Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-1483

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-20 Feb, 2025 | 09:21
Updated At-08 Apr, 2026 | 16:34
Rejected At-
Credits

LTL Freight Quotes – GlobalTranz Edition <= 2.3.12 - Missing Authorization to Unauthenticated Settings Update

The LTL Freight Quotes – GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to update the drop shipping settings.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:20 Feb, 2025 | 09:21
Updated At:08 Apr, 2026 | 16:34
Rejected At:
▼CVE Numbering Authority (CNA)
LTL Freight Quotes – GlobalTranz Edition <= 2.3.12 - Missing Authorization to Unauthenticated Settings Update

The LTL Freight Quotes – GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to update the drop shipping settings.

Affected Products
Vendor
Eniture, LLCenituretechnology
Product
LTL Freight Quotes – GlobalTranz Edition
Default Status
unaffected
Versions
Affected
  • From 0 through 2.3.12 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Colin Xu
Timeline
EventDate
Disclosed2025-02-19 00:00:00
Event: Disclosed
Date: 2025-02-19 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/0906e9b0-5093-4ddd-8868-8fcaad8e3a5b?source=cve
N/A
https://plugins.trac.wordpress.org/changeset/3243002/
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/0906e9b0-5093-4ddd-8868-8fcaad8e3a5b?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3243002/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:20 Feb, 2025 | 10:15
Updated At:25 Feb, 2025 | 18:59

The LTL Freight Quotes – GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to update the drop shipping settings.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CPE Matches
wwexgroup
wwexgroup
>>ltl_freight_quotes>>Versions before 2.3.13(exclusive)
cpe:2.3:a:wwexgroup:ltl_freight_quotes:*:*:*:*:globaltranz:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity@wordfence.com
CWE ID: CWE-862
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/changeset/3243002/security@wordfence.com
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/0906e9b0-5093-4ddd-8868-8fcaad8e3a5b?source=cvesecurity@wordfence.com
Third Party Advisory
Hyperlink: https://plugins.trac.wordpress.org/changeset/3243002/
Source: security@wordfence.com
Resource:
Patch
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/0906e9b0-5093-4ddd-8868-8fcaad8e3a5b?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

922Records found
CVE-2025-22291
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.09% / 24.96%
||
7 Day CHG~0.00%
Published-16 Feb, 2025 | 22:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress LTL Freight Quotes – Worldwide Express Edition plugin <= 5.0.20 - Arbitrary Content Deletion vulnerability

Missing Authorization vulnerability in enituretechnology LTL Freight Quotes – Worldwide Express Edition ltl-freight-quotes-worldwide-express-edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a through <= 5.0.20.

Action-Not Available
Vendor-Eniture, LLC
Product-LTL Freight Quotes – Worldwide Express Edition
CWE ID-CWE-862
Missing Authorization
CVE-2026-3646
Matching Score-10
Assigner-Wordfence
ShareView Details
Matching Score-10
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 50.33%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 03:36
Updated-27 Apr, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LTL Freight Quotes – R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update

The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that directly processes GET parameters and updates WordPress options. This makes it possible for unauthenticated attackers to modify the plugin's subscription plan settings, effectively downgrading the store from a paid plan to the Trial Plan, changing the store type, and manipulating subscription expiration dates, potentially disabling premium features such as Dropship and Hazardous Material handling.

Action-Not Available
Vendor-Eniture, LLC
Product-LTL Freight Quotes – R+L Carriers Edition
CWE ID-CWE-862
Missing Authorization
CVE-2025-48155
Matching Score-10
Assigner-Patchstack
ShareView Details
Matching Score-10
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 45.75%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 10:36
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Residential Address Detection plugin <= 2.5.9 - Broken Access Control Vulnerability

Missing Authorization vulnerability in enituretechnology Residential Address Detection residential-address-detection allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Residential Address Detection: from n/a through <= 2.5.9.

