Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-2518

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-22 May, 2026 | 04:29
Updated At-22 May, 2026 | 12:21
Rejected At-
Credits

FastX <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation and Activation

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:22 May, 2026 | 04:29
Updated At:22 May, 2026 | 12:21
Rejected At:
▼CVE Numbering Authority (CNA)
FastX <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation and Activation

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin.

Affected Products
Vendor
wpxpo
Product
FastX
Default Status
unaffected
Versions
Affected
  • From 0 through 1.0.2 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Itthidej Aramsri
Timeline
EventDate
Disclosed2026-05-21 15:59:58
Event: Disclosed
Date: 2026-05-21 15:59:58
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/6f5c4194-4f97-4f85-af90-e983ba9ce3a6?source=cve
N/A
https://themes.trac.wordpress.org/browser/fastx/1.0.2/classes/Initialization.php#L264
N/A
https://themes.trac.wordpress.org/browser/fastx/1.0.2/classes/Initialization.php#L249
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/6f5c4194-4f97-4f85-af90-e983ba9ce3a6?source=cve
Resource: N/A
Hyperlink: https://themes.trac.wordpress.org/browser/fastx/1.0.2/classes/Initialization.php#L264
Resource: N/A
Hyperlink: https://themes.trac.wordpress.org/browser/fastx/1.0.2/classes/Initialization.php#L249
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:22 May, 2026 | 05:16
Updated At:22 May, 2026 | 05:16

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity@wordfence.com
CWE ID: CWE-862
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://themes.trac.wordpress.org/browser/fastx/1.0.2/classes/Initialization.php#L249security@wordfence.com
N/A
https://themes.trac.wordpress.org/browser/fastx/1.0.2/classes/Initialization.php#L264security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/6f5c4194-4f97-4f85-af90-e983ba9ce3a6?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://themes.trac.wordpress.org/browser/fastx/1.0.2/classes/Initialization.php#L249
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://themes.trac.wordpress.org/browser/fastx/1.0.2/classes/Initialization.php#L264
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/6f5c4194-4f97-4f85-af90-e983ba9ce3a6?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1291Records found
CVE-2024-31246
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.39% / 60.36%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 08:55
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PostX plugin <= 3.2.3 - Author+ Post/Page Duplication vulnerability

Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 3.2.3.

Action-Not Available
Vendor-wpxpoWPXPO
Product-postxPostX
CWE ID-CWE-862
Missing Authorization
CVE-2024-30234
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.48% / 65.34%
||
7 Day CHG~0.00%
Published-26 Mar, 2024 | 12:16
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WholesaleX plugin <= 1.3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.1.

Action-Not Available
Vendor-wpxpoWholesale Team
Product-wholesalexWholesaleX
CWE ID-CWE-862
Missing Authorization
CVE-2026-2001
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.32% / 55.20%
||
7 Day CHG~0.00%
Published-16 Feb, 2026 | 19:24
Updated-08 Apr, 2026 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WowRevenue <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible.

Action-Not Available
Vendor-wpxpo
Product-WowRevenue – Product Bundles & Bulk Discounts
CWE ID-CWE-862
Missing Authorization
CVE-2025-12980
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.11% / 29.63%
||
7 Day CHG-0.02%
Published-21 Dec, 2025 | 02:20
Updated-08 Apr, 2026 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX <= 5.0.3 - Missing Authorization to Unauthenticated Sensitive Information Exposure

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes.

Action-Not Available
Vendor-wpxpo
Product-Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
CWE ID-CWE-862
Missing Authorization
CVE-2024-5326
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-52.93% / 97.99%
||
7 Day CHG~0.00%
Published-30 May, 2024 | 10:59
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX <= 4.1.2 - Missing Authorization to Arbitrary Options Update

The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

Action-Not Available
Vendor-wpxpo
Product-Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
CWE ID-CWE-862
Missing Authorization
CVE-2026-1720
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.06% / 17.32%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 13:24
Updated-22 Apr, 2026 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation <= 1.4.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install_and_active_plugin' function in all versions up to, and including, 1.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins.

Action-Not Available
Vendor-wpxpo
Product-WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation
CWE ID-CWE-862
Missing Authorization
CVE-2026-0718
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 7.32%
||
7 Day CHG+0.01%
Published-16 Apr, 2026 | 07:39
Updated-22 Apr, 2026 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX <= 5.0.5 - Missing Authorization to Limited Post Meta Modification

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback() function in all versions up to, and including, 5.0.5. This makes it possible for unauthenticated attackers to modify the share_count post meta for any post, including private or draft posts.

