Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-1336

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-02 Mar, 2026 | 23:22
Updated At-03 Mar, 2026 | 01:53
Rejected At-
Credits

AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.5 - Missing Authorization to Unauthenticated API Key Modification

The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the store_data() and get_chatgpt_api_key() functions in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to view, modify or delete the plugin's ChatGPT API key. The vulnerability was partially fixed in version 2.7.5 and fully fixed in version 2.7.6

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:02 Mar, 2026 | 23:22
Updated At:03 Mar, 2026 | 01:53
Rejected At:
▼CVE Numbering Authority (CNA)
AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.5 - Missing Authorization to Unauthenticated API Key Modification

The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the store_data() and get_chatgpt_api_key() functions in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to view, modify or delete the plugin's ChatGPT API key. The vulnerability was partially fixed in version 2.7.5 and fully fixed in version 2.7.6

Affected Products
Vendor
AYS Pro Extensionsays-pro
Product
AI ChatBot with ChatGPT and Content Generator by AYS
Default Status
unaffected
Versions
Affected
  • From * through 2.7.5 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Nabil Irawan
Timeline
EventDate
Discovered2026-01-09 00:00:00
Vendor Notified2026-01-22 12:58:26
Disclosed2026-03-02 11:22:35
Event: Discovered
Date: 2026-01-09 00:00:00
Event: Vendor Notified
Date: 2026-01-22 12:58:26
Event: Disclosed
Date: 2026-03-02 11:22:35
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/53b3d441-4938-435f-85c3-707477f0293d?source=cve
N/A
https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.7.4/includes/chatgpt-assistant-db-actions/class-chatgpt-assistant-db-actions.php#L23
N/A
https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.7.4/admin/class-chatgpt-assistant-admin.php#L4060
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/53b3d441-4938-435f-85c3-707477f0293d?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.7.4/includes/chatgpt-assistant-db-actions/class-chatgpt-assistant-db-actions.php#L23
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.7.4/admin/class-chatgpt-assistant-admin.php#L4060
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:03 Mar, 2026 | 00:15
Updated At:03 Mar, 2026 | 21:52

The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the store_data() and get_chatgpt_api_key() functions in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to view, modify or delete the plugin's ChatGPT API key. The vulnerability was partially fixed in version 2.7.5 and fully fixed in version 2.7.6

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity@wordfence.com
CWE ID: CWE-862
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.7.4/admin/class-chatgpt-assistant-admin.php#L4060security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.7.4/includes/chatgpt-assistant-db-actions/class-chatgpt-assistant-db-actions.php#L23security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/53b3d441-4938-435f-85c3-707477f0293d?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.7.4/admin/class-chatgpt-assistant-admin.php#L4060
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.7.4/includes/chatgpt-assistant-db-actions/class-chatgpt-assistant-db-actions.php#L23
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/53b3d441-4938-435f-85c3-707477f0293d?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

697Records found
CVE-2025-53255
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.60%
||
7 Day CHG~0.00%
Published-27 Jun, 2025 | 13:21
Updated-30 Jun, 2025 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress HurryTimer plugin <= 2.13.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Nabil Lemsieh HurryTimer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HurryTimer: from n/a through 2.13.1.

Action-Not Available
Vendor-Nabil Lemsieh
Product-HurryTimer
CWE ID-CWE-862
Missing Authorization
CVE-2025-53304
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.60%
||
7 Day CHG~0.00%
Published-27 Jun, 2025 | 13:21
Updated-30 Jun, 2025 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form – 7 : Hide Success Message plugin <= 1.1.4 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Rohil Contact Form &#8211; 7 : Hide Success Message allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Contact Form &#8211; 7 : Hide Success Message: from n/a through 1.1.4.

Action-Not Available
Vendor-Rohil
Product-Contact Form &#8211; 7 : Hide Success Message
CWE ID-CWE-862
Missing Authorization
CVE-2025-53348
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.09%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 16:25
Updated-11 Sep, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Kalium Theme <= 3.18.3 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Laborator Kalium. This issue affects Kalium: from n/a through 3.18.3.