Action-Not Available
Vendor-Eniture, LLC
Product-Residential Address Detection
CWE ID-CWE-862
Missing Authorization
CVE-2025-30916
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.95%
||
7 Day CHG~0.00%
Published-03 Apr, 2025 | 13:27
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Residential Address Detection plugin <= 2.5.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in enituretechnology Residential Address Detection residential-address-detection allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Residential Address Detection: from n/a through <= 2.5.4.

Action-Not Available
Vendor-Eniture, LLC
Product-Residential Address Detection
CWE ID-CWE-862
Missing Authorization
CVE-2025-27270
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.20% / 42.18%
||
7 Day CHG~0.00%
Published-03 Mar, 2025 | 13:30
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Residential Address Detection Plugin <= 2.5.4 - Arbitrary Option Update to Privilege Escalation vulnerability

Missing Authorization vulnerability in enituretechnology Residential Address Detection residential-address-detection allows Privilege Escalation.This issue affects Residential Address Detection: from n/a through <= 2.5.4.

Action-Not Available
Vendor-Eniture, LLC
Product-Residential Address Detection
CWE ID-CWE-862
Missing Authorization
CVE-2025-26764
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 22.49%
||
7 Day CHG~0.00%
Published-22 Feb, 2025 | 15:52
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Distance Based Shipping Calculator plugin <= 2.0.22 - Settings Change vulnerability

Missing Authorization vulnerability in enituretechnology Distance Based Shipping Calculator distance-based-shipping-calculator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Distance Based Shipping Calculator: from n/a through <= 2.0.22.

Action-Not Available
Vendor-Eniture, LLC
Product-Distance Based Shipping Calculator
CWE ID-CWE-862
Missing Authorization
CVE-2025-26960
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 26.85%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 14:17
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Small Package Quotes – Unishippers Edition plugin <= 2.4.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in enituretechnology Small Package Quotes – Unishippers Edition small-package-quotes-unishippers-edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Small Package Quotes – Unishippers Edition: from n/a through <= 2.4.9.

Action-Not Available
Vendor-Eniture, LLC
Product-Small Package Quotes – Unishippers Edition
CWE ID-CWE-862
Missing Authorization
CVE-2025-22285
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.38% / 60.03%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 13:53
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pallet Packaging for WooCommerce Plugin <= 1.1.15 - Broken Access Control vulnerability

Missing Authorization vulnerability in enituretechnology Pallet Packaging for WooCommerce pallet-packaging-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pallet Packaging for WooCommerce: from n/a through <= 1.1.15.

Action-Not Available
Vendor-Eniture, LLC
Product-Pallet Packaging for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-22289
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.08% / 23.60%
||
7 Day CHG~0.00%
Published-16 Feb, 2025 | 22:17
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress LTL Freight Quotes – Unishippers Edition plugin <= 2.5.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in enituretechnology LTL Freight Quotes – Unishippers Edition ltl-freight-quotes-unishippers-edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LTL Freight Quotes – Unishippers Edition: from n/a through <= 2.5.8.

Action-Not Available
Vendor-Eniture, LLC
Product-ltl_freight_quotesLTL Freight Quotes – Unishippers Edition
CWE ID-CWE-862
Missing Authorization
CVE-2025-22318
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.16% / 36.47%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 13:40
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Standard Box Sizes plugin <= 1.6.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in enituretechnology Standard Box Sizes – for WooCommerce standard-box-sizes.This issue affects Standard Box Sizes – for WooCommerce: from n/a through <= 1.6.13.

Action-Not Available
Vendor-Eniture, LLC
Product-Standard Box Sizes – for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-22287
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 47.61%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 17:56
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress LTL Freight Quotes – FreightQuote Edition plugin <= 2.3.11 - Broken Access Control vulnerability

Missing Authorization vulnerability in enituretechnology LTL Freight Quotes – FreightQuote Edition ltl-freight-quotes-freightquote-edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LTL Freight Quotes – FreightQuote Edition: from n/a through <= 2.3.11.

