Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-6786

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-04 Jul, 2025 | 01:43
Updated At-08 Apr, 2026 | 16:33
Rejected At-
Credits

DocCheck Login <= 1.1.5 - Unauthorized Post Access

The DocCheck Login plugin for WordPress is vulnerable to unauthorized post access in all versions up to, and including, 1.1.5. This is due to plugin redirecting a user to login on a password protected post after the page has loaded. This makes it possible for unauthenticated attackers to read posts they should not have access to.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:04 Jul, 2025 | 01:43
Updated At:08 Apr, 2026 | 16:33
Rejected At:
▼CVE Numbering Authority (CNA)
DocCheck Login <= 1.1.5 - Unauthorized Post Access

The DocCheck Login plugin for WordPress is vulnerable to unauthorized post access in all versions up to, and including, 1.1.5. This is due to plugin redirecting a user to login on a password protected post after the page has loaded. This makes it possible for unauthenticated attackers to read posts they should not have access to.

Affected Products
Vendor
antwerpes
Product
DocCheck Login
Default Status
unaffected
Versions
Affected
  • From 0 through 1.1.5 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-284CWE-284 Improper Access Control
Type: CWE
CWE ID: CWE-284
Description: CWE-284 Improper Access Control
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Jonas Benjamin Friedli
Timeline
EventDate
Disclosed2025-07-03 12:24:08
Event: Disclosed
Date: 2025-07-03 12:24:08
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/0739b5ec-b1c4-4451-97c1-f8d5ed26a2d5?source=cve
N/A
https://wordpress.org/plugins/doccheck-login/
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3332723%40doccheck-login&new=3332723%40doccheck-login&sfp_email=&sfph_mail=
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/0739b5ec-b1c4-4451-97c1-f8d5ed26a2d5?source=cve
Resource: N/A
Hyperlink: https://wordpress.org/plugins/doccheck-login/
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3332723%40doccheck-login&new=3332723%40doccheck-login&sfp_email=&sfph_mail=
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:04 Jul, 2025 | 03:15
Updated At:08 Apr, 2026 | 17:20

The DocCheck Login plugin for WordPress is vulnerable to unauthorized post access in all versions up to, and including, 1.1.5. This is due to plugin redirecting a user to login on a password protected post after the page has loaded. This makes it possible for unauthenticated attackers to read posts they should not have access to.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-284Secondarysecurity@wordfence.com
CWE ID: CWE-284
Type: Secondary
Source: security@wordfence.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3332723%40doccheck-login&new=3332723%40doccheck-login&sfp_email=&sfph_mail=security@wordfence.com
N/A
https://wordpress.org/plugins/doccheck-login/security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/0739b5ec-b1c4-4451-97c1-f8d5ed26a2d5?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3332723%40doccheck-login&new=3332723%40doccheck-login&sfp_email=&sfph_mail=
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://wordpress.org/plugins/doccheck-login/
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/0739b5ec-b1c4-4451-97c1-f8d5ed26a2d5?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

230Records found

CVE-2025-4980
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.53% / 40.72%
||
7 Day CHG~0.00%
Published-20 May, 2025 | 14:00
Updated-12 Jun, 2025 | 16:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netgear DGND3700 mini_http currentsetting.htm information disclosure

A vulnerability has been found in Netgear DGND3700 1.1.00.15_1.00.15NA and classified as problematic. This vulnerability affects unknown code of the file /currentsetting.htm of the component mini_http. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other products might be affected as well. The vendor was contacted early about this disclosure.