Action-Not Available
Vendor-Laborator
Product-Kalium
CWE ID-CWE-862
Missing Authorization
CVE-2025-53986
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.38%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 10:36
Updated-16 Jul, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hestia theme <= 3.2.10 - Broken Access Control Vulnerability

Missing Authorization vulnerability in ThemeIsle Hestia allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Hestia: from n/a through 3.2.10.

Action-Not Available
Vendor-Themeisle
Product-Hestia
CWE ID-CWE-862
Missing Authorization
CVE-2022-4169
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.48% / 64.81%
||
7 Day CHG~0.00%
Published-28 Nov, 2022 | 17:33
Updated-07 Feb, 2025 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Theme and plugin translation for Polylang is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function. This makes it possible for unauthenticated attackers to update plugin and theme translation settings and to import translation strings.

Action-Not Available
Vendor-theme_and_plugin_translation_for_polylang_projectmarcinkazmierski
Product-theme_and_plugin_translation_for_polylangTheme and plugin translation for Polylang (TTfP)
CWE ID-CWE-862
Missing Authorization
CVE-2026-1932
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.02% / 5.20%
||
7 Day CHG~0.00%
Published-14 Feb, 2026 | 05:54
Updated-18 Feb, 2026 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Appointment Booking Calendar Plugin <= 1.0.2 - Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification

The Appointment Booking Calendar Plugin – Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to modify the status of any appointment.

Action-Not Available
Vendor-bssoftware
Product-Appointment Booking Calendar Plugin – Bookr
CWE ID-CWE-862
Missing Authorization
CVE-2025-49406
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.09%
||
7 Day CHG~0.00%
Published-20 Aug, 2025 | 08:03
Updated-20 Aug, 2025 | 18:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Houzez Theme <= 4.1.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in favethemes Houzez allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Houzez: from n/a through 4.1.1.

Action-Not Available
Vendor-favethemes
Product-Houzez
CWE ID-CWE-862
Missing Authorization
CVE-2025-49236
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.96%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-06 Jun, 2025 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Raychat <= 2.1.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in raychat Raychat allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Raychat: from n/a through 2.1.0.

Action-Not Available
Vendor-raychat
Product-Raychat
CWE ID-CWE-862
Missing Authorization
CVE-2025-49987
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.60%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-23 Jun, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CRM ERP Business Solution plugin <= 1.13 - Broken Access Control Vulnerability

Missing Authorization vulnerability in WPFactory CRM ERP Business Solution allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CRM ERP Business Solution: from n/a through 1.13.

Action-Not Available
Vendor-WPFactory
Product-CRM ERP Business Solution
CWE ID-CWE-862
Missing Authorization
CVE-2024-23521
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 29.69%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 15:34
Updated-07 Aug, 2024 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Happyforms plugin <= 1.25.10 - Broken Access Control vulnerability

Missing Authorization vulnerability in Happyforms.This issue affects Happyforms: from n/a through 1.25.10.

Action-Not Available
Vendor-happyformsHappyformshappyforms
Product-happyformsHappyformshappyforms
CWE ID-CWE-862
Missing Authorization
CVE-2025-49441
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.96%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:54
Updated-06 Jun, 2025 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Interactive Regional Map of Florida <= 1.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in WP Map Plugins Interactive Regional Map of Florida allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Interactive Regional Map of Florida: from n/a through 1.0.

Action-Not Available
Vendor-WP Map Plugins
Product-Interactive Regional Map of Florida
CWE ID-CWE-862
Missing Authorization
CVE-2025-49990
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.60%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-23 Jun, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ContentStudio plugin <= 1.3.4 - Broken Access Control Vulnerability

Missing Authorization vulnerability in contentstudio ContentStudio allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ContentStudio: from n/a through 1.3.4.

Action-Not Available
Vendor-contentstudio
Product-ContentStudio
CWE ID-CWE-862
Missing Authorization
CVE-2025-49320
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.96%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-06 Jun, 2025 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FraudLabs Pro for WooCommerce <= 2.22.11 - Broken Access Control Vulnerability

Missing Authorization vulnerability in fraudlabspro FraudLabs Pro for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FraudLabs Pro for WooCommerce: from n/a through 2.22.11.

