Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-11985

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-21 Nov, 2025 | 07:31
Updated At-21 Nov, 2025 | 14:56
Rejected At-
Credits

Realty Portal <= 0.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings' function in versions 0.1 to 0.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:21 Nov, 2025 | 07:31
Updated At:21 Nov, 2025 | 14:56
Rejected At:
â–¼CVE Numbering Authority (CNA)
Realty Portal <= 0.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings' function in versions 0.1 to 0.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affected Products
Vendor
nootheme
Product
Realty Portal
Default Status
unaffected
Versions
Affected
  • From 0.1 through 0.4.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Kenneth Dunn
Timeline
EventDate
Disclosed2025-11-20 19:23:24
Event: Disclosed
Date: 2025-11-20 19:23:24
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/e8263908-95b3-4b72-a9de-a982618eba2c?source=cve
N/A
https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/property/process/ajax-save-property-setting.php#L189
N/A
https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/property/process/ajax-save-property-setting.php#L198
N/A
https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/functions/enqueue.php#L224
N/A
https://cwe.mitre.org/data/definitions/862.html
N/A
https://developer.wordpress.org/reference/functions/current_user_can/
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/e8263908-95b3-4b72-a9de-a982618eba2c?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/property/process/ajax-save-property-setting.php#L189
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/property/process/ajax-save-property-setting.php#L198
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/functions/enqueue.php#L224
Resource: N/A
Hyperlink: https://cwe.mitre.org/data/definitions/862.html
Resource: N/A
Hyperlink: https://developer.wordpress.org/reference/functions/current_user_can/
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:21 Nov, 2025 | 08:15
Updated At:21 Nov, 2025 | 15:13

The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings' function in versions 0.1 to 0.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity@wordfence.com
CWE ID: CWE-862
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://cwe.mitre.org/data/definitions/862.htmlsecurity@wordfence.com
N/A
https://developer.wordpress.org/reference/functions/current_user_can/security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/functions/enqueue.php#L224security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/property/process/ajax-save-property-setting.php#L189security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/property/process/ajax-save-property-setting.php#L198security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/e8263908-95b3-4b72-a9de-a982618eba2c?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://cwe.mitre.org/data/definitions/862.html
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://developer.wordpress.org/reference/functions/current_user_can/
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/functions/enqueue.php#L224
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/property/process/ajax-save-property-setting.php#L189
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/property/process/ajax-save-property-setting.php#L198
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/e8263908-95b3-4b72-a9de-a982618eba2c?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

549Records found
CVE-2022-41790
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 36.68%
||
7 Day CHG~0.00%
Published-17 Jan, 2024 | 18:13
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Time Slots Booking Form Plugin <= 1.1.76 is vulnerable to Broken Access Control

Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.This issue affects WP Time Slots Booking Form: from n/a through 1.1.76.

Action-Not Available
Vendor-CodePeople
Product-wp_time_slots_booking_formWP Time Slots Booking Form
CWE ID-CWE-862
Missing Authorization
CVE-2024-50455
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 27.09%
||
7 Day CHG~0.00%
Published-29 Oct, 2024 | 21:03
Updated-12 May, 2026 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SEOPress plugin <= 8.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Benjamin Denis SEOPress wp-seopress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEOPress: from n/a through <= 8.1.1.

Action-Not Available
Vendor-seopressBenjamin Denis
Product-seopressSEOPress
CWE ID-CWE-862
Missing Authorization
CVE-2022-40203
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.3||MEDIUM
EPSS-0.40% / 32.09%
||
7 Day CHG~0.00%
Published-17 Jan, 2024 | 16:08
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Advanced Dynamic Pricing for WooCommerce Plugin <= 4.1.5 is vulnerable to Broken Access Control

Missing Authorization vulnerability in AlgolPlus Advanced Dynamic Pricing for WooCommerce.This issue affects Advanced Dynamic Pricing for WooCommerce: from n/a through 4.1.5.

Action-Not Available
Vendor-AlgolPlus
Product-advanced_dynamic_pricing_for_woocommerceAdvanced Dynamic Pricing for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-26368
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.53% / 40.44%
||
7 Day CHG~0.00%
Published-15 Feb, 2026 | 15:29
Updated-28 Feb, 2026 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JUNG eNet SMART HOME server 2.2.1/2.3.1 Account Takeover via resetUserPassword

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without supplying the current password or having sufficient privileges. By sending a crafted JSON-RPC request to /jsonrpc/management, an attacker can overwrite existing credentials, resulting in direct account takeover with full administrative access and persistent privilege escalation.

Action-Not Available
Vendor-jung-groupJUNG
Product-enet_smart_homeeNet SMART HOME server
CWE ID-CWE-862
Missing Authorization
CVE-2026-26358
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-8.8||HIGH
EPSS-0.37% / 28.36%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 08:47
Updated-26 Feb, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Unisphere for PowerMax, version(s) 10.2, contain(s) a Missing Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.

Action-Not Available
Vendor-Dell Inc.
Product-unisphere_for_powermaxPowerMaxUnisphere for PowerMax
CWE ID-CWE-862
Missing Authorization
CVE-2021-22149
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-8.8||HIGH
EPSS-0.92% / 55.69%
||
7 Day CHG~0.00%
Published-15 Sep, 2021 | 11:44
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users.

Action-Not Available
Vendor-Elasticsearch BV
Product-enterprise_searchElastic Enterprise Search
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CWE ID-CWE-862
Missing Authorization
CVE-2024-50456
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.29% / 20.51%
||
7 Day CHG~0.00%
Published-29 Oct, 2024 | 21:00
Updated-12 May, 2026 | 23:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SEOPress plugin <= 8.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Benjamin Denis SEOPress wp-seopress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEOPress: from n/a through <= 8.1.1.

