Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-1657

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-17 Feb, 2026 | 05:29
Updated At-17 Feb, 2026 | 14:33
Rejected At-
Credits

EventPrime <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint

The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:17 Feb, 2026 | 05:29
Updated At:17 Feb, 2026 | 14:33
Rejected At:
▼CVE Numbering Authority (CNA)
EventPrime <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint

The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.

Affected Products
Vendor
Metagauss Inc.metagauss
Product
EventPrime – Events Calendar, Bookings and Tickets
Default Status
unaffected
Versions
Affected
  • From * through 4.2.8.4 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Tharadol Suksamran
Timeline
EventDate
Vendor Notified2026-01-29 20:17:16
Disclosed2026-02-16 17:29:13
Event: Vendor Notified
Date: 2026-01-29 20:17:16
Event: Disclosed
Date: 2026-02-16 17:29:13
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/42aa82ff-0d37-4040-b8fc-84d29534a4b7?source=cve
N/A
https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L1659
N/A
https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L1659
N/A
https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-event-calendar-management.php#L557
N/A
https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-eventprime-event-calendar-management.php#L557
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455239%40eventprime-event-calendar-management%2Ftrunk&old=3452796%40eventprime-event-calendar-management%2Ftrunk&sfp_email=&sfph_mail=
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/42aa82ff-0d37-4040-b8fc-84d29534a4b7?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L1659
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L1659
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-event-calendar-management.php#L557
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-eventprime-event-calendar-management.php#L557
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455239%40eventprime-event-calendar-management%2Ftrunk&old=3452796%40eventprime-event-calendar-management%2Ftrunk&sfp_email=&sfph_mail=
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:17 Feb, 2026 | 06:16
Updated At:17 Feb, 2026 | 06:16

The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity@wordfence.com
CWE ID: CWE-862
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L1659security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-eventprime-event-calendar-management.php#L557security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L1659security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-event-calendar-management.php#L557security@wordfence.com
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455239%40eventprime-event-calendar-management%2Ftrunk&old=3452796%40eventprime-event-calendar-management%2Ftrunk&sfp_email=&sfph_mail=security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/42aa82ff-0d37-4040-b8fc-84d29534a4b7?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L1659
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-eventprime-event-calendar-management.php#L557
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L1659
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-event-calendar-management.php#L557
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455239%40eventprime-event-calendar-management%2Ftrunk&old=3452796%40eventprime-event-calendar-management%2Ftrunk&sfp_email=&sfph_mail=
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/42aa82ff-0d37-4040-b8fc-84d29534a4b7?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

685Records found
CVE-2025-67570
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:14
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPForms Google Sheet Connector plugin <= 4.0.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in GSheetConnector by WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.0.

Action-Not Available
Vendor-GSheetConnector by WesternDeal
Product-WPForms Google Sheet Connector
CWE ID-CWE-862
Missing Authorization
CVE-2025-67573
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:14
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sailing theme < 4.4.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in ThimPress Sailing sailing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sailing: from n/a through < 4.4.6.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-Sailing
CWE ID-CWE-862
Missing Authorization
CVE-2024-43331
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.54% / 67.23%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 11:29
Updated-19 Mar, 2025 | 18:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP SMS plugin <= 6.9.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in VeronaLabs WP SMS.This issue affects WP SMS: from n/a through 6.9.3.

Action-Not Available
Vendor-veronalabsVeronaLabsveronalabs
Product-wp_smsWP SMSwp_sms
CWE ID-CWE-862
Missing Authorization
CVE-2025-67568
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:14
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Basel theme <= 5.9.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in xtemos Basel basel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Basel: from n/a through <= 5.9.1.

Action-Not Available
Vendor-XTemos Studio
Product-Basel
CWE ID-CWE-862
Missing Authorization
CVE-2024-43270
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 42.42%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-05 Nov, 2024 | 21:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Backup and Restore WordPress plugin <= 1.50 - Unauthenticated Broken Access Control vulnerability

Missing Authorization vulnerability in WPBackItUp Backup and Restore WordPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Backup and Restore WordPress: from n/a through 1.50.

Action-Not Available
Vendor-WPBackItUpwpbackitup
Product-Backup and Restore WordPresswp_backitup
CWE ID-CWE-862
Missing Authorization
CVE-2025-67572
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:14
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PenNews theme < 6.7.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in PenciDesign PenNews pennews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PenNews: from n/a through < 6.7.4.