Action-Not Available
Vendor-fraudlabspro
Product-FraudLabs Pro for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-49270
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.96%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-06 Jun, 2025 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP-CRM System <= 3.4.2 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Mario Peshev WP-CRM System allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP-CRM System: from n/a through 3.4.2.

Action-Not Available
Vendor-Mario Peshev
Product-WP-CRM System
CWE ID-CWE-862
Missing Authorization
CVE-2025-49997
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.60%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-23 Jun, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Giveaways and Contests by RafflePress plugin <= 1.12.17 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Syed Balkhi Giveaways and Contests by RafflePress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Giveaways and Contests by RafflePress: from n/a through 1.12.17.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Giveaways and Contests by RafflePress
CWE ID-CWE-862
Missing Authorization
CVE-2025-49338
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.96%
||
7 Day CHG~0.00%
Published-31 Dec, 2025 | 15:35
Updated-20 Jan, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Flowbox plugin <= 1.1.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Flowbox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flowbox: from n/a through 1.1.5.

Action-Not Available
Vendor-Flowbox
Product-Flowbox
CWE ID-CWE-862
Missing Authorization
CVE-2025-49872
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.52%
||
7 Day CHG+0.01%
Published-17 Jun, 2025 | 15:01
Updated-20 Jun, 2025 | 13:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress myCred plugin <= 2.9.4.2 - Broken Access Control Vulnerability

Missing Authorization vulnerability in WPExperts.io myCred allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects myCred: from n/a through 2.9.4.2.

Action-Not Available
Vendor-WPExperts.io
Product-myCred
CWE ID-CWE-862
Missing Authorization
CVE-2025-49509
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.52%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 12:40
Updated-12 Jun, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Audio Editor & Recorder plugin <= 2.2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Roland Beaussant Audio Editor & Recorder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Audio Editor & Recorder: from n/a through 2.2.1.

Action-Not Available
Vendor-Roland Beaussant
Product-Audio Editor & Recorder
CWE ID-CWE-862
Missing Authorization
CVE-2025-49348
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.54%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:52
Updated-20 Jan, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hype plugin <= 1.0.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Hype Hype pico allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hype: from n/a through <= 1.0.5.

Action-Not Available
Vendor-Hype
Product-Hype
CWE ID-CWE-862
Missing Authorization
CVE-2025-49993
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.60%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-23 Jun, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Cookie-Script.com plugin <= 1.2.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Cookie Script Cookie-Script.com allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cookie-Script.com: from n/a through 1.2.1.

Action-Not Available
Vendor-Cookie Script
Product-Cookie-Script.com
CWE ID-CWE-862
Missing Authorization
CVE-2025-49349
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.96%
||
7 Day CHG~0.00%
Published-31 Dec, 2025 | 14:48
Updated-20 Jan, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Reuters Direct plugin <= 3.0.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Reuters News Agency Reuters Direct allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reuters Direct: from n/a through 3.0.0.

Action-Not Available
Vendor-Reuters News Agency
Product-Reuters Direct
CWE ID-CWE-862
Missing Authorization
CVE-2022-38367
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.78% / 73.48%
||
7 Day CHG~0.00%
Published-05 Sep, 2022 | 17:30
Updated-03 Aug, 2024 | 10:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Netic User Export add-on before 2.0.6 for Atlassian Jira does not perform authorization checks. This might allow an unauthenticated user to export all users from Jira by making an HTTP request to the affected endpoint.

Action-Not Available
Vendor-neticn/a
Product-user_export_for_jiran/a
CWE ID-CWE-862
Missing Authorization
CVE-2025-49986
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.60%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-23 Jun, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Video List Manager plugin <= 1.7 - Broken Access Control Vulnerability

Missing Authorization vulnerability in thanhtungtnt Video List Manager allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Video List Manager: from n/a through 1.7.