Action-Not Available
Vendor-NETGEAR, Inc.
Product-dgnd3700_firmwaredgnd3700DGND3700
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-4752
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.92% / 55.80%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 06:00
Updated-03 Jun, 2025 | 15:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DI-7003GV2 install_base.data information disclosure

A vulnerability has been found in D-Link DI-7003GV2 24.04.18D1 R(68125) and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /install_base.data. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-di-7003g_firmwaredi-7003gDI-7003GV2
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2019-10962
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-5.3||MEDIUM
EPSS-1.68% / 74.03%
||
7 Day CHG~0.00%
Published-13 Jun, 2019 | 20:03
Updated-04 Aug, 2024 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BD Alaris Gateway versions, 1.0.13,1.1.3 Build 10,1.1.3 MR Build 11,1.1.5, and 1.1.6, The web browser user interface on the Alaris Gateway Workstation does not prevent an attacker with knowledge of the IP address of the Alaris Gateway Workstation terminal to gain access to the status and configuration information of the device.

Action-Not Available
Vendor-n/aBecton, Dickinson and Company
Product-alaris_gateway_workstation_firmwarealaris_gateway_workstationBD Alaris Gateway Workstation
CWE ID-CWE-284
Improper Access Control
CVE-2024-25980
Matching Score-4
Assigner-Fedora Project
ShareView Details
Matching Score-4
Assigner-Fedora Project
CVSS Score-4.3||MEDIUM
EPSS-0.53% / 41.05%
||
7 Day CHG~0.00%
Published-19 Feb, 2024 | 16:32
Updated-23 Jan, 2025 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Msa-24-0003: h5p attempts report did not respect activity group settings

Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

Action-Not Available
Vendor-Moodle Pty LtdFedora Project
Product-moodlefedorah5p
CWE ID-CWE-284
Improper Access Control
CVE-2024-25981
Matching Score-4
Assigner-Fedora Project
ShareView Details
Matching Score-4
Assigner-Fedora Project
CVSS Score-4.3||MEDIUM
EPSS-0.58% / 43.49%
||
7 Day CHG~0.00%
Published-19 Feb, 2024 | 16:32
Updated-23 Jan, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Msa-24-0004: forum export did not respect activity group settings

Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.

Action-Not Available
Vendor-Moodle Pty LtdFedora Project
Product-moodlefedora
CWE ID-CWE-284
Improper Access Control
CVE-2025-4535
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.53% / 41.01%
||
7 Day CHG~0.00%
Published-11 May, 2025 | 08:00
Updated-08 Jul, 2025 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gosuncn Technology Group Audio-Visual Integrated Management Platform Configuration File config.properties information disclosure

A vulnerability, which was classified as problematic, was found in Gosuncn Technology Group Audio-Visual Integrated Management Platform 4.0. Affected is an unknown function of the file /config/config.properties of the component Configuration File Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-gosuncntechGosuncn Technology Group
Product-group_audio-visual_integrated_managementAudio-Visual Integrated Management Platform
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-46118
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.50% / 39.21%
||
7 Day CHG~0.00%
Published-21 Jul, 2025 | 00:00
Updated-05 Aug, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139 and in Ruckus ZoneDirector prior to 10.5.1.0.279, where hard-coded credentials for the ftpuser account provide FTP access to the controller, enabling a remote attacker to upload or retrieve arbitrary files from writable firmware directories and thereby expose sensitive information or compromise the controller.

Action-Not Available
Vendor-ruckuswirelesscommscopen/a
Product-ruckus_r350ruckus_r310ruckus_r510ruckus_r560ruckus_r320ruckus_t670ruckus_t811-cm_\(non-sfp\)ruckus_t310sruckus_t750seruckus_t350cruckus_unleashedruckus_r850ruckus_e510ruckus_c110ruckus_r760ruckus_h320ruckus_t310nruckus_r610ruckus_t750ruckus_r350eruckus_t350seruckus_zonedirectorruckus_m510ruckus_t610ruckus_t350druckus_h550ruckus_r710ruckus_h510ruckus_r750ruckus_r770ruckus_t710ruckus_r550ruckus_r650ruckus_t811-cmzonedirector_1200ruckus_r670ruckus_r720ruckus_t710sruckus_m510-jpruckus_h350ruckus_r730ruckus_t310cn/a
CWE ID-CWE-284
Improper Access Control
CVE-2022-1563
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.72% / 49.53%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 15:50
Updated-20 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPGraphQL WooCommerce <= 0.11.0 - Unauthenticated Coupon Codes Disclosure

The WPGraphQL WooCommerce WordPress plugin before 0.12.4 does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL.