Action-Not Available
Vendor-wpxpo
Product-Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
CWE ID-CWE-862
Missing Authorization
CVE-2024-10728
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-76.07% / 98.94%
||
7 Day CHG~0.00%
Published-16 Nov, 2024 | 04:29
Updated-08 Apr, 2026 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PostX <= 4.1.16 - Missing Authorization to Arbitrary Plugin Installation/Activation

The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the 'install_required_plugin_callback' function in all versions up to, and including, 4.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

Action-Not Available
Vendor-wpxpowpxpowpxpo
Product-postxPost Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostXpostx_-_gutenberg_blocks_for_post_grid
CWE ID-CWE-862
Missing Authorization
CVE-2024-37203
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.81%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Laybuy Payment Extension for WooCommerce plugin <= 5.3.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Laybuy Laybuy Payment Extension for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Laybuy Payment Extension for WooCommerce: from n/a through 5.3.9.

Action-Not Available
Vendor-Laybuy
Product-Laybuy Payment Extension for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-3663
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.14%
||
7 Day CHG~0.00%
Published-22 May, 2024 | 06:50
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Scraper <= 5.7 - Missing Authorization to Arbitrary Page/Post Creation

The WP Scraper plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wp_scraper_multi_scrape_action() function in all versions up to, and including, 5.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary pages and posts.

Action-Not Available
Vendor-rico-macchi
Product-WP Scraper
CWE ID-CWE-862
Missing Authorization
CVE-2024-3609
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.48%
||
7 Day CHG~0.00%
Published-16 May, 2024 | 20:31
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ReviewX – Multi-criteria Rating & Reviews for WooCommerce <= 1.6.27 - Missing Authorization

The ReviewX – Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the reviewx_remove_guest_image function in all versions up to, and including, 1.6.27. This makes it possible for authenticated attackers, with subscriber access and above, to delete attachments.

Action-Not Available
Vendor-ReviewXWPDeveloper
Product-reviewxReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema
CWE ID-CWE-862
Missing Authorization
CVE-2024-37096
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.93%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Popup box plugin <= 4.5.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Popup Box Team Popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup box: from n/a through 4.5.1.

Action-Not Available
Vendor-AYS Pro Extensions
Product-Popup box
CWE ID-CWE-862
Missing Authorization
CVE-2024-37095
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 46.08%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Envira Photo Gallery plugin <= 1.8.7.3 - CSRF leading to notice dismissal vulnerability

Missing Authorization vulnerability in Envira Gallery Team Envira Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Envira Photo Gallery: from n/a through 1.8.7.3.

Action-Not Available
Vendor-Envira Gallery, LLC (Envira Gallery)
Product-Envira Photo Gallery
CWE ID-CWE-862
Missing Authorization
CVE-2025-31408
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.34% / 56.41%
||
7 Day CHG~0.00%
Published-01 Apr, 2025 | 13:07
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Zoho Flow plugin <= 2.13.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Zoho Flow Zoho Flow zoho-flow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zoho Flow: from n/a through <= 2.13.3.

Action-Not Available
Vendor-Zoho Flow
Product-Zoho Flow
CWE ID-CWE-862
Missing Authorization
CVE-2025-32229
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 59.97%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 15:59
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Variable Inspector plugin <= 2.6.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Bowo Variable Inspector variable-inspector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Variable Inspector: from n/a through <= 2.6.3.

Action-Not Available
Vendor-Bowo
Product-Variable Inspector
CWE ID-CWE-862
Missing Authorization
CVE-2024-3602
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.14%
||
7 Day CHG~0.00%
Published-20 Jun, 2024 | 02:08
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer <= 1.1.0 - Missing Authorization

The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with subscriber access or higher, to remove the Promolayer connection.

Action-Not Available
Vendor-promolayerpromolayerpopupbuilder
Product-popup_builderPromolayer – Popup Builder & Abandonment Preventer
CWE ID-CWE-862
Missing Authorization
CVE-2024-3711
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 50.73%
||
7 Day CHG~0.00%
Published-23 May, 2024 | 05:32
Updated-08 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Brizy – Page Builder <= 2.4.43 - Missing Authorization

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access or above, to enable/disable the Brizy editor and modify the template used.

Action-Not Available
Vendor-brizythemefusecom
Product-brizyBrizy – Page Builder
CWE ID-CWE-862
Missing Authorization
CVE-2025-32233
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 56.05%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 15:59
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Revive.so plugin <= 2.0.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through <= 2.0.3.

