Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-8996

Summary
Assigner-drupal
Assigner Org ID-2c85b837-eb8b-40ed-9d74-228c62987387
Published At-15 Aug, 2025 | 16:27
Updated At-15 Aug, 2025 | 16:41
Rejected At-
Credits

Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097

Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.This issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:drupal
Assigner Org ID:2c85b837-eb8b-40ed-9d74-228c62987387
Published At:15 Aug, 2025 | 16:27
Updated At:15 Aug, 2025 | 16:41
Rejected At:
▼CVE Numbering Authority (CNA)
Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097

Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.This issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0.

Affected Products
Vendor
The Drupal AssociationDrupal
Product
Layout Builder Advanced Permissions
Collection URL
https://www.drupal.org/project/layout_builder_perms
Repo
https://git.drupalcode.org/project/layout_builder_perms
Default Status
unaffected
Versions
Affected
  • From 0.0.0 before 2.2.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-87CAPEC-87 Forceful Browsing
CAPEC ID: CAPEC-87
Description: CAPEC-87 Forceful Browsing
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Eelke Blok (eelkeblok)
finder
Michael Whittaker (mrwhittaker)
remediation developer
Eelke Blok (eelkeblok)
remediation developer
Sorin Dediu (sdstyles)
remediation developer
Sean Blommaert (seanb)
coordinator
Anna Kalata (akalata)
coordinator
Damien McKenna (damienmckenna)
coordinator
Greg Knaddison (greggles)
coordinator
Juraj Nemec (poker10)
coordinator
Cathy Theys (yesct)
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.drupal.org/sa-contrib-2025-097
N/A
Hyperlink: https://www.drupal.org/sa-contrib-2025-097
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:mlhess@drupal.org
Published At:15 Aug, 2025 | 17:15
Updated At:21 Aug, 2025 | 19:59

Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.This issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches

layout_builder_advanced_permissions_project
layout_builder_advanced_permissions_project
>>layout_builder_advanced_permissions>>Versions before 2.2.0(exclusive)
cpe:2.3:a:layout_builder_advanced_permissions_project:layout_builder_advanced_permissions:*:*:*:*:*:drupal:*:*
Weaknesses
CWE IDTypeSource
CWE-862Secondarymlhess@drupal.org
CWE ID: CWE-862
Type: Secondary
Source: mlhess@drupal.org
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://www.drupal.org/sa-contrib-2025-097mlhess@drupal.org
Third Party Advisory
Hyperlink: https://www.drupal.org/sa-contrib-2025-097
Source: mlhess@drupal.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1363Records found

CVE-2026-8495
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-9.8||CRITICAL
EPSS-0.37% / 28.86%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 22:29
Updated-27 May, 2026 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.

Action-Not Available
Vendor-date_ical_projectThe Drupal Association
Product-date_icalDate iCal
CWE ID-CWE-862
Missing Authorization
CVE-2025-9954
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-7.5||HIGH
EPSS-0.28% / 19.79%
||
7 Day CHG~0.00%
Published-29 Oct, 2025 | 23:12
Updated-03 Dec, 2025 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105

Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing.This issue affects Acquia DAM: from 0.0.0 before 1.1.5.

Action-Not Available
Vendor-acquiaThe Drupal Association
Product-damAcquia DAM
CWE ID-CWE-862
Missing Authorization
CVE-2025-48009
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-3.1||LOW
EPSS-0.19% / 8.33%
||
7 Day CHG~0.00%
Published-21 May, 2025 | 16:22
Updated-10 Jun, 2025 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Single Content Sync - Moderately critical - Access bypass - SA-CONTRIB-2025-060

Missing Authorization vulnerability in Drupal Single Content Sync allows Functionality Misuse.This issue affects Single Content Sync: from 0.0.0 before 1.4.12.

Action-Not Available
Vendor-single_content_sync_projectThe Drupal Association
Product-single_content_syncSingle Content Sync
CWE ID-CWE-862
Missing Authorization
CVE-2025-48444
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 13.58%
||
7 Day CHG~0.00%
Published-11 Jun, 2025 | 14:19
Updated-20 Jun, 2025 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-064

Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0.