Action-Not Available
Vendor-wpengineUnknown
Product-wpgraphqlwp-graphql-woocommerce
CWE ID-CWE-284
Improper Access Control
CVE-2024-2191
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.43% / 34.70%
||
7 Day CHG~0.00%
Published-26 Jun, 2024 | 23:31
Updated-17 Sep, 2024 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in GitLab

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members only.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-284
Improper Access Control
CVE-2025-4119
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.51% / 39.66%
||
7 Day CHG+0.02%
Published-30 Apr, 2025 | 13:31
Updated-16 May, 2025 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weitong Mall Product Statistics queryTotal access control

A vulnerability classified as critical was found in Weitong Mall 1.0.0. This vulnerability affects unknown code of the file /queryTotal of the component Product Statistics Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-weitongWeitong
Product-mallMall
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-5003
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.93%
||
7 Day CHG~0.00%
Published-28 Mar, 2026 | 17:30
Updated-24 Apr, 2026 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PromtEngineer localGPT Web api_server.py handle_index information disclosure

A vulnerability was found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. This affects the function handle_index of the file rag_system/api_server.py of the component Web Interface. Performing a manipulation results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-PromtEngineer
Product-localGPT
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2025-36909
Matching Score-4
Assigner-Google Devices
ShareView Details
Matching Score-4
Assigner-Google Devices
CVSS Score-5.3||MEDIUM
EPSS-0.13% / 3.09%
||
7 Day CHG~0.00%
Published-04 Sep, 2025 | 05:00
Updated-05 Sep, 2025 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Information disclosure

Action-Not Available
Vendor-Google LLC
Product-androidAndroid
CWE ID-CWE-284
Improper Access Control
CVE-2024-1823
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.68% / 47.88%
||
7 Day CHG~0.00%
Published-23 Feb, 2024 | 15:31
Updated-07 Dec, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CodeAstro Simple Voting System Backend users.php access control

A vulnerability classified as critical was found in CodeAstro Simple Voting System 1.0. Affected by this vulnerability is an unknown functionality of the file users.php of the component Backend. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254611.

Action-Not Available
Vendor-CodeAstro
Product-simple_voting_systemSimple Voting Systemsimple_voting_system
CWE ID-CWE-284
Improper Access Control
CVE-2025-3790
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.58% / 43.65%
||
7 Day CHG~0.00%
Published-18 Apr, 2025 | 13:00
Updated-15 Oct, 2025 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
baseweb JSite Apache Druid Monitoring Console index.html access control

A vulnerability classified as critical has been found in baseweb JSite 1.0. This affects an unknown part of the file /druid/index.html of the component Apache Druid Monitoring Console. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-jsitebaseweb
Product-jsiteJSite
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2026-5215
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.84% / 53.44%
||
7 Day CHG~0.00%
Published-31 Mar, 2026 | 21:15
Updated-02 Apr, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 network_mgr.cgi cgi_get_ipv6 access control