Action-Not Available
Vendor-PenciDesign
Product-PenNews
CWE ID-CWE-862
Missing Authorization
CVE-2025-67569
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:14
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AdForest theme <= 6.0.11 - Broken Access Control vulnerability

Missing Authorization vulnerability in scriptsbundle AdForest adforest allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AdForest: from n/a through <= 6.0.11.

Action-Not Available
Vendor-ScriptsBundle
Product-AdForest
CWE ID-CWE-862
Missing Authorization
CVE-2025-62740
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:52
Updated-20 Jan, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP-CRM System plugin <= 3.4.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CRM System: from n/a through <= 3.4.5.

Action-Not Available
Vendor-Mario Peshev
Product-WP-CRM System
CWE ID-CWE-862
Missing Authorization
CVE-2025-66120
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.89%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CatFolders plugin <= 2.5.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in CatFolders CatFolders catfolders allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CatFolders: from n/a through <= 2.5.3.

Action-Not Available
Vendor-CatFolders
Product-CatFolders
CWE ID-CWE-862
Missing Authorization
CVE-2020-1996
Matching Score-4
Assigner-Palo Alto Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Palo Alto Networks, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.70% / 71.58%
||
7 Day CHG~0.00%
Published-13 May, 2020 | 19:07
Updated-17 Sep, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PAN-OS: Panorama management server log injection

A missing authorization vulnerability in the management server component of PAN-OS Panorama allows a remote unauthenticated user to inject messages into the management server ms.log file. This vulnerability can be leveraged to obfuscate an ongoing attack or fabricate log entries in the ms.log file This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.9.

Action-Not Available
Vendor-Palo Alto Networks, Inc.
Product-pan-osPAN-OS
CWE ID-CWE-862
Missing Authorization
CVE-2023-2299
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 29.58%
||
7 Day CHG~0.00%
Published-03 Jun, 2023 | 04:35
Updated-10 Jun, 2025 | 12:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized medication of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.2.10 due to a missing capability check on the processAction function. This makes it possible for unauthenticated attackers modify the plugin's settings.

Action-Not Available
Vendor-vcitavcita
Product-online_booking_\&_scheduling_calendarOnline Booking & Scheduling Calendar for WordPress by vcita
CWE ID-CWE-862
Missing Authorization
CVE-2020-15109
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 42.62%
||
7 Day CHG~0.00%
Published-04 Aug, 2020 | 23:00
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ability to change order address without triggering address validations in solidus

In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes are structured. We have a single list of attributes that are permitted across the whole checkout, no matter the step that is being submitted. See the linked reference for more information. As a workaround, if it is not possible to upgrade to a supported patched version, please use this gist in the references section.

Action-Not Available
Vendor-nebulabsolidusio
Product-solidussolidus
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-862
Missing Authorization
CVE-2022-2461
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-22.48% / 95.70%
||
7 Day CHG+9.22%
Published-06 Sep, 2022 | 17:18
Updated-05 May, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site.

Action-Not Available
Vendor-transposhoferwald
Product-transposh_wordpress_translationTransposh WordPress Translation
CWE ID-CWE-862
Missing Authorization
CVE-2024-34813
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 42.63%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 10:38
Updated-02 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Wishlist plugin <= 1.7.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in MoreConvert MC Woocommerce Wishlist.This issue affects MC Woocommerce Wishlist: from n/a through 1.7.8.

Action-Not Available
Vendor-MoreConvert
Product-MC Woocommerce Wishlist
CWE ID-CWE-862
Missing Authorization
CVE-2025-66121
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.89%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SiteGround Security plugin <= 1.5.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in SiteGround SiteGround Security sg-security allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteGround Security: from n/a through <= 1.5.8.

Action-Not Available
Vendor-SiteGround
Product-SiteGround Security
CWE ID-CWE-862
Missing Authorization
CVE-2025-66129
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.89%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pochipp plugin <= 1.18.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in wppochipp Pochipp pochipp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pochipp: from n/a through <= 1.18.0.

Action-Not Available
Vendor-wppochipp
Product-Pochipp
CWE ID-CWE-862
Missing Authorization
CVE-2025-66130
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.89%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-20 Jan, 2026 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Views Counter plugin <= 2.1.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in etruel WP Views Counter wpecounter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Views Counter: from n/a through <= 2.1.2.