Action-Not Available
Vendor-quick_node_block_projectThe Drupal Association
Product-quick_node_blockQuick Node Block
CWE ID-CWE-862
Missing Authorization
CVE-2024-13243
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.5||MEDIUM
EPSS-0.26% / 17.59%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 18:49
Updated-04 Jun, 2025 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007

Missing Authorization vulnerability in Drupal Entity Delete Log allows Forceful Browsing.This issue affects Entity Delete Log: from 0.0.0 before 1.1.1.

Action-Not Available
Vendor-entity_delete_log_projectThe Drupal Association
Product-entity_delete_logEntity Delete Log
CWE ID-CWE-862
Missing Authorization
CVE-2024-13303
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 20.90%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:24
Updated-02 Sep, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069

Missing Authorization vulnerability in Drupal Download All Files allows Forceful Browsing.This issue affects Download All Files: from 0.0.0 before 2.0.2.

Action-Not Available
Vendor-download_all_files_projectThe Drupal Association
Product-download_all_filesDownload All Files
CWE ID-CWE-862
Missing Authorization
CVE-2024-13312
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 20.90%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:28
Updated-31 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076

Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 11.8.0 before 12.3.10, from 12.4.0 before 12.4.9.

Action-Not Available
Vendor-The Drupal Association
Product-Open Social
CWE ID-CWE-862
Missing Authorization
CVE-2017-6923
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.5||MEDIUM
EPSS-1.63% / 73.28%
||
7 Day CHG~0.00%
Published-22 Jan, 2019 | 16:00
Updated-16 Sep, 2024 | 17:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Access bypass in Drupal 8 views

In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal core
CWE ID-CWE-862
Missing Authorization
CVE-2025-9549
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.5||MEDIUM
EPSS-0.18% / 8.26%
||
7 Day CHG~0.00%
Published-10 Oct, 2025 | 22:24
Updated-05 Jan, 2026 | 15:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099

Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing.This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.

Action-Not Available
Vendor-facets_projectThe Drupal Association
Product-facetsFacets
CWE ID-CWE-862
Missing Authorization
CVE-2025-7717
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-7.5||HIGH
EPSS-0.35% / 26.99%
||
7 Day CHG~0.00%
Published-21 Jul, 2025 | 16:37
Updated-26 Aug, 2025 | 20:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089

Missing Authorization vulnerability in Drupal File Download allows Forceful Browsing.This issue affects File Download: from 0.0.0 before 1.9.0, from 2.0.0 before 2.0.1.

Action-Not Available
Vendor-file_download_projectThe Drupal Association
Product-file_downloadFile Download
CWE ID-CWE-862
Missing Authorization
CVE-2025-48916
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 9.36%
||
7 Day CHG~0.00%
Published-13 Jun, 2025 | 15:35
Updated-10 Jul, 2025 | 12:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bookable Calendar - Less critical - Access bypass - SA-CONTRIB-2025-070

Missing Authorization vulnerability in Drupal Bookable Calendar allows Forceful Browsing.This issue affects Bookable Calendar: from 0.0.0 before 2.2.13.

Action-Not Available
Vendor-joshfabeanThe Drupal Association
Product-bookable_calendarBookable Calendar
CWE ID-CWE-862
Missing Authorization
CVE-2025-48013
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 13.58%
||
7 Day CHG~0.00%
Published-11 Jun, 2025 | 14:20
Updated-20 Jun, 2025 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065

Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0.

Action-Not Available
Vendor-quick_node_block_projectThe Drupal Association
Product-quick_node_blockQuick Node Block
CWE ID-CWE-862
Missing Authorization
CVE-2025-8361
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-7.6||HIGH
EPSS-0.25% / 16.58%
||
7 Day CHG~0.00%
Published-15 Aug, 2025 | 16:26
Updated-21 Aug, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Config Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-093

Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.This issue affects Config Pages: from 0.0.0 before 2.18.0.