A vulnerability was identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The impacted element is the function cgi_get_ipv6 of the file /cgi-bin/network_mgr.cgi. Such manipulation leads to improper access controls. The exploit is publicly available and might be used.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-320lwdns-322l_firmwaredns-1100-4_firmwaredns-345dnr-326_firmwaredns-327ldns-326_firmwarednr-326dns-327l_firmwaredns-321_firmwaredns-322ldns-320_firmwaredns-120dns-321dns-343dns-315l_firmwaredns-315ldns-340ldnr-202ldns-320lw_firmwaredns-325_firmwaredns-1550-04_firmwaredns-120_firmwaredns-320ldns-1200-05dns-726-4_firmwaredns-1200-05_firmwaredns-726-4dns-320l_firmwaredns-1550-04dns-325dns-323_firmwaredns-343_firmwaredns-340l_firmwaredns-323dns-326dnr-202l_firmwaredns-345_firmwaredns-320dns-1100-4DNS-321DNS-323DNS-1550-04DNS-1100-4DNS-327LDNR-202LDNS-320LWDNR-322LDNS-345DNS-320DNS-1200-05DNS-340LDNS-320LDNS-326DNR-326DNS-315LDNS-726-4DNS-325DNS-120DNS-343
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2026-5311
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.99% / 58.25%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 19:45
Updated-07 Apr, 2026 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 file_center.cgi Webdav_Access_List access control

A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected is the function Webdav_Access_List of the file /cgi-bin/file_center.cgi. Performing a manipulation of the argument cmd results in improper access controls. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-320lwdns-322l_firmwaredns-1100-4_firmwaredns-345dnr-326_firmwaredns-327ldns-326_firmwarednr-326dns-327l_firmwaredns-321_firmwaredns-322ldns-320_firmwaredns-120dns-321dns-343dns-315l_firmwaredns-315ldns-340ldnr-202ldns-320lw_firmwaredns-325_firmwaredns-1550-04_firmwaredns-120_firmwaredns-320ldns-1200-05dns-726-4_firmwaredns-1200-05_firmwaredns-726-4dns-320l_firmwaredns-1550-04dns-325dns-323_firmwaredns-343_firmwaredns-340l_firmwaredns-323dns-326dnr-202l_firmwaredns-345_firmwaredns-320dns-1100-4DNS-321DNS-323DNS-1550-04DNS-1100-4DNS-327LDNR-202LDNS-320LWDNR-322LDNS-345DNS-320DNS-1200-05DNS-340LDNS-320LDNS-326DNR-326DNS-315LDNS-726-4DNS-325DNS-120DNS-343
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2024-1472
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.46% / 36.75%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-08 Apr, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Maintenance <= 6.1.6 - Information Exposure

The WP Maintenance plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.1.6 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's maintenance mode obtain post and page content via REST API.

Action-Not Available
Vendor-restezconnectesflorent73
Product-wp_maintenanceWP Maintenance
CWE ID-CWE-284
Improper Access Control
CVE-2024-1478
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.53% / 41.04%
||
7 Day CHG~0.00%
Published-05 Mar, 2024 | 01:55
Updated-08 Apr, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Maintenance Mode <= 3.0.1 - Information Exposure

The Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.1 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page content via API thus bypassing the content protection provided by the plugin.

Action-Not Available
Vendor-helderkhelderkhelderk
Product-maintenance_modeMaintenance Modemaintenance_mode
CWE ID-CWE-284
Improper Access Control
CVE-2024-1492
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.46% / 36.35%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-08 Apr, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPify Woo Czech <= 4.0.8 - Missing Authorization

The WPify Woo Czech plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the maybe_send_to_packeta function in all versions up to, and including, 4.0.8. This makes it possible for unauthenticated attackers to obtain shipping details for orders as long as the order number is known.

Action-Not Available
Vendor-wpifywpifywpify
Product-woo_czechWPify Woo Czechwpify_woo_czech
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2024-1418
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.43% / 34.20%
||
7 Day CHG~0.00%
Published-04 Apr, 2024 | 05:34
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CGC Maintenance Mode <= 1.2 - Sensitive Information Exposure

The CGC Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2 via the REST API. This makes it possible for unauthenticated attackers to view protected posts via REST API even when maintenance mode is enabled.

Action-Not Available
Vendor-mordauk
Product-CGC Maintenance Mode
CWE ID-CWE-284
Improper Access Control
CVE-2024-1476
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.48% / 37.91%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 08:33
Updated-08 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Under Construction / Maintenance Mode from Acurax <= 2.6 - Information Exposure

The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6 via the REST API. This makes it possible for unauthenticated attackers to obtain the contents of posts and pages when maintenance mode is active thus bypassing the protection provided by the plugin.