Action-Not Available
Vendor-etruel
Product-WP Views Counter
CWE ID-CWE-862
Missing Authorization
CVE-2023-1261
Matching Score-4
Assigner-Silicon Labs
ShareView Details
Matching Score-4
Assigner-Silicon Labs
CVSS Score-8.2||HIGH
EPSS-0.08% / 22.67%
||
7 Day CHG~0.00%
Published-21 Mar, 2023 | 20:26
Updated-26 Feb, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing MAC layer security in Wi-SUN SDK

Missing MAC layer security in Silicon Labs Wi-SUN SDK v1.5.0 and earlier allows malicious node to route malicious messages through network.

Action-Not Available
Vendor-silabssilabs.com
Product-wi-sun_software_development_kitWi-SUN SDK
CWE ID-CWE-862
Missing Authorization
CVE-2024-35692
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.14% / 33.91%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 09:21
Updated-02 Aug, 2024 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GDPR/CCPA Cookie Consent Banner plugin <= 3.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Termly Cookie Consent.This issue affects Cookie Consent: from n/a through 3.2.

Action-Not Available
Vendor-termlyTermlytermly
Product-gdpr_cookie_consent_bannerCookie Consentgdpr_cookie_consent_banner
CWE ID-CWE-862
Missing Authorization
CVE-2025-64296
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-29 Oct, 2025 | 04:08
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Facebook for WooCommerce plugin <= 3.5.7 - Broken Access Control to Notice Dismissal vulnerability

Missing Authorization vulnerability in Facebook Facebook for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Facebook for WooCommerce: from n/a through 3.5.7.

Action-Not Available
Vendor-Facebook
Product-Facebook for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-64294
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-03 Nov, 2025 | 13:09
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Snow Effect plugin <= 1.1.15 - Broken Access Control to Notice Dismissal vulnerability

Missing Authorization vulnerability in d3wp WP Snow Effect allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Snow Effect: from n/a through 1.1.15.

Action-Not Available
Vendor-d3wp
Product-WP Snow Effect
CWE ID-CWE-862
Missing Authorization
CVE-2025-64370
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-13 Nov, 2025 | 09:24
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress YOP Poll plugin <= 6.5.38 - Broken Access Control vulnerability

Missing Authorization vulnerability in YOP YOP Poll yop-poll allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YOP Poll: from n/a through <= 6.5.38.

Action-Not Available
Vendor-YOP
Product-YOP Poll
CWE ID-CWE-862
Missing Authorization
CVE-2025-64277
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-13 Nov, 2025 | 09:24
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ChatBot plugin <= 7.3.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in QuantumCloud ChatBot chatbot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ChatBot: from n/a through <= 7.3.9.

Action-Not Available
Vendor-QuantumCloud
Product-ChatBot
CWE ID-CWE-862
Missing Authorization
CVE-2020-10116
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 40.47%
||
7 Day CHG~0.00%
Published-17 Mar, 2020 | 14:36
Updated-04 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).

Action-Not Available
Vendor-n/acPanel (WebPros International, LLC)
Product-cpaneln/a
CWE ID-CWE-862
Missing Authorization
CVE-2025-64639
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.89%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 08:12
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Compress for MainWP plugin <= 6.50.07 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Compress WP Compress for MainWP wp-compress-mainwp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Compress for MainWP: from n/a through <= 6.50.07.

Action-Not Available
Vendor-WP Compress
Product-WP Compress for MainWP
CWE ID-CWE-862
Missing Authorization
CVE-2025-62145
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.89%
||
7 Day CHG~0.00%
Published-31 Dec, 2025 | 15:01
Updated-20 Jan, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress DMCA Protection Badge plugin <= 2.2.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in NewClarity DMCA Protection Badge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DMCA Protection Badge: from n/a through 2.2.0.

Action-Not Available
Vendor-NewClarity
Product-DMCA Protection Badge
CWE ID-CWE-862
Missing Authorization
CVE-2025-63047
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:52
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ListingPro theme <= 2.9.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro: from n/a through <= 2.9.9.

Action-Not Available
Vendor-CridioStudio
Product-ListingPro
CWE ID-CWE-862
Missing Authorization
CVE-2024-30459
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.13% / 33.06%
||
7 Day CHG~0.00%
Published-08 May, 2024 | 13:22
Updated-02 Aug, 2024 | 01:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AI WP Writer plugin <= 3.6.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in AIpost AI WP Writer.This issue affects AI WP Writer: from n/a through 3.6.5.

Action-Not Available
Vendor-AIpost
Product-AI WP Writer
CWE ID-CWE-862
Missing Authorization
CVE-2025-63031
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.89%
||
7 Day CHG~0.00%
Published-31 Dec, 2025 | 15:09
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EasyTest plugin <= 1.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Grids EasyTest allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EasyTest: from n/a through 1.0.1.

