Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-6721

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-19 Jul, 2025 | 05:32
Updated At-21 Jul, 2025 | 17:50
Rejected At-
Credits

Vchasno Kasa <= 1.0.3 - Missing Authorization to Unauthenticated Invoice Generation

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:19 Jul, 2025 | 05:32
Updated At:21 Jul, 2025 | 17:50
Rejected At:
▼CVE Numbering Authority (CNA)
Vchasno Kasa <= 1.0.3 - Missing Authorization to Unauthenticated Invoice Generation

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders.

Affected Products
Vendor
bandido
Product
MORKVA Vchasno Kasa Integration
Default Status
unaffected
Versions
Affected
  • From * through 1.0.3 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Phong Nguyen
Timeline
EventDate
Vendor Notified2025-07-07 14:15:19
Disclosed2025-07-18 00:00:00
Event: Vendor Notified
Date: 2025-07-07 14:15:19
Event: Disclosed
Date: 2025-07-18 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/57ad3525-3257-4727-ba07-468bf13a94e2?source=cve
N/A
https://plugins.trac.wordpress.org/browser/mrkv-vchasno-kasa/trunk/classes/mrkv-setup.php#L395
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3328827%40mrkv-vchasno-kasa&new=3328827%40mrkv-vchasno-kasa&sfp_email=&sfph_mail=
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/57ad3525-3257-4727-ba07-468bf13a94e2?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/mrkv-vchasno-kasa/trunk/classes/mrkv-setup.php#L395
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3328827%40mrkv-vchasno-kasa&new=3328827%40mrkv-vchasno-kasa&sfp_email=&sfph_mail=
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:19 Jul, 2025 | 06:15
Updated At:22 Jul, 2025 | 13:06

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity@wordfence.com
CWE ID: CWE-862
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/mrkv-vchasno-kasa/trunk/classes/mrkv-setup.php#L395security@wordfence.com
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3328827%40mrkv-vchasno-kasa&new=3328827%40mrkv-vchasno-kasa&sfp_email=&sfph_mail=security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/57ad3525-3257-4727-ba07-468bf13a94e2?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/mrkv-vchasno-kasa/trunk/classes/mrkv-setup.php#L395
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3328827%40mrkv-vchasno-kasa&new=3328827%40mrkv-vchasno-kasa&sfp_email=&sfph_mail=
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/57ad3525-3257-4727-ba07-468bf13a94e2?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

255Records found
CVE-2022-4974
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 22.07%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 06:43
Updated-16 Oct, 2024 | 18:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Freemius SDK <= 2.4.2 - Missing Authorization Checks

The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.

