Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-67474

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-09 Dec, 2025 | 14:13
Updated At-28 Apr, 2026 | 19:17
Rejected At-
Credits

WordPress ForumWP plugin <= 2.1.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ultimate Member ForumWP forumwp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ForumWP: from n/a through <= 2.1.4.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:09 Dec, 2025 | 14:13
Updated At:28 Apr, 2026 | 19:17
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress ForumWP plugin <= 2.1.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ultimate Member ForumWP forumwp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ForumWP: from n/a through <= 2.1.4.

Affected Products
Vendor
Ultimate Member Group LtdUltimate Member
Product
ForumWP
Collection URL
https://wordpress.org/plugins
Package Name
forumwp
Default Status
unaffected
Versions
Affected
  • From 0 through 2.1.4 (custom)
    • -> unaffectedfrom2.1.5
Problem Types
TypeCWE IDDescription
CWECWE-862Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-180Exploiting Incorrectly Configured Access Control Security Levels
CAPEC ID: CAPEC-180
Description: Exploiting Incorrectly Configured Access Control Security Levels
Solutions
Configurations
Workarounds
Exploits
Credits
finder
daroo | Patchstack Bug Bounty Program
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/Wordpress/Plugin/forumwp/vulnerability/wordpress-forumwp-plugin-2-1-4-broken-access-control-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/Wordpress/Plugin/forumwp/vulnerability/wordpress-forumwp-plugin-2-1-4-broken-access-control-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:09 Dec, 2025 | 16:18
Updated At:20 Jan, 2026 | 15:19

Missing Authorization vulnerability in Ultimate Member ForumWP forumwp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ForumWP: from n/a through <= 2.1.4.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-862Secondaryaudit@patchstack.com
CWE ID: CWE-862
Type: Secondary
Source: audit@patchstack.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://patchstack.com/database/Wordpress/Plugin/forumwp/vulnerability/wordpress-forumwp-plugin-2-1-4-broken-access-control-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/Wordpress/Plugin/forumwp/vulnerability/wordpress-forumwp-plugin-2-1-4-broken-access-control-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1267Records found
CVE-2023-4943
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 31.45%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 06:35
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BEAR <= 1.1.3.3 - Missing Authorization to Product Manipulation

The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_visibility function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-bear_-_woocommerce_bulk_editor_and_products_manager_professionalBEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
CWE ID-CWE-862
Missing Authorization
CVE-2025-66106
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 12:30
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Featured Post Creative plugin <= 1.5.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Essential Plugin Featured Post Creative featured-post-creative allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Post Creative: from n/a through <= 1.5.5.

Action-Not Available
Vendor-Essential Plugin
Product-Featured Post Creative
CWE ID-CWE-862
Missing Authorization
CVE-2025-66101
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 12:30
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CBX Bookmark & Favorite plugin <= 2.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Sabuj Kundu CBX Bookmark & Favorite cbxwpbookmark allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CBX Bookmark & Favorite: from n/a through <= 2.0.1.

Action-Not Available
Vendor-Sabuj Kundu
Product-CBX Bookmark & Favorite
CWE ID-CWE-862
Missing Authorization
CVE-2023-49754
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.85%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:30
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Bulk Edit Post Titles plugin <= 5.0.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Yogesh Pawar Bulk Edit Post Titles bulk-edit-post-titles allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bulk Edit Post Titles: from n/a through <= 5.0.0.

Action-Not Available
Vendor-Yogesh Pawar
Product-Bulk Edit Post Titles
CWE ID-CWE-862
Missing Authorization
CVE-2025-66096
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 12:29
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Table Block by Tableberg plugin <= 0.6.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Imtiaz Rayhan Table Block by Tableberg tableberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Table Block by Tableberg: from n/a through <= 0.6.9.

Action-Not Available
Vendor-Imtiaz Rayhan
Product-Table Block by Tableberg
CWE ID-CWE-862
Missing Authorization
CVE-2025-66108
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 12:30
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress TNC Toolbox: Web Performance plugin <= 2.0.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Merlot Digital (by TNC) TNC Toolbox: Web Performance tnc-toolbox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TNC Toolbox: Web Performance: from n/a through <= 2.0.4.

Action-Not Available
Vendor-Merlot Digital (by TNC)
Product-TNC Toolbox: Web Performance
CWE ID-CWE-862
Missing Authorization
CVE-2025-64245
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.83%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Import external attachments plugin <= 1.5.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in ryanpcmcquen Import external attachments import-external-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Import external attachments: from n/a through <= 1.5.12.