Action-Not Available
Vendor-WP Grids
Product-EasyTest
CWE ID-CWE-862
Missing Authorization
CVE-2025-14608
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 8.23%
||
7 Day CHG~0.00%
Published-14 Feb, 2026 | 03:25
Updated-17 Feb, 2026 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Last Modified Info <= 1.9.5 - Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification

The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.

Action-Not Available
Vendor-infosatech
Product-WP Last Modified Info
CWE ID-CWE-862
Missing Authorization
CVE-2024-3961
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.30% / 52.47%
||
7 Day CHG~0.00%
Published-21 Jun, 2024 | 03:49
Updated-01 Aug, 2024 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ConvertKit <= 2.4.9 - Missing Authorization

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to subscribe users to tags. Financial damages may occur to site owners if their API quota is exceeded.

Action-Not Available
Vendor-convertkitconvertkitconvertkit
Product-convertkit_-_email_marketing\,_email_newsletter_and_landing_pagesConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pagesconvertkit_-_email_marketing\,_email_newsletter_and_landing_pages
CWE ID-CWE-862
Missing Authorization
CVE-2025-58979
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 8.78%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 16:33
Updated-11 Sep, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BerqWP Plugin <= 2.2.53 - Broken Access Control Vulnerability

Missing Authorization vulnerability in BerqWP BerqWP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BerqWP: from n/a through 2.2.53.

Action-Not Available
Vendor-BerqWP
Product-BerqWP
CWE ID-CWE-862
Missing Authorization
CVE-2025-62865
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:52
Updated-20 Jan, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Post Cloner plugin <= 1.0.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Evan Herman Post Cloner post-cloner allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Cloner: from n/a through <= 1.0.0.

Action-Not Available
Vendor-Evan Herman
Product-Post Cloner
CWE ID-CWE-862
Missing Authorization
CVE-2024-39654
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 38.62%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sign-up Sheets plugin <= 2.2.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in Fetch Designs Sign-up Sheets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sign-up Sheets: from n/a through 2.2.12.

Action-Not Available
Vendor-Fetch Designsfetchdesigns
Product-Sign-up Sheetssign-up_sheets
CWE ID-CWE-862
Missing Authorization
CVE-2024-38769
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.94%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:17
Updated-20 Mar, 2025 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Arconix Shortcodes plugin <= 2.1.11 - Broken Access Control vulnerability

Missing Authorization vulnerability in Tyche Softwares Arconix Shortcodes allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Arconix Shortcodes: from n/a through 2.1.11.

Action-Not Available
Vendor-tychesoftwaresTyche Softwarestychesoftwares
Product-arconix_shortcodesArconix Shortcodesarconix_shortcodes
CWE ID-CWE-862
Missing Authorization
CVE-2024-3893
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.08% / 23.71%
||
7 Day CHG~0.00%
Published-25 Apr, 2024 | 07:33
Updated-14 Apr, 2025 | 13:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachements.

Action-Not Available
Vendor-radiusthemetechlabpro1techlabpro1
Product-classified_listingClassified Listing – Classified ads & Business Directory Pluginclassified_listing_plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-26104
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 38.24%
||
7 Day CHG~0.00%
Published-08 Mar, 2022 | 13:36
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Financial Consolidation - version 10.1, does not perform necessary authorization checks for updating homepage messages, resulting for an unauthorized user to alter the maintenance system message.

Action-Not Available
Vendor-SAP SE
Product-financial_consolidationSAP Financial Consolidation
CWE ID-CWE-862
Missing Authorization
CVE-2024-37220
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.94%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Optinly plugin <= 1.0.18 - Broken Access Control vulnerability

Missing Authorization vulnerability in OptinlyHQ Optinly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Optinly: from n/a through 1.0.18.

Action-Not Available
Vendor-OptinlyHQoptinly
Product-Optinlyoptinly
CWE ID-CWE-862
Missing Authorization
CVE-2024-37427
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.12% / 31.50%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Timetics plugin <= 1.0.21 - Broken Access Control vulnerability

Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Timetics: from n/a through 1.0.21.

Action-Not Available
Vendor-Arrayticsarraytics
Product-Timeticstimetics
CWE ID-CWE-862
Missing Authorization
CVE-2024-37926
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.94%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Accessibility Helper (WAH) plugin <= 0.6.2.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH) allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.9.