Action-Not Available
Vendor-seopressBenjamin Denis
Product-seopressSEOPress
CWE ID-CWE-862
Missing Authorization
CVE-2026-25538
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.39% / 30.86%
||
7 Day CHG~0.00%
Published-04 Feb, 2026 | 21:37
Updated-11 Feb, 2026 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Devtron Attributes API Unauthorized Access Leading to API Token Signing Key Leakage

Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26.

Action-Not Available
Vendor-devtrondevtron-labs
Product-devtrondevtron
CWE ID-CWE-862
Missing Authorization
CVE-2022-3911
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.46% / 36.44%
||
7 Day CHG~0.00%
Published-02 Jan, 2023 | 21:49
Updated-10 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
iubenda < 3.3.3 - Subscriber+ Privileges Escalation to Admin

The iubenda WordPress plugin before 3.3.3 does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as edit_plugins etc

Action-Not Available
Vendor-iubendaUnknown
Product-iubenda-cookie-law-solutioniubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2021-44233
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.80% / 51.81%
||
7 Day CHG~0.00%
Published-14 Dec, 2021 | 15:44
Updated-04 Aug, 2024 | 04:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP GRC Access Control - versions V1100_700, V1100_731, V1200_750, does not perform necessary authorization checks for an authenticated user, which could lead to escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-access_controlSAP GRC Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2026-25131
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.33% / 24.07%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 01:55
Updated-25 Feb, 2026 | 20:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenEMR has Broken Access Control in Procedures Configuration

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order types management system, allowing low-privilege users (such as Receptionist) to add and modify procedure types without proper authorization. This vulnerability is present in the /openemr/interface/orders/types_edit.php endpoint. Version 8.0.0 contains a patch.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr
CWE ID-CWE-862
Missing Authorization
CVE-2019-1003006
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-1.55% / 71.84%
||
7 Day CHG~0.00%
Published-06 Feb, 2019 | 16:00
Updated-16 Sep, 2024 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Action-Not Available
Vendor-Jenkins
Product-groovyJenkins Groovy Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2026-25045
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.29% / 20.66%
||
7 Day CHG~0.00%
Published-09 Mar, 2026 | 20:11
Updated-13 Mar, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Budibase Critical Privilege Escalation & IDOR via Missing RBAC on User Role Management (Creator-Role)

Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who should have no permissions to manage users or organizational roles, can instead promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or modify the Owner’s account details and all orders (e.g., change name). This is because the API accepts these actions without validating the requesting role, a Creator can replay Owner-only requests using their own session tokens. This leads to full tenant compromise.

Action-Not Available
Vendor-budibaseBudibase
Product-budibasebudibase
CWE ID-CWE-862
Missing Authorization
CVE-2024-50417
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-1.92% / 77.20%
||
7 Day CHG~0.00%
Published-19 Nov, 2024 | 16:30
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Bold Page Builder plugin <= 5.1.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in boldthemes Bold Page Builder bold-page-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bold Page Builder: from n/a through <= 5.1.3.

Action-Not Available
Vendor-BoldThemes
Product-bold_page_builderBold Page Builder
CWE ID-CWE-862
Missing Authorization
CVE-2022-36352
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.3||MEDIUM
EPSS-0.39% / 30.73%
||
7 Day CHG~0.00%
Published-08 Jan, 2024 | 21:50
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ProfileGrid Plugin <= 5.0.3 is vulnerable to Broken Access Control

Missing Authorization vulnerability in Profilegrid ProfileGrid – User Profiles, Memberships, Groups and Communities.This issue affects ProfileGrid – User Profiles, Memberships, Groups and Communities: from n/a through 5.0.3.

Action-Not Available
Vendor-Metagauss Inc.
Product-profilegridProfileGrid – User Profiles, Memberships, Groups and Communities
CWE ID-CWE-862
Missing Authorization
CVE-2026-22765
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-8.8||HIGH
EPSS-0.40% / 31.19%
||
7 Day CHG~0.00%
Published-24 Feb, 2026 | 19:24
Updated-20 Mar, 2026 | 19:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Wyse Management Suite, versions prior to WMS 5.5, contain a Missing Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of Privileges.

Action-Not Available
Vendor-Dell Inc.
Product-Wyse Management Suite
CWE ID-CWE-862
Missing Authorization
CVE-2026-22481
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 8.17%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:52
Updated-28 Apr, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BD Courier Order Ratio Checker plugin <= 2.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1.

Action-Not Available
Vendor-Rasedul Haque Rumi
Product-BD Courier Order Ratio Checker
CWE ID-CWE-862
Missing Authorization
CVE-2026-22472
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 8.17%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:52
Updated-28 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Form Builder plugin <= 3.9.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Form Builder: from n/a through <= 3.9.6.

Action-Not Available
Vendor-hassantafreshi
Product-Easy Form Builder
CWE ID-CWE-862
Missing Authorization
CVE-2026-22683
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.68% / 47.41%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 16:50
Updated-25 May, 2026 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0.

Action-Not Available
Vendor-windmillWindmill LabsNextcloud GmbH
Product-windmillflowWindmill CE (Community Edition)Windmill EE (Enterprise Edition)
CWE ID-CWE-862
Missing Authorization
CVE-2022-34344
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.46% / 36.35%
||
7 Day CHG~0.00%
Published-08 Jan, 2024 | 21:13
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Wholesale Suite Plugin <= 2.1.5 is vulnerable to Broken Access Control

Missing Authorization vulnerability in Rymera Web Co Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More.This issue affects Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More: from n/a through 2.1.5.

Action-Not Available
Vendor-rymeraRymera Web Co
Product-wholesale_suiteWholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More
CWE ID-CWE-862
Missing Authorization
CVE-2022-3512
Matching Score-4
Assigner-Cloudflare, Inc.
ShareView Details
Matching Score-4
Assigner-Cloudflare, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.39% / 30.95%
||
7 Day CHG~0.00%
Published-28 Oct, 2022 | 09:22
Updated-06 May, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lock WARP switch bypass using warp-cli 'add-trusted-ssid' command

Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint.