Action-Not Available
Vendor-ryanpcmcquen
Product-Import external attachments
CWE ID-CWE-862
Missing Authorization
CVE-2025-64243
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.83%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Directory Pro plugin <= 2.5.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in e-plugins Directory Pro directory-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directory Pro: from n/a through <= 2.5.6.

Action-Not Available
Vendor-e-plugins
Product-Directory Pro
CWE ID-CWE-862
Missing Authorization
CVE-2025-64274
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-13 Nov, 2025 | 09:24
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPKoi Templates for Elementor plugin <= 3.4.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in wpkoithemes WPKoi Templates for Elementor wpkoi-templates-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPKoi Templates for Elementor: from n/a through <= 3.4.4.

Action-Not Available
Vendor-wpkoithemes
Product-WPKoi Templates for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2025-62935
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-27 Oct, 2025 | 01:34
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Open Close WooCommerce Store plugin <= 5.0.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Open Close WooCommerce Store: from n/a through <= 5.0.0.

Action-Not Available
Vendor-StackWC
Product-Open Close WooCommerce Store
CWE ID-CWE-862
Missing Authorization
CVE-2025-64247
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.83%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Read More & Accordion plugin <= 3.5.5.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in edmon.parker Read More & Accordion expand-maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Read More & Accordion: from n/a through <= 3.5.5.1.

Action-Not Available
Vendor-edmon.parker
Product-Read More & Accordion
CWE ID-CWE-862
Missing Authorization
CVE-2025-63077
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.69%
||
7 Day CHG-0.02%
Published-09 Dec, 2025 | 14:52
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Happy Addons for Elementor plugin <= 3.20.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Happy Addons for Elementor: from n/a through <= 3.20.3.

Action-Not Available
Vendor-HappyMonster
Product-Happy Addons for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2025-64248
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.83%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-28 Apr, 2026 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Request a Quote plugin <= 2.5.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in emarket-design Request a Quote request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Request a Quote: from n/a through <= 2.5.3.

Action-Not Available
Vendor-emarket-design
Product-Request a Quote
CWE ID-CWE-862
Missing Authorization
CVE-2025-64229
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-29 Oct, 2025 | 08:38
Updated-28 Apr, 2026 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.7.

Action-Not Available
Vendor-BoldGrid (InMotion Hosting, Inc.)
Product-Client Invoicing by Sprout Invoices
CWE ID-CWE-862
Missing Authorization
CVE-2025-64246
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.83%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Accessibility by AudioEye plugin <= 1.0.49 - Broken Access Control vulnerability

Missing Authorization vulnerability in netopsae Accessibility by AudioEye accessibility-by-audioeye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accessibility by AudioEye: from n/a through <= 1.0.49.

Action-Not Available
Vendor-netopsae
Product-Accessibility by AudioEye
CWE ID-CWE-862
Missing Authorization
CVE-2025-62993
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.69%
||
7 Day CHG-0.02%
Published-09 Dec, 2025 | 14:52
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Notification for Telegram plugin <= 3.5.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in rainafarai Notification for Telegram notification-for-telegram allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Notification for Telegram: from n/a through <= 3.5.1.

Action-Not Available
Vendor-rainafarai
Product-Notification for Telegram
CWE ID-CWE-862
Missing Authorization
CVE-2025-63056
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 10.12%
||
7 Day CHG-0.01%
Published-09 Dec, 2025 | 14:52
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form by BestWebSoft plugin <= 4.3.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in bestwebsoft Contact Form by BestWebSoft contact-form-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by BestWebSoft: from n/a through <= 4.3.6.

Action-Not Available
Vendor-BestWebSoft
Product-Contact Form by BestWebSoft
CWE ID-CWE-862
Missing Authorization
CVE-2025-64238
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.83%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPS Bidouille plugin <= 1.33.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in NicolasKulka WPS Bidouille wps-bidouille allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPS Bidouille: from n/a through <= 1.33.1.

Action-Not Available
Vendor-NicolasKulka
Product-WPS Bidouille
CWE ID-CWE-862
Missing Authorization
CVE-2025-62869
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.69%
||
7 Day CHG-0.02%
Published-09 Dec, 2025 | 14:52
Updated-28 Apr, 2026 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Gravitec.net – Web Push Notifications plugin <= 2.9.17 - Broken Access Control vulnerability

Missing Authorization vulnerability in Gravitec.net - Web Push Notifications Gravitec.net – Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gravitec.net – Web Push Notifications: from n/a through <= 2.9.17.