Action-Not Available
Vendor-Acurax Technologies
Product-under_construction_\/_maintenance_modeUnder Construction / Maintenance Mode from Acuraxunder_construction_\/_maintenance_mode
CWE ID-CWE-284
Improper Access Control
CVE-2024-1370
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.45% / 35.68%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Maintenance Page <= 1.0.8 - Missing Authorization to Sensitive Information Exposure

The Maintenance Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the subscribe_download function hooked via AJAX action in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with subscriber access or higher, to download a csv containing subscriber emails.

Action-Not Available
Vendor-themegrillthemegrill
Product-maintenance_pageMaintenance Page
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2024-1473
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.53% / 41.07%
||
7 Day CHG~0.00%
Published-20 Mar, 2024 | 06:48
Updated-08 Apr, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Coming Soon & Maintenance Mode by Colorlib <= 1.0.99 - Information Exposure

The Coming Soon & Maintenance Mode by Colorlib plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.99 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page contents via REST API thus bypassing maintenance mode protection provided by the plugin.

Action-Not Available
Vendor-colorlibcolorlibpluginscolorlib
Product-coming_soon_\&_maintenance_modeComing Soon & Maintenance Mode by Colorlibcoming_soon_\&_maintenance_mode
CWE ID-CWE-284
Improper Access Control
CVE-2024-1462
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.53% / 40.85%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-08 Apr, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Maintenance Page <= 1.0.8 - Security Mechanism Bypass via REST API

The Maintenance Page plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 1.0.8 via the REST API. This makes it possible for unauthenticated attackers to view post titles and content when the site is in maintenance mode.

Action-Not Available
Vendor-themegrillthemegrillthemegrill
Product-maintenance_pageMaintenance Pagemaintenance_page
CWE ID-CWE-284
Improper Access Control
CVE-2024-1475
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.46% / 36.75%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-08 Apr, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Coming Soon Maintenance Mode <= 1.0.5 - Information Exposure

The Coming Soon Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.5 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page content thus bypassing the protection provided by the plugin.

Action-Not Available
Vendor-A WP Life
Product-coming_soon_maintenance_modeComing Soon Maintenance Mode
CWE ID-CWE-284
Improper Access Control
CVE-2024-13457
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.31% / 22.93%
||
7 Day CHG+0.01%
Published-30 Jan, 2025 | 06:41
Updated-08 Apr, 2026 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Event Tickets <= 5.18.1 - Insecure Direct Object Reference to Sensitive Information Exposure

The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails and order date.

Action-Not Available
Vendor-The Events Calendar (StellarWP)Liquid Web, LLC
Product-event_ticketsEvent Tickets and Registration
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-13693
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.31% / 22.44%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 09:21
Updated-08 Apr, 2026 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Enfold <= 6.0.9 - Missing Authorization to Sensitive Information Disclosure in avia-export-class.php

The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may included sensitive information such as the Mailchimp API Key, reCAPTCHA Secret Key, or Envato private token if they are set.

Action-Not Available
Vendor-kriesiKriesi
Product-enfoldEnfold - Responsive Multi-Purpose Theme
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2024-1294
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.68% / 47.83%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-08 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sunshine Photo Cart: Free Client Galleries for Photographers <= 3.0.24 - Unauthenticated Sensitive Information Exposure via Invoice

The Sunshine Photo Cart: Free Client Galleries for Photographers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.24 via the 'invoice'. This makes it possible for unauthenticated attackers to extract sensitive data including customer email and physical addresses.

