Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-14079

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-05 Feb, 2026 | 09:13
Updated At-05 Feb, 2026 | 14:49
Rejected At-
Credits

ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:05 Feb, 2026 | 09:13
Updated At:05 Feb, 2026 | 14:49
Rejected At:
▼CVE Numbering Authority (CNA)
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action.

Affected Products
Vendor
elextensions
Product
ELEX WordPress HelpDesk & Customer Ticketing System
Default Status
unaffected
Versions
Affected
  • From * through 3.3.5 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Itthidej Aramsri
Timeline
EventDate
Vendor Notified2025-12-04 23:05:24
Disclosed2026-02-04 20:43:43
Event: Vendor Notified
Date: 2025-12-04 23:05:24
Event: Disclosed
Date: 2026-02-04 20:43:43
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/6fd3ea16-4706-4573-b905-93dff434968d?source=cve
N/A
https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.4/includes/class-crm-ajax-functions-one.php#L15
N/A
https://plugins.trac.wordpress.org/changeset/3449609/
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/6fd3ea16-4706-4573-b905-93dff434968d?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.4/includes/class-crm-ajax-functions-one.php#L15
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3449609/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:05 Feb, 2026 | 10:16
Updated At:05 Feb, 2026 | 14:57

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity@wordfence.com
CWE ID: CWE-862
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.4/includes/class-crm-ajax-functions-one.php#L15security@wordfence.com
N/A
https://plugins.trac.wordpress.org/changeset/3449609/security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/6fd3ea16-4706-4573-b905-93dff434968d?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.4/includes/class-crm-ajax-functions-one.php#L15
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3449609/
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/6fd3ea16-4706-4573-b905-93dff434968d?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

657Records found
CVE-2025-10054
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.60%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 12:28
Updated-26 Nov, 2025 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Role Removal

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role.

Action-Not Available
Vendor-elulaelextensions
Product-wsdeskELEX WordPress HelpDesk & Customer Ticketing System
CWE ID-CWE-862
Missing Authorization
CVE-2024-12171
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.21% / 43.03%
||
7 Day CHG~0.00%
Published-01 Feb, 2025 | 03:21
Updated-24 Feb, 2025 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.2.6 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'eh_crm_agent_add_user' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts.

Action-Not Available
Vendor-elulaelextensions
Product-wsdeskELEX WordPress HelpDesk & Customer Ticketing System
CWE ID-CWE-862
Missing Authorization
CVE-2025-12751
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.65%
||
7 Day CHG~0.00%
Published-19 Nov, 2025 | 05:45
Updated-19 Nov, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WSChat – WordPress Live Chat <= 3.1.6 - Missing Authorization to Authenticated (Subscriber+) Settings Reset

The WSChat – WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.

Action-Not Available
Vendor-elextensions
Product-WSChat – WordPress Live Chat
CWE ID-CWE-862
Missing Authorization
CVE-2025-12085
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.65%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 05:32
Updated-03 Dec, 2025 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Trash Empty

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to empty the ticket trash.

Action-Not Available
Vendor-elulaelextensions
Product-wsdeskELEX WordPress HelpDesk & Customer Ticketing System
CWE ID-CWE-862
Missing Authorization
CVE-2024-12266
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.30% / 52.93%
||
7 Day CHG~0.00%
Published-24 Dec, 2024 | 04:22
Updated-24 Dec, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ELEX WooCommerce Dynamic Pricing and Discounts <= 2.1.7 - Missing Authorization

The ELEX WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the elex_dp_export_rules() and elex_dp_import_rules() functions in all versions up to, and including, 2.1.7. This makes it possible for unauthenticated attackers to import and export product rules along with obtaining phpinfo() data

Action-Not Available
Vendor-elextensions
Product-ELEX WooCommerce Dynamic Pricing and Discounts
CWE ID-CWE-862
Missing Authorization
CVE-2025-12023
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.65%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 05:32
Updated-03 Dec, 2025 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Ticket Restore

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_restore_data() function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore tickets.

Action-Not Available
Vendor-elulaelextensions
Product-wsdeskELEX WordPress HelpDesk & Customer Ticketing System
CWE ID-CWE-862
Missing Authorization
CVE-2025-12169
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.65%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 05:32
Updated-03 Dec, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.0 - Missing Authorization to Authenitcated (Subscriber+) to Scheduled Trigger Deletion

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option.

Action-Not Available
Vendor-elulaelextensions
Product-wsdeskELEX WordPress HelpDesk & Customer Ticketing System
CWE ID-CWE-862
Missing Authorization
CVE-2025-12022
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.65%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 05:32
Updated-03 Dec, 2025 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Trash Restore

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_restore_trash' AJAX endpoint in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore all deleted tickets.