Action-Not Available
Vendor-config_pages_projectThe Drupal Association
Product-config_pagesConfig Pages
CWE ID-CWE-862
Missing Authorization
CVE-2025-47709
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 10.80%
||
7 Day CHG~0.00%
Published-14 May, 2025 | 17:03
Updated-10 Jun, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-055

Missing Authorization vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Forceful Browsing.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.

Action-Not Available
Vendor-miniorangeThe Drupal Association
Product-miniorange_2faEnterprise MFA - TFA for Drupal
CWE ID-CWE-862
Missing Authorization
CVE-2025-31685
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-9.1||CRITICAL
EPSS-0.36% / 28.34%
||
7 Day CHG+0.02%
Published-31 Mar, 2025 | 21:43
Updated-29 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014

Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.

Action-Not Available
Vendor-The Drupal Association
Product-Open Social
CWE ID-CWE-862
Missing Authorization
CVE-2025-31678
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-8.2||HIGH
EPSS-0.35% / 27.16%
||
7 Day CHG+0.03%
Published-31 Mar, 2025 | 21:38
Updated-04 Jun, 2025 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004

Missing Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Forceful Browsing.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.3.

Action-Not Available
Vendor-artificial_intelligence_projectThe Drupal Association
Product-artificial_intelligenceAI (Artificial Intelligence)
CWE ID-CWE-862
Missing Authorization
CVE-2025-31691
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 32.06%
||
7 Day CHG+0.03%
Published-31 Mar, 2025 | 21:49
Updated-02 Sep, 2025 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020

Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing.This issue affects OAuth2 Server: from 0.0.0 before 2.1.0.

Action-Not Available
Vendor-oauth2_server_projectThe Drupal Association
Product-oauth2_serverOAuth2 Server
CWE ID-CWE-862
Missing Authorization
CVE-2025-31686
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-8.1||HIGH
EPSS-0.38% / 30.14%
||
7 Day CHG+0.03%
Published-31 Mar, 2025 | 21:44
Updated-29 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015

Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.

Action-Not Available
Vendor-The Drupal Association
Product-Open Social
CWE ID-CWE-862
Missing Authorization
CVE-2025-31681
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 32.06%
||
7 Day CHG+0.03%
Published-31 Mar, 2025 | 21:39
Updated-02 Jun, 2025 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009

Missing Authorization vulnerability in Drupal Authenticator Login allows Forceful Browsing.This issue affects Authenticator Login: from 0.0.0 before 2.0.6.

Action-Not Available
Vendor-authenticator_login_projectThe Drupal Association
Product-authenticator_loginAuthenticator Login
CWE ID-CWE-862
Missing Authorization
CVE-2025-69355
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 5.06%
||
7 Day CHG~0.00%
Published-06 Jan, 2026 | 16:36
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Tickera plugin <= 3.5.6.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.4.

Action-Not Available
Vendor-Tickera
Product-Tickera
CWE ID-CWE-862
Missing Authorization
CVE-2025-69348
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 4.75%
||
7 Day CHG~0.00%
Published-06 Jan, 2026 | 16:36
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress The Events Calendar Countdown Addon plugin <= 1.4.15 - Broken Access Control vulnerability

Missing Authorization vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.15.

Action-Not Available
Vendor-CoolHappy
Product-The Events Calendar Countdown Addon
CWE ID-CWE-862
Missing Authorization
CVE-2025-26656
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 13.14%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 00:35
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in S/4HANA (Manage Purchasing Info Records)

OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on integrity of the application.

Action-Not Available
Vendor-SAP SE
Product-S/4HANA (Manage Purchasing Info Records)
CWE ID-CWE-862
Missing Authorization
CVE-2026-9015
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 21.77%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 07:43
Updated-28 May, 2026 | 13:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Equalize Digital Accessibility Checker <= 1.42.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Accessibility Issue Modification via edac_insert_ignore_data AJAX Action

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site — including mass modification of all rows sharing an 'object' identifier when largeBatch=true is supplied — corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope.