Action-Not Available
Vendor-sunshinephotocartsunshinephotocartsunshinephotocart
Product-sunshine_photo_cartSunshine Photo Cart – Client Photo Gallery & Photo Proofing for Photographerssunshine_photo_cart
CWE ID-CWE-284
Improper Access Control
CVE-2024-12294
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 31.55%
||
7 Day CHG~0.00%
Published-11 Dec, 2024 | 10:57
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Last Viewed Posts by WPBeginner <= 1.0.1 - Unauthenticated Sensitive Information Exposure

The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the 'get_legacy_cookies' function. This makes it possible for unauthenticated attackers to extract sensitive data including titles and permalinks of private, password-protected, pending, and draft posts.

Action-Not Available
Vendor-jottlieb
Product-Last Viewed Posts by WPBeginner
CWE ID-CWE-284
Improper Access Control
CVE-2024-13067
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.81% / 52.37%
||
7 Day CHG~0.00%
Published-31 Dec, 2024 | 09:00
Updated-03 Apr, 2025 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CodeAstro Online Food Ordering System All Users Page all_users.php access control

A vulnerability was found in CodeAstro Online Food Ordering System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/all_users.php of the component All Users Page. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-CodeAstro
Product-online_food_ordering_systemOnline Food Ordering System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2024-12896
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.46% / 36.86%
||
7 Day CHG~0.00%
Published-22 Dec, 2024 | 23:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Intelbras VIP S4320 G2 Web Interface webCapsConfig information disclosure

A vulnerability was found in Intelbras VIP S3020 G2, VIP S4020 G2, VIP S4020 G3 and VIP S4320 G2 up to 20241222 and classified as problematic. Affected by this issue is some unknown functionality of the file /web_caps/webCapsConfig of the component Web Interface. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor assesses that "the information disclosed in the URL is not sensitive or poses any risk to the user".

Action-Not Available
Vendor-Intelbras
Product-VIP S4020 G3VIP S4320 G2VIP S4020 G2VIP S3020 G2
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2024-12984
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.58% / 43.53%
||
7 Day CHG~0.00%
Published-27 Dec, 2024 | 14:31
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Amcrest IP2M-841B Web Interface webCapsConfig information disclosure

A vulnerability classified as problematic has been found in Amcrest IP2M-841B, IP2M-841W, IPC-IP2M-841B, IPC-IP3M-943B, IPC-IP3M-943S, IPC-IP3M-HX2B and IPC-IPM-721S up to 20241211. This affects an unknown part of the file /web_caps/webCapsConfig of the component Web Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Amcrest Industries LLC.
Product-IPC-IP3M-HX2BIPC-IPM-721SIP2M-841BIPC-IP3M-943BIP2M-841WIPC-IP3M-943SIPC-IP2M-841B
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2024-11868
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-1.11% / 61.90%
||
7 Day CHG~0.00%
Published-10 Dec, 2024 | 12:24
Updated-08 Apr, 2026 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress – WordPress LMS Plugin <= 4.2.7.3 - Course Material Sensitive Information Exposure via REST API

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via class-lp-rest-material-controller.php. This makes it possible for unauthenticated attackers to extract potentially sensitive paid course material.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-learnpressLearnPress – WordPress LMS Plugin for Create and Sell Online Courseslearnpress
CWE ID-CWE-284
Improper Access Control
CVE-2024-11961
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.86% / 53.99%
||
7 Day CHG~0.00%
Published-28 Nov, 2024 | 15:00
Updated-11 Dec, 2024 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Guangzhou Huayi Intelligent Technology Jeewms WmOmNoticeHController.java preHandle information disclosure

A vulnerability was found in Guangzhou Huayi Intelligent Technology Jeewms 3.7. It has been rated as problematic. This issue affects the function preHandle of the file src/main/java/com/zzjee/wm/controller/WmOmNoticeHController.java. The manipulation of the argument request leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-huayi-tecGuangzhou Huayi Intelligent Technologyguangzhou_huayi_intelligent_technology
Product-jeewmsJeewmsjeewms
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2024-10916
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-1.46% / 70.46%
||
7 Day CHG~0.00%
Published-06 Nov, 2024 | 15:00
Updated-08 Nov, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L HTTP GET Request info.xml information disclosure