Action-Not Available
Vendor-elulaelextensions
Product-wsdeskELEX WordPress HelpDesk & Customer Ticketing System
CWE ID-CWE-862
Missing Authorization
CVE-2024-4858
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 41.33%
||
7 Day CHG~0.00%
Published-25 May, 2024 | 02:50
Updated-04 Apr, 2025 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Testimonial Carousel For Elementor <= 10.2.0 - Missing Authorization to Limited Setting Update

The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_testimonials_option_callback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated attackers to update the OpenAI API key, disabling the feature.

Action-Not Available
Vendor-uappuappuapp_group
Product-testimonial_carousel_for_elementorTestimonial Carousel For Elementortestimonial_carousel_for_elementor
CWE ID-CWE-862
Missing Authorization
CVE-2024-50421
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.07% / 21.91%
||
7 Day CHG~0.00%
Published-29 Oct, 2024 | 21:34
Updated-01 Nov, 2024 | 12:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PDF Invoices & Packing Slips for WooCommerce plugin <= 3.8.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce PDF Invoices & Packing Slips: from n/a through 3.8.6.

Action-Not Available
Vendor-WP Overnightwpovernight
Product-WooCommerce PDF Invoices & Packing Slipswoocommerce_pdf_invoices\&_packing_slips
CWE ID-CWE-862
Missing Authorization
CVE-2024-47302
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.42% / 61.49%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-19 Nov, 2024 | 17:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Fluent Support plugin <= 1.8.0 - Broken Access Control on Email Verification vulnerability

Missing Authorization vulnerability in WPManageNinja LLC Fluent Support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fluent Support: from n/a through 1.8.0.

Action-Not Available
Vendor-wpmanageninjaWPManageNinja LLCwpmanageninja
Product-fluent_supportFluent Supportfluent_support
CWE ID-CWE-862
Missing Authorization
CVE-2022-38367
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.78% / 73.24%
||
7 Day CHG~0.00%
Published-05 Sep, 2022 | 17:30
Updated-03 Aug, 2024 | 10:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Netic User Export add-on before 2.0.6 for Atlassian Jira does not perform authorization checks. This might allow an unauthenticated user to export all users from Jira by making an HTTP request to the affected endpoint.

Action-Not Available
Vendor-neticn/a
Product-user_export_for_jiran/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-47311
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.46% / 63.83%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-19 Nov, 2024 | 17:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Wheel of Life plugin <= 1.1.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Kraft Plugins Wheel of Life allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wheel of Life: from n/a through 1.1.8.

Action-Not Available
Vendor-kraftpluginsKraft Pluginskraftplugins
Product-wheel_of_lifeWheel of Lifewheel_of_life
CWE ID-CWE-862
Missing Authorization
CVE-2024-49694
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.13% / 32.77%
||
7 Day CHG+0.04%
Published-31 Dec, 2024 | 13:55
Updated-31 Dec, 2024 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress My Wp Brand – Hide menu & Hide Plugin plugin <= 1.1.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in imw3 My Wp Brand – Hide menu & Hide Plugin.This issue affects My Wp Brand – Hide menu & Hide Plugin: from n/a through 1.1.2.

Action-Not Available
Vendor-imw3
Product-My Wp Brand – Hide menu & Hide Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-43277
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.99%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-05 Nov, 2024 | 21:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress UsersWP plugin <= 1.2.15 - Broken Access Control vulnerability

Missing Authorization vulnerability in AyeCode Ltd UsersWP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UsersWP: from n/a through 1.2.15.

Action-Not Available
Vendor-AyeCode Ltdayecode
Product-UsersWPuserswp
CWE ID-CWE-862
Missing Authorization
CVE-2024-43219
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.99%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-05 Nov, 2024 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Persian WooCommerce plugin <= 7.1.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in ووکامرس فارسی Persian WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Persian WooCommerce: from n/a through 7.1.6.

Action-Not Available
Vendor-ووکامرس فارسیWooCommerce
Product-Persian WooCommercepersian-woocommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-43323
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 56.44%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-19 Nov, 2024 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ReviewX plugin <= 1.6.28 - Broken Access Control vulnerability

Missing Authorization vulnerability in ReviewX ReviewX allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ReviewX: from n/a through 1.6.28.

Action-Not Available
Vendor-WPDeveloperReviewX
Product-reviewxReviewXreviewx
CWE ID-CWE-862
Missing Authorization
CVE-2026-24530
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 10.67%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 14:28
Updated-28 Jan, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WebP Conversion plugin <= 2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WebP Conversion: from n/a through <= 2.1.

