Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-11833

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-01 Nov, 2025 | 03:34
Updated At-08 Apr, 2026 | 16:50
Rejected At-
Credits

Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.0 - Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure

The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:01 Nov, 2025 | 03:34
Updated At:08 Apr, 2026 | 16:50
Rejected At:
▼CVE Numbering Authority (CNA)
Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.0 - Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure

The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.

Affected Products
Vendor
saadiqbal
Product
Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App
Default Status
unaffected
Versions
Affected
  • From 0 through 3.6.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Carl Pearson
Timeline
EventDate
Vendor Notified2025-10-15 19:30:48
Disclosed2025-10-31 14:46:56
Event: Vendor Notified
Date: 2025-10-15 19:30:48
Event: Disclosed
Date: 2025-10-31 14:46:56
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/491f44fc-712c-4f67-b5c2-a7396941afc1?source=cve
N/A
https://plugins.trac.wordpress.org/browser/post-smtp/tags/3.5.0/Postman/PostmanEmailLogs.php#L51
N/A
https://plugins.trac.wordpress.org/changeset/3386160/post-smtp
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/491f44fc-712c-4f67-b5c2-a7396941afc1?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/post-smtp/tags/3.5.0/Postman/PostmanEmailLogs.php#L51
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3386160/post-smtp
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:01 Nov, 2025 | 04:15
Updated At:04 Nov, 2025 | 15:41

The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity@wordfence.com
CWE ID: CWE-862
Type: Primary
Source: security@wordfence.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/post-smtp/tags/3.5.0/Postman/PostmanEmailLogs.php#L51security@wordfence.com
N/A
https://plugins.trac.wordpress.org/changeset/3386160/post-smtpsecurity@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/491f44fc-712c-4f67-b5c2-a7396941afc1?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/post-smtp/tags/3.5.0/Postman/PostmanEmailLogs.php#L51
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3386160/post-smtp
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/491f44fc-712c-4f67-b5c2-a7396941afc1?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

361Records found

CVE-2024-7950
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-1.20% / 64.35%
||
7 Day CHG~0.00%
Published-04 Sep, 2024 | 02:33
Updated-08 Apr, 2026 | 17:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Job Portal <= 2.1.6 - Missing Authorization to Unauthenticated Local File Inclusion, Arbitrary Settings Update, and User Creation

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Local File Inclusion, Arbitrary Settings Update, and User Creation in all versions up to, and including, 2.1.6 via several functions called by the 'checkFormRequest' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Attackers can also update arbitrary settings and create user accounts even when registration is disabled, leading to user creation with a default role of Administrator.

Action-Not Available
Vendor-WP Job Portal
Product-wp_job_portalWP Job Portal – AI-Powered Recruitment System for Company or Job Board websitewp_job_portal
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-862
Missing Authorization
CVE-2024-8289
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-1.26% / 65.89%
||
7 Day CHG~0.00%
Published-04 Sep, 2024 | 08:30
Updated-08 Apr, 2026 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.0 - Missing Authorization to Limited Vendor Privilege Escalation/Account Takeover

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to privilege escalation/de-escalation and account takeover due to an insufficient capability check on the update_item_permissions_check and create_item_permissions_check functions in all versions up to, and including, 4.2.0. This makes it possible for unauthenticated attackers to change the password of any user with the vendor role, create new users with the vendor role, and demote other users like administrators to the vendor role.

Action-Not Available
Vendor-multivendorxwcmpmultivendorx
Product-multivendorxMultiVendorX – WooCommerce Multivendor Marketplace Solutionsmultivendorx
CWE ID-CWE-862
Missing Authorization
CVE-2024-6805
Matching Score-4
Assigner-National Instruments
ShareView Details
Matching Score-4
Assigner-National Instruments
CVSS Score-7.5||HIGH
EPSS-0.95% / 57.03%
||
7 Day CHG~0.00%
Published-22 Jul, 2024 | 21:00
Updated-17 Sep, 2024 | 14:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization Checks in NI VeriStand Gateway for File Transfer Resources

The NI VeriStand Gateway is missing authorization checks when an actor attempts to access File Transfer resources. These missing checks may result in information disclosure or remote code execution. This affects NI VeriStand 2024 Q2 and prior versions.

