= 0.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Gaurav Aggarwal Backup and Move backup-and-move allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backup and Move: from n/a through <= 0.1.

Action-Not Available
Vendor-Gaurav Aggarwal
Product-Backup and Move
CWE ID-CWE-862
Missing Authorization
CVE-2025-54002
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.05% / 15.45%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:51
Updated-26 Jan, 2026 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress xSmart theme <= 1.2.9.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects xSmart: from n/a through <= 1.2.9.4.

Action-Not Available
Vendor-Jthemes
Product-xSmart
CWE ID-CWE-862
Missing Authorization
CVE-2020-24614
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-6.40% / 90.90%
||
7 Day CHG~0.00%
Published-25 Aug, 2020 | 13:36
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 allows remote authenticated users to execute arbitrary code. An attacker must have check-in privileges on the repository.

Action-Not Available
Vendor-fossil-scmn/aopenSUSEFedora Project
Product-fossilfedorabackports_sleleapn/a
CWE ID-CWE-862
Missing Authorization
CVE-2022-41234
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.43% / 62.39%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 15:45
Updated-28 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

Action-Not Available
Vendor-Jenkins
Product-rundeckJenkins Rundeck Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2020-23489
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-5.01% / 89.58%
||
7 Day CHG~0.00%
Published-16 Nov, 2020 | 17:04
Updated-04 Aug, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user can escalate privileges to admin.

Action-Not Available
Vendor-wwbnn/a
Product-avideon/a
CWE ID-CWE-862
Missing Authorization
CVE-2022-41228
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.29% / 51.95%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 15:45
Updated-28 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers with Overall/Read permissions to connect to an attacker-specified webserver using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-ns-nd_integration_performance_publisherJenkins NS-ND Integration Performance Publisher Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-52824
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.07% / 20.26%
||
7 Day CHG+0.01%
Published-27 Jun, 2025 | 11:52
Updated-30 Jun, 2025 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Mobile DJ Manager plugin <= 1.7.6 - Privilege Escalation Vulnerability

Missing Authorization vulnerability in MDJM Mobile DJ Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mobile DJ Manager: from n/a through 1.7.6.

Action-Not Available
Vendor-MDJM
Product-Mobile DJ Manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-5117
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.11% / 29.14%
||
7 Day CHG~0.00%
Published-27 May, 2025 | 11:14
Updated-28 May, 2025 | 15:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Property 1.0.5 - 1.0.6 - Missing Authorization to Authenticated (Author+) Privilege Escalation via property_package_user_role Metadata in PayPal Registration

The Property plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the use of the property_package_user_role metadata in versions 1.0.5 to 1.0.6. This makes it possible for authenticated attackers, with Author‐level access and above, to elevate their privileges to that of an administrator by creating a package post whose property_package_user_role is set to administrator and then submitting the PayPal registration form.

Action-Not Available
Vendor-themeglow
Product-Property – Real Estate Directory Listing
CWE ID-CWE-862
Missing Authorization
CVE-2022-40203
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.3||MEDIUM
EPSS-0.10% / 28.01%
||
7 Day CHG~0.00%
Published-17 Jan, 2024 | 16:08
Updated-17 Jun, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Advanced Dynamic Pricing for WooCommerce Plugin <= 4.1.5 is vulnerable to Broken Access Control

Missing Authorization vulnerability in AlgolPlus Advanced Dynamic Pricing for WooCommerce.This issue affects Advanced Dynamic Pricing for WooCommerce: from n/a through 4.1.5.

Action-Not Available
Vendor-AlgolPlus
Product-advanced_dynamic_pricing_for_woocommerceAdvanced Dynamic Pricing for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-49394
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.06% / 18.08%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 15:53
Updated-20 Jan, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Image Gallery block – Create and display photo gallery/photo album. plugin <= 1.0.7 - Broken Authentication vulnerability

Missing Authorization vulnerability in bPlugins Image Gallery block – Create and display photo gallery/photo album. 3d-image-gallery allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Image Gallery block – Create and display photo gallery/photo album.: from n/a through <= 1.0.7.

Action-Not Available
Vendor-bPlugins
Product-Image Gallery block – Create and display photo gallery/photo album.
CWE ID-CWE-862
Missing Authorization
CVE-2025-49375
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.05% / 15.45%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:51
Updated-26 Jan, 2026 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress HomeLancer theme <= 1.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HomeLancer: from n/a through <= 1.0.1.

Action-Not Available
Vendor-cozythemes
Product-HomeLancer
CWE ID-CWE-862
Missing Authorization
CVE-2022-3911
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.21% / 43.10%
||
7 Day CHG~0.00%
Published-02 Jan, 2023 | 21:49
Updated-10 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
iubenda < 3.3.3 - Subscriber+ Privileges Escalation to Admin

The iubenda WordPress plugin before 3.3.3 does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as edit_plugins etc

Action-Not Available
Vendor-iubendaUnknown
Product-iubenda-cookie-law-solutioniubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2024-22296
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 58.94%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 08:07
Updated-25 Sep, 2024 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress 12 Step Meeting List plugin <= 3.14.28 - Broken Access Control vulnerability

Missing Authorization vulnerability in Code for Recovery 12 Step Meeting List.This issue affects 12 Step Meeting List: from n/a through 3.14.28.

Action-Not Available
Vendor-code4recoveryCode for Recovery
Product-12_step_meeting_list12 Step Meeting List
CWE ID-CWE-862
Missing Authorization
CVE-2024-37517
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.21%
||
7 Day CHG+0.08%
Published-01 Nov, 2024 | 14:18
Updated-06 Mar, 2025 | 14:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Spectra plugin <= 2.13.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.13.7.

Action-Not Available
Vendor-Brainstorm Force
Product-spectraSpectra
CWE ID-CWE-862
Missing Authorization
CVE-2024-37453
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 54.42%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-10 Feb, 2025 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ProfileGrid – User Profiles, Groups and Communities plugin <= 5.8.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in ProfileGrid User Profiles ProfileGrid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ProfileGrid: from n/a through 5.8.7.

Action-Not Available
Vendor-Metagauss Inc.
Product-profilegridProfileGrid
CWE ID-CWE-862
Missing Authorization
CVE-2024-21751
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 36.72%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 08:05
Updated-25 Sep, 2024 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RabbitLoader plugin <= 2.19.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in RabbitLoader.This issue affects RabbitLoader: from n/a through 2.19.13.

Action-Not Available
Vendor-yoginetworkRabbitLoaderrabbitloader
Product-rabbitloaderRabbitLoaderrabbitloader
CWE ID-CWE-862
Missing Authorization
CVE-2025-48138
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.49%
||
7 Day CHG+0.01%
Published-16 May, 2025 | 15:45
Updated-30 May, 2025 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BERTHA AI <= 1.12.11 - Broken Access Control Vulnerability

Missing Authorization vulnerability in berthaai BERTHA AI allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through 1.12.11.

Action-Not Available
Vendor-berthaberthaai
Product-bertha_aiBERTHA AI
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • ...
  • 6
  • 7
  • 8
  • ...
  • 12
  • 13
  • Next
Details not found