Action-Not Available
Vendor-Cloudflare, Inc.
Product-warpWARP
CWE ID-CWE-862
Missing Authorization
CVE-2026-21668
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.8||HIGH
EPSS-0.51% / 39.31%
||
7 Day CHG~0.00%
Published-12 Mar, 2026 | 15:09
Updated-10 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository.

Action-Not Available
Vendor-Veeam Software Group GmbH
Product-veeam_backup_\&_replicationBackup and Replication
CWE ID-CWE-693
Protection Mechanism Failure
CWE ID-CWE-862
Missing Authorization
CVE-2026-2001
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.38% / 29.34%
||
7 Day CHG~0.00%
Published-16 Feb, 2026 | 19:24
Updated-08 Apr, 2026 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WowRevenue <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible.

Action-Not Available
Vendor-wpxpo
Product-WowRevenue – Product Bundles & Bulk Discounts
CWE ID-CWE-862
Missing Authorization
CVE-2026-1499
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.94% / 56.26%
||
7 Day CHG~0.00%
Published-06 Feb, 2026 | 08:25
Updated-14 Apr, 2026 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action

The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution.

Action-Not Available
Vendor-revmakx
Product-WP Duplicate – WordPress Migration Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2020-12138
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-3.32% / 87.01%
||
7 Day CHG~0.00%
Published-27 Apr, 2020 | 14:31
Updated-04 Aug, 2024 | 11:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of several driver routines that map physical memory into the virtual address space of the calling process. This could enable low-privileged users to achieve NT AUTHORITY\SYSTEM privileges via a DeviceIoControl call associated with MmMapIoSpace, IoAllocateMdl, MmBuildMdlForNonPagedPool, or MmMapLockedPages.

Action-Not Available
Vendor-n/aAdvanced Micro Devices, Inc.
Product-atillk64n/a
CWE ID-CWE-862
Missing Authorization
CVE-2026-1720
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.28% / 19.15%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 13:24
Updated-22 Apr, 2026 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation <= 1.4.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install_and_active_plugin' function in all versions up to, and including, 1.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins.

Action-Not Available
Vendor-wpxpo
Product-WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation
CWE ID-CWE-862
Missing Authorization
CVE-2026-1104
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.27% / 17.75%
||
7 Day CHG~0.00%
Published-12 Feb, 2026 | 14:25
Updated-08 Apr, 2026 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FastDup – Fastest WordPress Migration & Duplicator <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files.

Action-Not Available
Vendor-NinjaTeam
Product-FastDup – Fastest WordPress Migration & Duplicator
CWE ID-CWE-862
Missing Authorization
CVE-2022-31765
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-8.8||HIGH
EPSS-0.88% / 54.21%
||
7 Day CHG~0.00%
Published-11 Oct, 2022 | 00:00
Updated-14 Apr, 2026 | 09:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected devices do not properly authorize the change password function of the web interface. This could allow low privileged users to escalate their privileges.