Action-Not Available
Vendor-Alex Volkovvolkov
Product-WP Accessibility Helper (WAH)wp_accessibility_helper
CWE ID-CWE-862
Missing Authorization
CVE-2025-62085
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.49%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:52
Updated-20 Jan, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BERTHA AI plugin <= 1.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in berthaai BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BERTHA AI: from n/a through <= 1.13.

Action-Not Available
Vendor-berthaai
Product-BERTHA AI
CWE ID-CWE-862
Missing Authorization
CVE-2024-37506
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 38.94%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-01 Nov, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Donation Forms by Charitable plugin <= 1.8.1.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Charitable Donations & Fundraising Team Charitable allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Charitable: from n/a through 1.8.1.7.

Action-Not Available
Vendor-WP Charitable LLC.
Product-Charitablecharitable
CWE ID-CWE-862
Missing Authorization
CVE-2025-63001
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.89%
||
7 Day CHG~0.00%
Published-31 Dec, 2025 | 14:56
Updated-20 Jan, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hotel Booking plugin <= 3.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in nicdark Hotel Booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Booking: from n/a through 3.8.

Action-Not Available
Vendor-nicdark
Product-Hotel Booking
CWE ID-CWE-862
Missing Authorization
CVE-2024-34802
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 49.03%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 18:35
Updated-02 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AdFoxly plugin <= 1.8.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in AdFoxly AdFoxly – Ad Manager, AdSense Ads & Ads.Txt.This issue affects AdFoxly – Ad Manager, AdSense Ads & Ads.Txt: from n/a through 1.8.5.

Action-Not Available
Vendor-WP FOXLY
Product-adfoxlyAdFoxly – Ad Manager, AdSense Ads & Ads.txtadfoxly
CWE ID-CWE-862
Missing Authorization
CVE-2024-34768
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 42.63%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 16:42
Updated-02 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Fastly plugin <= 1.2.25 - Broken Access Control vulnerability

Missing Authorization vulnerability in Fastly.This issue affects Fastly: from n/a through 1.2.25.

Action-Not Available
Vendor-Fastly
Product-Fastly
CWE ID-CWE-862
Missing Authorization
CVE-2024-34799
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 34.96%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 16:35
Updated-20 Mar, 2025 | 11:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BookingPress plugin <= 1.0.82 - Appointment Duration Manipulation vulnerability

Missing Authorization vulnerability in Repute Infosystems BookingPress.This issue affects BookingPress: from n/a through 1.0.82.

Action-Not Available
Vendor-reputeinfosystemsRepute Infosystems
Product-bookingpressBookingPress
CWE ID-CWE-862
Missing Authorization
CVE-2023-46639
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 36.39%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:00
Updated-02 Jan, 2025 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress kk Star Ratings plugin <= 5.4.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in FeedbackWP kk Star Ratings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects kk Star Ratings: from n/a through 5.4.5.

Action-Not Available
Vendor-FeedbackWP
Product-kk Star Ratings
CWE ID-CWE-862
Missing Authorization
CVE-2025-62138
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.89%
||
7 Day CHG~0.00%
Published-31 Dec, 2025 | 13:51
Updated-20 Jan, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Advanced PDF plugin <= 1.1.7 - Other vulnerability Type vulnerability

Missing Authorization vulnerability in CedCommerce WP Advanced PDF allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Advanced PDF: from n/a through 1.1.7.

Action-Not Available
Vendor-CedCoss Technologies Pvt. Ltd.
Product-WP Advanced PDF
CWE ID-CWE-862
Missing Authorization
CVE-2024-35685
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 42.63%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 10:46
Updated-02 Aug, 2024 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Radcliffe 2 theme <= 2.0.17 - Broken Access Control vulnerability

Missing Authorization vulnerability in Anders Norén Radcliffe 2.This issue affects Radcliffe 2: from n/a through 2.0.17.

Action-Not Available
Vendor-Anders Norénanders_noren
Product-Radcliffe 2radcliffe_2
CWE ID-CWE-862
Missing Authorization
CVE-2024-35174
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.15% / 36.23%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 10:18
Updated-02 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Flo Forms plugin <= 1.0.42 - Broken Access Control vulnerability

Missing Authorization vulnerability in Flothemes Flo Forms.This issue affects Flo Forms: from n/a through 1.0.42.

Action-Not Available
Vendor-Flothemesflothemes
Product-Flo Formsflo_forms
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • ...
  • 13
  • 14
  • Next
Details not found