Action-Not Available
Vendor-mihail-barinovslidedecklukeseagerupfivcypressnorthronena100jburleigh1tobias_conrad/sonalsinha21stylingwebbenhiddenpearlsmikewire_rocksolidprelcthemeseiinvisnetactuaryzaskversacompalanfullergalooverboltonstudioscadudecastroalvesclosemarketing/jamesparkninjaelementinvaderpmbaldha/zeethemecodeiesvinod-dalvialphabposervicetranzlysovstacklivemeshthijziewoopopsmarviorochafullworksekanathmulticollabwp-makingrafacarvalhidodejanmarkovicnitin247svenl77mumarym1985gloriousthemessmgteamsj_opluginswarewpschoolcalendarmeowcrewgowebsmartyggeddesmartwpressdotrexcebbidaniyalahmedkoceanwpmattpramschufercloudspongestevejburgemajick/alleythemesxyulexweconnectcodebilaltasbuttonizerlostboy7badhonrockswpdeverbenmoreassyntpagebuildersandwichblockypagedrosendoultimateblocksscrollsequencedgwyerbeeneebwpjolitonyzeolimeepluginsfrostbournrisethemeclickervolttheafricanboss/olezhyk5mohammedrezqdjenhdreamfoxrebelcodeblackandwhitedigitalseancarricomarcqueraltwpt00lsmdedevldninjas/tprintyedisonaveco2oksakurapixeldvizheniamnelson4kokomowebwpdeliciouselbisnerosebet/samuelsilvaptwpeventpartners/theafricanbossstevehentystreamweaselspaulio21tribalnerdpmbaldhamuhammad-rehmanmte90ankitmarusslatlasjohnc1979wordpresscheflimbcodeimtiazrayhanggriesserseezeeivan_paulinmikebelsattestkaggdesignparetodigitaltherealwebdisruptsurbmahumblethemesarabianmidokrspmcurlyibenicwpmagicsblockmeisterkitthemessvovafirkanumasterblocksfrenifynicheaddonswalkerwpwpmoosepremmercepootlepresswebtechstreetinterfacelabgetsparrowcommercepunditmhmrajibtropicalistaspartacsjaveddarellahmed17wiserstepslitonice13damian-goramatthias-reuterstaxwpthecodechimepluginandplaywupopippozanardohqthemekairaejslondon/unitecmskartikparmarcarlosmoreiraptatakanozbandidoproteusthemespopeatingbavokoservicesaharonyanjosevegaplugins360mojofywpdeothemesbrandonfirebpluginskartikparmar/syntacticstauhidproelliotvsjwindcliffpaulickwphrmanagerwpvibesmaltathemesalex-yesamdanialexmosspassionatebrainssslzenwpscriptsequalizedigitalkylegilmandam6plprotectyouruploadscodeatlanticjurskijcodexinputwptripettojkohlbachwpsoulgallerycreatorivacydanish-alikaizencoderschetmacpowerfulwplistpluswhiteshadowanasbinmukimtobias_conradshelob9ivanchernyakovmaurolopes/dovypsetkawpeka-clubroyalnavneettoddhalfpennywpgeniuzflexithemesstarfishwpskshaikatcollizo4skywebba-agencysnazzythemesavidthemes/pasyuktickerablocksparedanielealessandravincoitmilmorbradvinwebmuehlewordpluscromer12foxmooneedeethemestydotsmohsinofflineprasadkirpekarmbrown24switcorpgfiremalekvappexpertsiouriahs-victorwptravelengineboriscolombier/smusman98edgegallerypluginpenguininitiativesrichard-b5starpluginstakanakuimaciejbak85jack-kitterhingcleverpluginsmvvapps/pootlepress/annastaacmbibby/bestpluginswordpresspatrickposnercreativethemeshqmaxsdesignrafalosinskiwpdevpowersprinceahmedpagupninjalibsdudoxplodedthemeslkoudalkhothemesmilukove/infosatechrenaudbodwebheadllcwpcohortwpexpertsiobouncingsproutclosemarketingethereumicoiolinekaldivisumodipcodehalmatsindyakinsergeiwgaugewpengineessekiagiladtakonivernallynn999npluginsvohotv/janthielemannmunirkamalxjohnykjanwyljetixwpthemeythemescyberhobowppluginexpertsvanyukovwpmunichmantrabrainandyabelowpatrickgarmannasirahmedjwebsolshabtimoomooagencycloudlivingshawoninfoinfornwebtycoon12344salttechnowpbitskkikuchi1220modulemastersthinleekwpconedevwoodyhaydayanssilaitiladaigo75kitforestw3scloudpeterschulznlultradevsjavmahshamim51wpcohort/oloyede-jamiumelapresssebetaguilerasoft9brada6sangarananfrageformularskymindsmberdingrankbeargkher/wptbmatstarsjaydeep-nimavatkenanfallonusmanaliqureshiakdevschillichallimajickbycrikfastaf/themelocationglowlogixmilukoveh3technologiescodexonicsintoxstudiokartechifybfintalcodesavorygreenjaymediafsruslanoceasdangub86iksstudiowpchilldavidandersonzerozendesigndiviframeworkRoyal Elementor AddonsBdThemesThe Events Calendar (StellarWP)Themeisle
Product-Panorama Viewer- Best Plugin to Display Panoramic Images/VideosWooCommerce Variation Swatches for ProductsEasy Post Views CountWoocommerce Customer Reviews with Artificial Intelligence analyzis, with IBM Watson Tone AnalyzerOcean ExtraCodeKit – Custom Codes EditorForm Vibes – Database Manager for FormsGFireM Advance SearchSTEWoo – Super Transactional Emails for WooCommerceBlockMeister – Block Pattern BuilderWordPress Directory Plugin For Business Listings – WP Local PlusAirpressWP Sessions Time Monitoring Full AutomaticEmails Blacklist for Everest FormsSmart Floating / Sticky Buttons – Call, Sharing, Chat Widgets & More – ButtonizerExpire tagsXT Ajax Add To Cart for WooCommerceBefore and After Product Images for WooCommerceVillarWP Search FilterFunnelmentalsFrontend group restriction for LearnDashSEO BoosterTeam Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and MorePro Broken Links MaintainerPremmerce Product Filter for WooCommerceDancePress (TRWA)Walker CoreBAVOKO SEO Tools – All-in-One WordPress SEOWP Security Safejav&#039;s – WooCommerce and Trello integration WooTrelloWP School CalendarBooking Addon for WooCommerceStation ProProduct Carousel For WooCommerce – WoorouSellCartPops – High Converting Add To Cart Popup For WooCommerceGiveaways for woocommerceBuddyPress WooCommerce My Account Integration. Create WooCommerce Member PagesGreenshift – animation and page builder blocksAtlas – Knowledge BaseWP GratifyBetter Messages – Integration for WC Vendors MarketplaceBlocksy CompanionQyrr – simply and modern QR-Code creationannasta Woocommerce Product FiltersWP Tools Gravity Forms Divi ModuleTablesome – Form DB & Automation – WPForms, Contact Form 7, Elementor, Forminator, Fluent, GravityClimateClick: Climate Action for allA no-code page builder for beautiful performance-based contentArendelleMarket ExporterConnected SermonsLightbox & Modal Popup WordPress Plugin – FooBoxStarfish Review Generation & Marketing for WordPressWooCommerce Disable Payment Methods based on cart conditionsSticky add to cart for WooPost Slider and Post Carousel with Post Vertical Scrolling Widget – A Responsive Post SliderSecurity Ninja – Secure Firewall & Secure Malware ScannerPopOverXYZ – Show Light Weight Beautiful Tool Tips On Any TextEasy Age VerifyNotification Bar, Announcement and Cookie Notice WordPress Plugin – FooBarPremmerce Variation Swatches for WooCommerceProduct Size Charts Plugin for WooCommercePost Carousel DiviAge Verification Screen for WooCommerceSuper Video Player- Best WordPress Video Display Plugin for mp4/OGGSimple Giveaways – Grow your business, email lists and traffic with contestsHQTheme ExtraGlossaryAutomizy Gravity FormsExtend Filter Products By Price WidgetOrder and Inventory Manager for WooCommerceAdvanced Database ReplacerStore Toolkit – WooCommerce Extensions, Quick Enhancements & Handy ToolsLivemesh Addons for Beaver BuilderAbeta Link PunchOutMaster Blocks – Gutenberg Site BuilderPremmerce Permalink Manager for WooCommerceShipping Method Display Style for WooCommerceSpanish Market Enhancements for WooCommerceFeedbackScout: The easiest way to collect, prioritise, manage and track customer feedback.Restaurant & Cafe Addon for ElementorPost Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)WordPress Slider Block GutensliderWP Lead StreamAquarella LiteReally Simple Featured Video – Featured video support for Posts, Pages & WooCommerce ProductsVidSEO | WordPress Video SEO embedder with transcripts (Youtube & Vimeo)WPMailer – The best mail builder, No More Core for your emails support Elementor, CF7 forms etc…Multi Page Auto Advance for Gravity FormsTreePress – Easy Family Trees & Ancestor ProfilesCookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy)3D Viewer – 3D Model Viewer PluginPurusDisplay Eventbrite EventsMedia Cloud for Bunny CDN, Amazon S3, Cloudflare R2, Google Cloud Storage, DigitalOcean and moreAPPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android AppsWP Event Partners – WordPress Plugin for Event and Conference ManagementFloating Social Share Icons and Social Share buttons – Next Previous Post Links – FLPortfolio for Elementor & Image Gallery | PowerFolioWidgets for WooCommerce Products on ElementorStoreCustomizer – A plugin to Customize all WooCommerce PagesEmail Tracker – Email Tracking Plugin to track Emails for Open and Email Links Click (Compatible with WooCommerce)Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)Custom WooCommerce Checkout Fields EditorEqualize Digital Accessibility Checker – Audit Your Website for WCAG, ADA, and Section 508 Accessibility ErrorsSalon Booking SystemWooCommerce EU VAT AssistantThe Events CalendarBulk Attachment DownloadListPlus – Unlimited Listing DirectoryMenu Item SchedulerWP Photo EffectsWordPress Reviews by ReviewPressAuto SEO META keywords (META tags keywords) optimization + WooCommerceJoli Table Of ContentsOne Click LoginEmail Header FooterBulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO)Woocommerce Customers Order HistoryImage Photo Gallery Final Tiles GridNitek Carousel Slider Cool TransitionsEasy Zillow ReviewsStreamCast – Radio Player for WordPressXT Variation Swatches for WooCommerceMenu Image, Icons made easyCryptocurrency Portfolio TrackerWS BootstrapWP Mobile Menu – The Mobile-Friendly Responsive MenuFast Checkout for WooCommerceSmart Variations Images & Swatches for WooCommerceMailChimp ManagerWp My Admin BarDeals of the Day WooCommerceHasiumResponsive Social Slider WidgetPage Builder Gutenberg Blocks – Kioken BlocksPage Builder Sandwich – Front End WordPress Page Builder PluginLivemesh SiteOrigin WidgetsViralikeCustom Registration and Custom Login Forms with New RecaptchaBattle Suit for DiviJDs PortfolioSV Proven ExpertVO Store Locator – WP Store Locator PluginReset Course Progress For LearnDashFront End PMRecurWP – WordPress Recurly Payment GatewayGlorious Services & SupportShubanIvory Search – WordPress Search PluginServer InfoBlog Sidebar WidgetAgy – Age verification for WooCommerceGoogle Analytics plugin for WordPress by GA4WPWP EasyPay – Square for WordPressWP Munich Blocks – Gutenberg Blocks for WordPressPremmerce Wishlist for WooCommerceNokkeBroadcast LiteWP Conference ScheduleEasy Newsletter SignupsAlley Business ToolkitReplyable – Subscribe to Comments and Reply by EmailNumber ChatCountry Based Payments for WooCommerceWebinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnitionSchema Plugin For Divi, Gutenberg & ShortcodesPower Ups for ElementorWordPress Everse Starter Sites – Elementor TemplatesContact Form 7 Multi-Step FormsAccept Stripe Donation and Payments – AidWPInternal Link Juicer: SEO Auto Linker for WordPressWoo UkrposhtaPage Builder for Gutenberg – StarterBlocksGet feedback from visitors – WP Feedback Suite PluginNEXUSBanner Management For WooCommerceScheduled Notification BarUltimate Blocks – WordPress Blocks PluginGenealogical Tree – WordPress Family TreeLearnMoreMaster Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & AnimationsProduct Author for WooCommerceLightbox – EverlightBox GalleryImpexium Single Sign OnLive TV Player – Worldwide Live TV Channels Player for WordPressPrice Bands for WooCommerceVit Website ReviewsRevolution for ElementorGloriousThemes Starter SitesWordPress Robots.txt optimizer (+ XML Sitemap) – Boost SEO, Traffic & RankingsGallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native galleryGo Fetch Jobs (for WP Job Manager)Geo MashupFive-Star Ratings ShortcodeActivity Log For MainWPContent Aware Sidebars – Fastest Widget Area PluginBaniInsert or Embed Articulate Content into WordPressRadio Station by netmix® – Manage and play your Show Schedule in WordPress!Anfrageformular – Multi Step Drag & Drop Formular Builder – LeadgenerierungTabs with Recommended Posts (Widget)Performance KitWP BugBotTag Groups is the Advanced Way to Display Your Taxonomy TermsRW Divi Unite GalleryWP Get PersonalAdvance Menu ManagerBulk WooCommerce Category CreatorWP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)LawPress – Law Firm Website ManagementTinyMCE AnnotateElationElements for LifterLMSGFireM FieldsHooked Editable ContentConsultPress LiteFooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & CarouselCategorify – WordPress Media Library Category & File ManagerRestrict User Access – Ultimate Membership & Content ProtectionJustified GalleryLocal Delivery Drivers for WooCommerceStreamWeasels Twitch IntegrationFocus on Reviews for WooCommerceWP Frontend Admin – Display WP Admin Pages in the FrontendSimple Sitemap – Create a Responsive HTML SitemapOpenseaAdd Pinterest conversion tags for Pinterest Ads + Site verificationWordPress Coupon Plugin for Bloggers and Marketers – WP OffersCryptocurrency Product for WooCommerceFast WordPressExtra Fees Plugin for WooCommercePrint My Blog – Print, PDF, & eBook Converter WordPress PluginStreak CRM For Gmail For Contact Form 7 – WordPress PluginSpotlight Social Feeds – Block, Shortcode, and WidgetWP-HR Manager: The Human Resources Plugin for WordPressCAPTCHA 4WP – Antispam CAPTCHA solution for WordPressDeMomentSomTres Grid ArchiveTarot Card OracleIntegrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files into Your WordPress SiteWooCommerce Customers Table: View, Search, Bulk EditorChat Button- Leads and Order over ChatAll in One Invite CodesWP Meta and Date RemoverRating-Widget: Star Review SystemSurbma | GDPR Proof Cookie Consent & Notice BarEasy Code SnippetsComments Not Replied ToImage Carousel For DiviCuisine PalaceWP Radio – Worldwide Online Radio Stations Directory for WordPressElastaDivi CollageSparrow: Product Reviews and Ratings for WooCommerceSV Tracking ManagerUltra Elementor AddonsWooCommerce Next Order CouponWP Contact SliderLive Scores for SportsPressPast Events ExtensionTiered Pricing Table for WooCommerceAnyWhere ElementorWP Coupons and Deals – WordPress Coupon PluginSky Login RedirectWPTools Masonry Gallery & Posts For DiviNugget by Ingot: Easy, automated and native A/B testing for everyoneWP Post BlockEverseProduct Options and Price Calculation Formulas for WooCommerce – Uni CPOFeatured Images in RSS for Mailchimp & MoreFiboSearch – Ajax Search for WooCommercePost Snippets – Custom WordPress Code