Action-Not Available
Vendor-sheepfish
Product-WebP Conversion
CWE ID-CWE-862
Missing Authorization
CVE-2023-30488
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 40.89%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-09 Dec, 2024 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Featured Post Creative plugin <= 1.2.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Featured Post Creative allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Post Creative: from n/a through 1.2.7.

Action-Not Available
Vendor-WP OnlineSupport, Essential Pluginessentialplugin
Product-Featured Post Creativefeatured_post_creative
CWE ID-CWE-862
Missing Authorization
CVE-2022-3489
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.14% / 34.18%
||
7 Day CHG~0.00%
Published-07 Nov, 2022 | 00:00
Updated-01 May, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Hide <= 0.0.2 - Unauthenticated Settings Update

The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request

Action-Not Available
Vendor-webergeUnknown
Product-wp_hideWp-Hide
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2024-47358
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.59% / 68.54%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-12 Nov, 2024 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Popup Maker plugin <= 1.19.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Popup Maker allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Popup Maker: from n/a through 1.19.2.

Action-Not Available
Vendor-code-atlanticPopup Makercode-atlantic
Product-popup_makerPopup Makerpopup_maker
CWE ID-CWE-862
Missing Authorization
CVE-2024-37926
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.99%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Accessibility Helper (WAH) plugin <= 0.6.2.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH) allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.9.

Action-Not Available
Vendor-Alex Volkovvolkov
Product-WP Accessibility Helper (WAH)wp_accessibility_helper
CWE ID-CWE-862
Missing Authorization
CVE-2024-37463
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 56.44%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-07 Feb, 2025 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CRM Perks Forms plugin <= 1.1.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in CRM Perks CRM Perks Forms allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects CRM Perks Forms: from n/a through 1.1.5.

Action-Not Available
Vendor-crmperksCRM Perkscrmperks
Product-crm_perks_formsCRM Perks Formscrm_perks_forms
CWE ID-CWE-862
Missing Authorization
CVE-2026-24525
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 10.67%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 14:28
Updated-28 Jan, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CLP Varnish Cache plugin <= 1.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in CloudPanel CLP Varnish Cache clp-varnish-cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CLP Varnish Cache: from n/a through <= 1.0.2.

Action-Not Available
Vendor-CloudPanel
Product-CLP Varnish Cache
CWE ID-CWE-862
Missing Authorization
CVE-2024-37468
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 36.86%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Newsmatic theme <= 1.3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in blazethemes Newsmatic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newsmatic: from n/a through 1.3.1.

Action-Not Available
Vendor-blazethemesblazethemes
Product-Newsmaticnewsmatic
CWE ID-CWE-862
Missing Authorization
CVE-2024-37456
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.99%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple Newsletter Plugin – Noptin plugin <= 3.4.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Noptin Newsletter Noptin allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Noptin: from n/a through 3.4.2.

Action-Not Available
Vendor-Noptin Newsletternoptin
Product-Noptinnoptin
CWE ID-CWE-862
Missing Authorization
CVE-2024-37506
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.99%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Donation Forms by Charitable plugin <= 1.8.1.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Charitable Donations & Fundraising Team Charitable allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Charitable: from n/a through 1.8.1.7.

Action-Not Available
Vendor-WP Charitable LLC.
Product-Charitablecharitable
CWE ID-CWE-862
Missing Authorization
CVE-2024-35665
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.99%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 14:10
Updated-02 Aug, 2024 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Insert Post Ads plugin <= 1.3.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in namithjawahar Insert Post Ads.This issue affects Insert Post Ads: from n/a through 1.3.2.

Action-Not Available
Vendor-namithjawaharnamithjawahar
Product-Insert Post Adsinsert_post_ads
CWE ID-CWE-862
Missing Authorization
CVE-2024-35729
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.30% / 53.12%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 07:44
Updated-09 Aug, 2024 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Tickera – WordPress Event Ticketing plugin <= 3.5.2.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Tickera.This issue affects Tickera: from n/a through 3.5.2.6.

Action-Not Available
Vendor-tickeraTickeratickera
Product-tickeraTickeratickera
CWE ID-CWE-862
Missing Authorization
CVE-2024-35692
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.14% / 33.98%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 09:21
Updated-02 Aug, 2024 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GDPR/CCPA Cookie Consent Banner plugin <= 3.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Termly Cookie Consent.This issue affects Cookie Consent: from n/a through 3.2.