Action-Not Available
Vendor-Eniture, LLC
Product-LTL Freight Quotes – FreightQuote Edition
CWE ID-CWE-862
Missing Authorization
CVE-2025-26765
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.05% / 16.86%
||
7 Day CHG~0.00%
Published-16 Feb, 2025 | 22:17
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Distance Based Shipping Calculator plugin <= 2.0.22 - Broken Access Control vulnerability

Missing Authorization vulnerability in enituretechnology Distance Based Shipping Calculator distance-based-shipping-calculator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Distance Based Shipping Calculator: from n/a through <= 2.0.22.

Action-Not Available
Vendor-Eniture, LLC
Product-Distance Based Shipping Calculator
CWE ID-CWE-862
Missing Authorization
CVE-2025-30915
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 31.67%
||
7 Day CHG~0.00%
Published-03 Apr, 2025 | 13:27
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Small Package Quotes – Worldwide Express Edition plugin <= 5.2.19 - Broken Access Control vulnerability

Missing Authorization vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition small-package-quotes-wwe-edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through <= 5.2.19.

Action-Not Available
Vendor-Eniture, LLC
Product-Small Package Quotes – Worldwide Express Edition
CWE ID-CWE-862
Missing Authorization
CVE-2025-30887
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.49% / 65.99%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 10:55
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WpEvently Plugin <= 4.2.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in magepeopleteam WpEvently mage-eventpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpEvently: from n/a through <= 4.2.9.

Action-Not Available
Vendor-MagePeople
Product-WpEvently
CWE ID-CWE-862
Missing Authorization
CVE-2025-31836
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.51% / 66.92%
||
7 Day CHG~0.00%
Published-01 Apr, 2025 | 14:51
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Review Manager plugin <= 2.5.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in matthewrubin Review Manager review-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Review Manager: from n/a through <= 2.5.0.

Action-Not Available
Vendor-matthewrubin
Product-Review Manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-31065
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 45.75%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 15:45
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Rozario <= 1.4 - Broken Access Control Vulnerability

Missing Authorization vulnerability in themeton Rozario allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rozario: from n/a through 1.4.

Action-Not Available
Vendor-themeton
Product-Rozario
CWE ID-CWE-862
Missing Authorization
CVE-2025-31000
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 45.75%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Payment QR WooCommerce plugin <= 1.1.6 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Miguel Fuentes Payment QR WooCommerce payment-qr-woo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment QR WooCommerce: from n/a through <= 1.1.6.

Action-Not Available
Vendor-Miguel Fuentes
Product-Payment QR WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2023-4027
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 59.32%
||
7 Day CHG~0.00%
Published-17 Aug, 2024 | 07:34
Updated-08 Apr, 2026 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Radio Player <= 2.0.73 - Missing Authorization to Settings Update

The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_settings function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update plugin settings.

Action-Not Available
Vendor-softlabbdprinceahmedsoftlab
Product-radio_playerRadio Player – Live Shoutcast, Icecast and Any Audio Stream Playerradio_player
CWE ID-CWE-862
Missing Authorization
CVE-2025-31386
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.31% / 54.67%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 09:32
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple:Press plugin <= 6.11.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in simplepress Simple:Press simplepress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple:Press: from n/a through <= 6.11.5.

Action-Not Available
Vendor-simplepress
Product-Simple:Press
CWE ID-CWE-862
Missing Authorization
CVE-2025-31765
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.45% / 64.14%
||
7 Day CHG~0.00%
Published-01 Apr, 2025 | 14:51
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GDPR Cookie Notice plugin <= 1.2.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in themeqx GDPR Cookie Notice gdpr-cookie-notice allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GDPR Cookie Notice: from n/a through <= 1.2.0.