Snippets CustomizerWP Smart Export (Free)Coinbase Commerce – Crypto Gateway for WooCommerceWP Dev Powers – Display Screen Dimensions to Admin PluginSSL Atlas – Free SSL Certificate & HTTPS Redirect for WordPressWP fail2ban – Advanced Security PluginXT Floating Cart for WooCommerceAuthorize.Net Payment Gateway For WooCommerceDivi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7Multipurpose Gutenberg BlockFood Store – Online Food Delivery & PickupEthereumICOACF for WooCommerce ProductPremmerce Redirect ManagerDesign for Contact Form 7 Style WordPress Plugin – CF7 WOW StylerKVoucherSheetPress – Manage WordPress Meta data with Google SheetsLive Drag and Drop Builder for Contact Form 7Ultimate Widgets LightPodcast Box – Best Podcasting Plugin for WordPressBlocked in China | Check if your site is available in the Chinese mainlandWP Author BioWooCommerce upcoming ProductsPremmerce Brands for WooCommerceVideo Player for YouTubeDelete All Comments of wordpressDigital Goods for WooCommerce CheckoutBulk Edit Posts and Products in SpreadsheetMarijuana Age VerifyWordPress News Plugin – TopNewsWpPremmerce WooCommerce Customers ManagerCP Simple NewsletterWP Frontend ProfileEasy Smooth Scroll Links – Smooth Scrolling AnchorPremmerce SEO for WooCommerceLittleBot InvoicesFrontend Admin by DynamiAppsInbound BrewCheckout with Venmo on EDDUltimate Post Kit Addons For Elementor – (Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker, Tag Cloud)WC Shop Sync – Square Payment Gateway for WooCommerce, Inventory Sync Between Square and WooCommerce, Ultimate WooCommerce Square PluginBulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)Restrict – membership, site, content and user access restrictions for WordPressTK SmugMug Slideshow ShortcodeWP-Cron Status CheckerStrumenti Partita IVA per WoocommerceElementor Addons by LivemeshPrimary Addon for ElementorbbResolutionsNinja Libs Amazon SESWP SPID ItaliaMusic Player for Elementor – Audio Player & Podcast PlayerKnowledge Base documentation & wiki plugin – BasePress DocsModern Addons for Elementor Page BuilderBetter Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBossWP Group PromoterWidgets on PagesSpreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.SVG Flags – Beautiful Scalable Flags For All Countries!Anti-Spam by Fullworks : GDPR Compliant Spam ProtectionBulk Edit Categories and Tags – Create Thousands Quickly on the EditorDelete old Posts automaticallyPremmerceTop Bar – PopUps – by WPOptinLMS Plugin – eLearning, Online Courses by AttestPost to Google My Business (Google Business Profile)EthPress – Web3 LoginUnakitLicense Manager for WooCommerceSync eCommerce NEOTK Google Fonts GDPR CompliantWP Affiliate DisclosureBlockspare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding NeededSpeculorDomain Mapping System | Create Microsites with Multiple Alias Domains (multisite optional)Ultimate Gutenberg – Custom Block TemplatesWidgets on Pages and PostsPayment gateway per Product for WooCommerceWP Notification BellConeBlog – Elementor Blog WidgetsWP Free SSL – Free SSL Certificate for WordPress and force HTTPSWP Table Builder – WordPress Table PluginMedia Library File DownloadEasy Social Feed – Social Photos Gallery – Post Feed – Like BoxCheckout with Zelle on WoocommerceWP EmailyUnlimited Elements For Elementor (Free Widgets, Addons, Templates)Frontend Admin – Add and edit posts, pages, users and more all from the frontendNicheBaseLimb Gallery | Create Beautiful Image & Video GalleriesRevivePress – Keep your Old Content EvergreenPixel Manager for WooCommerce – Track Google Analytics, Google Ads, TikTok and morePostcode RedirectW3SCloud Contact Form 7 to Zoho CRMShared Files – Frontend File Upload Form & Secure File SharingGrid & Styler For Contact Form 7 And DiviBlock, Suspend, Report for BuddyPressКнопка ЮMoneyChange Price Title for WooCommerceForceFieldHide Shipping Method For WooCommerceWordPress SEO ChecklistEvents Addon for ElementorSend Prebuilt EmailsWP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to Force HTTPS, Security+Appointment & Event Booking Calendar Plugin – Webba BookingDelete Duplicate PostsAlt ManagerJoli FAQ SEO – WordPress FAQ PluginChange Prices with Time for WooCommerceAdvanced Page Visit Counter – Most Wanted Analytics Plugin for WordPressKRSP Frontend File UploaderPay For Post with WooCommerceWooCommerce Bulk Edit Coupons – WP Sheet EditorPosts List Designer by Category – List Category Posts Or Recent PostsLocalSEOMapGFireM Action AfterBookPress – For Book AuthorsAdd Expires Headers & Optimized MinifyCoupon Affiliates – Affiliate Plugin for WooCommerceWP Activity LogDivi Content RestrictorCartoon UrlEvents Calendar RegistrationSecure IP LoginsShare This ImageDashy – Google Analytics advanced dashboardAmelaWordPress Dev Powers – ACF Color Coded Field Types PluginGutenberg Blocks – ACF Blocks SuiteScrollsequence – Cinematic Scroll Image Animation PluginPayment Gateway for PayFabricRankBearAwesome SSLFeatured Products First for WooCommerce – A Extension of WooCommerce (WooCommerce Addon Plugin)South Pole: Climate action nowPremmerce User RolesAdd Twitter Pixel for Twitter adsQuote for WooCommerce Lite – Add to Quote Plugin Lets Customers Request Custom Quotes for Products using the Request a Quote Plugin for WooCommerceAvailability datepicker – Integrate with Contact Form 7 and DiviWooCommerce PayPlugWPBITS Addons For Elementor Page BuilderWP SMS Plugin – WordPress SMS Two Factor Authentication – 2FA, Two Factor, OTP SMS and EmailFullscreen MenuFuse Social Floating SidebarVideopackmyCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for GamificationBlock Styler For Gravity FormsPremmerce Wholesale Pricing for WooCommerceBook BuyBack PricesProduct Customer List for WooCommerceGift Message for WooCommerceEasy PrayerPremmerce Multi-currency for WoocommerceQuick Paypal PaymentsMigrate WordPress Website & Backups – Prime MoverIks Menu – WordPress Category Accordion Menu & FAQsContact List – Premium Staff Listing, Business Directory Plugin & Address BookWordPress form builder plugin for contact forms, surveys and quizzes – TripettoUltimeterEthereum WalletSurveyFunnel – Survey Plugin for WordPressClickerVolt – Affiliate Links & Click Tracking for Performance MarketersWordPress Translation plugin for Post, Pages & WooCommerce products. Tranzly IO AI DeepL automatic WordPress Translator.azw woocommerce file uploadsDeMomentSomTres AddressWordPress Persistent LoginDrop Shadow BoxesGenerate Images – Magic Post ThumbnailAdFoxly – Ad Manager, AdSense Ads & Ads.txtRemove Add to Cart WooCommerceDynamic Pricing and Discount Rules for WooCommerceRadio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPressWCC SEO Keyword ResearchFAQ Manager For Divi, Gutenberg Block & ShortcodeAny Popup – Popup Forms, Optins & AdsWadi SurveySlideDeck: Responsive WordPress Slider PluginDocument Viewer- Plugin to Display MS Office DocsXT Quick View for WooCommercePlace Order Without Payment for WooCommerceBetter SharingTeam Collaboration Plugin for