Action-Not Available
Vendor-Siemens AG
Product-6gk5748-1gd00-0ab0_firmware6gk5786-1fc00-0aa0_firmware6gk5786-2fe00-0ab0_firmware6gk5788-1gd00-0ab0_firmware6gk5788-2fc00-0aa0_firmware6gk5788-2gd00-0ta06gk5213-3bb00-2ab2_firmware6gk5208-0ua00-5es66gk5416-4gr00-2am26gk5205-3bb00-2tb2_firmware6gk5205-3bb00-2ab26gk5213-3bd00-2tb2_firmware6gk5786-2fc00-0ac0_firmware6gk5786-2fe00-0aa06gk5208-0ga00-2tc26gk5788-2hy01-0aa0_firmware6gk5328-4fs00-2rr3_firmware6gk5788-2hy01-0aa06gk5774-1fx00-0aa06ag1206-2bs00-7ac2_firmware6gk5856-2ea00-3da16gk5206-2gs00-2ac26gk5738-1gy00-0ab06gk5622-2gs00-2ac26gk5526-8gr00-2ar2_firmware6gk5786-2hc00-0aa0_firmware6gk5552-0aa00-2ar2_firmware6gk5642-2gs00-2ac26gk5328-4ss00-3ar3_firmware6gk5206-2gs00-2tc26gk5748-1gy01-0aa0_firmware6gk5324-0ba00-3ar36gk5216-0ha00-2as6_firmware6gk5328-4fs00-3ar36gk5788-2fc00-0ac0_firmware6gk5774-1fx00-0ab06gk5786-1fc00-0ab06gk5416-4gr00-2am2_firmware6gk5328-4ss00-3ar36gk5812-1aa00-2aa2_firmware6gk5804-0ap00-2aa26gk5748-1gd00-0aa06gk5774-1fx00-0ab0_firmware6gk5766-1ge00-7ta0_firmware6gk5224-4gs00-2fc2_firmware6gk5324-0ba00-3ar3_firmware6gk5552-0aa00-2hr26gk5788-2gd00-0ab06gk5216-0ha00-2ts66gk5766-1ge00-3db0_firmware6gk5788-1fc00-0aa06gk5216-3rs00-2ac26gk5408-4gq00-2am26gk5761-1fc00-0ab0_firmware6gk5208-0ba00-2ac2_firmware6gk5826-2ab00-2ab2_firmware6gk5408-4gp00-2am26gk5761-1fc00-0ab06gk5761-1fc00-0aa0_firmware6gk5208-0ga00-2fc2_firmware6gk5408-8gs00-2am26gk5328-4fs00-3ar3_firmware6gk5766-1ge00-7da0_firmware6gk5552-0aa00-2ar26gk5876-4aa00-2da2_firmware6gk5786-2fc00-0ac06gk5788-2gy01-0aa0_firmware6gk5216-0ba00-2fc26gk5788-1gy01-0aa06gk5876-3aa02-2ba2_firmware6gk5524-8gs00-3ar2_firmware6gk5876-3aa02-2ba26gk5722-1fc00-0ab06gk5206-2rs00-2ac26gk5205-3bf00-2ab2_firmware6gk5528-0ar00-2hr2_firmware6gk5734-1fx00-0aa06gk5788-1fc00-0aa0_firmware6gk5208-0ba00-2fc26gk5722-1fc00-0aa06gk5205-3bd00-2ab26gk5876-3aa02-2ea2_firmware6gk5778-1gy00-0aa06gk5206-2gs00-2fc2_firmware6gk5324-0ba00-2ar3_firmware6gk5734-1fx00-0aa6_firmware6gk5326-2qs00-3rr3_firmware6gk5526-8gr00-3ar26gk5766-1je00-3da06gk5778-1gy00-0tb0_firmware6gk5763-1al00-3aa0_firmware6gk5766-1ge00-7tb06gk5763-1al00-3da0_firmware6gk5204-0ba00-2yf2_firmware6gk5224-4gs00-2fc26gk5208-0ha00-2ts6_firmware6gk5786-1fc00-0ab0_firmware6gk5208-0ra00-2ac2_firmware6gk5528-0ar00-2ar2_firmware6gk5216-0ha00-2es66gk5206-2rs00-2ac2_firmware6gk5812-1aa00-2aa26gk5524-8gr00-2ar26gk5774-1fx00-0aa0_firmware6gk5326-2qs00-3ar3_firmware6gk5816-1ba00-2aa26gk5774-1fy00-0tb0_firmware6gk5786-2fe00-0aa0_firmware6gk5206-2rs00-5fc26gk5642-2gs00-2ac2_firmware6gk5816-1aa00-2aa26gk5788-1fc00-0ab0_firmware6gk5853-2ea00-2da1_firmware6gk5632-2gs00-2ac2_firmware6gk5224-4gs00-2ac2_firmware6gk5778-1gy00-0aa0_firmware6gk5206-2bb00-2ac2_firmware6gk5208-0ba00-2ab2_firmware6gk5748-1fc00-0aa0_firmware6gk5748-1gy01-0ta06gk5216-0ba00-2ab26gk5206-2rs00-5ac2_firmware6gk5208-0ba00-2fc2_firmware6gk5788-2gd00-0aa0_firmware6gk5778-1gy00-0ab0_firmware6gk5326-2qs00-3rr36gk5408-8gs00-2am2_firmware6gk5876-4aa00-2ba26gk5205-3bd00-2tb26gk5774-1fy00-0ta0_firmware6gk5224-4gs00-2tc26gk5216-0ua00-5es66gk5721-1fc00-0ab06gk5528-0aa00-2ar26gk5788-2fc00-0ab0_firmware6gk5408-4gq00-2am2_firmware6gk5208-0ga00-2ac26gk5208-0ba00-2ab26gk5216-4bs00-2ac26gk5774-1fx00-0ab6_firmware6gk5204-2aa00-2gf26gk5766-1je00-7da0_firmware6gk5213-3bd00-2ab26gk5748-1gy01-0ta0_firmware6gk5876-4aa00-2ba2_firmware6gk5786-2fc00-0aa06gk5528-0ar00-2ar26gk5804-0ap00-2aa2_firmware6gk5206-2gs00-2ac2_firmware6gk5646-2gs00-2ac26gk5216-0ha00-2es6_firmware6gk5786-2fc00-0ab0_firmware6gk5208-0ra00-2ac26gk5205-3bb00-2ab2_firmware6gk5748-1fc00-0ab0_firmware6gk5853-2ea00-2da16gk5788-2gd00-0aa06gk5208-0ha00-2as6_firmware6gk5748-1fc00-0aa06gk5208-0ga00-2fc26gk5216-0ba00-2tb2_firmware6gk5216-3rs00-5ac26gk5208-0ga00-2tc2_firmware6gk5208-0ba00-2tb26gk5761-1fc00-0aa06gk5788-2fc00-0ac06gk5216-4bs00-2ac2_firmware6gk5774-1fx00-0aa6_firmware6gk5208-0ga00-2ac2_firmware6gk5206-2bs00-2ac26gk5208-0ra00-5ac26gk5778-1gy00-0tb06gk5216-0ba00-2ac26gk5774-1fx00-0ab66gk5204-0ba00-2gf26gk5721-1fc00-0aa06gk5812-1ba00-2aa2_firmware6gk5526-8gs00-4ar2_firmware6gk5552-0aa00-2hr2_firmware6gk5408-8gr00-2am2_firmware6ag1216-4bs00-7ac26gk5216-4gs00-2ac2_firmware6gk5722-1fc00-0ac06gk5778-1gy00-0ta06gk5216-4gs00-2ac26ag1216-4bs00-7ac2_firmware6gk6108-4