Action-Not Available
Vendor-thanhtungtnt
Product-Video List Manager
CWE ID-CWE-862
Missing Authorization
CVE-2020-1996
Matching Score-4
Assigner-Palo Alto Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Palo Alto Networks, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.70% / 71.83%
||
7 Day CHG~0.00%
Published-13 May, 2020 | 19:07
Updated-17 Sep, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PAN-OS: Panorama management server log injection

A missing authorization vulnerability in the management server component of PAN-OS Panorama allows a remote unauthenticated user to inject messages into the management server ms.log file. This vulnerability can be leveraged to obfuscate an ongoing attack or fabricate log entries in the ms.log file This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.9.

Action-Not Available
Vendor-Palo Alto Networks, Inc.
Product-pan-osPAN-OS
CWE ID-CWE-862
Missing Authorization
CVE-2025-49324
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.96%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-06 Jun, 2025 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Job Board Manager <= 2.1.60 - Broken Access Control Vulnerability

Missing Authorization vulnerability in PickPlugins Job Board Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Job Board Manager: from n/a through 2.1.60.

Action-Not Available
Vendor-PickPlugins
Product-Job Board Manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-49864
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.52%
||
7 Day CHG+0.01%
Published-17 Jun, 2025 | 15:01
Updated-20 Jun, 2025 | 13:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AFS Analytics plugin <= 4.21 - Broken Access Control Vulnerability

Missing Authorization vulnerability in AFS Analytics AFS Analytics allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AFS Analytics: from n/a through 4.21.

Action-Not Available
Vendor-AFS Analytics
Product-AFS Analytics
CWE ID-CWE-862
Missing Authorization
CVE-2024-38769
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 39.01%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-20 Mar, 2025 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Arconix Shortcodes plugin <= 2.1.11 - Broken Access Control vulnerability

Missing Authorization vulnerability in Tyche Softwares Arconix Shortcodes allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Arconix Shortcodes: from n/a through 2.1.11.

Action-Not Available
Vendor-tychesoftwaresTyche Softwarestychesoftwares
Product-arconix_shortcodesArconix Shortcodesarconix_shortcodes
CWE ID-CWE-862
Missing Authorization
CVE-2024-37468
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 36.82%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Newsmatic theme <= 1.3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in blazethemes Newsmatic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newsmatic: from n/a through 1.3.1.

Action-Not Available
Vendor-blazethemesblazethemes
Product-Newsmaticnewsmatic
CWE ID-CWE-862
Missing Authorization
CVE-2024-37921
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 39.01%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Chained Quiz plugin <= 1.3.2.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Kiboko Labs Chained Quiz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chained Quiz: from n/a through 1.3.2.8.

Action-Not Available
Vendor-Kiboko Labskibokolabs
Product-Chained Quizchained_quiz
CWE ID-CWE-862
Missing Authorization
CVE-2025-48155
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.38%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 10:36
Updated-16 Jul, 2025 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Residential Address Detection plugin <= 2.5.9 - Broken Access Control Vulnerability

Missing Authorization vulnerability in enituretechnology Residential Address Detection allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Residential Address Detection: from n/a through 2.5.9.

Action-Not Available
Vendor-Eniture, LLC
Product-Residential Address Detection
CWE ID-CWE-862
Missing Authorization
CVE-2025-48346
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.96%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 14:55
Updated-21 May, 2025 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Embed and Integrate Etsy Shop <= 1.0.4 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Etsy360 Embed and Integrate Etsy Shop allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Embed and Integrate Etsy Shop: from n/a through 1.0.4.

Action-Not Available
Vendor-Etsy360
Product-Embed and Integrate Etsy Shop
CWE ID-CWE-862
Missing Authorization
CVE-2025-48337
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.96%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 11:15
Updated-06 Jun, 2025 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress QuickCab plugin <= 1.3.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in QuickcabWP QuickCab.This issue affects QuickCab: from n/a through 1.3.3.

