Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-28555

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-28 Feb, 2026 | 21:47
Updated At-28 Feb, 2026 | 21:47
Rejected At-
Credits

wpForo Forum 2.4.14 Missing Authorization via Topic Close AJAX Handler

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:28 Feb, 2026 | 21:47
Updated At:28 Feb, 2026 | 21:47
Rejected At:
▼CVE Numbering Authority (CNA)
wpForo Forum 2.4.14 Missing Authorization via Topic Close AJAX Handler

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions.

Affected Products
Vendor
gVectors Team
Product
wpForo Forum
Default Status
unaffected
Versions
Affected
  • From 2.4 before 2.4.16 (semver)
Unaffected
  • 2.4.16 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: Missing Authorization
Metrics
VersionBase scoreBase severityVector
4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Scott Moore - VulnCheck
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wordpress.org/plugins/wpforo/
product
https://wordpress.org/plugins/wpforo/#developers
patch
https://www.vulncheck.com/advisories/wpforo-forum-missing-authorization-via-topic-close-ajax-handler
third-party-advisory
Hyperlink: https://wordpress.org/plugins/wpforo/
Resource:
product
Hyperlink: https://wordpress.org/plugins/wpforo/#developers
Resource:
patch
Hyperlink: https://www.vulncheck.com/advisories/wpforo-forum-missing-authorization-via-topic-close-ajax-handler
Resource:
third-party-advisory
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:28 Feb, 2026 | 22:16
Updated At:28 Feb, 2026 | 22:16

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-862Primarydisclosure@vulncheck.com
CWE ID: CWE-862
Type: Primary
Source: disclosure@vulncheck.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://wordpress.org/plugins/wpforo/disclosure@vulncheck.com
N/A
https://wordpress.org/plugins/wpforo/#developersdisclosure@vulncheck.com
N/A
https://www.vulncheck.com/advisories/wpforo-forum-missing-authorization-via-topic-close-ajax-handlerdisclosure@vulncheck.com
N/A
Hyperlink: https://wordpress.org/plugins/wpforo/
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://wordpress.org/plugins/wpforo/#developers
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.vulncheck.com/advisories/wpforo-forum-missing-authorization-via-topic-close-ajax-handler
Source: disclosure@vulncheck.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1049Records found
CVE-2025-12953
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-11 Nov, 2025 | 11:03
Updated-14 Nov, 2025 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.2.0 - Missing Authorization to Authenticated (Subscriber+) Listing Types Tampering

The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "rtcl_ajax_add_listing_type", "rtcl_ajax_update_listing_type", and "rtcl_ajax_delete_listing_type" function in all versions up to, and including, 5.2.0. This makes it possible for authenticated attackers, with subscriber level access and above, to add, update, or delete listing types.

Action-Not Available
Vendor-techlabpro1
Product-Classified Listing – AI-Powered Classified ads & Business Directory Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-13628
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.39%
||
7 Day CHG~0.00%
Published-09 Jan, 2026 | 07:22
Updated-13 Jan, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.

Action-Not Available
Vendor-Themeum
Product-Tutor LMS – eLearning and online course solution
CWE ID-CWE-862
Missing Authorization
CVE-2025-12782
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-04 Dec, 2025 | 06:48
Updated-11 Dec, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Builder Status Tampering

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user's authorization in the disable() function. This makes it possible for authenticated attackers, with contributor level access and above, to disable the Beaver Builder layout on arbitrary posts and pages, causing content integrity issues and layout disruption on those pages.

Action-Not Available
Vendor-fastlinemediabeaverbuilder
Product-beaver_builderBeaver Builder Page Builder – Drag and Drop Website Builder
CWE ID-CWE-862
Missing Authorization
CVE-2025-1299
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.87%
||
7 Day CHG-0.00%
Published-24 Jul, 2025 | 06:33
Updated-28 Jul, 2025 | 13:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 18.0.5, all versions starting from 18.1 before 18.1.3, all versions starting from 18.2 before 18.2.1 that, under circumstances, could have allowed an unauthorized user to read deployment job logs by sending a crafted request.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2025-12675
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-05 Nov, 2025 | 07:27
Updated-06 Nov, 2025 | 19:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
KiotViet Sync <= 1.8.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The KiotViet Sync plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveConfig() function in all versions up to, and including, 1.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's config.