Action-Not Available
Vendor-Gravitec.net - Web Push Notifications
Product-Gravitec.net – Web Push Notifications
CWE ID-CWE-862
Missing Authorization
CVE-2025-64244
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.83%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Restrict Elementor Widgets, Columns and Sections plugin <= 1.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in Codexpert, Inc Restrict Elementor Widgets, Columns and Sections restrict-elementor-widgets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Restrict Elementor Widgets, Columns and Sections: from n/a through <= 1.12.

Action-Not Available
Vendor-Codexpert, Inc
Product-Restrict Elementor Widgets, Columns and Sections
CWE ID-CWE-862
Missing Authorization
CVE-2025-64139
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.18%
||
7 Day CHG~0.00%
Published-29 Oct, 2025 | 13:29
Updated-04 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Action-Not Available
Vendor-Jenkins
Product-start_windocks_containerJenkins Start Windocks Containers Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-64219
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-29 Oct, 2025 | 08:38
Updated-28 Apr, 2026 | 18:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Business Directory plugin <= 6.4.18 - Broken Access Control vulnerability

Missing Authorization vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business Directory: from n/a through <= 6.4.18.

Action-Not Available
Vendor-Strategy11 Team
Product-Business Directory
CWE ID-CWE-862
Missing Authorization
CVE-2025-62882
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-27 Oct, 2025 | 01:33
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Seriously Simple Podcasting plugin <= 3.13.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0.

Action-Not Available
Vendor-castosCraig Hewitt
Product-seriously_simple_podcastingSeriously Simple Podcasting
CWE ID-CWE-862
Missing Authorization
CVE-2025-64142
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.18%
||
7 Day CHG~0.00%
Published-29 Oct, 2025 | 13:29
Updated-04 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Action-Not Available
Vendor-Jenkins
Product-nexus_task_runnerJenkins Nexus Task Runner Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-62928
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.03%
||
7 Day CHG~0.00%
Published-27 Oct, 2025 | 01:34
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SEO Meta Description Updater plugin <= 1.2.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Joby Joseph SEO Meta Description Updater seo-meta-description-updater allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEO Meta Description Updater: from n/a through <= 1.2.0.

Action-Not Available
Vendor-Joby Joseph
Product-SEO Meta Description Updater
CWE ID-CWE-862
Missing Authorization
CVE-2025-62932
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-27 Oct, 2025 | 01:34
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Table Block by RioVizual plugin <= 3.0.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in wprio Table Block by RioVizual riovizual allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Table Block by RioVizual: from n/a through <= 3.0.0.

Action-Not Available
Vendor-wprio
Product-Table Block by RioVizual
CWE ID-CWE-862
Missing Authorization
CVE-2025-63018
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.78%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:51
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Bard theme <= 2.229 - Broken Access Control vulnerability

Missing Authorization vulnerability in wproyal Bard bard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bard: from n/a through <= 2.229.

Action-Not Available
Vendor-Royal Elementor Addons
Product-Bard
CWE ID-CWE-862
Missing Authorization
CVE-2025-64242
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.83%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Property Listings plugin <= 3.5.22 - Broken Access Control vulnerability

Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.22.

Action-Not Available
Vendor-Merv Barrett
Product-Easy Property Listings
CWE ID-CWE-862
Missing Authorization
CVE-2025-62995
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.69%
||
7 Day CHG-0.02%
Published-09 Dec, 2025 | 14:52
Updated-28 Apr, 2026 | 19:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MultiParcels Shipping For WooCommerce plugin <= 1.30.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in multiparcels MultiParcels Shipping For WooCommerce multiparcels-shipping-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MultiParcels Shipping For WooCommerce: from n/a through <= 1.30.12.

Action-Not Available
Vendor-multiparcels
Product-MultiParcels Shipping For WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-63015
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.69%
||
7 Day CHG-0.02%
Published-09 Dec, 2025 | 14:52
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Payment Gateway – Paysera plugin <= 3.10.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in paysera WooCommerce Payment Gateway - Paysera woo-payment-gateway-paysera allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Payment Gateway - Paysera: from n/a through <= 3.10.0.