Action-Not Available
Vendor-WP Chill
Product-Revive.so
CWE ID-CWE-862
Missing Authorization
CVE-2024-3606
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 40.27%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-08 Apr, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ProfileGrid – User Profiles, Memberships, Groups and Communities <= 5.8.3 - Missing Authorization

The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the pm_upload_cover_image function in all versions up to, and including, 5.8.3. This makes it possible for authenticated attackers, with subscriber access or higher, to delete attachments.

Action-Not Available
Vendor-Metagauss Inc.
Product-profilegridProfileGrid – User Profiles, Groups and Communities
CWE ID-CWE-862
Missing Authorization
CVE-2024-34824
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 30.05%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 09:27
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SportsPress – Sports Club & League Manager plugin <= 2.7.20 - Broken Access Control vulnerability

Missing Authorization vulnerability in ThemeBoy SportsPress – Sports Club & League Manager.This issue affects SportsPress – Sports Club & League Manager: from n/a through 2.7.20.

Action-Not Available
Vendor-themeboyThemeBoy
Product-sportspressSportsPress – Sports Club & League Manager
CWE ID-CWE-862
Missing Authorization
CVE-2024-30216
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.65%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 01:02
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP S/4 HANA (Cash Management)

Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, attacker can add notes in the review request with 'completed' status affecting the integrity of the application. Confidentiality and Availability are not impacted.

Action-Not Available
Vendor-SAP SE
Product-SAP S/4 HANA (Cash Management)
CWE ID-CWE-862
Missing Authorization
CVE-2024-3581
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 45.40%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:51
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MaxGalleria <= 6.4.2 - Missing Authorization

The MaxGalleria plugin for WordPress is vulnerable to unauthorized image upload due to a missing capability check on the add_media_library_images_to_gallery function in all versions up to, and including, 6.4.2. This makes it possible for authenticated attackers, with subscriber access or above, to upload arbitrary images to a gallery.

Action-Not Available
Vendor-maxfoundrymaxfoundry
Product-MaxGalleriamaxgalleria
CWE ID-CWE-862
Missing Authorization
CVE-2024-35723
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.49%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 07:50
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Dashboard To-Do List plugin <= 1.2.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Andrew Dashboard To-Do List dashboard-to-do-list.This issue affects Dashboard To-Do List: from n/a through <= 1.2.0.

Action-Not Available
Vendor-arwebdesignAndrew
Product-dashboard_to-do_listDashboard To-Do List
CWE ID-CWE-862
Missing Authorization
CVE-2024-35628
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 36.74%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 14:29
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Photo Gallery by 10Web plugin <= 1.8.25 - Broken Access Control vulnerability

Missing Authorization vulnerability in Photo Gallery Team Photo Gallery by 10Web.This issue affects Photo Gallery by 10Web: from n/a through 1.8.25.

Action-Not Available
Vendor-AYS Pro Extensions
Product-Photo Gallery by 10Web
CWE ID-CWE-862
Missing Authorization
CVE-2024-35724
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.49%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 07:49
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Bosa Elementor Addons and Templates for WooCommerce plugin <= 1.0.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in Bosa Themes Bosa Elementor Addons and Templates for WooCommerce.This issue affects Bosa Elementor Addons and Templates for WooCommerce: from n/a through 1.0.12.

Action-Not Available
Vendor-bosathemesBosa Themes
Product-bosa_elementor_addons_and_templates_for_woocommerceBosa Elementor Addons and Templates for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-34803
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.37%
||
7 Day CHG~0.00%
Published-03 Jun, 2024 | 10:18
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Fastly plugin <= 1.2.25 - Broken Access Control vulnerability

Missing Authorization vulnerability in Fastly.This issue affects Fastly: from n/a through 1.2.25.

Action-Not Available
Vendor-Fastly
Product-Fastly
CWE ID-CWE-862
Missing Authorization
CVE-2024-3520
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 40.27%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:51
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Country State City Dropdown CF7 <= 2.7.1 - Missing Authorization

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tc_csca_patch_settings function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber access and above, to add states or cities to the dropdown.

Action-Not Available
Vendor-trustyplugins
Product-Country State City Dropdown CF7
CWE ID-CWE-862
Missing Authorization
CVE-2026-6703
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 12.12%
||
7 Day CHG+0.01%
Published-21 Apr, 2026 | 06:43
Updated-22 Apr, 2026 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Responsive Blocks <= 2.2.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via AJAX Actions

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify global site-wide plugin configuration options, including toggling custom CSS, disabling blocks, changing layout defaults such as content width, container padding, and container gap, and altering auto-block-recovery behavior.