am00-2da26gk5526-8gs00-3ar26gk5524-8gr00-4ar26gk5786-2hc00-0ab06gk5874-2aa00-2aa2_firmware6gk5208-0ba00-2tb2_firmware6gk5216-4gs00-2fc2_firmware6gk5224-4gs00-2tc2_firmware6gk5766-1ge00-7db0_firmware6gk5524-8gr00-3ar2_firmware6gk5774-1fy00-0ta06gk5763-1al00-7da0_firmware6gk5766-1ge00-7db06gk5788-1gd00-0ab06gk5526-8gr00-3ar2_firmware6gk5524-8gs00-2ar26gk5213-3bd00-2tb26gk5748-1gd00-0aa0_firmware6gk5856-2ea00-3aa16gk5328-4fs00-3rr3_firmware6gk5204-2aa00-2yf26gk5528-0ar00-2hr26gk5786-2fc00-0aa0_firmware6gk5524-8gr00-2ar2_firmware6gk5721-1fc00-0aa0_firmware6gk5204-2aa00-2yf2_firmware6gk5788-2gd00-0tc0_firmware6gk5816-1ba00-2aa2_firmware6gk5524-8gr00-4ar2_firmware6gk5812-1ba00-2aa26gk5766-1je00-7da06gk5416-4gs00-2am26gk5721-1fc00-0ab0_firmware6gk5408-4gp00-2am2_firmware6gk5526-8gs00-2ar26gk5208-0ha00-2es66gk5216-0ha00-2as66gk5774-1fx00-0aa66gk5524-8gs00-2ar2_firmware6gk5528-0aa00-2hr2_firmware6gk5528-0aa00-2hr26gk5216-0ha00-2ts6_firmware6gk5206-2bb00-2ac26gk5216-0ba00-2fc2_firmware6gk5786-2hc00-0aa06gk5524-8gs00-4ar26gk5763-1al00-7da06gk5205-3bf00-2tb2_firmware6gk5738-1gy00-0ab0_firmware6gk5774-1fx00-0ac0_firmware6gk5734-1fx00-0ab0_firmware6gk5216-0ba00-2tb26gk5204-0ba00-2gf2_firmware6gk5786-2fc00-0ab06gk5552-0ar00-2ar2_firmware6gk5526-8gr00-2ar26gk5552-0ar00-2hr2_firmware6gk5876-4aa00-2da26gk5622-2gs00-2ac2_firmware6gk5786-2hc00-0ab0_firmware6gk5328-4ss00-2ar36gk5224-0ba00-2ac2_firmware6gk5328-4fs00-2ar36gk5216-3rs00-5ac2_firmware6gk5874-2aa00-2aa26gk5205-3bf00-2ab26gk5213-3bf00-2tb2_firmware6gk5205-3bb00-2tb26gk5206-2rs00-5fc2_firmware6gk5734-1fx00-0ab06gk5778-1gy00-0ab06gk5874-3aa00-2aa2_firmware6gk5216-4gs00-2fc26gk5788-2gy01-0ta0_firmware6gk5766-1ge00-7da06gk5213-3bb00-2tb2_firmware6gk5738-1gy00-0aa0_firmware6gk5216-0ba00-2ab2_firmware6gk5788-1gd00-0aa06gk5876-3aa02-2ea26gk5646-2gs00-2ac2_firmware6gk5788-2fc00-0aa06gk5636-2gs00-2ac2_firmware6gk5205-3bd00-2tb2_firmware6gk5766-1ge00-3da06gk5526-8gs00-4ar26gk5206-2gs00-2fc26gk5766-1ge00-3db06gk5213-3bf00-2tb26gk5328-4ss00-2ar3_firmware6ag1208-0ba00-7ac26gk5328-4fs00-3rr36gk6108-4am00-2da2_firmware6gk5788-2gy01-0ta06gk5778-1gy00-0ta0_firmware6gk5206-2gs00-2tc2_firmware6gk5856-2ea00-3da1_firmware6ag1206-2bb00-7ac2_firmware6gk5204-0ba00-2yf26gk5205-3bf00-2tb26gk5208-0ha00-2as66gk5208-0ha00-2ts66gk5788-2gd00-0tb0_firmware6gk5734-1fx00-0ab66gk5766-1je00-7ta0_firmware6gk5763-1al00-3da06gk5213-3bf00-2ab2_firmware6gk5788-2gy01-0aa06gk5766-1ge00-3da0_firmware6gk5786-2fe00-0ab06gk5766-1je00-7ta06gk5208-0ua00-5es6_firmware6gk5213-3bf00-2ab26ag1206-2bs00-7ac26gk5524-8gs00-3ar26gk5722-1fc00-0aa0_firmware6gk5738-1gy00-0aa06gk5632-2gs00-2ac26gk5324-0ba00-2ar36gk5526-8gr00-4ar26gk5206-2bs00-2ac2_firmware6gk6108-4am00-2ba2_firmware6gk5766-1ge00-7tb0_firmware6gk5748-1gy01-0aa06gk5213-3bb00-2tb26gk6108-4am00-2ba26gk5552-0ar00-2hr26gk5216-0ua00-5es6_firmware6gk5213-3bb00-2ab26gk5524-8gs00-4ar2_firmware6gk5788-2fc00-0ab06gk5526-8gs00-2ar2_firmware6gk5748-1fc00-0ab06gk5766-1ge00-7ta06gk5826-2ab00-2ab26gk5204-2aa00-2gf2_firmware6gk5552-0ar00-2ar26gk5856-2ea00-3aa1_firmware6gk5224-4gs00-2ac26gk5816-1aa00-2aa2_firmware6gk5526-8gr00-4ar2_firmware6gk5408-8gr00-2am26gk5216-4gs00-2tc2_firmware6gk5328-4fs00-2rr36gk5213-3bd00-2ab2_firmware6gk5206-2bs00-2fc2_firmware6gk5216-3rs00-2ac2_firmware6gk5734-1fx00-0aa0_firmware6gk5216-4gs00-2tc26gk5526-8gs00-3ar2_firmware6gk5524-8gr00-3ar26gk5206-2bd00-2ac2_firmware6gk5722-1fc00-0ac0_firmware6gk5788-2gd00-0tc06gk5206-2rs00-5ac26gk5734-1fx00-0ab6_firmware6gk5774-1fx00-0ac06ag1208-0ba00-7ac2_firmware6gk5788-2gd00-0ab0_firmware6ag1206-2bb00-7ac26gk5722-1fc00-0ab0_firmware6gk5208-0ba00-2ac26gk5788-2gd00-0tb06gk5788-1gd00-0aa0_firmware6gk5328-4fs00-2ar3_firmware6gk5528-0aa00-2ar2_firmware6gk5416-4gs00-2am2_firmware6gk5206-2bd00-2ac26gk5786-1fc00-0aa06gk5748-1gd00-0ab06gk5216-0ba00-2ac2_firmware6gk5208-0ha00-2es6_firmware6gk5763-1al00-3aa06gk5734-1fx00-0aa66gk5766-1je00-3da0_firmware6gk5326-2qs00-3ar36gk5788-1fc00-0ab06gk5224-0ba00-2ac26gk5205-3bd00-2ab2_firmware6gk5788-2gd00-0ta0_firmware6gk5636-2gs00-2ac26gk5206-2bs00-2fc26gk5774-1fy00-0tb06gk5208-0ra00-5ac2_firmware6gk5874-3aa00-2aa26gk5788-1gy01-0aa0_firmwareSCALANCE M876-4 (EU)SCALANCE WAM763-1SCALANCE W1748-1 M12SCALANCE XC224-4C G (EIP Def.)SCALANCE W734-1 RJ45 (USA)SCALANCE XC206-2SFP