Action-Not Available
Vendor-equalizedigital
Product-Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance
CWE ID-CWE-862
Missing Authorization
CVE-2026-8610
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 21.16%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 01:25
Updated-20 May, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TypeSquare Webfonts for ConoHa <= 2.0.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via 'fontThemeUseType' Parameter

The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's site-wide font settings, including the typesquare_auth option (fontThemeUseType), show_post_form, and typesquare_fonttheme, by submitting a POST request to any wp-admin page. For fontThemeUseType values 1 and 3, no nonce verification is performed either, meaning those branches are additionally exploitable via cross-site request forgery.

Action-Not Available
Vendor-conoha
Product-TypeSquare Webfonts for ConoHa
CWE ID-CWE-862
Missing Authorization
CVE-2026-8692
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 13.16%
||
7 Day CHG~0.00%
Published-22 May, 2026 | 07:50
Updated-22 May, 2026 | 12:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vedrixa Forms <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Structure Modification via wefb_save_form_structure AJAX Action

The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the structure of any form — adding, removing, or altering fields — by writing attacker-controlled data to the plugin's FORMS database table. The 'ajax-nonce' nonce used by this handler is injected into the public frontend via wp_localize_script(), so any authenticated user who visits a page containing a form shortcode can obtain it without any elevated access.

Action-Not Available
Vendor-registrationformbuilder
Product-Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder
CWE ID-CWE-862
Missing Authorization
CVE-2026-9224
Matching Score-4
Assigner-Devolutions Inc.
ShareView Details
Matching Score-4
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 4.75%
||
7 Day CHG~0.00%
Published-22 May, 2026 | 15:25
Updated-22 May, 2026 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-862
Missing Authorization
CVE-2025-26871
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 29.47%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 14:17
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Essential Blocks plugin <= 4.8.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Gutenberg: from n/a through <= 4.8.3.

Action-Not Available
Vendor-WPDeveloper
Product-essential_blocksEssential Blocks for Gutenberg
CWE ID-CWE-862
Missing Authorization
CVE-2025-24649
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 28.58%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-11 May, 2026 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Admin and Site Enhancements (ASE) Plugin <= 7.6.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin and Site Enhancements (ASE): from n/a through <= 7.6.2.

Action-Not Available
Vendor-Bowo
Product-Admin and Site Enhancements (ASE)
CWE ID-CWE-862
Missing Authorization
CVE-2025-24693
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 30.82%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Advanced Notifications plugin <= 1.2.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Yehi Advanced Notifications advanced-notifications allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Notifications: from n/a through <= 1.2.7.

Action-Not Available
Vendor-Yehi
Product-Advanced Notifications
CWE ID-CWE-862
Missing Authorization
CVE-2025-24736
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 24.10%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:25
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Post Duplicator plugin <= 2.35 - Broken Access Control vulnerability

Missing Authorization vulnerability in metaphorcreations Post Duplicator post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Duplicator: from n/a through <= 2.35.

Action-Not Available
Vendor-metaphorcreationsmetaphorcreations
Product-post_duplicatorPost Duplicator
CWE ID-CWE-862
Missing Authorization
CVE-2025-24603
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.58%
||
7 Day CHG~0.00%
Published-27 Jan, 2025 | 14:22
Updated-11 May, 2026 | 23:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce plugin <= 3.4.10 - Broken Access Control vulnerability

Missing Authorization vulnerability in Dmitry V. (CEO of "UKR Solution") Print Barcode Labels for your WooCommerce products/orders a4-barcode-generator.This issue affects Print Barcode Labels for your WooCommerce products/orders: from n/a through <= 3.4.10.

Action-Not Available
Vendor-Dmitry V. (CEO of "UKR Solution")
Product-Print Barcode Labels for your WooCommerce products/orders
CWE ID-CWE-862
Missing Authorization
CVE-2025-24618
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.48% / 38.03%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ElementInvader Addons for Elementor Plugin <= 1.3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.3.1.