Action-Not Available
Vendor-themeqx
Product-GDPR Cookie Notice
CWE ID-CWE-862
Missing Authorization
CVE-2025-30790
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.45% / 64.14%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 10:54
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Chatbox Manager plugin <= 1.2.2 - Broken Access Control Vulnerability

Missing Authorization vulnerability in alexvtn Chatbox Manager wa-chatbox-manager allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Chatbox Manager: from n/a through <= 1.2.2.

Action-Not Available
Vendor-alexvtn
Product-Chatbox Manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-28920
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.14% / 33.16%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 21:01
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Responsive Google Map plugin <= 3.1.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jogesh Responsive Google Map responsive-google-map allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Google Map: from n/a through <= 3.1.5.

Action-Not Available
Vendor-Jogesh
Product-Responsive Google Map
CWE ID-CWE-862
Missing Authorization
CVE-2023-30521
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-1.09% / 78.29%
||
7 Day CHG~0.00%
Published-12 Apr, 2023 | 17:05
Updated-07 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

Action-Not Available
Vendor-Jenkins
Product-assembla_merge_request_builderJenkins Assembla merge request builder Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-26867
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 52.86%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 16:48
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Bulk theme <= 1.0.11 - Broken Access Control vulnerability

Missing Authorization vulnerability in Themes4WP Bulk allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bulk: from n/a through 1.0.11.

Action-Not Available
Vendor-Themes4WP
Product-Bulk
CWE ID-CWE-862
Missing Authorization
CVE-2023-49845
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 42.62%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:29
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Redirects plugin <= 1.2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in mattdeclaire Redirects redirects allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Redirects: from n/a through <= 1.2.1.

Action-Not Available
Vendor-mattdeclaireloud_dog
Product-Redirectsredirects
CWE ID-CWE-862
Missing Authorization
CVE-2025-2568
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.57% / 69.15%
||
7 Day CHG~0.00%
Published-08 Apr, 2025 | 11:11
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce 1.0.4 - 1.2.1 - Missing Authorization to Unauthenticated Limited Arbitrary Options Update

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the 'vayu_blocks_get_toggle_switch_values_callback' and 'vayu_blocks_save_toggle_switch_callback' function in versions 1.0.4 to 1.2.1. This makes it possible for unauthenticated attackers to read plugin options and update any option with a key name ending in '_value'.

Action-Not Available
Vendor-themehunk
Product-Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-24596
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 50.92%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-12 May, 2026 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Product Table Lite plugin <= 3.8.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in WC Product Table WooCommerce Product Table Lite wc-product-table-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Product Table Lite: from n/a through <= 3.8.7.

Action-Not Available
Vendor-wcproducttableWC Product Table
Product-woocommerce_product_tableWooCommerce Product Table Lite
CWE ID-CWE-862
Missing Authorization
CVE-2025-24747
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 48.50%
||
7 Day CHG~0.00%
Published-27 Jan, 2025 | 14:22
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Houzez theme <= 3.4.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in favethemes Houzez houzez.This issue affects Houzez: from n/a through <= 3.4.0.

Action-Not Available
Vendor-favethemes
Product-Houzez
CWE ID-CWE-862
Missing Authorization
CVE-2025-24633
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.14% / 33.16%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Build Private Store For Woocommerce plugin <= 1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in silverplugins217 Build Private Store For Woocommerce build-private-store-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Build Private Store For Woocommerce: from n/a through <= 1.0.

Action-Not Available
Vendor-silverplugins217
Product-Build Private Store For Woocommerce
CWE ID-CWE-862
Missing Authorization
CVE-2023-38479
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.83%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple Googlebot Visit plugin <= 1.2.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Codents Simple Googlebot Visit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Googlebot Visit: from n/a through 1.2.4.

Action-Not Available
Vendor-Codents
Product-Simple Googlebot Visit
CWE ID-CWE-862
Missing Authorization
CVE-2023-30519
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-1.15% / 78.85%
||
7 Day CHG~0.00%
Published-12 Apr, 2023 | 17:05
Updated-07 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

Action-Not Available
Vendor-Jenkins
Product-quay.io_triggerJenkins Quay.io trigger Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-3869
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 44.77%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 07:29
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wpDiscuz <= 7.6.3 - Insecure Direct Object Reference to Comment Rating Increase/Decrease

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a comment.