GSCALANCE XR524-8C, 24VSCALANCE XC206-2 (SC)SCALANCE XB205-3 (SC, PN)SCALANCE XC216-4CSCALANCE SC646-2CSCALANCE XC206-2G PoE (54 V DC)SCALANCE XR328-4C WG (28xGE, DC 24V)SIPLUS NET SCALANCE XC206-2SCALANCE XP216EECSCALANCE XC216EECSCALANCE XR324WG (24 x FE, AC 230V)SCALANCE XB213-3 (ST, E/IP)SCALANCE XB208 (PN)SCALANCE XR552-12M (2HR2, L3 int.)SCALANCE M826-2 SHDSL-RouterSCALANCE XR328-4C WG (24XFE, 4XGE, 24V)SCALANCE W1788-2 M12SCALANCE W786-1 RJ45SCALANCE S615 LAN-RouterSCALANCE W774-1 M12 EECSCALANCE WUM766-1 (USA)SCALANCE XP216SCALANCE W778-1 M12 EECSCALANCE XP216POE EECSCALANCE W761-1 RJ45SCALANCE W722-1 RJ45SCALANCE XP208SCALANCE W1788-2 EEC M12SCALANCE SC642-2CSCALANCE XR526-8C, 24V (L3 int.)SCALANCE XC208GSCALANCE XR328-4C WG (24xFE,4xGE,AC230V)SCALANCE XR528-6M (2HR2)SCALANCE SC632-2CSCALANCE XC224SCALANCE XM408-4C (L3 int.)SCALANCE XB213-3 (SC, PN)SIPLUS NET SCALANCE XC208SCALANCE M812-1 ADSL-RouterSCALANCE XC206-2G PoESCALANCE XR328-4C WG (24xFE, 4xGE,DC24V)SCALANCE XC208G PoE (54 V DC)SCALANCE WAM766-1 EEC (US)SCALANCE W778-1 M12 EEC (USA)SCALANCE W786-2IA RJ45SCALANCE XB213-3 (SC, E/IP)SCALANCE XR526-8C, 24VSCALANCE XC208SCALANCE XB208 (E/IP)SCALANCE XR552-12MSCALANCE XP216 (Ethernet/IP)SCALANCE XB205-3 (ST, E/IP)SCALANCE M876-3 (ROK)SCALANCE MUM853-1 (EU)SCALANCE XF204-2BASCALANCE XR326-2C PoE WGSCALANCE XR526-8C, 1x230V (L3 int.)SCALANCE W774-1 RJ45 (USA)SCALANCE XC216-3G PoE (54 V DC)SCALANCE WAM766-1 EECSCALANCE XR526-8C, 2x230VSCALANCE XC206-2SFP G (EIP DEF.)SCALANCE XR528-6M (L3 int.)SCALANCE XM408-4CSCALANCE XR526-8C, 1x230VSCALANCE XR524-8C, 24V (L3 int.)SCALANCE M874-3SCALANCE XM408-8CSCALANCE M876-4 (NAM)SCALANCE S615 EEC LAN-RouterSCALANCE W786-2 SFPSCALANCE W738-1 M12SCALANCE XC208G (EIP def.)SCALANCE XC224-4C G EECSCALANCE W1788-2IA M12SCALANCE W774-1 RJ45SCALANCE XC206-2SFP EECSCALANCE XM416-4CSCALANCE XC216-3G PoESCALANCE XR524-8C, 2x230VSCALANCE XR528-6M (2HR2, L3 int.)SCALANCE XB205-3LD (SC, E/IP)SCALANCE XC216-4C G EECSCALANCE WUM766-1SCALANCE XC216-4C GSCALANCE XB213-3LD (SC, E/IP)SCALANCE W721-1 RJ45SCALANCE XR326-2C PoE WG (without UL)SCALANCE XR324WG (24 X FE, DC 24V)SCALANCE W748-1 RJ45SCALANCE W788-2 RJ45SCALANCE XR524-8C, 1x230VSCALANCE XR524-8C, 1x230V (L3 int.)SCALANCE MUM856-1 (EU)SCALANCE XC206-2SFP G EECSCALANCE M874-2SCALANCE W734-1 RJ45SCALANCE W748-1 M12SCALANCE XF204-2BA DNASCALANCE XB213-3LD (SC, PN)SCALANCE XC224-4C GSCALANCE XR526-8C, 2x230V (L3 int.)SCALANCE XP208EECSCALANCE XF204 DNASCALANCE XR528-6MSCALANCE WAM766-1SCALANCE W788-1 RJ45SCALANCE M816-1 ADSL-RouterSCALANCE W1788-1 M12SCALANCE W786-2 RJ45SCALANCE XP208 (Ethernet/IP)RUGGEDCOM RM1224 LTE(4G) EUSCALANCE XB205-3 (ST, PN)SCALANCE XB216 (E/IP)SCALANCE XC208G PoESCALANCE XC216-4C G (EIP Def.)SCALANCE W788-2 M12SCALANCE WAM766-1 (US)SCALANCE XC206-2 (ST/BFOC)SCALANCE XP208PoE EECSCALANCE XR524-8C, 2x230V (L3 int.)SCALANCE M804PBSCALANCE W788-1 M12SCALANCE XC206-2G PoE EEC (54 V DC)SCALANCE M876-3SCALANCE XR552-12M (2HR2)SCALANCE M876-4SCALANCE SC636-2CSCALANCE XC206-2SFPSCALANCE XM408-8C (L3 int.)SCALANCE XM416-4C (L3 int.)SCALANCE W788-2 M12 EECSCALANCE XB216 (PN)SCALANCE XC216SCALANCE XF204SIPLUS NET SCALANCE XC216-4CSCALANCE XB205-3LD (SC, PN)SCALANCE SC622-2CSCALANCE WUM763-1SCALANCE MUM856-1 (RoW)SIPLUS NET SCALANCE XC206-2SFPSCALANCE W778-1 M12SCALANCE XB213-3 (ST, PN)SCALANCE XC208EECSCALANCE XC208G EECRUGGEDCOM RM1224 LTE(4G) NAMSCALANCE XR328-4C WG (28xGE, AC 230V)
CWE ID-CWE-862
Missing Authorization
CVE-2022-31595
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-8.8||HIGH
EPSS-0.71% / 48.85%
||
7 Day CHG~0.00%
Published-14 Jun, 2022 | 18:45
Updated-03 Aug, 2024 | 07:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Financial Consolidation - version 1010,�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Action-Not Available
Vendor-SAP SE
Product-adaptive_server_enterpriseSAP Financial Consolidation
CWE ID-CWE-862
Missing Authorization
CVE-2025-8418
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.55% / 41.47%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 06:42
Updated-08 Apr, 2026 | 17:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
B Slider- Gutenberg Slider Block for WP <= 1.1.30 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Plugin Installation