Action-Not Available
Vendor-elementinvaderElement Invader
Product-elementinvader_addons_for_elementorElementInvader Addons for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2025-24972
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 27.07%
||
7 Day CHG+0.03%
Published-26 Mar, 2025 | 14:15
Updated-27 Mar, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse may bypass user preference when adding users to chat groups

Discourse is an open-source discussion platform. Prior to versions `3.3.4` on the `stable` branch and `3.4.0.beta5` on the `beta` branch, in specific circumstances, users could be added to group direct messages despite disabling direct messaging in their preferences. Versions `3.3.4` and `3.4.0.beta5` contain a patch for the issue. A workaround is available. If a user disables chat in their preferences then they cannot be added to new group chats.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discourse
CWE ID-CWE-862
Missing Authorization
CVE-2025-24744
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.80%
||
7 Day CHG~0.00%
Published-27 Jan, 2025 | 14:22
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Bridge Core plugin <= 3.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in NotFound Bridge Core. This issue affects Bridge Core: from n/a through 3.3.

Action-Not Available
Vendor-NotFound
Product-Bridge Core
CWE ID-CWE-862
Missing Authorization
CVE-2025-25120
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 20.95%
||
7 Day CHG~0.00%
Published-07 Feb, 2025 | 10:11
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Slide Banners plugin <= 1.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Melodic Media Slide Banners slide-banners allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slide Banners: from n/a through <= 1.3.

Action-Not Available
Vendor-Melodic Media
Product-Slide Banners
CWE ID-CWE-862
Missing Authorization
CVE-2022-43482
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.49% / 38.83%
||
7 Day CHG~0.00%
Published-18 Nov, 2022 | 19:03
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Appointment Booking Calendar plugin <= 1.3.69 - Missing Authorization vulnerability

Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress.

Action-Not Available
Vendor-CodePeople
Product-appointment_booking_calendarAppointment Booking Calendar (WordPress plugin)
CWE ID-CWE-862
Missing Authorization
CVE-2025-24753
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 30.93%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:25
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Kadence Blocks plugin <= 3.3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in StellarWP Gutenberg Blocks by Kadence Blocks kadence-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gutenberg Blocks by Kadence Blocks: from n/a through <= 3.3.1.

Action-Not Available
Vendor-Kadence WPThe Events Calendar (StellarWP)
Product-gutenberg_blocks_with_aiGutenberg Blocks by Kadence Blocks
CWE ID-CWE-862
Missing Authorization
CVE-2025-24591
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.48% / 38.03%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-11 May, 2026 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GDPR CCPA Compliance & Cookie Consent Banner plugin <= 2.7.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ninja Team GDPR CCPA Compliance Support ninja-gdpr-compliance allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GDPR CCPA Compliance Support: from n/a through <= 2.7.1.

Action-Not Available
Vendor-NinjaTeam
Product-gdpr_ccpa_compliance_\&_cookie_consent_bannerGDPR CCPA Compliance Support
CWE ID-CWE-862
Missing Authorization
CVE-2026-8682
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 14.01%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 06:45
Updated-28 May, 2026 | 13:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint

The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.

Action-Not Available
Vendor-hasanazizul
Product-3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On
CWE ID-CWE-862
Missing Authorization
CVE-2026-8689
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 15.31%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 07:43
Updated-28 May, 2026 | 13:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Visualizer: Tables and Charts Manager for WordPress <= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.

Action-Not Available
Vendor-Themeisle
Product-Visualizer: Tables and Charts Manager for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2025-24754
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.58%
||
7 Day CHG~0.00%
Published-27 Jan, 2025 | 13:59
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Houzez theme <= 3.4.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in favethemes Houzez houzez.This issue affects Houzez: from n/a through <= 3.4.0.

Action-Not Available
Vendor-favethemes
Product-Houzez
CWE ID-CWE-862
Missing Authorization
CVE-2025-24613
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 30.82%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-12 May, 2026 | 23:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FV Thoughtful Comments plugin <= 0.3.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in FolioVision FV Thoughtful Comments thoughtful-comments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FV Thoughtful Comments: from n/a through <= 0.3.5.