Action-Not Available
Vendor-mykiot
Product-KiotViet Sync
CWE ID-CWE-862
Missing Authorization
CVE-2025-13794
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-16 Dec, 2025 | 05:25
Updated-16 Dec, 2025 | 17:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Auto Featured Image <= 4.2.1 - Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification

The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own.

Action-Not Available
Vendor-Themeisle
Product-Auto Featured Image (Auto Post Thumbnail)
CWE ID-CWE-862
Missing Authorization
CVE-2025-13354
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-03 Dec, 2025 | 13:52
Updated-05 Dec, 2025 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Taxonomy Term Manipulation

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms.

Action-Not Available
Vendor-taxopressstevejburge
Product-taxopressTag, Category, and Taxonomy Manager – AI Autotagger with OpenAI
CWE ID-CWE-862
Missing Authorization
CVE-2025-13416
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.24%
||
7 Day CHG~0.00%
Published-05 Feb, 2026 | 08:25
Updated-05 Feb, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ProfileGrid – User Profiles, Groups and Communities <= 5.9.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action.

Action-Not Available
Vendor-Metagauss Inc.
Product-ProfileGrid – User Profiles, Groups and Communities
CWE ID-CWE-862
Missing Authorization
CVE-2025-12783
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 03:20
Updated-15 Dec, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Premmerce Brands for WooCommerce <= 1.2.13 - Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update

The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings.

Action-Not Available
Vendor-premmerce
Product-Premmerce Brands for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-1326
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.91%
||
7 Day CHG+0.11%
Published-02 May, 2025 | 03:21
Updated-06 May, 2025 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Homey - Booking and Rentals WordPress Theme <= 2.4.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Reservation & Post Deletion

The Homey theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the homey_reservation_del() function in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary reservations and posts.

Action-Not Available
Vendor-favethemesFave Themes
Product-homeyHomey
CWE ID-CWE-862
Missing Authorization
CVE-2025-12634
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-25 Nov, 2025 | 07:28
Updated-25 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Refund Request for WooCommerce <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Refund Status Update

The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update refund statuses to approved or rejected.

Action-Not Available
Vendor-sunarc
Product-Refund Request for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-12640
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.68%
||
7 Day CHG~0.00%
Published-08 Jan, 2026 | 02:21
Updated-08 Jan, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager <= 3.1.5 - Missing Authorization to Authenticated (Author+) Media Replacement

The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file_upload() function. This makes it possible for authenticated attackers, with Author-level access and above, to replace arbitrary media files from the WordPress Media Library.

Action-Not Available
Vendor-galdub
Product-Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-12751
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-19 Nov, 2025 | 05:45
Updated-19 Nov, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WSChat – WordPress Live Chat <= 3.1.6 - Missing Authorization to Authenticated (Subscriber+) Settings Reset

The WSChat – WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.

Action-Not Available
Vendor-elextensions
Product-WSChat – WordPress Live Chat
CWE ID-CWE-862
Missing Authorization
CVE-2025-12027
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.59%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 03:25
Updated-19 Feb, 2026 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mesmerize Companion <= 1.6.158 - Missing Authorization Authenticated (Subscriber+) Settings Update

The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and including, 1.6.158. This makes it possible for authenticated attackers - with subscriber level access and above, on websites with the Mesmerize theme activated - to mark arbitrary pages as maintainable, wrap their content in custom sections, change page template metadata, and toggle the default editor flag without proper authorization.

Action-Not Available
Vendor-horearadu
Product-Mesmerize Companion
CWE ID-CWE-862
Missing Authorization
CVE-2025-12370
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-05 Dec, 2025 | 05:31
Updated-07 Jan, 2026 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Takeads <= 1.0.13 - Missing Authorization to Plugin Settings Deletion

The Takeads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.13. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the plugin's configuration options.

Action-Not Available
Vendor-takeads
Product-Takeads
CWE ID-CWE-862
Missing Authorization
CVE-2025-14045
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.84%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 03:20
Updated-15 Dec, 2025 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
URL Media Uploader <= 1.0.1 - Missing Authorization to Authenticated (Contributor+) Safe File Upload

The URL Media Uploader plugin for WordPress is vulnerable to unauthorized safe file uploads due to a missing capability check on the url_media_uploader_url_upload_ajax_handler() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload safe media files.