The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible.

Action-Not Available
Vendor-bplugins
Product-bSlider – Create Responsive Image, Post, Product, and Video Sliders
CWE ID-CWE-862
Missing Authorization
CVE-2025-8807
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.57%
||
7 Day CHG~0.00%
Published-10 Aug, 2025 | 11:32
Updated-16 Sep, 2025 | 14:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
xujeff tianti 天梯 save authorization

A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been declared as critical. This vulnerability affects unknown code of the file /tianti-module-admin/user/ajax/save. The manipulation leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-tianti_projectxujeff
Product-tiantitianti 天梯
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-8322
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.35% / 26.50%
||
7 Day CHG~0.00%
Published-30 Jul, 2025 | 02:49
Updated-31 Jul, 2025 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ventem|e-School - Missing Authorization

The e-School from Ventem has a Missing Authorization vulnerability, allowing remote attackers with regular privilege to access administrator functions, including creating, modifying, and deleting accounts. They can even escalate any account to system administrator privilege.

Action-Not Available
Vendor-Ventem
Product-e-School
CWE ID-CWE-862
Missing Authorization
CVE-2025-8593
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.39% / 30.75%
||
7 Day CHG~0.00%
Published-11 Oct, 2025 | 09:28
Updated-08 Apr, 2026 | 17:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GSheetConnector For Gravity Forms <= 1.3.27 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to authorization bypass in versions less than, or equal to, 1.3.27. This is due to a missing capability check on the 'install_plugin' function. This makes it possible for authenticated attackers, with subscriber-level access and above to install plugins on the target site and potentially achieve arbitrary code execution on the server under certain conditions.

Action-Not Available
Vendor-westerndeal
Product-GSheetConnector for Gravity Forms – Send Gravity Forms Entries to Google Sheets in Real-Time
CWE ID-CWE-862
Missing Authorization
CVE-2025-7695
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.55% / 41.31%
||
7 Day CHG~0.00%
Published-24 Jul, 2025 | 09:22
Updated-25 Jul, 2025 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dataverse Integration 2.77 - 2.81 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via reset_password_link REST Route

The Dataverse Integration plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within its reset_password_link REST endpoint in versions 2.77 through 2.81. The endpoint’s handler accepts a client-supplied id, email, or login, looks up that user, and calls get_password_reset_key() unconditionally. Because it only checks that the caller is authenticated, and not that they own or may edit the target account, any authenticated attacker, with Subscriber-level access and above, can obtain a password reset link for an administrator and hijack that account.

Action-Not Available
Vendor-alexacrm
Product-Dataverse Integration
CWE ID-CWE-862
Missing Authorization
CVE-2025-7689
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.34% / 25.19%
||
7 Day CHG~0.00%
Published-29 Jul, 2025 | 09:23
Updated-29 Jul, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hydra Booking 1.1.0 - 1.1.18 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via tfhb_reset_password_callback Function

The Hydra Booking plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the tfhb_reset_password_callback() function in versions 1.1.0 to 1.1.18. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the password of an Administrator user, achieving full privilege escalation.

Action-Not Available
Vendor-themefic
Product-Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings
CWE ID-CWE-862
Missing Authorization
CVE-2022-30951
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.81% / 51.99%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 14:06
Updated-03 Aug, 2024 | 07:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library does not implement access control, potentially allowing users to start processes even if they're not allowed to log in.

Action-Not Available
Vendor-Jenkins
Product-wmi_windows_agentsJenkins WMI Windows Agents Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-6813
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.36% / 27.22%
||
7 Day CHG~0.00%
Published-18 Jul, 2025 | 04:23
Updated-22 Jul, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aapanel WP Toolkit 1.0 - 1.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via auto_login() Function

The aapanel WP Toolkit plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within the auto_login() function in versions 1.0 to 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass all role checks and gain full admin privileges.