Action-Not Available
Vendor-paysera
Product-WooCommerce Payment Gateway - Paysera
CWE ID-CWE-862
Missing Authorization
CVE-2023-4948
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.32%
||
7 Day CHG~0.00%
Published-14 Sep, 2023 | 03:24
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WooCommerce CVR Payment Gateway < 6.1.0 - Missing Authorization to Authenticated (Contributor+) CVR Update

The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_cvr_data AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above, to update CVR numbers for orders.

Action-Not Available
Vendor-yancoYan&Co
Product-woocommerce_cvr_payment_gatewayWooCommerce CVR Payment Gateway
CWE ID-CWE-862
Missing Authorization
CVE-2023-4947
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.57%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 06:35
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WooCommerce EAN Payment Gateway < 6.1.0 - Missing Authorization to Authenticated (Contributor+) EAN Update

The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_ean_data AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above, to update EAN numbers for orders.

Action-Not Available
Vendor-yancoYan&Co
Product-woocommerce_ean_payment_gatewayWooCommerce EAN Payment Gateway
CWE ID-CWE-862
Missing Authorization
CVE-2023-49758
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.22%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:30
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Booking System plugin <= 2.0.19.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Roland Murg WP Booking System wp-booking-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Booking System: from n/a through <= 2.0.19.2.

Action-Not Available
Vendor-Roland Murg
Product-WP Booking System
CWE ID-CWE-862
Missing Authorization
CVE-2024-9364
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.01%
||
7 Day CHG~0.00%
Published-18 Oct, 2024 | 04:32
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SendGrid for WordPress <= 1.4 - Missing Authorization to Authenticated (Subscriber+) Log Deletion

The SendGrid for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_mailplus_clear_logs' function in all versions up to, and including, 1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's log files.

Action-Not Available
Vendor-smackcoderssmackcoders
Product-sendgridSendGrid for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-9187
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.31%
||
7 Day CHG~0.00%
Published-12 Oct, 2024 | 05:39
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Read more By Adam <= 1.1.8 - Missing Authorization to Authenticated (Subscriber+) Read More Button Deletion

The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete read more buttons.

Action-Not Available
Vendor-Adam Skaat (Edmonsoft)
Product-Read more By Adam
CWE ID-CWE-862
Missing Authorization
CVE-2025-62131
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.83%
||
7 Day CHG~0.00%
Published-31 Dec, 2025 | 16:04
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Tasty Recipes Lite plugin <= 1.1.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Strategy11 Team Tasty Recipes Lite tasty-recipes-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tasty Recipes Lite: from n/a through <= 1.1.5.

Action-Not Available
Vendor-Strategy11 Team
Product-Tasty Recipes Lite
CWE ID-CWE-862
Missing Authorization
CVE-2025-62751
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 16.39%
||
7 Day CHG~0.00%
Published-31 Dec, 2025 | 16:02
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Vireo theme <= 1.0.24 - Broken Access Control vulnerability

Missing Authorization vulnerability in extendthemes Vireo vireo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vireo: from n/a through <= 1.0.24.

Action-Not Available
Vendor-extendthemesextendthemes
Product-vireoVireo
CWE ID-CWE-862
Missing Authorization
CVE-2023-49196
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.22%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:30
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pagelayer plugin <= 1.7.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Pagelayer Team PageLayer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PageLayer: from n/a through 1.7.7.

Action-Not Available
Vendor-Pagelayer Team
Product-PageLayer
CWE ID-CWE-862
Missing Authorization
CVE-2024-9626
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.31%
||
7 Day CHG~0.00%
Published-26 Oct, 2024 | 01:58
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Editorial Assistant by Sovrn <= 1.3.3 - Missing Authorization to Authenticated (Subscriber+) Attachment Upload and Set Post Featured Image

The Editorial Assistant by Sovrn plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_zemanta_set_featured_image' function in versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload attachment files (such as jpg, png, txt, zip), and set the post featured image.

Action-Not Available
Vendor-zemanta
Product-Editorial Assistant by Sovrn
CWE ID-CWE-862
Missing Authorization
CVE-2025-62099
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.91%
||
7 Day CHG~0.00%
Published-31 Dec, 2025 | 16:41
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Signature Add-On for Gravity Forms plugin <= 1.8.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in approveme Signature Add-On for Gravity Forms gravity-signature-forms-add-on allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Signature Add-On for Gravity Forms: from n/a through <= 1.8.6.