Action-Not Available
Vendor-apprhyme
Product-URL Media Uploader
CWE ID-CWE-862
Missing Authorization
CVE-2025-12180
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.75%
||
7 Day CHG~0.00%
Published-01 Nov, 2025 | 05:40
Updated-04 Nov, 2025 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qi Blocks <= 1.4.3 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update

The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the `qi-blocks/v1/update-styles` REST API endpoint without proper sanitization in the `update_global_styles_callback()` function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary CSS, which can be used to perform actions such as hiding content, overlaying fake UI elements, or exfiltrating sensitive information via CSS injection techniques.

Action-Not Available
Vendor-qodeinteractive
Product-Qi Blocks
CWE ID-CWE-862
Missing Authorization
CVE-2025-12169
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 05:32
Updated-03 Dec, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.0 - Missing Authorization to Authenitcated (Subscriber+) to Scheduled Trigger Deletion

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option.

Action-Not Available
Vendor-elulaelextensions
Product-wsdeskELEX WordPress HelpDesk & Customer Ticketing System
CWE ID-CWE-862
Missing Authorization
CVE-2025-12563
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 04:36
Updated-06 Nov, 2025 | 19:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Incorrect Authorization to Video File Upload

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on theuploadVideo() function in all versions up to, and including, 8.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload mp4 files to the 'wp-content/uploads/<YYYY>/<MM>/' directory.

Action-Not Available
Vendor-pr-gateway
Product-Blog2Social: Social Media Auto Post & Scheduler
CWE ID-CWE-862
Missing Authorization
CVE-2025-12354
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-05 Dec, 2025 | 06:07
Updated-08 Dec, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Live CSS Preview <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting.

Action-Not Available
Vendor-dojodigital
Product-Live CSS Preview
CWE ID-CWE-862
Missing Authorization
CVE-2025-12015
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-13 Nov, 2025 | 08:27
Updated-14 Nov, 2025 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Afosto Disconnect

The Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_wpqai_disconnect_quicq_afosto' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect Afosto

Action-Not Available
Vendor-sanderkah
Product-Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed
CWE ID-CWE-862
Missing Authorization
CVE-2025-12372
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.91%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 08:27
Updated-18 Nov, 2025 | 21:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The Permalinks Cascade <= 2.2 - Missing Authorization To Authenticated (Subscriber+) Plugin Settings Update

The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action in the handleTPCAdminAjaxRequest function. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized administrative actions such as enabling or disabling automatic pinging settings and modifying page exclusion settings.

Action-Not Available
Vendor-_luigi
Product-The Permalinks Cascade
CWE ID-CWE-862
Missing Authorization
CVE-2025-11773
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 07:31
Updated-21 Nov, 2025 | 15:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.6 - Missing Authorization to Authenticated (Subscriber+) Contract Address Update

The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveDeployedContract' function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the WordPress option `tokenico_deployed_contracts`, poisoning the smart contract addresses displayed.

Action-Not Available
Vendor-beycanpress
Product-Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO
CWE ID-CWE-862
Missing Authorization
CVE-2025-1233
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 42.03%
||
7 Day CHG~0.00%
Published-05 Apr, 2025 | 05:32
Updated-07 Apr, 2025 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lafka Plugin <= 7.1.0 - Missing Authorization to Authenticated (Subscriber+) Theme Option Update

The Lafka Plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_options_upload' AJAX function in all versions up to, and including, 7.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the theme option that overrides the site.

Action-Not Available
Vendor-AlThemist
Product-Lafka Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-12085
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 05:32
Updated-03 Dec, 2025 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Trash Empty

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to empty the ticket trash.

Action-Not Available
Vendor-elulaelextensions
Product-wsdeskELEX WordPress HelpDesk & Customer Ticketing System
CWE ID-CWE-862
Missing Authorization
CVE-2025-12498
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.91%
||
7 Day CHG~0.00%
Published-08 Nov, 2025 | 06:39
Updated-12 Nov, 2025 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EventPrime – Events Calendar, Bookings and Tickets <= 4.2.0.0 - Missing Authorization to Authenticated (Subscriber+) Booking Note Creation

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized booking note creation due to a missing capability check on the 'booking_add_notes' function in all versions up to, and including, 4.2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add a note to the backend view of any booking.