Action-Not Available
Vendor-niNIni
Product-veristandVeriStandveristand
CWE ID-CWE-862
Missing Authorization
CVE-2024-6806
Matching Score-4
Assigner-National Instruments
ShareView Details
Matching Score-4
Assigner-National Instruments
CVSS Score-9.8||CRITICAL
EPSS-1.02% / 59.14%
||
7 Day CHG~0.00%
Published-22 Jul, 2024 | 21:03
Updated-17 Sep, 2024 | 14:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization Checks In NI VeriStand Gateway For Project Resources

The NI VeriStand Gateway is missing authorization checks when an actor attempts to access Project resources. These missing checks may result in remote code execution. This affects NI VeriStand 2024 Q2 and prior versions.

Action-Not Available
Vendor-niNIni
Product-veristandVeriStandveristand
CWE ID-CWE-862
Missing Authorization
CVE-2024-6328
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.67% / 47.47%
||
7 Day CHG~0.00%
Published-12 Jul, 2024 | 10:59
Updated-08 Apr, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MStore API – Create Native Android & iOS Apps On The Cloud <= 4.14.7 - Authentication Bypass

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the 'phone' parameter of the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address or phone number. Additionally, if a new email address is supplied, a new user account is created with the default role, even if registration is disabled.

Action-Not Available
Vendor-inspireuiinspireuifluxbuilder
Product-mstore_apiMStore API – Create Native Android & iOS Apps On The Cloudmstore_api
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-862
Missing Authorization
CVE-2022-3320
Matching Score-4
Assigner-Cloudflare, Inc.
ShareView Details
Matching Score-4
Assigner-Cloudflare, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.38% / 29.81%
||
7 Day CHG~0.00%
Published-28 Oct, 2022 | 09:30
Updated-05 May, 2025 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bypassing Cloudflare Zero Trust policies using warp-cli set-custom-endpoint command

It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint' subcommand. Using this command with an unreachable endpoint caused the WARP Client to disconnect and allowed bypassing administrative restrictions on a Zero Trust enrolled endpoint.

Action-Not Available
Vendor-Cloudflare, Inc.
Product-warpWARP
CWE ID-CWE-862
Missing Authorization
CVE-2024-56273
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 30.55%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 10:49
Updated-11 May, 2026 | 22:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPvivid Backup plugin <= 0.9.106 - Broken Access Control vulnerability

Missing Authorization vulnerability in wpvividplugins WPvivid Backup and Migration wpvivid-backuprestore allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPvivid Backup and Migration: from n/a through <= 0.9.106.

Action-Not Available
Vendor-wpvividwpvividplugins
Product-migration\,_backup\,_stagingWPvivid Backup and Migration
CWE ID-CWE-862
Missing Authorization
CVE-2024-56066
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.65% / 46.69%
||
7 Day CHG+0.01%
Published-31 Dec, 2024 | 13:20
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Agency Toolkit plugin <= 1.0.23 - Privilege Escalation vulnerability

Missing Authorization vulnerability in inspry Agency Toolkit agency-toolkit allows Privilege Escalation.This issue affects Agency Toolkit: from n/a through <= 1.0.23.

Action-Not Available
Vendor-inspry
Product-Agency Toolkit
CWE ID-CWE-862
Missing Authorization
CVE-2024-53805
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.56% / 42.74%
||
7 Day CHG+0.01%
Published-06 Dec, 2024 | 13:05
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Mailster plugin <= 1.8.16.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in brandtoss WP Mailster wp-mailster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Mailster: from n/a through <= 1.8.16.0.

Action-Not Available
Vendor-wpmailsterbrandtossmailster
Product-wp_mailsterWP Mailstermailster
CWE ID-CWE-862
Missing Authorization
CVE-2022-29906
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.22% / 64.92%
||
7 Day CHG~0.00%
Published-29 Apr, 2022 | 03:42
Updated-03 Aug, 2024 | 06:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-53298
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 36.13%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 13:51
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.1, contains a missing authorization vulnerability in the NFS export. An unauthenticated attacker with remote access could potentially exploit this vulnerability leading to unauthorized filesystem access. The attacker may be able to read, modify, and delete arbitrary files. This vulnerability is considered critical as it can be leveraged to fully compromise the system. Dell recommends customers to upgrade at the earliest opportunity.

Action-Not Available
Vendor-Dell Inc.
Product-powerscale_onefsPowerScale OneFS
CWE ID-CWE-862
Missing Authorization
CVE-2024-53591
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.54% / 41.53%
||
7 Day CHG~0.00%
Published-18 Apr, 2025 | 00:00
Updated-23 Jun, 2025 | 19:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in the login page of Seclore v3.27.5.0 allows attackers to bypass authentication via a brute force attack.