WordPress Editorial teams- MulticollabWP Travel Engine – Tour Booking Plugin – Tour Operator SoftwareBetter Elementor AddonsQuick Event ManagerRun Contests, Raffles, and Giveaways with ContestsWPSKT Templates – 100% free Elementor & Gutenberg templatesDelivery for WooCommerceQuick Contact FormFAQ / Accordion / Docs – Helpie WordPress FAQ Accordion pluginRocket Maintenance Mode & Coming Soon PageEther and ERC20 tokens WooCommerce Payment GatewayWPVisitorInfo – Show Visitor Information & Conditional Data Based On That InformationHM Multiple RolesUltimate Carousel For DiviAFI – The Easiest Integration PluginWP MooseFraud Prevention For WooCommerce and EDDBest Responsive Comparison Table for Gutenberg Editor – NicheTableAdd Tiktok Pixel for Tiktok ads (+Woocommerce)Contact Widgets For Elementor all the contact links you need in one placeProtect Uploads with Login – Protect Your UploadsBulk Edit and Create User Profiles – WP Sheet EditorDa ReactionsMass Pages/Posts CreatorWholesale for WooCommerce — This Wholesale Plugin Helps B2B and B2C Businesses Streamline Wholesale Products, Pricing, and User Roles, Automating their WooCommerce Wholesale StoresQuick Affiliate StoreWordPress Animation Plugin – Animated EverythingWPBakery Page Builder Addons by LivemeshProduct Attachment for WooCommerceAnnouncement & Notification Banner – BulletinAll-in-One Video GallerySocial Gallery LiteRun time Image resizingWUPO Group Attributes for WooCommerceMapGeo – Interactive Geo MapsPinblocks — Gutenberg blocks with Pinterest widgetsDivi Torque Lite – Divi Theme and Extra ThemeSocialMark – Easy Watermark/Logo on Social Media Post Link Share PreviewSQL Reporting Services – SSRS Plugin for WordPressGet Directions MapCaxton – Create Pro page layouts in GutenbergAnt Admin Notices for TeamBetter Messages – WCFM IntegrationZip Code RedirectRedirection for Contact Form 7Custom Login Page CustomizerGet Better Reviews for WooCommerceNew User ApproveTurbo WidgetsMobile View for Responsive web design optimization (UX design) + Mobile Friendly TestThank You Page for WooCommerceBuilder for WooCommerce product reviews shortcodes – ReviewShortkk Star Ratings – Rate Post & Collect User FeedbacksLogo Showcase – Responsive Logo Carousel, Logo Slider & Logo GridRaCar Clear Cart for WooCommerceDeMomentSomTres Media Tools AutoWordPress Google TranslateEasy Tiktok FeedModern Designs for Gravity FormsEasy Math Captcha for CF7Filr – Secure document libraryPreloader for DiviMeridiaWidget Detector for ElementorBrandAutomatic YouTube GalleryRest Routes – Custom Endpoints for WordPress REST APIPurosaYatri ToolsWoowGallery – image gallery / content gallery / ecommerce gallery / social gallery / video gallery / album photo galleryWP Required Taxonomies – Categories and Tags MandatoryWordPress Books GalleryWP Disable SitemapAdd Linkedin insight tags for Linkedin adsProduct Image Watermark for WooFooter Plugin for DiviOverlay Image Divi ModuleDuplicate Variations for WoocommerceWooCommerce Google Analytics Integration By Advanced WC AnalyticsDrip Feed Content Extended for LearndashError Log MonitorBlog Grid & Post Grid – Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry, Category Post Grid By News & Blog Designer PackPremmerce Product Search for WooCommerceYASR – Yet Another Star Rating Plugin for WordPressMultisite Robots.txt ManagerInternal Linking for SEO traffic & Ranking – Auto internal links (100% automatic)Woo Admin Product NotesRoyal Elementor Addons and TemplatesSnazzyAdmin WP Admin ThemeSocial KitwGauge – Free VersionElementor Addon ElementsWooCommerce Country Catalogs – Product Country RestrictionsWordPress SEO Audit Plugin – WP Site AuditorWP Tools Divi Product CarouselAds.txt & App-ads.txt Manager for WordPressSimple SponsorshipsKikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerceWP Page TemplatesGuest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front EditorWordPress WooCommerce Sync for Google SheetBooking Calendar | Appointment Booking | BookitFlat Rate Shipping Plugin For WooCommerceGuestofy – Restaurant Reservations Plugin, Room Planer, Reservation FormWP Link BioWordPress Dev Powers – Element Selector jQuery Powers PluginFull Page Blog DesignerTwentyFourth WP ScraperBlock Slider – Responsive Image Slider, Video Slider & Post SliderEnhanced Ecommerce Google Analytics for WooCommerceWidget for Contact form 7Stackable – Page Builder Gutenberg BlocksSimple Feature Requests Free – User Feedback BoardBlockyPage – Gutenberg Based Page BuilderWP AutoMedicGallery PhotoBlocksContact Form 7 – Capsule CRM – IntegrationEvent Tickets and RegistrationEasy Settings for LearnDashWordPress Auto SEO Plugin – Upfiv SEO WizardWP Relevant AdsForms to Zapier, Integromat, IFTTT, Workato, Automate.io, elastic.io, Built.io, APIANT, WebhookUser Menus – Nav Menu VisibilityLittleBot ACH for Stripe + PlaidUnder ConstructionMaster Accordion ( Former WP Awesome FAQ Plugin )XT Points & Rewards for WooCommerceCF7 Constant Contact Fields MappingWP Data Access – WordPress App, Table and Form Builder pluginPassster – Password Protect Pages and ContentOut of stock display for woocommerceClean Social IconsCheckout with Cash App on EDDAutoSave NetSSL Certificate – Free SSL, HTTPS by SSL ZenGateway for PayLate on WooCommerceCourt Reservation – Manage Your Court Bookings OnlineAffiliate Link Builder Plugin for Amazon Associates – Review EngineAdvanced Custom Fields options import/exportRT Easy Builder – Advanced addons for ElementorThe best plugin for restrict content, support all Custom Post Types and Elementor – Password ProtectedChoice Payment Gateway for WooCommerceURL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPressWooCommerce Shipping gateway per ProductWP Tools Divi Blog CarouselSimple Social Page Widget & ShortcodeUltimate Bulk SEO Noindex Nofollow – Speed up Penalty Recovery Ultimate SEO BoosterEducation Addon for ElementorAdvanced Classifieds & Directory ProCode ManagerHuCommerce | Magyar WooCommerce kiegészítésekFree Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC BookingFeedpress Generator – External RSS Frontend CustomizerSTAX Header BuilderWP Google Street View (with 360° virtual tour) & Google maps + Local SEOUltimate Divi Modules Suite – Divi Sumo LiteWordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and ScheduleFIT: Featured Image ToolkitConversion de moneda WoocommerceWP Adminify – Custom WordPress Dashboard, Login and Admin CustomizerGo Viral – social share, social sharebar, social locker, social chat, open graph, reactions, share & view countersWooCommerce Bulk Edit Products – WP Sheet EditorWP SierraWordPress Gallery Plugin – Edge Photo GalleryPootle Pagebuilder – WordPress Page builderTickera – WordPress Event Ticketing
CWE ID-CWE-862
Missing Authorization
CVE-2025-6720
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.09% / 25.59%
||
7 Day CHG+0.03%
Published-19 Jul, 2025 | 05:32
Updated-22 Jul, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vchasno Kasa <= 1.0.3 - Unauthenticated Log File Clearing