Action-Not Available
Vendor-Metagauss Inc.
Product-EventPrime – Events Calendar, Bookings and Tickets
CWE ID-CWE-862
Missing Authorization
CVE-2025-12081
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.24%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 03:25
Updated-19 Feb, 2026 | 17:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ACF Photo Gallery Field <= 3.0 - Missing Authorization to Authenticated (Subscriber+) Attachment Metadata Modification

The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. This makes it possible for authenticated attackers, with subscriber level access and above, to modify the title, caption, and custom metadata of arbitrary media attachments.

Action-Not Available
Vendor-navzme
Product-ACF Photo Gallery Field
CWE ID-CWE-862
Missing Authorization
CVE-2025-11887
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.77%
||
7 Day CHG+0.01%
Published-24 Oct, 2025 | 08:23
Updated-27 Oct, 2025 | 13:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Supervisor <= 1.3.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The Supervisor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update various plugin settings.

Action-Not Available
Vendor-tiagohillebrandt
Product-Supervisor
CWE ID-CWE-862
Missing Authorization
CVE-2025-12377
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.43%
||
7 Day CHG~0.00%
Published-13 Nov, 2025 | 11:29
Updated-19 Dec, 2025 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gallery Plugin for WordPress – Envira Photo Gallery <= 1.12.0 - Missing Authorization to Authenticated (Author+) Multiple Gallery Actions

The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Author-level access and above, to perform multiple actions, such as removing images from arbitrary galleries. The vulnerability was partially patched in version 1.12.0.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Gallery Plugin for WordPress – Envira Photo Gallery
CWE ID-CWE-862
Missing Authorization
CVE-2025-12014
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.77%
||
7 Day CHG+0.01%
Published-24 Oct, 2025 | 08:24
Updated-27 Oct, 2025 | 13:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NGINX Cache Optimizer <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Dynamic Caching Exclusion Update

The NGINX Cache Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nginxcacheoptimizer-blacklist-update' AJAX action in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add URLs to the Exclude URLs From Dynamic Caching setting.

Action-Not Available
Vendor-getclouder
Product-NGINX Cache Optimizer
CWE ID-CWE-862
Missing Authorization
CVE-2025-12113
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-12 Nov, 2025 | 07:27
Updated-14 Nov, 2025 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images <= 1.8.3 - Missing Authorization to Authenticated (Subscriber+) API Key Deletion

The Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site.

Action-Not Available
Vendor-webtoffee
Product-Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images
CWE ID-CWE-862
Missing Authorization
CVE-2025-12469
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.67%
||
7 Day CHG~0.00%
Published-05 Nov, 2025 | 09:27
Updated-04 Dec, 2025 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending

The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content.

Action-Not Available
Vendor-funnelkitamans2k
Product-funnelkit_automationsFunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-11726
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 12.28%
||
7 Day CHG~0.00%
Published-02 Dec, 2025 | 07:24
Updated-11 Dec, 2025 | 20:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Global Preset Modification

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets. This makes it possible for authenticated attackers with contributor-level access and above to add, modify, or delete global color and background presets that affect all Beaver Builder content site-wide.

Action-Not Available
Vendor-fastlinemediabeaverbuilder
Product-beaver_builderBeaver Builder Page Builder – Drag and Drop Website Builder
CWE ID-CWE-862
Missing Authorization
CVE-2025-12167
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-08 Nov, 2025 | 03:27
Updated-12 Nov, 2025 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form 7 AWeber Extension <= 0.1.42 - Missing Authorization to Authenticated (Subscriber+) Log Reset

The Contact Form 7 AWeber Extension plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_aweber_logreset' AJAX endpoint in all versions up to, and including, 0.1.42. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the AWeber logs.

Action-Not Available
Vendor-rnzo
Product-Contact Form 7 AWeber Extension
CWE ID-CWE-862
Missing Authorization
CVE-2025-12168
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 9.68%
||
7 Day CHG~0.00%
Published-17 Jan, 2026 | 04:34
Updated-26 Jan, 2026 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Phrase TMS Integration for WordPress <= 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Log Deletion

The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files.

Action-Not Available
Vendor-memsource
Product-Phrase TMS Integration for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2025-12133
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-05 Dec, 2025 | 05:31
Updated-08 Dec, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EPROLO Dropshipping <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Tracking Data Modification

The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data.