Action-Not Available
Vendor-CyberChimps Inc.
Product-Responsive Blocks – Page Builder for Blocks & Patterns
CWE ID-CWE-862
Missing Authorization
CVE-2024-33593
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.81%
||
7 Day CHG~0.00%
Published-29 Apr, 2024 | 10:09
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Smart Forms plugin <= 2.6.91 - Broken Access Control vulnerability

Missing Authorization vulnerability in RedNao Smart Forms.This issue affects Smart Forms: from n/a through 2.6.91.

Action-Not Available
Vendor-RedNao
Product-Smart Forms
CWE ID-CWE-862
Missing Authorization
CVE-2024-33585
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.81%
||
7 Day CHG-0.00%
Published-29 Apr, 2024 | 12:43
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Payment Gateway Based Fees and Discounts for WooCommerce plugin <= 2.12.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Tyche Softwares Payment Gateway Based Fees and Discounts for WooCommerce.This issue affects Payment Gateway Based Fees and Discounts for WooCommerce: from n/a through 2.12.1.

Action-Not Available
Vendor-Tyche SoftwaresWordPress.org
Product-Payment Gateway Based Fees and Discounts for WooCommercepayment_gateway_based_fees_and_discounts_for_woocommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-32237
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 59.97%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 15:59
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MasterStudy LMS plugin <= 3.5.28 - Broken Access Control vulnerability

Missing Authorization vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MasterStudy LMS: from n/a through <= 3.5.28.

Action-Not Available
Vendor-Stylemix
Product-MasterStudy LMS
CWE ID-CWE-862
Missing Authorization
CVE-2025-32232
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 59.97%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 15:59
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress StaffList plugin <= 3.2.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in ERA404 StaffList stafflist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects StaffList: from n/a through <= 3.2.7.

Action-Not Available
Vendor-ERA404
Product-StaffList
CWE ID-CWE-862
Missing Authorization
CVE-2024-32517
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.93%
||
7 Day CHG~0.00%
Published-17 Apr, 2024 | 07:38
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Custom Thank You Page Customize For WooCommerce by Binary Carpenter plugin <= 1.4.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in WooCommerce & WordPress Tutorials Custom Thank You Page Customize For WooCommerce by Binary Carpenter.This issue affects Custom Thank You Page Customize For WooCommerce by Binary Carpenter: from n/a through 1.4.12.

Action-Not Available
Vendor-WooCommerce & WordPress Tutorials
Product-Custom Thank You Page Customize For WooCommerce by Binary Carpenter
CWE ID-CWE-862
Missing Authorization
CVE-2024-32784
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.37%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 13:02
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CookieHub plugin <= 1.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in CookieHub.This issue affects CookieHub: from n/a through 1.1.0.

Action-Not Available
Vendor-CookieHub
Product-CookieHub
CWE ID-CWE-862
Missing Authorization
CVE-2024-32143
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.55% / 68.06%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 17:03
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Podlove Podcast Publisher plugin <= 4.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Podlove Podlove Podcast Publisher.This issue affects Podlove Podcast Publisher: from n/a through 4.1.0.

Action-Not Available
Vendor-podlovePodlovepodlove
Product-podlove_podcast_publisherPodlove Podcast Publisherpodlove_podcast_publisher
CWE ID-CWE-862
Missing Authorization
CVE-2024-3249
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.14%
||
7 Day CHG~0.00%
Published-25 Jun, 2024 | 06:57
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zita Elementor Site Library <= 1.6.2 - Missing Authorization to Page Creation and Options Modification

The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2.

Action-Not Available
Vendor-wpzita
Product-Zita Site Library for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2024-3233
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 40.27%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ivory Search – WordPress Search Plugin <= 5.5.5 - Missing Authorization to Authenticated (Subscriber+) Index Creation

The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_create_index() function in all versions up to, and including, 5.5.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger index creation.

Action-Not Available
Vendor-vinod-dalvivinod-dalvi
Product-Ivory Search – WordPress Search Pluginivory_search
CWE ID-CWE-862
Missing Authorization
CVE-2024-32689
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.93%
||
7 Day CHG~0.00%
Published-18 Apr, 2024 | 10:33
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Social Comments plugin <= 1.7.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in GenialSouls WP Social Comments.This issue affects WP Social Comments: from n/a through 1.7.3.

Action-Not Available
Vendor-GenialSoulsgenialsouls
Product-WP Social Commentswp_social_comments
CWE ID-CWE-862
Missing Authorization
CVE-2024-3243
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.22%
||
7 Day CHG~0.00%
Published-16 Apr, 2024 | 12:51
Updated-08 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Customer Reviews for WooCommerce <= 5.46.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 5.46.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary test emails.