A vulnerability classified as problematic has been found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. This affects an unknown part of the file /xml/info.xml of the component HTTP GET Request Handler. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldns-325_firmwaredns-320dns-320lw_firmwaredns-320_firmwaredns-320lwdns-340l_firmwaredns-325DNS-320LWDNS-325DNS-320DNS-340Ldns-340l_firmwaredns-320_firmwaredns-320lw_firmwaredns-325_firmware
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2024-10937
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.35% / 27.08%
||
7 Day CHG+0.01%
Published-05 Dec, 2024 | 08:23
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins <= 2.0.58 - Sensitive Information Exposure

The Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.58 via the wp_ajax_nopriv_related_post_ajax_get_post_ids AJAX action. This makes it possible for unauthenticated attackers to extract sensitive data including titles of posts in draft status.

Action-Not Available
Vendor-pickpluginspickplugins
Product-Related Posts By PickPluginspost_grid_combo
CWE ID-CWE-284
Improper Access Control
CVE-2024-1088
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.58% / 43.33%
||
7 Day CHG~0.00%
Published-05 Mar, 2024 | 01:56
Updated-08 Apr, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Password Protected Store for WooCommerce <= 2.2 - Information Exposure via REST API

The Password Protected Store for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive data including post titles and content.

Action-Not Available
Vendor-rajkakadiyarajkakadiyageek_code_lab
Product-password_protected_store_for_woocommercePassword Protected Store for WooCommercepassword_protected_store
CWE ID-CWE-284
Improper Access Control
CVE-2024-0969
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.48% / 38.07%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 21:22
Updated-08 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ARMember <= 4.0.24 - Improper Access Control to Sensitive Information Exposure via REST API

The ARMember plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "Default Restriction" feature and view restricted post content.

Action-Not Available
Vendor-reputeinfosystemsreputeinfosystemsreputeinfosystems
Product-armemberARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signuparforms
CWE ID-CWE-284
Improper Access Control
CVE-2024-0412
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.81% / 52.41%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 16:31
Updated-03 Jun, 2025 | 14:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DeShang DSShop HTTP GET Request install.php access control

A vulnerability was found in DeShang DSShop up to 3.1.0. It has been declared as problematic. This vulnerability affects unknown code of the file public/install.php of the component HTTP GET Request Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250432.

Action-Not Available
Vendor-csdeshangDeShang
Product-dsshopDSShop
CWE ID-CWE-284
Improper Access Control
CVE-2024-0972
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.44% / 35.53%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 03:53
Updated-08 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BuddyPress Members Only <= 3.4.8 - Improper Access Control to Sensitive Information Exposure via REST API

The BuddyPress Members Only plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.9 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "All Other Sections On Your Site Will be Opened to Guest" feature (when unset) and view restricted page and post content.

Action-Not Available
Vendor-membersonlyzhuyizhuyi
Product-buddypress_members_onlyBuddyPress Members Onlybuddypress_members_only
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2024-0687
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.55% / 41.75%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-08 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Restrict User Access – Ultimate Membership & Content Protection <= 2.5 - Information Exposure

The Restrict User Access – Ultimate Membership & Content Protection plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via API. This makes it possible for unauthenticated attackers to obtain the contents of posts and pages via API.

Action-Not Available
Vendor-dev.instituteintoxstudio
Product-restrict_user_accessRestrict User Access – Ultimate Membership & Content Protection
CWE ID-CWE-284
Improper Access Control
CVE-2024-0413
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.81% / 52.41%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 17:00
Updated-25 Oct, 2024 | 20:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DeShang DSKMS install.php access control

A vulnerability was found in DeShang DSKMS up to 3.1.2. It has been rated as problematic. This issue affects some unknown processing of the file public/install.php. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250433 was assigned to this vulnerability.