Action-Not Available
Vendor-secloren/a
Product-secloren/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-52480
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.36% / 27.57%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 13:10
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Jobify plugin < 4.3.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Astoundify Jobify jobify.This issue affects Jobify: from n/a through < 4.3.0.

Action-Not Available
Vendor-astoundifyAstoundifyastoundify
Product-jobifyJobifyjobify-job_board
CWE ID-CWE-862
Missing Authorization
CVE-2024-52382
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.95% / 57.07%
||
7 Day CHG~0.00%
Published-14 Nov, 2024 | 17:38
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Matix Popup Builder plugin <= 1.0.0 - Arbitrary Option Update to Privilege Escalation vulnerability

Missing Authorization vulnerability in medmatech Matix Popup Builder medma-matix allows Privilege Escalation.This issue affects Matix Popup Builder: from n/a through <= 1.0.0.

Action-Not Available
Vendor-medmatechmedmatechnologies
Product-Matix Popup Buildermatix_popup_builder
CWE ID-CWE-862
Missing Authorization
CVE-2022-28993
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.58% / 72.48%
||
7 Day CHG~0.00%
Published-20 May, 2022 | 12:53
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multi Store Inventory Management System v1.0 allows attackers to perform an account takeover via a crafted POST request.

Action-Not Available
Vendor-bdtaskn/a
Product-multi_store_inventory_management_systemn/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-50475
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-1.22% / 64.99%
||
7 Day CHG~0.00%
Published-29 Oct, 2024 | 08:39
Updated-12 May, 2026 | 23:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Signup Page plugin <= 1.0 - Arbitrary Option Update to Privilege Escalation vulnerability

Missing Authorization vulnerability in Scott Gamon Signup Page signup-page allows Privilege Escalation.This issue affects Signup Page: from n/a through <= 1.0.

Action-Not Available
Vendor-Scott Gamonscott_gamon
Product-Signup Pagesignup_page
CWE ID-CWE-862
Missing Authorization
CVE-2024-50476
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-1.22% / 64.99%
||
7 Day CHG~0.00%
Published-29 Oct, 2024 | 08:38
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GRÜN spendino Spendenformular plugin <= 1.0.1 - Arbitrary Option Update to Privilege Escalation vulnerability

Missing Authorization vulnerability in GRÜN Software Group GmbH GRÜN spendino Spendenformular spendino allows Privilege Escalation.This issue affects GRÜN spendino Spendenformular: from n/a through <= 1.0.1.

Action-Not Available
Vendor-GRÜN Software Group GmbHgrun_software_group
Product-GRÜN spendino Spendenformularspendino_spendenformular
CWE ID-CWE-862
Missing Authorization
CVE-2024-50459
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 31.97%
||
7 Day CHG~0.00%
Published-29 Oct, 2024 | 16:36
Updated-12 May, 2026 | 23:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AidWP plugin <= 3.2.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Hossni Mubarak AidWP wp-stripe-donation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AidWP: from n/a through <= 3.2.3.

Action-Not Available
Vendor-hmpluginHossni Mubarakhmplugin
Product-aidwpAidWPaccept_stripe_donation_-_aidwp
CWE ID-CWE-862
Missing Authorization
CVE-2024-50500
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 33.07%
||
7 Day CHG+0.02%
Published-03 Feb, 2025 | 14:23
Updated-11 May, 2026 | 23:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Phlox Core Elements plugin <= 2.17.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.4.

Action-Not Available
Vendor-Depicter (Averta)
Product-shortcodes_and_extra_features_for_phlox_themeShortcodes and extra features for Phlox theme
CWE ID-CWE-862
Missing Authorization
CVE-2024-48073
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.19% / 64.20%
||
7 Day CHG~0.00%
Published-08 Nov, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

sunniwell HT3300 before 1.0.0.B022.2 is vulnerable to Insecure Permissions. The /usr/local/bin/update program, which is responsible for updating the software in the HT3300 device, is given the execution mode of sudo NOPASSWD. This program is vulnerable to a command injection vulnerability, which could allow an attacker to pass commands to this program via command line arguments to gain elevated root privileges.

Action-Not Available
Vendor-n/asunniwell
Product-n/aht3300_firmware
CWE ID-CWE-862
Missing Authorization
CVE-2024-48538
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.55% / 41.96%
||
7 Day CHG~0.00%
Published-24 Oct, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in the firmware update and download processes of Neye3C v4.5.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.