Action-Not Available
Vendor-gvectorsadvancedcoding
Product-wpdiscuzComments – wpDiscuz
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CVE-2023-30488
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.15% / 35.14%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Featured Post Creative plugin <= 1.2.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Featured Post Creative allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Post Creative: from n/a through 1.2.7.

Action-Not Available
Vendor-WP OnlineSupport, Essential Pluginessentialplugin
Product-Featured Post Creativefeatured_post_creative
CWE ID-CWE-862
Missing Authorization
CVE-2023-46635
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 45.86%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:00
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress YITH WooCommerce Product Add-Ons plugin <= 4.2.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YITH WooCommerce Product Add-Ons: from n/a through <= 4.2.0.

Action-Not Available
Vendor-Your Inspiration Solutions S.L.U. (YITH) (YITHEMES)
Product-YITH WooCommerce Product Add-Ons
CWE ID-CWE-862
Missing Authorization
CVE-2026-8684
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 26.39%
||
7 Day CHG~0.00%
Published-22 May, 2026 | 07:50
Updated-22 May, 2026 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MotoPress Hotel Booking <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary Booking Notes Modification via mphb_update_booking_notes AJAX Action

The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction.

Action-Not Available
Vendor-jetmonsters
Product-MotoPress Hotel Booking
CWE ID-CWE-862
Missing Authorization
CVE-2023-29173
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.15% / 35.14%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Product Category Tree plugin <= 2.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in AWESOME TOGI Product Category Tree allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Category Tree: from n/a through 2.5.

Action-Not Available
Vendor-AWESOME TOGI
Product-Product Category Treeproduct_category_tree
CWE ID-CWE-862
Missing Authorization
CVE-2025-23764
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 48.90%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 20:08
Updated-11 May, 2026 | 22:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Copy Move Posts plugin <= 1.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in ujjavaljani Copy Move Posts copy-move-posts.This issue affects Copy Move Posts: from n/a through <= 1.6.

Action-Not Available
Vendor-ujjavaljani
Product-Copy Move Posts
CWE ID-CWE-862
Missing Authorization
CVE-2023-46605
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.83%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:00
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Convertful – Your Ultimate On-Site Conversion Tool plugin <= 2.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ruslan Suhar Convertful – Your Ultimate On-Site Conversion Tool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Convertful – Your Ultimate On-Site Conversion Tool: from n/a through 2.5.

Action-Not Available
Vendor-Ruslan Suhar
Product-Convertful – Your Ultimate On-Site Conversion Tool
CWE ID-CWE-862
Missing Authorization
CVE-2023-29429
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 41.39%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress User Registration plugin <= 2.3.2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPEverest User Registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through 2.3.2.1.

Action-Not Available
Vendor-wpeverestWPEverestwpeverest
Product-user_registrationUser Registrationuser_registration
CWE ID-CWE-862
Missing Authorization
CVE-2020-10116
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 40.40%
||
7 Day CHG~0.00%
Published-17 Mar, 2020 | 14:36
Updated-04 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-862
Missing Authorization
CVE-2025-23187
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 36.72%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 00:33
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)

Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an unauthenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver and ABAP Platform (SDCCN)
CWE ID-CWE-862
Missing Authorization
CVE-2021-4359
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.60% / 69.73%
||
7 Day CHG+0.48%
Published-07 Jun, 2023 | 01:51
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager Plugin <= 18.2 - Unauthenticated Arbitrary Post Deletion

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 18.2. This is due to lacking authentication protections and lacking a security nonce on the wpfm_delete_file AJAX action. This makes it possible for unauthenticated attackers to delete any posts and pages on the site.