Action-Not Available
Vendor-QuickcabWP
Product-QuickCab
CWE ID-CWE-862
Missing Authorization
CVE-2024-1516
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 45.73%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 08:33
Updated-11 Feb, 2025 | 20:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WP eCommerce plugin for WordPress is vulnerable to unauthorized arbitrary post creation due to a missing capability check on the check_for_saas_push() function in all versions up to, and including, 3.15.1. This makes it possible for unauthenticated attackers to create arbitrary posts with arbitrary content.

Action-Not Available
Vendor-zaojustinsaintonwp-ecommerce
Product-wp_ecommerceWP eCommercewp-e-commerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-1562
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.15% / 35.39%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 03:36
Updated-07 Mar, 2025 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WooCommerce Google Sheet Connector plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the execute_post_data function in all versions up to, and including, 1.3.11. This makes it possible for unauthenticated attackers to update plugin settings.

Action-Not Available
Vendor-gsheetconnectorwesterndealgsheetconnector
Product-woocommerce_google_sheet_connectorWooCommerce Google Sheet Connectorwoocommerce_google_sheet_connector
CWE ID-CWE-862
Missing Authorization
CVE-2025-48282
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 17.96%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 14:45
Updated-21 May, 2025 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Majestic Support <= 1.1.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Majestic Support Majestic Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Majestic Support: from n/a through 1.1.0.

Action-Not Available
Vendor-Majestic Support
Product-Majestic Support
CWE ID-CWE-862
Missing Authorization
CVE-2024-1389
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 44.60%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-24 Apr, 2025 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_stripe_connect_handle_authorization_return function in all versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to change the Stripe payment keys.

Action-Not Available
Vendor-cozmoslabsiovamihaiiovamihai
Product-membership_\&_content_restriction_-_paid_member_subscriptionsPaid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restrictionpaid_membership_subscriptions_effortless_memberships_recurring_payments_and_content_restriction
CWE ID-CWE-862
Missing Authorization
CVE-2024-1584
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 43.65%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:51
Updated-05 Jun, 2025 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpa_check_authentication' function in all versions up to, and including, 5.2.1. This makes it possible for unauthenticated attackers to modify the site's Google Analytics tracking ID.

Action-Not Available
Vendor-analytifyhiddenpearls
Product-analytify_-_google_analytics_dashboardAnalytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
CWE ID-CWE-862
Missing Authorization
CVE-2024-1778
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.86%
||
7 Day CHG~0.00%
Published-23 Feb, 2024 | 06:48
Updated-16 Jan, 2025 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_bookmark() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to alter bookmark statuses.

Action-Not Available
Vendor-zestardzestardtechnologies
Product-admin_side_data_storage_for_contact_form_7Admin side data storage for Contact Form 7
CWE ID-CWE-862
Missing Authorization
CVE-2024-1771
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.08% / 24.43%
||
7 Day CHG~0.00%
Published-06 Mar, 2024 | 05:33
Updated-11 Mar, 2025 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage.

Action-Not Available
Vendor-hashthemeshashthemeshashthemes
Product-totalTotaltotal
CWE ID-CWE-862
Missing Authorization
CVE-2024-1860
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 41.97%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 09:33
Updated-22 Apr, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihacker_add_whitelist() function in all versions up to, and including, 4.51. This makes it possible for unauthenticated attackers to add their IP Address to the whitelist circumventing protection

Action-Not Available
Vendor-billminozzisminozzisminozzi
Product-anti_hackerDisable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scandisable_json_api_login_lockdown_xml_rpc_pingback_stop_user_enumeration_anit_hacker_scan
CWE ID-CWE-862
Missing Authorization
CVE-2024-37220
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 39.01%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Optinly plugin <= 1.0.18 - Broken Access Control vulnerability

Missing Authorization vulnerability in OptinlyHQ Optinly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Optinly: from n/a through 1.0.18.

Action-Not Available
Vendor-OptinlyHQoptinly
Product-Optinlyoptinly
CWE ID-CWE-862
Missing Authorization
CVE-2025-48166
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.38%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 10:36
Updated-16 Jul, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Stop and Block bots plugin Anti bots <= 1.48 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Bill Minozzi Stop and Block bots plugin Anti bots allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Stop and Block bots plugin Anti bots: from n/a through 1.48.