Action-Not Available
Vendor-n/anetdvr
Product-n/aneye3c
CWE ID-CWE-862
Missing Authorization
CVE-2024-47308
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-1.70% / 74.34%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Templately plugin <= 3.1.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPDeveloper Templately templately.This issue affects Templately: from n/a through <= 3.1.2.

Action-Not Available
Vendor-TemplatelyWPDeveloper
Product-templatelyTemplatelytemplately
CWE ID-CWE-862
Missing Authorization
CVE-2024-47302
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.39% / 30.47%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-11 May, 2026 | 21:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Fluent Support plugin <= 1.8.0 - Broken Access Control on Email Verification vulnerability

Missing Authorization vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fluent Support: from n/a through <= 1.8.0.

Action-Not Available
Vendor-wpmanageninjaShahjahan Jewelwpmanageninja
Product-fluent_supportFluent Supportfluent_support
CWE ID-CWE-862
Missing Authorization
CVE-2024-47358
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 32.30%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Popup Maker plugin <= 1.19.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Daniel Iser Popup Maker popup-maker.This issue affects Popup Maker: from n/a through <= 1.19.2.

Action-Not Available
Vendor-code-atlanticDaniel Isercode-atlantic
Product-popup_makerPopup Makerpopup_maker
CWE ID-CWE-862
Missing Authorization
CVE-2024-47321
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.40% / 32.35%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Datepicker plugin <= 2.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Fahad Mahmood WP Datepicker wp-datepicker.This issue affects WP Datepicker: from n/a through <= 2.1.1.

Action-Not Available
Vendor-androidbubblesFahad Mahmoodandroidbubbles
Product-wp_datepickerWP Datepickerwp_datepicker
CWE ID-CWE-862
Missing Authorization
CVE-2024-45307
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.30% / 21.62%
||
7 Day CHG~0.00%
Published-03 Sep, 2024 | 19:01
Updated-07 Sep, 2024 | 01:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SudoBot missing authorization check in `-config` command

SudoBot, a Discord moderation bot, is vulnerable to privilege escalation and exploit of the `-config` command in versions prior to 9.26.7. Anyone is theoretically able to update any configuration of the bot and potentially gain control over the bot's settings. Every version of v9 before v9.26.7 is affected. Other versions (e.g. v8) are not affected. Users should upgrade to version 9.26.7 to receive a patch. A workaround would be to create a command permission overwrite in the Database. A SQL statement provided in the GitHub Security Advisor can be executed to create a overwrite that disallows users without `ManageGuild` permission to run the `-config` command. Run the SQL statement for every server the bot is in, and replace `<guild_id>` with the appropriate Guild ID each time.

Action-Not Available
Vendor-onesoftnetonesoft-sudo
Product-sudobotsudobot
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-285
Improper Authorization
CVE-2024-45493
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.44% / 35.23%
||
7 Day CHG~0.00%
Published-10 Dec, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MSA FieldServer Gateway 5.0.0 through 6.5.2 (Fixed in 7.0.0). The FieldServer Gateway has internal users, whose access is supposed to be restricted to login locally on the device. However, an attacker can bypass the check for this, which might allow them to authenticate with an internal user account from the network (if they know their password).

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-43974
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.51% / 39.63%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ReviveNews theme <= 1.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in CozyThemes ReviveNews allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects ReviveNews: from n/a through 1.0.2.

Action-Not Available
Vendor-cozythemesCozyThemescozythemes
Product-revivenewsReviveNewsrevivenews
CWE ID-CWE-862
Missing Authorization
CVE-2024-4428
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-6.9||MEDIUM
EPSS-0.49% / 38.39%
||
7 Day CHG~0.00%
Published-29 Aug, 2024 | 07:49
Updated-03 Jun, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sensetive Data Exposure in Menulux Managment Portal

Missing Authentication for Critical Function, Missing Authorization vulnerability in Menulux Information Technologies Managment Portal allows Collect Data as Provided by Users. This issue affects Managment Portal: through 21.05.2024.

Action-Not Available
Vendor-menuluxMenulux Information Technologiesmenulux
Product-managment_portalManagment Portalmanagement_portal
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-862
Missing Authorization
CVE-2024-43929
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 34.35%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JobSearch WP Job Board WordPress Plugin plugin <= 2.5.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in eyecix JobSearch allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JobSearch: from n/a through 2.5.4.