Action-Not Available
Vendor-aapanel
Product-aapanel WP Toolkit
CWE ID-CWE-862
Missing Authorization
CVE-2021-4447
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.44% / 35.24%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 06:43
Updated-08 Apr, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essential Addons for Elementor <= 4.6.4 - Authenticated (Contributor+) Privilege Escalation

The Essential Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to and including 4.6.4 due to a lack of restrictions on who can add a registration form and a custom registration role to an Elementor created page. This makes it possible for attackers with access to the Elementor page builder to create a new registration form that defaults to the user role being set to administrator and subsequently register as an administrative user.

Action-Not Available
Vendor-WPDeveloper
Product-essential_addons_for_elementorEssential Addons for Elementor – Popular Elementor Templates & Widgetsessential_addons_for_elementor
CWE ID-CWE-862
Missing Authorization
CVE-2025-59017
Matching Score-4
Assigner-f4fb688c-4412-4426-b4b8-421ecf27b14a
ShareView Details
Matching Score-4
Assigner-f4fb688c-4412-4426-b4b8-421ecf27b14a
CVSS Score-5.3||MEDIUM
EPSS-0.28% / 19.10%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 09:01
Updated-10 Sep, 2025 | 13:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Broken Access Control in Backend AJAX Routes

Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.

Action-Not Available
Vendor-TYPO3 Association
Product-typo3TYPO3 CMS
CWE ID-CWE-862
Missing Authorization
CVE-2025-5894
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-8.7||HIGH
EPSS-0.54% / 40.84%
||
7 Day CHG~0.00%
Published-09 Jun, 2025 | 07:33
Updated-09 Jun, 2025 | 18:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Honding Technology Smart Parking Management System - Missing Authorization

Smart Parking Management System from Honding Technology has a Missing Authorization vulnerability, allowing remote attackers with regular privileges to access a specific functionality to create administrator accounts, and subsequently log into the system using those accounts.

Action-Not Available
Vendor-Honding Technology
Product-Smart Parking Management System
CWE ID-CWE-862
Missing Authorization
CVE-2025-5701
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-1.68% / 73.89%
||
7 Day CHG~0.00%
Published-05 Jun, 2025 | 11:15
Updated-08 Apr, 2026 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HyperComments <= 1.2.2 - Unauthenticated (Subscriber+) Arbitrary Options Update

The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Action-Not Available
Vendor-siteheart
Product-HyperComments
CWE ID-CWE-862
Missing Authorization
CVE-2025-5835
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.34% / 25.46%
||
7 Day CHG~0.00%
Published-25 Jul, 2025 | 06:43
Updated-08 Apr, 2026 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Droip <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Many Actions

The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more.

Action-Not Available
Vendor-DroipThemeum
Product-droipDroip
CWE ID-CWE-862
Missing Authorization
CVE-2024-49325
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 32.43%
||
7 Day CHG~0.00%
Published-20 Oct, 2024 | 10:40
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Photo Gallery Builder plugin <= 3.0 - Broken Access Control to Notice Dismissal vulnerability

Missing Authorization vulnerability in wpdiscover Photo Gallery Builder photo-gallery-builder allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Photo Gallery Builder: from n/a through <= 3.0.

Action-Not Available
Vendor-wpdiscoverwpdiscover
Product-photo_gallery_builderPhoto Gallery Builder
CWE ID-CWE-862
Missing Authorization
CVE-2024-48039
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 23.32%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CubeWP Framework plugin <= 1.1.15 - Broken Access Control vulnerability

Missing Authorization vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CubeWP: from n/a through <= 1.1.15.

Action-Not Available
Vendor-cubewpImran Tauqeer
Product-cubewpCubeWP
CWE ID-CWE-862
Missing Authorization
CVE-2024-47317
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 29.13%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ads by WPQuads plugin <= 2.0.84 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded.This issue affects Ads by WPQuads: from n/a through <= 2.0.84.

Action-Not Available
Vendor-wpquadsAds by WPQuads
Product-adsAds by WPQuads
CWE ID-CWE-862
Missing Authorization
CVE-2024-47362
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.40% / 31.22%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Strong Testimonials plugin <= 3.1.16 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials.This issue affects Strong Testimonials: from n/a through <= 3.1.16.

Action-Not Available
Vendor-wpchillWP Chill
Product-strong_testimonialsStrong Testimonials
CWE ID-CWE-862
Missing Authorization
CVE-2024-45760
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 24.47%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 16:17
Updated-04 Feb, 2025 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell OpenManage Server Administrator, versions 11.0.1.0 and prior, contains an improper access control vulnerability. A remote low privileged user could potentially exploit this vulnerability via the HTTP GET method leading to unauthorized action with elevated privileges.

Action-Not Available
Vendor-Dell Inc.
Product-openmanage_server_administratorDell OpenManage Server Administrator
CWE ID-CWE-862
Missing Authorization
CVE-2024-4351
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-1.02% / 58.96%
||
7 Day CHG~0.00%
Published-16 May, 2024 | 09:32
Updated-08 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutor LMS Pro <= 2.7.0 - Missing Authorization to Privilege Escalation

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to gain control of an existing administrator account.

Action-Not Available
Vendor-Themeum
Product-tutor_lmsTutor LMS Protutor_lms
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-43332
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.53% / 40.50%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Photo Engine plugin <= 6.4.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jordy Meow Photo Engine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Photo Engine: from n/a through 6.4.0.

Action-Not Available
Vendor-meowappsJordy Meow
Product-photo_enginePhoto Engine
CWE ID-CWE-862
Missing Authorization
CVE-2024-43254
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.42% / 33.18%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Smart Online Order for Clover plugin <= 1.5.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders.This issue affects Smart Online Order for Clover: from n/a through <= 1.5.6.

Action-Not Available
Vendor-zaytechZAYTECH
Product-smart_online_order_for_cloverSmart Online Order for Clover
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 10
  • 11
  • Next
Details not found