Action-Not Available
Vendor-csdeshangDeShang
Product-dskmsDSKMS
CWE ID-CWE-284
Improper Access Control
CVE-2024-0899
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.56% / 42.50%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 18:59
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions <= 230815 - Information Exposure

The s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 230815 via the API. This makes it possible for unauthenticated attackers to see the contents of those posts and pages.

Action-Not Available
Vendor-clavaquewp_sharks
Product-s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptionss2member
CWE ID-CWE-284
Improper Access Control
CVE-2024-0978
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.46% / 36.75%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-08 Apr, 2026 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
My Private Site <= 3.0.14 - Improper Access Control to Sensitive Information Exposure via REST API

The My Private Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.14 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's site privacy feature and view restricted page and post content.

Action-Not Available
Vendor-zatzlabsdgewirtzzatzlabs
Product-my_private_siteMy Private Sitemy_private_site
CWE ID-CWE-284
Improper Access Control
CVE-2023-7223
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.64% / 46.39%
||
7 Day CHG~0.00%
Published-09 Jan, 2024 | 15:31
Updated-17 Jun, 2025 | 20:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Totolink T6 cstecgi.cgi access control

A vulnerability classified as problematic has been found in Totolink T6 4.1.9cu.5241_B20210923. This affects an unknown part of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument topicurl with the input showSyslog leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249867. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-t6t6_firmwareT6
CWE ID-CWE-284
Improper Access Control
CVE-2023-6447
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.56% / 42.74%
||
7 Day CHG~0.00%
Published-22 Jan, 2024 | 19:14
Updated-17 Jun, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EventPrime < 3.3.6 - Unauthenticated Event Access

The EventPrime WordPress plugin before 3.3.6 lacks authentication and authorization, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id/event name.

Action-Not Available
Vendor-UnknownMetagauss Inc.
Product-eventprimeEventPrime
CWE ID-CWE-284
Improper Access Control
CVE-2023-6785
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.55% / 41.75%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Manager <= 3.2.84 - Missing Authorization

The Download Manager plugin for WordPress is vulnerable to unauthorized file download of files added via the plugin in all versions up to, and including, 3.2.84. This makes it possible for unauthenticated attackers to download files added with the plugin (even when privately published).

Action-Not Available
Vendor-WordPress Download Manager ProW3 Eden, Inc.Shahjada (codename065)
Product-download_managerDownload Manager
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2024-0414
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.81% / 52.41%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 17:00
Updated-03 Jun, 2025 | 14:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DeShang DSCMS install.php access control

A vulnerability classified as problematic has been found in DeShang DSCMS up to 3.1.2/7.1. Affected is an unknown function of the file public/install.php. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-250434 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-csdeshangDeShang
Product-dscmsDSCMS
CWE ID-CWE-284
Improper Access Control
CVE-2024-0965
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.48% / 38.09%
||
7 Day CHG~0.00%
Published-08 Feb, 2024 | 08:32
Updated-08 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Page Access Restriction <= 1.0.21 - Improper Access Control to Sensitive Information Exposure via REST API

The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's page restriction and view page content.

Action-Not Available
Vendor-pluginsandsnippetspluginsandsnippets
Product-simple_page_access_restrictionSimple Page Access Restriction
CWE ID-CWE-284
Improper Access Control
CVE-2023-48441
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-5.3||MEDIUM
EPSS-0.78% / 51.55%
||
7 Day CHG~0.00%
Published-15 Dec, 2023 | 10:17
Updated-19 Sep, 2025 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Experience Manager | Improper Access Control (CWE-284)

Adobe Experience Manager versions 6.5.18 and earlier are affected by an Improper Access Control vulnerability. An attacker could leverage this vulnerability to achieve a low-confidentiality impact within the application. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_managerAdobe Experience Manager
CWE ID-CWE-284
Improper Access Control
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next
Details not found