Action-Not Available
Vendor-eyecixeyecixeyecix
Product-jobsearch_wp_job_boardJobSearchjobsearch_wp_job_board
CWE ID-CWE-862
Missing Authorization
CVE-2024-43956
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 34.35%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MemberPress plugin <= 1.11.34 - Broken Access Control vulnerability

Missing Authorization vulnerability in Caseproof, LLC Memberpress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Memberpress: from n/a through 1.11.34.

Action-Not Available
Vendor-caseproofCaseproof, LLCcaseproof
Product-memberpressMemberpressmemberpress
CWE ID-CWE-862
Missing Authorization
CVE-2024-43923
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.52% / 40.33%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Timetics plugin <= 1.0.23 - Broken Access Control vulnerability

Missing Authorization vulnerability in Arraytics Timetics allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Timetics: from n/a through 1.0.23.

Action-Not Available
Vendor-arrayticsArraytics
Product-wp_timeticsTimetics
CWE ID-CWE-862
Missing Authorization
CVE-2024-43979
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.48% / 37.89%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Blockbooster theme <= 1.0.10 - Broken Access Control vulnerability

Missing Authorization vulnerability in CozyThemes Blockbooster allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Blockbooster: from n/a through 1.0.10.

Action-Not Available
Vendor-cozythemesCozyThemescozythemes
Product-blockboosterBlockboosterblockbooster
CWE ID-CWE-862
Missing Authorization
CVE-2024-44019
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.39% / 30.47%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form 7 Campaign Monitor Extension plugin <= 0.4.67 - Arbitrary File Deletion vulnerability

Missing Authorization vulnerability in Renzo Johnson Contact Form 7 Campaign Monitor Extension contact-form-7-campaign-monitor-extension.This issue affects Contact Form 7 Campaign Monitor Extension: from n/a through <= 0.4.67.

Action-Not Available
Vendor-renzojohnsonRenzo Johnsonrenzojohnson
Product-contact_form_7_campaign_monitor_extensionContact Form 7 Campaign Monitor Extensioncontact_form_7_compaign_monitor_extension
CWE ID-CWE-862
Missing Authorization
CVE-2024-43980
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.51% / 39.45%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FotaWP theme <= 1.4.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in CozyThemes Fota WP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fota WP: from n/a through 1.4.1.

Action-Not Available
Vendor-cozythemesCozyThemescozythemes
Product-fotawpFota WPfotawp
CWE ID-CWE-862
Missing Authorization
CVE-2024-43341
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.46% / 37.00%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hello Agency theme <= 1.0.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in CozyThemes Hello Agency allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Hello Agency: from n/a through 1.0.5.

Action-Not Available
Vendor-cozythemesCozyThemescozythemes
Product-hello_agencyHello Agencyhello_agency
CWE ID-CWE-862
Missing Authorization
CVE-2024-43253
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.60% / 44.58%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Smart Online Order for Clover plugin <= 1.5.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders.This issue affects Smart Online Order for Clover: from n/a through <= 1.5.6.

Action-Not Available
Vendor-zaytechZAYTECHzaytech
Product-smart_online_order_for_cloverSmart Online Order for Cloversmart_online_order_for_clover
CWE ID-CWE-862
Missing Authorization
CVE-2024-43331
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.36% / 28.49%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 11:29
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP SMS plugin <= 6.9.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in VeronaLabs WP SMS.This issue affects WP SMS: from n/a through 6.9.3.

Action-Not Available
Vendor-veronalabsVeronaLabsveronalabs
Product-wp_smsWP SMSwp_sms
CWE ID-CWE-862
Missing Authorization
CVE-2024-41730
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-9.8||CRITICAL
EPSS-75.87% / 99.47%
||
7 Day CHG~0.00%
Published-13 Aug, 2024 | 03:31
Updated-12 Sep, 2024 | 13:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authentication check in SAP BusinessObjects Business Intelligence Platform

In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.

Action-Not Available
Vendor-SAP SE
Product-business_objects_business_intelligence_platformSAP BusinessObjects Business Intelligence Platformsap_business_objects_business_intgelligence_platform
CWE ID-CWE-862
Missing Authorization
CVE-2021-27573
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-14.19% / 96.14%
||
7 Day CHG~0.00%
Published-07 May, 2021 | 16:32
Updated-03 Aug, 2024 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Emote Remote Mouse through 4.0.0.0. Remote unauthenticated users can execute arbitrary code via crafted UDP packets with no prior authorization or authentication.