Action-Not Available
Vendor-approveme
Product-Signature Add-On for Gravity Forms
CWE ID-CWE-862
Missing Authorization
CVE-2026-6703
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 10.18%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 06:43
Updated-22 Apr, 2026 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Responsive Blocks <= 2.2.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via AJAX Actions

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify global site-wide plugin configuration options, including toggling custom CSS, disabling blocks, changing layout defaults such as content width, container padding, and container gap, and altering auto-block-recovery behavior.

Action-Not Available
Vendor-CyberChimps Inc.
Product-Responsive Blocks – Page Builder for Blocks & Patterns
CWE ID-CWE-862
Missing Authorization
CVE-2024-9705
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 32.87%
||
7 Day CHG~0.00%
Published-06 Dec, 2024 | 08:24
Updated-08 Apr, 2026 | 18:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Coming Soon & Maintenance <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Template Name Update

The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ucsm_update_template_name_lite' function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the name of the plugin's templates.

Action-Not Available
Vendor-rsthemerstheme2017
Product-ultimate_coming_soon_\&_maintenanceUltimate Coming Soon & Maintenance
CWE ID-CWE-862
Missing Authorization
CVE-2025-62104
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.51%
||
7 Day CHG~0.00%
Published-23 Apr, 2026 | 11:02
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ACF Galerie 4 plugin <= 1.4.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Navneil Naicker ACF Galerie 4 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ACF Galerie 4: from n/a through 1.4.2.

Action-Not Available
Vendor-Navneil Naicker
Product-ACF Galerie 4
CWE ID-CWE-862
Missing Authorization
CVE-2025-62073
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MeetingHub plugin <= 1.23.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Sovlix MeetingHub meetinghub.This issue affects MeetingHub: from n/a through <= 1.23.9.

Action-Not Available
Vendor-Sovlix
Product-MeetingHub
CWE ID-CWE-862
Missing Authorization
CVE-2024-9531
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 32.87%
||
7 Day CHG~0.00%
Published-24 Oct, 2024 | 07:35
Updated-08 Apr, 2026 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 - Missing Authorization to Forged Vendor Profile Deletion Email Sending

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvx_sent_deactivation_request' function in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send a canned email to the site's administrator asking to delete the profile of an arbitrary vendor.

Action-Not Available
Vendor-multivendorxwcmp
Product-multivendorxMultiVendorX – WooCommerce Multivendor Marketplace Solutions
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2025-62072
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Front End Users plugin <= 3.2.33 - Broken Access Control vulnerability

Missing Authorization vulnerability in Rustaurius Front End Users front-end-only-users.This issue affects Front End Users: from n/a through <= 3.2.33.

Action-Not Available
Vendor-Rustaurius
Product-Front End Users
CWE ID-CWE-862
Missing Authorization
CVE-2024-8860
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.92%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 07:06
Updated-08 Apr, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tourfic <= 2.14.5 - Missing Authorization in Multiple Functions

The Tourfic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields functions in all versions up to, and including, 2.14.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields, respectively.

Action-Not Available
Vendor-themefic
Product-Tourfic – Travel Booking, Hotel Booking & Car Rental WordPress Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2021-34648
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 44.19%
||
7 Day CHG~0.00%
Published-22 Sep, 2021 | 17:53
Updated-31 Mar, 2025 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ninja Forms <= 3.5.7 Unprotected REST-API to Email Injection

The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /ninja-forms-submissions/email-action REST API which can be used to socially engineer victims.

Action-Not Available
Vendor-Saturday Drive, INC
Product-ninja_formsNinja Forms
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2025-62070
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.59%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WowRevenue plugin <= 1.2.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPXPO WowRevenue revenue.This issue affects WowRevenue: from n/a through <= 1.2.13.

Action-Not Available
Vendor-WPXPO
Product-WowRevenue
CWE ID-CWE-862
Missing Authorization
CVE-2024-9109
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.36%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 05:35
Updated-08 Apr, 2026 | 18:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UPS Live Rates and Access Points <= 2.3.12 - Missing Authorization to Plugin API key reset

The WooCommerce UPS Shipping – Live Rates and Access Points plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_oauth_data function in all versions up to, and including, 2.3.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's API key.

Action-Not Available
Vendor-octolizeoctolize
Product-woocommerce_ups_shippingShipping Live Rates and Access Points for UPS for WooCommerce
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 25
  • 26
  • Next
Details not found