Action-Not Available
Vendor-Bill Minozzi
Product-Stop and Block bots plugin Anti bots
CWE ID-CWE-862
Missing Authorization
CVE-2024-1763
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 42.28%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-20 Mar, 2025 | 11:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp_social/v1/ REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to enable and disable certain providers for the social share and login features.

Action-Not Available
Vendor-wpmetxpeedstudiowpmet
Product-wp_social_login_and_register_social_counterWp Social Login and Register Social Counterwp_social_login_and_register_social_counter
CWE ID-CWE-862
Missing Authorization
CVE-2024-37276
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 36.82%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Featured Image from URL (FIFU) plugin <= 4.8.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in fifu.App Featured Image from URL allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Image from URL: from n/a through 4.8.1.

Action-Not Available
Vendor-fifu.appfifu
Product-Featured Image from URLfeatured_image_from_url
CWE ID-CWE-862
Missing Authorization
CVE-2024-1689
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 47.84%
||
7 Day CHG~0.00%
Published-07 Jun, 2024 | 02:02
Updated-29 Oct, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WooCommerce Tools <= 1.2.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Module Deactivation

The WooCommerce Tools plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woocommerce_tool_toggle_module() function in all versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to deactivate arbitrary plugin modules.

Action-Not Available
Vendor-themefarmerthemefarmer
Product-woocommerce_toolsWooCommerce Tools
CWE ID-CWE-862
Missing Authorization
CVE-2024-1733
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 44.57%
||
7 Day CHG~0.00%
Published-16 Mar, 2024 | 05:39
Updated-18 Apr, 2025 | 15:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Word Replacer Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the word_replacer_ultra() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update arbitrary content on the affected WordPress site.

Action-Not Available
Vendor-charlestsmithcharlestsmithpdfcrowd
Product-word_replacer_proWord Replacer Proword_replacer_pro
CWE ID-CWE-862
Missing Authorization
CVE-2022-36340
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.18% / 39.34%
||
7 Day CHG~0.00%
Published-23 Sep, 2022 | 18:31
Updated-20 Feb, 2025 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MailOptin plugin <= 1.2.49.0 - Unauthenticated Optin Campaign Cache Deletion vulnerability

Unauthenticated Optin Campaign Cache Deletion vulnerability in MailOptin plugin <= 1.2.49.0 at WordPress.

Action-Not Available
Vendor-mailoptinMailOptin Popup Builder Team
Product-mailoptinMailOptin (WordPress plugin)
CWE ID-CWE-862
Missing Authorization
CVE-2024-13316
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 55.30%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 08:21
Updated-01 Aug, 2025 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Scratch & Win – Giveaways and Contests <= 2.8.0 - Missing Authorization to Unauthenticated Coupon Creation

The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the apmswn_create_discount() function in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to create coupons.

Action-Not Available
Vendor-akashmalikakashmalik
Product-scratch_\&_winScratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more
CWE ID-CWE-862
Missing Authorization
CVE-2024-1352
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 50.98%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 18:59
Updated-17 Jan, 2025 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the rtcl_import_location() rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms.

Action-Not Available
Vendor-radiusthemetechlabpro1techlabpro1
Product-classified_listingClassified Listing – Classified ads & Business Directory Pluginclassified_listing_plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-1350
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 36.82%
||
7 Day CHG~0.00%
Published-17 Apr, 2024 | 10:10
Updated-01 Aug, 2024 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Honeypot for WP Comment plugin <= 2.2.3 - Arbitrary File Deletion vulnerability

Missing Authorization vulnerability in Prasidhda Malla Honeypot for WP Comment.This issue affects Honeypot for WP Comment: from n/a through 2.2.3.

Action-Not Available
Vendor-Prasidhda Mallaprasidhdamalla
Product-Honeypot for WP Commenthoneypot_for_wp_comment
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • ...
  • 5
  • 6
  • 7
  • ...
  • 13
  • 14
  • Next
Details not found