Action-Not Available
Vendor-termlyTermlytermly
Product-gdpr_cookie_consent_bannerCookie Consentgdpr_cookie_consent_banner
CWE ID-CWE-862
Missing Authorization
CVE-2024-34799
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 35.02%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 16:35
Updated-20 Mar, 2025 | 11:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BookingPress plugin <= 1.0.82 - Appointment Duration Manipulation vulnerability

Missing Authorization vulnerability in Repute Infosystems BookingPress.This issue affects BookingPress: from n/a through 1.0.82.

Action-Not Available
Vendor-reputeinfosystemsRepute Infosystems
Product-bookingpressBookingPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-34768
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 42.67%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 16:42
Updated-02 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Fastly plugin <= 1.2.25 - Broken Access Control vulnerability

Missing Authorization vulnerability in Fastly.This issue affects Fastly: from n/a through 1.2.25.

Action-Not Available
Vendor-Fastly
Product-Fastly
CWE ID-CWE-862
Missing Authorization
CVE-2024-44038
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.59% / 68.54%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-19 Nov, 2024 | 17:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sunshine Photo Cart plugin <= 3.2.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through 3.2.9.

Action-Not Available
Vendor-sunshinephotocartWP Sunshinesunshinephotocart
Product-sunshine_photo_cartSunshine Photo Cartsunshine_photo_cart
CWE ID-CWE-862
Missing Authorization
CVE-2026-1310
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 19.50%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 06:43
Updated-29 Jan, 2026 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple calendar for Elementor <= 1.6.6 - Missing Authorization to Unauthenticated Arbitrary Calendar Entry Deletion

The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_editor_cal_delete` AJAX action with both authenticated and unauthenticated access enabled. This makes it possible for unauthenticated attackers to delete arbitrary calendar entries by sending a request with a valid nonce and the calendar entry ID.

Action-Not Available
Vendor-migaweb
Product-Simple calendar for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2026-1944
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 15.83%
||
7 Day CHG~0.00%
Published-14 Feb, 2026 | 06:42
Updated-14 Feb, 2026 | 07:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CallbackKiller service widget <= 1.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update

The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settings via the 'cbk_save_v1' AJAX action.

Action-Not Available
Vendor-krellbat
Product-CallbackKiller service widget
CWE ID-CWE-862
Missing Authorization
CVE-2026-1303
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 6.86%
||
7 Day CHG~0.00%
Published-14 Feb, 2026 | 06:42
Updated-14 Feb, 2026 | 07:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MailChimp Campaigns <= 3.2.4 - Missing Authorization to Authenticated (Subscriber+) MailChimp App Disconnection

The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.2.4. This is due to missing capability checks on the `mailchimp_campaigns_manager_disconnect_app` function that is hooked to the AJAX action of the same name. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from its MailChimp synchronization app, disrupting automated email campaigns and marketing integrations.

Action-Not Available
Vendor-matthieuscarset
Product-MailChimp Campaigns
CWE ID-CWE-862
Missing Authorization
CVE-2024-43331
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.54% / 67.21%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 11:29
Updated-19 Mar, 2025 | 18:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP SMS plugin <= 6.9.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in VeronaLabs WP SMS.This issue affects WP SMS: from n/a through 6.9.3.

Action-Not Available
Vendor-veronalabsVeronaLabsveronalabs
Product-wp_smsWP SMSwp_sms
CWE ID-CWE-862
Missing Authorization
CVE-2026-1833
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 8.23%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 08:26
Updated-11 Feb, 2026 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WaMate Confirm <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Phone Number Blocking/Unblocking

The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to block and unblock phone numbers, which should be restricted to administrators.

Action-Not Available
Vendor-sm_rasmy
Product-WaMate Confirm – Order Confirmation
CWE ID-CWE-862
Missing Authorization
CVE-2024-33920
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.08% / 22.63%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 08:30
Updated-02 Aug, 2024 | 02:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Democracy Poll plugin <= 6.0.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Kama Democracy Poll.This issue affects Democracy Poll: from n/a through 6.0.3.

Action-Not Available
Vendor-Kama
Product-Democracy Poll
CWE ID-CWE-862
Missing Authorization
CVE-2024-43120
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.99%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-05 Nov, 2024 | 21:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress TypeSquare Webfonts plugin <= 2.0.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in XSERVER Inc. TypeSquare Webfonts allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects TypeSquare Webfonts: from n/a through 2.0.7.