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_all_log() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to clear log files.

Action-Not Available
Vendor-bandido
Product-MORKVA Vchasno Kasa Integration
CWE ID-CWE-862
Missing Authorization
CVE-2025-0466
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.07% / 22.88%
||
7 Day CHG~0.00%
Published-04 Feb, 2025 | 06:00
Updated-27 Aug, 2025 | 12:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sensei LMS < 4.24.4 - Unauthenticated sensei_email/sensei_message Disclosure

The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message Information.

Action-Not Available
Vendor-UnknownAutomattic Inc.
Product-sensei_lmsSensei LMS
CWE ID-CWE-862
Missing Authorization
CVE-2023-1296
Matching Score-4
Assigner-HashiCorp Inc.
ShareView Details
Matching Score-4
Assigner-HashiCorp Inc.
CVSS Score-2.7||LOW
EPSS-0.29% / 51.86%
||
7 Day CHG+0.04%
Published-14 Mar, 2023 | 14:45
Updated-27 Feb, 2025 | 15:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nomad ACLs Can Not Deny Access to Workload's Own Variables

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1.

Action-Not Available
Vendor-HashiCorp, Inc.
Product-nomadNomad EnterpriseNomad
CWE ID-CWE-682
Incorrect Calculation
CWE ID-CWE-862
Missing Authorization
CVE-2023-1167
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 42.47%
||
7 Day CHG~0.00%
Published-05 Apr, 2023 | 00:00
Updated-10 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper authorization in Gitlab EE affecting all versions from 12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 allows an unauthorized access to security reports in MR.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2021-39190
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 28.21%
||
7 Day CHG~0.00%
Published-22 Sep, 2022 | 16:30
Updated-23 Apr, 2025 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SCCM plugin for GLPI vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

The SCCM plugin for GLPI is a plugin to synchronize computers from SCCM (version 1802) to GLPI. In versions prior to 2.3.0, the Configuration page is publicly accessible in read-only mode. This issue is patched in version 2.3.0. No known workarounds exist.

Action-Not Available
Vendor-teclib-editionGLPI Project
Product-system_center_configuration_managersccm
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2024-26138
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.24% / 46.94%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 16:52
Updated-22 Apr, 2025 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
License information is public, exposing instance id and license holder details

The XWiki licensor application, which manages and enforce application licenses for paid extensions, includes the document `Licenses.Code.LicenseJSON` that provides information for admins regarding active licenses. This document is public and thus exposes this information publicly. The information includes the instance's id as well as first and last name and email of the license owner. This is a leak of information that isn't supposed to be public. The instance id allows associating data on the active installs data with the concrete XWiki instance. Active installs assures that "there's no way to find who's having a given UUID" (referring to the instance id). Further, the information who the license owner is and information about the obtained licenses can be used for targeted phishing attacks. Also, while user information is normally public, email addresses might only be displayed obfuscated, depending on the configuration. This has been fixed in Application Licensing 1.24.2. There are no known workarounds besides upgrading.

Action-Not Available
Vendor-XWiki SAS
Product-application_licensingapplication-licensingapplication_licensing
CWE ID-CWE-862
Missing Authorization
CVE-2023-0678
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-72.20% / 98.69%
||
7 Day CHG~0.00%
Published-04 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in phpipam/phpipam

Missing Authorization in GitHub repository phpipam/phpipam prior to v1.5.1.

Action-Not Available
Vendor-phpipamphpipam
Product-phpipamphpipam/phpipam
CWE ID-CWE-862
Missing Authorization
CVE-2025-7499
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 14.19%
||
7 Day CHG+0.01%
Published-16 Aug, 2025 | 07:25
Updated-18 Aug, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BetterDocs <= 4.1.1 - Missing Authorization to Private And Password-Protected Posts Information Disclosure

The BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_response function in all versions up to and including 4.1.1. This makes it possible for unauthenticated attackers to retrieve passwords for password-protected documents as well as the metadata of private and draft documents.

Action-Not Available
Vendor-WPDeveloper
Product-BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers
CWE ID-CWE-862
Missing Authorization
CVE-2024-23504
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 50.14%
||
7 Day CHG~0.00%
Published-14 Jun, 2024 | 05:37
Updated-01 Aug, 2024 | 23:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ninja Tables plugin <= 5.0.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPManageNinja LLC Ninja Tables.This issue affects Ninja Tables: from n/a through 5.0.5.

Action-Not Available
Vendor-WPManageNinja LLCwpmanageninja
Product-Ninja Tablesninja_tables
CWE ID-CWE-862
Missing Authorization
CVE-2025-54739
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 9.59%
||
7 Day CHG+0.01%
Published-14 Aug, 2025 | 18:21
Updated-15 Aug, 2025 | 13:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Nexter Blocks Plugin <= 4.5.4 - Broken Access Control Vulnerability

Missing Authorization vulnerability in POSIMYTH Nexter Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexter Blocks: from n/a through 4.5.4.

Action-Not Available
Vendor-POSIMYTH
Product-Nexter Blocks
CWE ID-CWE-862
Missing Authorization
CVE-2024-1380
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-89.19% / 99.52%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-31 Jan, 2025 | 13:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Relevanssi – A Better Search plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relevanssi_export_log_check() function in all versions up to, and including, 4.22.0. This makes it possible for unauthenticated attackers to export the query log data. The vendor has indicated that they may look into adding a capability check for proper authorization control, however, this vulnerability is theoretically patched as is.

Action-Not Available
Vendor-relevanssimsaarirelevanssi
Product-relevanssiRelevanssi – A Better Searchrelevanssi
CWE ID-CWE-862
Missing Authorization
CVE-2024-2043
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 55.61%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-21 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when downloading form submissions in all versions up to, and including, 2.9.9.7. This makes it possible for unauthenticated attackers to view form submissions.

Action-Not Available
Vendor-theinnovscscode
Product-eleformsEleForms – All In One Form Integration including DB for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2024-1686
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 58.14%
||
7 Day CHG~0.00%
Published-27 Feb, 2024 | 05:33
Updated-15 Jan, 2025 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to missing authorization e in all versions up to, and including, 1.1.2 via the apply_layout function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve arbitrary order data which may contain PII.

Action-Not Available
Vendor-mrt3vnVillaTheme
Product-woocommerce_thank_you_page_customizerThank You Page Customizer for WooCommerce – Increase Your Sales
CWE ID-CWE-862
Missing Authorization
CVE-2024-1798
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.84% / 73.84%
||
7 Day CHG~0.00%
Published-27 Jul, 2024 | 01:51
Updated-19 Sep, 2024 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutor LMS – Migration Tool <= 2.2.0 - Missing Authorization in tutor_lp_export_xml

The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the tutor_lp_export_xml function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to export courses, including private and password protected courses.

Action-Not Available
Vendor-Themeum
Product-tutor_lms_-_migration_toolTutor LMS – Migration Tooltutorlms-migrationtool
CWE ID-CWE-862
Missing Authorization
CVE-2024-13303
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-5.3||MEDIUM
EPSS-0.07% / 21.86%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:24
Updated-10 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069

Missing Authorization vulnerability in Drupal Download All Files allows Forceful Browsing.This issue affects Download All Files: from 0.0.0 before 2.0.2.

Action-Not Available
Vendor-The Drupal Association
Product-Download All Files
CWE ID-CWE-862
Missing Authorization
CVE-2024-13312
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-5.3||MEDIUM
EPSS-0.07% / 21.86%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:28
Updated-31 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076

Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 11.8.0 before 12.3.10, from 12.4.0 before 12.4.9.

Action-Not Available
Vendor-The Drupal Association
Product-Open Social
CWE ID-CWE-862
Missing Authorization
CVE-2024-12713
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 28.49%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 03:18
Updated-11 Jul, 2025 | 21:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SureForms – Drag and Drop Form Builder for WordPress <= 1.2.2 - Missing Authorization to Unauthenticated Protected Post Disclosure

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the handle_export_form() function due to a missing capability check. This makes it possible for unauthenticated attackers to export data from password protected, private, or draft posts that they should not have access to.

Action-Not Available
Vendor-Brainstorm Force
Product-sureformsSureForms – Drag and Drop Form Builder for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-12265
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.07% / 20.97%
||
7 Day CHG~0.00%
Published-12 Dec, 2024 | 05:24
Updated-12 Dec, 2024 | 15:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Web3 Cryptocurrency Payments by DePay for WooCommerce <= 2.12.17 - Missing Authorization to Information Exposure

The Web3 Crypto Payments by DePay for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/depay/wc/debug REST API endpoint in all versions up to, and including, 2.12.17. This makes it possible for unauthenticated attackers to retrieve debug infromation.