Action-Not Available
Vendor-najeebmedianmedia
Product-frontend_file_manager_pluginFrontend File Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2026-8681
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.02% / 5.80%
||
7 Day CHG~0.00%
Published-16 May, 2026 | 02:26
Updated-18 May, 2026 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essential Chat Support <= 1.0.1 - Missing Authorization to Unauthenticated Settings Reset via 'ecs_reset_settings' Parameter

The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to reset all plugin configuration settings — including general settings, display rules, custom CSS, and WooCommerce tab settings — to their defaults by sending a POST request with ecs_reset_settings=1.

Action-Not Available
Vendor-essentialplugin
Product-Essential Chat Support
CWE ID-CWE-862
Missing Authorization
CVE-2026-9014
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.07% / 21.59%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Promoter <= 1.3 - Missing Authorization to Unauthenticated Statistics Reset via wpp-reset_stats AJAX Action

The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3. The function is hooked to both the wp_ajax_wpp-reset_stats and wp_ajax_nopriv_wpp-reset_stats actions and contains no authentication, authorization, or nonce validation. This makes it possible for unauthenticated attackers to reset the plugin's bar and popup statistics by deleting the wpp_bar and wpp_popup options.

Action-Not Available
Vendor-rahulbhangale
Product-WP Promoter
CWE ID-CWE-862
Missing Authorization
CVE-2025-2290
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.32% / 55.79%
||
7 Day CHG~0.00%
Published-19 Mar, 2025 | 04:21
Updated-08 Apr, 2026 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LifterLMS <= 8.0.1 - Missing Authorization to Unauthenticated Post Trashing

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change status to "Trash" for every published post, therefore limiting the availability of the website's content.

Action-Not Available
Vendor-lifterlmschrisbadgett
Product-lifterlmsLifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
CWE ID-CWE-862
Missing Authorization
CVE-2023-28536
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 41.22%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Branded Social Images plugin <= 1.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Acato Branded Social Images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Branded Social Images: from n/a through 1.1.0.

Action-Not Available
Vendor-Acatoacato
Product-Branded Social Imagesbranded_social_images
CWE ID-CWE-862
Missing Authorization
CVE-2026-8382
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.08% / 23.04%
||
7 Day CHG+0.02%
Published-31 May, 2026 | 02:28
Updated-01 Jun, 2026 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced Custom Fields (ACF®) <= 6.8.1 - Unauthenticated Arbitrary Post Modification via Front-End Form '_post_title' and '_post_content' Parameters

The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.

Action-Not Available
Vendor-wpengine
Product-Advanced Custom Fields (ACF®)
CWE ID-CWE-862
Missing Authorization
CVE-2025-22686
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.68%
||
7 Day CHG~0.00%
Published-03 Feb, 2025 | 14:23
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CF7 Google Sheets Connector plugin <= 5.0.17 - Broken Access Control vulnerability

Missing Authorization vulnerability in WesternDeal CF7 Google Sheets Connector cf7-google-sheets-connector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CF7 Google Sheets Connector: from n/a through <= 5.0.17.

Action-Not Available
Vendor-WesternDeal
Product-CF7 Google Sheets Connector
CWE ID-CWE-862
Missing Authorization
CVE-2023-34003
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.09% / 26.26%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 10:19
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Box Office plugin <= 1.1.51 - Unauthenticated Save Ticket Barcode vulnerability

Missing Authorization vulnerability in Woo WooCommerce Box Office.This issue affects WooCommerce Box Office: from n/a through 1.1.51.

Action-Not Available
Vendor-WooCommerce
Product-box_officeWooCommerce Box Officebox_office
CWE ID-CWE-862
Missing Authorization
CVE-2025-22629
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 38.04%
||
7 Day CHG~0.00%
Published-27 Mar, 2025 | 15:29
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress iNET Webkit Plugin <= 1.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in iNET iNET Webkit inet-webkit allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects iNET Webkit: from n/a through <= 1.2.2.

Action-Not Available
Vendor-iNET
Product-iNET Webkit
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 18
  • 19
  • Next
Details not found