Action-Not Available
Vendor-remotemousen/a
Product-emote_remote_mousen/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-39650
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.3||HIGH
EPSS-0.44% / 35.38%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce PDF Vouchers plugin < 4.9.5 - Unauthenticated Multiple Vulnerabilities

Missing Authorization vulnerability in WPWeb Elite WooCommerce PDF Vouchers allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WooCommerce PDF Vouchers: from n/a through 4.9.4.

Action-Not Available
Vendor-WPWeb Elite
Product-woocommerce_pdf_vouchersWooCommerce PDF Voucherswoocommerce_pdf_vouchers
CWE ID-CWE-862
Missing Authorization
CVE-2024-38748
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.52% / 40.33%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EleForms plugin <= 2.9.9.9 - Broken Access Control vulnerability

Access Control vulnerability in TheInnovs EleForms allows . This issue affects EleForms: from n/a through 2.9.9.9.

Action-Not Available
Vendor-theinnovsTheInnovsthelnnovs
Product-eleformsEleFormseleforms
CWE ID-CWE-862
Missing Authorization
CVE-2019-15932
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.33% / 81.44%
||
7 Day CHG~0.00%
Published-12 Dec, 2019 | 13:39
Updated-05 Aug, 2024 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Intesync Solismed 3.3sp has Incorrect Access Control.

Action-Not Available
Vendor-intesyncn/a
Product-solismedn/a
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-13547
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-3.30% / 87.01%
||
7 Day CHG~0.00%
Published-31 Oct, 2019 | 20:59
Updated-04 Aug, 2024 | 23:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. There is an unsecured function that allows anyone who can access the IP address to use the function without authentication.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-wise-paas\/rmmAdvantech WISE-PaaS/RMM
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-59828
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.34% / 26.09%
||
7 Day CHG~0.00%
Published-24 Sep, 2025 | 19:30
Updated-26 Nov, 2025 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions

Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be executed prior to the user accepting the risks of working in an untrusted directory. Users running Yarn Classic were unaffected by this issue. This issue has been fixed in version 1.0.39. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.

Action-Not Available
Vendor-anthropicanthropics
Product-claude_codeclaude-code
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CWE ID-CWE-862
Missing Authorization
CVE-2024-37463
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.44% / 35.63%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CRM Perks Forms plugin <= 1.1.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in CRM Perks CRM Perks Forms allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects CRM Perks Forms: from n/a through 1.1.5.

Action-Not Available
Vendor-crmperksCRM Perkscrmperks
Product-crm_perks_formsCRM Perks Formscrm_perks_forms
CWE ID-CWE-862
Missing Authorization
CVE-2024-37119
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.53% / 41.02%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Uncanny Automator Pro plugin < 5.3.0.1 - Unauthenticated License Settings Reset vulnerability

Missing Authorization vulnerability in Uncanny Owl Uncanny Automator Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Automator Pro: from n/a through 5.3.0.0.

Action-Not Available
Vendor-Uncanny Owl Inc.
Product-uncanny_automatorUncanny Automator Prouncanny_automator
CWE ID-CWE-862
Missing Authorization
CVE-2024-37444
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.53% / 41.02%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Defender plugin <= 4.7.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Defender Security defender-security.This issue affects Defender Security: from n/a through <= 4.7.1.

Action-Not Available
Vendor-WPMU DEV - Your All-in-One WordPress PlatformIncsub, LLC
Product-defenderDefender Securitydefender_security
CWE ID-CWE-862
Missing Authorization
CVE-2024-37470
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.2||HIGH
EPSS-0.49% / 38.41%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Woffice Core plugin <= 5.4.8 - Unauthenticated Broken Access Control vulnerability

Missing Authorization vulnerability in WofficeIO Woffice Core allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Woffice Core: from n/a through 5.4.8.

Action-Not Available
Vendor-xtendifyWofficeIOwofficeio
Product-wofficeWoffice Corewoffice_core
CWE ID-CWE-862
Missing Authorization
CVE-2024-36246
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.55% / 41.78%
||
7 Day CHG~0.00%
Published-31 May, 2024 | 06:11
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization vulnerability exists in Unifier and Unifier Cast. If this vulnerability is exploited, arbitrary code may be executed with LocalSystem privilege. As a result, a malicious program may be installed, data may be altered or deleted.

Action-Not Available
Vendor-Yokogawa Rental & Lease Corporationyokogawa_rental_lease_corporation
Product-UnifierUnifier Castunifierunifier_cast
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 7
  • 8
  • Next
Details not found