Action-Not Available
Vendor-depayfi
Product-Web3 Crypto Payments by DePay for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-12184
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.08% / 25.24%
||
7 Day CHG~0.00%
Published-01 Feb, 2025 | 03:21
Updated-24 Feb, 2025 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Forms by Cimatti <= 1.9.4 - Missing Authorization to Unauthenticated Form Submission Download

The WordPress Contact Forms by Cimatti plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the accua_forms_download_submitted_file() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to download other user submitted forms.

Action-Not Available
Vendor-cimatticimatti
Product-wordpress_contact_formsWordPress Contact Forms by Cimatti
CWE ID-CWE-862
Missing Authorization
CVE-2024-12316
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.12% / 31.34%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 11:11
Updated-22 Jan, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jupiter X Core <= 4.8.5 - Missing Authorization to Unauthenticated Popup Template Export

The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_popup_action() function in all versions up to, and including, 4.8.5. This makes it possible for unauthenticated attackers to export popup templates.

Action-Not Available
Vendor-artbeesartbees
Product-jupiter_x_coreJupiter X Core
CWE ID-CWE-862
Missing Authorization
CVE-2024-1126
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 43.00%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-15 Jan, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_attendees_email_by_event_id() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to to retrieve the attendees list for any event.

Action-Not Available
Vendor-Metagauss Inc.
Product-eventprimeEventPrime – Events Calendar, Bookings and Ticketseventprime
CWE ID-CWE-862
Missing Authorization
CVE-2024-11334
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 37.38%
||
7 Day CHG~0.00%
Published-21 Nov, 2024 | 05:33
Updated-26 Nov, 2024 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
My Contador lesr <= 2.0 - Missing Authorization to Unauthenticated User Registration CSV Export

The My Contador lesr plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportar_registros() function in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to export user data.

Action-Not Available
Vendor-nes360luydjmi
Product-my_contador_lesrMy Contador lesr
CWE ID-CWE-862
Missing Authorization
CVE-2024-11133
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.09% / 25.63%
||
7 Day CHG~0.00%
Published-03 Feb, 2025 | 19:22
Updated-03 Feb, 2025 | 20:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Eventer <= 3.9.9 - Missing Authorization to Unauthenticated Event Ticket Download

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_pdf_download_request' function in all versions up to, and including, 3.9.9. This makes it possible for unauthenticated attackers to download event tickets.

Action-Not Available
Vendor-imithemes
Product-Eventer - WordPress Event & Booking Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-1109
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.24% / 46.93%
||
7 Day CHG~0.00%
Published-07 Feb, 2024 | 11:02
Updated-01 Aug, 2024 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the init_download() and init() functions in all versions up to, and including, 4.0.11. This makes it possible for unauthenticated attackers to export the plugin's tracking data and podcast information.

Action-Not Available
Vendor-podloveeteubert
Product-podlove_podcast_publisherPodlove Podcast Publisher
CWE ID-CWE-862
Missing Authorization
CVE-2024-1122
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 40.40%
||
7 Day CHG~0.00%
Published-09 Feb, 2024 | 04:31
Updated-27 Aug, 2024 | 17:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data.

Action-Not Available
Vendor-themewinterthemewinter
Product-eventinEvent Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
CWE ID-CWE-862
Missing Authorization
CVE-2024-1120
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 48.01%
||
7 Day CHG~0.00%
Published-01 Mar, 2024 | 09:31
Updated-11 Mar, 2025 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The NextMove Lite – Thank You Page for WooCommerce and Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the download_tools_settings() function in all versions up to, and including, 2.17.0. This makes it possible for unauthenticated attackers to export system information that can aid attackers in an attack.

Action-Not Available
Vendor-xlpluginsdjeetxlpluginsxlplugins
Product-finalenextmoveNextMove Lite – Thank You Page for WooCommerceFinale Lite – Sales Countdown Timer & Discount for WooCommercenextmove_litefinale_lite
CWE ID-CWE-862
Missing Authorization
CVE-2025-47485
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 14:19
Updated-08 May, 2025 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Cozy Blocks <= 2.1.22 - Broken Access Control Vulnerability

Missing Authorization vulnerability in CozyThemes Cozy Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cozy Blocks: from n/a through 2.1.22.

Action-Not Available
Vendor-CozyThemes
Product-Cozy Blocks
CWE ID-CWE-862
Missing Authorization
CVE-2025-49241
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-06 Jun, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress oik <= 4.15.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in bobbingwide oik allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects oik: from n/a through 4.15.1.

Action-Not Available
Vendor-bobbingwide
Product-oik
CWE ID-CWE-862
Missing Authorization
CVE-2024-1121
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.39% / 59.29%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 21:21
Updated-01 Aug, 2024 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Advanced Forms for ACF plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_json_file() function in all versions up to, and including, 1.9.3.2. This makes it possible for unauthenticated attackers to export form settings.

Action-Not Available
Vendor-hookturnphilkurthhookturn
Product-advanced_forms_for_acfAdvanced Forms for ACFadvanced_forms_for_acf
CWE ID-CWE-862
Missing Authorization
CVE-2024-11712
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 39.04%
||
7 Day CHG~0.00%
Published-14 Dec, 2024 | 06:45
Updated-05 Feb, 2025 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Job Portal <= 2.2.2 - Missing Authorization to Unauthenticated Arbitrary Resume Download

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getResumeFileDownloadById() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to download other users resumes.

Action-Not Available
Vendor-WP Job Portal
Product-wp_job_portalWP Job Portal – A Complete Recruitment System for Company or Job Board website
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2024-10486
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-2.91% / 85.84%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 21:31
Updated-19 Nov, 2024 | 21:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Google for WooCommerce <= 2.8.6 - Information Disclosure via Publicly Accessible PHP Info File

The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible print_php_information.php file. This makes it possible for unauthenticated attackers to retrieve information about Webserver and PHP configuration, which can be used to aid other attacks.

Action-Not Available
Vendor-Automattic Inc.
Product-Google for WooCommercewoocommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-10813
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 55.96%
||
7 Day CHG~0.00%
Published-23 Nov, 2024 | 03:25
Updated-12 Jul, 2025 | 00:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Product Table for WooCommerce by CodeAstrology (wooproducttable.com) <= 3.5.1 - Information Exposure

The Product Table for WooCommerce by CodeAstrology (wooproducttable.com) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1 via the var_dump_table parameter. This makes it possible for unauthenticated attackers var data.

Action-Not Available
Vendor-codeastrologycodersaifulcodeastrology
Product-woo_product_tableProduct Table for WooCommerce by CodeAstrology (wooproducttable.com)woo_product_table
CWE ID-CWE-862
Missing Authorization
CVE-2023-23975
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 37.46%
||
7 Day CHG+0.02%
Published-09 Dec, 2024 | 11:31
Updated-09 Dec, 2024 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Quick Event Manager plugin <= 9.7.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Fullworks Quick Event Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quick Event Manager: from n/a through 9.7.4.