Action-Not Available
Vendor-XSERVER Inc.gmo
Product-TypeSquare Webfontstypesquare_webfonts_for_conoha
CWE ID-CWE-862
Missing Authorization
CVE-2024-33545
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 49.06%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 12:10
Updated-01 Nov, 2024 | 14:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WZone plugin <= 14.0.10 - Unauthenticated Broken Access Control vulnerability

Missing Authorization vulnerability in AA-Team WZone.This issue affects WZone: from n/a through 14.0.10.

Action-Not Available
Vendor-aa-teamAA-Team
Product-wzoneWZone
CWE ID-CWE-862
Missing Authorization
CVE-2026-0820
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 10.74%
||
7 Day CHG~0.00%
Published-17 Jan, 2026 | 03:24
Updated-26 Jan, 2026 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RepairBuddy <= 4.1116 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes.

Action-Not Available
Vendor-sweetdaisy86
Product-RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-32802
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 42.67%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 09:38
Updated-02 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Better Messages plugin <= 2.4.32 - Broken Authentication vulnerability

Missing Authorization vulnerability in WordPlus BP Better Messages allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects BP Better Messages: from n/a through 2.4.32.

Action-Not Available
Vendor-WordPlus
Product-BP Better Messages
CWE ID-CWE-862
Missing Authorization
CVE-2024-33596
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.99%
||
7 Day CHG~0.00%
Published-29 Apr, 2024 | 08:27
Updated-02 Aug, 2024 | 02:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Five Star Restaurant Reservations plugin <= 2.6.16 - Broken Access Control vulnerability

Missing Authorization vulnerability in Five Star Plugins Five Star Restaurant Reservations.This issue affects Five Star Restaurant Reservations: from n/a through 2.6.16.

Action-Not Available
Vendor-Five Star Pluginsfivestarplugins
Product-Five Star Restaurant Reservationsfive_star_restaurant_reservations
CWE ID-CWE-862
Missing Authorization
CVE-2024-32799
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 49.06%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 12:50
Updated-05 Feb, 2025 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Property Listings plugin <= 3.5.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Merv Barrett Easy Property Listings.This issue affects Easy Property Listings: from n/a through 3.5.3.

Action-Not Available
Vendor-realestateconnectedMerv Barrettrealestateconnected
Product-easy_property_listingsEasy Property Listingseasy_property_listings
CWE ID-CWE-862
Missing Authorization
CVE-2024-33587
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.15% / 35.84%
||
7 Day CHG~0.00%
Published-29 Apr, 2024 | 12:40
Updated-02 Aug, 2024 | 02:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Secure Copy Content Protection and Content Locking plugin <= 3.9.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Copy Content Protection Team Secure Copy Content Protection and Content Locking.This issue affects Secure Copy Content Protection and Content Locking: from n/a through 3.9.0.

Action-Not Available
Vendor-AYS Pro Extensions
Product-Secure Copy Content Protection and Content Lockingsecure_copy_content_protection_and_content_locking
CWE ID-CWE-862
Missing Authorization
CVE-2024-32715
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 28.39%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 16:53
Updated-29 May, 2025 | 20:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Olive One Click Demo Import plugin <= 1.1.1 - Arbitrary File Download vulnerability

Missing Authorization vulnerability in Olive Themes Olive One Click Demo Import.This issue affects Olive One Click Demo Import: from n/a through 1.1.1.

Action-Not Available
Vendor-olivethemesOlive Themesolivethemes
Product-olive_one_click_demo_importOlive One Click Demo Importolive_one_click_demo_import
CWE ID-CWE-862
Missing Authorization
CVE-2024-32727
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.13% / 33.12%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 15:02
Updated-02 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RomethemeForm For Elementor plugin <= 1.1.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Rometheme RomethemeForm For Elementor.This issue affects RomethemeForm For Elementor: from n/a through 1.1.2.

Action-Not Available
Vendor-Romethemerometheme
Product-RomethemeForm For Elementorromethemeform_for_elementor
CWE ID-CWE-862
Missing Authorization
CVE-2024-32678
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.08% / 24.36%
||
7 Day CHG~0.00%
Published-24 Apr, 2024 | 15:21
Updated-02 Aug, 2024 | 02:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress TrackShip for WooCommerce plugin <= 1.7.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in TrackShip TrackShip for WooCommerce.This issue affects TrackShip for WooCommerce: from n/a through 1.7.5.

Action-Not Available
Vendor-TrackShip
Product-TrackShip for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-31274
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 40.31%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 11:18
Updated-01 Nov, 2024 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EmbedPress plugin <= 3.9.11 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPDeveloper EmbedPress.This issue affects EmbedPress: from n/a through 3.9.11.

Action-Not Available
Vendor-WPDeveloper
Product-embedpressEmbedPressembedpress
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 13
  • 14
  • Next
Details not found