Action-Not Available
Vendor-cusrevivoleivole
Product-customer_reviews_for_woocommerceCustomer Reviews for WooCommercecustomer_reviews_for_woocommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-3206
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.46%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:51
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Different Menu in Different Pages – Control Menu Visibility (All in One) <= 2.3.2 - Missing Authorization to Menu Duplication

The Different Menu in Different Pages – Control Menu Visibility (All in One) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax() function in all versions up to, and including, 2.3.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to duplicate menus.

Action-Not Available
Vendor-recorp
Product-Different Menu in Different Pages – Conditional Menu
CWE ID-CWE-862
Missing Authorization
CVE-2024-32818
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.49%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 12:37
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MDTF – Meta Data and Taxonomies Filter plugin <= 1.3.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF).This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-wordpress_meta_data_and_taxonomies_filterWordPress Meta Data and Taxonomies Filter (MDTF)
CWE ID-CWE-862
Missing Authorization
CVE-2024-32783
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.37%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 13:03
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Advanced Testimonial Carousel for Elementor plugin <= 3.0.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in wpcreativeidea Advanced Testimonial Carousel for Elementor.This issue affects Advanced Testimonial Carousel for Elementor: from n/a through 3.0.0.

Action-Not Available
Vendor-wpcreativeidea
Product-Advanced Testimonial Carousel for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2024-32522
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.81%
||
7 Day CHG~0.00%
Published-17 Apr, 2024 | 07:31
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Open Close WooCommerce Store plugin <= 4.9.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jaed Mosharraf & Pluginbazar Team Open Close WooCommerce Store.This issue affects Open Close WooCommerce Store: from n/a through 4.9.1.

Action-Not Available
Vendor-Jaed Mosharraf & Pluginbazar Team
Product-Open Close WooCommerce Store
CWE ID-CWE-862
Missing Authorization
CVE-2024-32455
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.62%
||
7 Day CHG~0.00%
Published-16 Apr, 2024 | 18:57
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Fatal Error Notify plugin <= 1.5.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Very Good Plugins Fatal Error Notify.This issue affects Fatal Error Notify: from n/a through 1.5.2.

Action-Not Available
Vendor-Very Good Plugins
Product-Fatal Error Notify
CWE ID-CWE-862
Missing Authorization
CVE-2024-32144
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 20.59%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 15:48
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Welcart e-Commerce plugin <= 2.9.14 - Broken Access Control vulnerability

Missing Authorization vulnerability in Welcart Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.14.

Action-Not Available
Vendor-welcartWelcart Inc.
Product-welcart_e-commerceWelcart e-Commerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-32525
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.93%
||
7 Day CHG~0.00%
Published-17 Apr, 2024 | 07:17
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Theme My Login plugin <= 7.1.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Theme My Login.This issue affects Theme My Login: from n/a through 7.1.6.

Action-Not Available
Vendor-Theme My Loginthememylogin
Product-Theme My Loginthememylogin
CWE ID-CWE-862
Missing Authorization
CVE-2024-32701
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.49%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 17:19
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress InstaWP Connect plugin <= 0.1.0.24 - Broken Access Control vulnerability

Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.24.

Action-Not Available
Vendor-instawpInstaWP
Product-instawp_connectInstaWP Connect
CWE ID-CWE-862
Missing Authorization
CVE-2024-32148
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 28.77%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 14:44
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pardot plugin <= 2.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Salesforce Pardot.This issue affects Pardot: from n/a through 2.1.0.

Action-Not Available
Vendor-Salesforce
Product-Pardot
CWE ID-CWE-862
Missing Authorization
CVE-2025-11255
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.56%
||
7 Day CHG~0.00%
Published-25 Oct, 2025 | 06:49
Updated-08 Apr, 2026 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Password Policy Manager | Password Manager <= 2.0.5 - Missing Authorization to Authenticated (Subscriber+) Configuration Log Out

The Password Policy Manager | Password Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'moppm_ajax' AJAX endpoint in all versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log out the site's connection to miniorange.

Action-Not Available
Vendor-cyberlord92
Product-Password Policy Manager | Password Manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-32277
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 55.01%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 15:59
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RepairBuddy plugin <= 3.8213 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RepairBuddy: from n/a through <= 3.8213.

Action-Not Available
Vendor-Ateeq Rafeeq
Product-RepairBuddy
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 25
  • 26
  • Next
Details not found