Action-Not Available
Vendor-Fullworksfullworksplugins
Product-Quick Event Managerquick_event_manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-49989
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.00%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-23 Jun, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress App Builder plugin <= 5.5.3 - Broken Access Control Vulnerability

Missing Authorization vulnerability in App Cheap App Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects App Builder: from n/a through 5.5.3.

Action-Not Available
Vendor-App Cheap
Product-App Builder
CWE ID-CWE-862
Missing Authorization
CVE-2024-1095
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.55% / 66.82%
||
7 Day CHG~0.00%
Published-05 Mar, 2024 | 01:55
Updated-08 Jan, 2025 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Build & Control Block Patterns – Boost up Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the settings_export() function in all versions up to, and including, 1.3.5.4. This makes it possible for unauthenticated attackers to export the plugin's settings.

Action-Not Available
Vendor-themeperchrazib_razib_
Product-build_\&_control_block_patternBuild & Control Block Patterns – Boost up Gutenberg Editorbuild_and_control_block_patterns
CWE ID-CWE-862
Missing Authorization
CVE-2024-10866
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.12% / 31.67%
||
7 Day CHG~0.00%
Published-07 Jan, 2025 | 07:22
Updated-07 Jan, 2025 | 15:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Export Import Menus <= 1.9.1 - Missing Authorization to Unauthenticated Menu Export

The Export Import Menus plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the dsp_export_import_menus() function in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to export menu data and settings.

Action-Not Available
Vendor-akshay-menariya
Product-Export Import Menus
CWE ID-CWE-862
Missing Authorization
CVE-2024-0972
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 44.73%
||
7 Day CHG-0.01%
Published-06 Jun, 2024 | 03:53
Updated-01 Aug, 2024 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BuddyPress Members Only <= 3.3.5 - Improper Access Control to Sensitive Information Exposure via REST API

The BuddyPress Members Only plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.5 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "All Other Sections On Your Site Will be Opened to Guest" feature (when unset) and view restricted page and post content.

Action-Not Available
Vendor-membersonlyzhuyizhuyi
Product-buddypress_members_onlyBuddyPress Members Onlybuddypress_members_only
CWE ID-CWE-862
Missing Authorization
CVE-2024-13719
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 10.69%
||
7 Day CHG~0.00%
Published-19 Feb, 2025 | 07:32
Updated-19 Feb, 2025 | 21:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PeproDev Ultimate Invoice <= 2.0.8 - Insecure Direct Object Reference to Unauthenticated Order Information Exposure

The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.8 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view invoices for completed orders which can contain PII of users.

Action-Not Available
Vendor-peprodev
Product-PeproDev Ultimate Invoice
CWE ID-CWE-862
Missing Authorization
CVE-2025-49268
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-06 Jun, 2025 | 16:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Verge3D <= 4.9.4 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Soft8Soft LLC Verge3D allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Verge3D: from n/a through 4.9.4.

Action-Not Available
Vendor-Soft8Soft LLC
Product-Verge3D
CWE ID-CWE-862
Missing Authorization
CVE-2024-1079
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.58% / 67.87%
||
7 Day CHG~0.00%
Published-07 Feb, 2024 | 07:32
Updated-22 Aug, 2024 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Quiz Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_show_results() function in all versions up to, and including, 6.5.2.4. This makes it possible for unauthenticated attackers to fetch arbitrary quiz results which can contain PII.

Action-Not Available
Vendor-AYS Pro Extensions
Product-quiz_makerQuiz Maker
CWE ID-CWE-862
Missing Authorization
CVE-2024-0236
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.47% / 63.72%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 15:57
Updated-20 Jun, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Virtual Event Password Disclosure

The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set (for example for Zoom)

Action-Not Available
Vendor-myeventonUnknown
Product-eventonEventON
CWE ID-CWE-862
Missing Authorization
CVE-2025-47563
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 15:45
Updated-19 May, 2025 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CURCY plugin <= 2.3.7 - Arbitrary Shortcode Execution vulnerability

Missing Authorization vulnerability in villatheme CURCY allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CURCY: from n/a through 2.3.7.

Action-Not Available
Vendor-VillaTheme
Product-CURCY
CWE ID-CWE-862
Missing Authorization
CVE-2025-47942
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.60%
||
7 Day CHG~0.00%
Published-21 May, 2025 | 21:15
Updated-23 May, 2025 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Learners on edX Platform can download python_lib.zip

The Open edX Platform is a learning management platform. Prior to commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba, edxapp has no built-in protection against downloading the python_lib.zip asset from courses, which is a concern since it often contains custom grading code or answers to course problems. This potentially affects any course using custom Python-graded problem blocks. The openedx/configuration repo has had a patch since 2016 in the form of an nginx rule, but this was only intended as a temporary mitigation. As the configuration repo has been deprecated and we have not been able to locate any similar protection in Tutor, it is likely that most deployments have no protection against python_lib.zip being downloaded. The recommended mitigation, implemented in commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba, restricts python_lib.zip downloads to just the course team and site staff/superusers.

Action-Not Available
Vendor-openedx
Product-edx-platform
CWE ID-CWE-862
Missing Authorization
CVE-2025-48444
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.64%
||
7 Day CHG~0.00%
Published-11 Jun, 2025 | 14:19
Updated-20 Jun, 2025 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-064

Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0.

Action-Not Available
Vendor-quick_node_block_projectThe Drupal Association
Product-quick_node_blockQuick Node Block
CWE ID-CWE-862
Missing Authorization
CVE-2024-0235
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-81.29% / 99.13%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 15:57
Updated-20 Jun, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Email Address Disclosure

The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog

Action-Not Available
Vendor-myeventonUnknown
Product-eventonEventON
CWE ID-CWE-862
Missing Authorization
CVE-2025-48117
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 15:45
Updated-19 May, 2025 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce POS <= 1.7.8 - Broken Access Control Vulnerability

Missing Authorization vulnerability in kilbot WooCommerce POS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce POS: from n/a through 1.7.8.

Action-Not Available
Vendor-kilbot
Product-WooCommerce POS
CWE ID-CWE-862
Missing Authorization
CVE-2025-48013
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.64%
||
7 Day CHG~0.00%
Published-11 Jun, 2025 | 14:20
Updated-20 Jun, 2025 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065

Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0.

Action-Not Available
Vendor-quick_node_block_projectThe Drupal Association
Product-quick_node_blockQuick Node Block
CWE ID-CWE-862
Missing Authorization
CVE-2023-6496
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 55.39%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 08:32
Updated-17 Jun, 2025 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Manage Notification E-mails plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.8.5 via the card_famne_export_settings function. This makes it possible for unauthenticated attackers to obtain plugin settings.

Action-Not Available
Vendor-freeamigosvirgial
Product-manage_notification_e-mailsManage Notification E-mails
CWE ID-CWE-862
Missing Authorization
CVE-2023-5331
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.34%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 10:40
Updated-05 Sep, 2024 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Information Leak via IDOR in file_id in Draft Posts

Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found