Action-Not Available
Vendor-FolioVision
Product-FV Thoughtful Comments
CWE ID-CWE-862
Missing Authorization
CVE-2025-24743
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 16.26%
||
7 Day CHG~0.00%
Published-27 Jan, 2025 | 14:22
Updated-11 May, 2026 | 23:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RomethemeKit For Elementor plugin <= 1.5.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Rometheme RTMKit rometheme-for-elementor.This issue affects RTMKit: from n/a through <= 1.5.2.

Action-Not Available
Vendor-Rometheme
Product-RTMKit
CWE ID-CWE-862
Missing Authorization
CVE-2025-24653
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.80%
||
7 Day CHG~0.00%
Published-27 Jan, 2025 | 14:22
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Admin and Site Enhancements (ASE) Pro Plugin <= 7.6.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in NotFound Admin and Site Enhancements (ASE) Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin and Site Enhancements (ASE) Pro: from n/a through 7.6.1.1.

Action-Not Available
Vendor-NotFound
Product-Admin and Site Enhancements (ASE) Pro
CWE ID-CWE-862
Missing Authorization
CVE-2025-69344
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 4.74%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 11:51
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Oneline Lite theme <= 6.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in themehunk Oneline Lite oneline-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Oneline Lite: from n/a through <= 6.6.

Action-Not Available
Vendor-themehunk
Product-Oneline Lite
CWE ID-CWE-862
Missing Authorization
CVE-2025-24584
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.58%
||
7 Day CHG~0.00%
Published-27 Jan, 2025 | 13:59
Updated-11 May, 2026 | 23:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ultimate Store Kit Elementor Addons plugin <= 2.3.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Store Kit Elementor Addons: from n/a through <= 2.3.0.

Action-Not Available
Vendor-BdThemes
Product-Ultimate Store Kit Elementor Addons
CWE ID-CWE-862
Missing Authorization
CVE-2025-69023
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 4.75%
||
7 Day CHG~0.00%
Published-30 Dec, 2025 | 10:47
Updated-28 Apr, 2026 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Discussion Board plugin <= 2.5.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Marketing Fire Discussion Board wp-discussion-board allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Discussion Board: from n/a through <= 2.5.7.

Action-Not Available
Vendor-Marketing Fire
Product-Discussion Board
CWE ID-CWE-862
Missing Authorization
CVE-2026-9050
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 4.87%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 23:28
Updated-02 Jun, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Slider Revolution 6.0.0-6.7.55 and 7.0.0-7.0.14 - Missing Authorization to Authenticated (Contributor+) Arbitrary Plugin Deactivation

The Slider Revolution plugin for WordPress in versions 6.0.0-6.7.55 and 7.0.0-7.0.14 is vulnerable to unauthorized modification of data. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to deactivate any active plugin installed on the site.

Action-Not Available
Vendor-Revolution Slider
Product-Slider Revolution
CWE ID-CWE-862
Missing Authorization
CVE-2026-9234
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 9.76%
||
7 Day CHG~0.00%
Published-02 Jun, 2026 | 07:48
Updated-02 Jun, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JTL-Connector for WooCommerce <= 2.4.1 - Missing Authorization to Authenticated (Subscriber+) Settings Modification via Multiple Functions

The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector action (handled by JtlConnectorAdmin::save()) and on the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX actions (handled by the global downloadJTLLogs() and clearJTLLogs() functions). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings, download a ZIP archive of the connector's developer log files, and delete those log files.

Action-Not Available
Vendor-ntbyk
Product-JTL-Connector for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-8976
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 20.77%
||
7 Day CHG~0.00%
Published-05 Jun, 2026 | 23:28
Updated-08 Jun, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RSS Aggregator by Feedzy <= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users.

Action-Not Available
Vendor-Themeisle
Product-RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 27
  • 28
  • Next
Details not found