Action-Not Available
Vendor-paulepro2019
Product-EPROLO Dropshipping
CWE ID-CWE-862
Missing Authorization
CVE-2025-12022
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 05:32
Updated-03 Dec, 2025 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Trash Restore

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_restore_trash' AJAX endpoint in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore all deleted tickets.

Action-Not Available
Vendor-elulaelextensions
Product-wsdeskELEX WordPress HelpDesk & Customer Ticketing System
CWE ID-CWE-862
Missing Authorization
CVE-2025-12389
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-04 Nov, 2025 | 04:27
Updated-04 Nov, 2025 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Import Export For WooCommerce <= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The Import Export For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_setting() function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's record setting.

Action-Not Available
Vendor-sidngr
Product-Import Export For WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-12356
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.59%
||
7 Day CHG~0.00%
Published-18 Feb, 2026 | 05:29
Updated-18 Feb, 2026 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tickera – WordPress Event Ticketing <= 3.5.6.4 - Missing Authorization to Authenticated (Subscriber+) Event/Post Status Update

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update post/event statuses.

Action-Not Available
Vendor-tickera
Product-Tickera – Sell Tickets & Manage Events
CWE ID-CWE-862
Missing Authorization
CVE-2025-12165
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-05 Dec, 2025 | 05:31
Updated-08 Dec, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Webcake – Landing Page Builder <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The Webcake – Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webcake_save_config' AJAX endpoint in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings.

Action-Not Available
Vendor-huyme
Product-Webcake – Landing Page Builder
CWE ID-CWE-862
Missing Authorization
CVE-2023-4938
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.13%
||
7 Day CHG~0.00%
Published-18 Oct, 2023 | 07:31
Updated-05 Feb, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_apply_default_combination function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-bear_-_woocommerce_bulk_editor_and_products_manager_professionalBEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
CWE ID-CWE-862
Missing Authorization
CVE-2025-12526
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-11 Nov, 2025 | 03:30
Updated-12 Nov, 2025 | 20:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Private Google Calendars <= 20250811 - Missing Authorization to Authenticated (Subscriber+) Settings Reset

The Private Google Calendars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pgc_remove' action in all versions up to, and including, 20250811. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.

Action-Not Available
Vendor-michielve
Product-Private Google Calendars
CWE ID-CWE-862
Missing Authorization
CVE-2025-12156
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-04 Nov, 2025 | 04:27
Updated-04 Nov, 2025 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One 2.0.7 - 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Post Creation

The Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_post_data() function in versions 2.0.7 to 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create and publish arbitrary posts.

Action-Not Available
Vendor-aitool
Product-Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One
CWE ID-CWE-862
Missing Authorization
CVE-2025-11975
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 26.44%
||
7 Day CHG~0.00%
Published-31 Oct, 2025 | 02:26
Updated-04 Nov, 2025 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) <= 1.1.23.0 - Missing Authorization to Authenticated (Subscriber+) Sync Rule Creation

The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_changes() function in all versions up to, and including, 1.1.23.0. This makes it possible for unauthenticated attackers to add and edit sync rules.

Action-Not Available
Vendor-fusewp
Product-FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.)
CWE ID-CWE-862
Missing Authorization
CVE-2025-12091
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.91%
||
7 Day CHG~0.00%
Published-06 Dec, 2025 | 05:49
Updated-08 Dec, 2025 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Search, Filters & Merchandising for WooCommerce <= 3.0.63 - Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation

The Search, Filters & Merchandising for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcis_save_email' endpoint in all versions up to, and including, 3.0.63. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin.

Action-Not Available
Vendor-instantsearchplus
Product-Search, Filters & Merchandising for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-11255
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.77%
||
7 Day CHG+0.01%
Published-25 Oct, 2025 | 06:49
Updated-27 Oct, 2025 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Password Policy Manager | Password Manager <= 2.0.5 - Missing Authorization to Authenticated (Subscriber+) Configuration Log Out

The Password Policy Manager | Password Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'moppm_ajax' AJAX endpoint in all versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log out the site's connection to miniorange.

Action-Not Available
Vendor-cyberlord92
Product-Password Policy Manager | Password Manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-11587
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 13.83%
||
7 Day CHG+0.01%
Published-29 Oct, 2025 | 12:31
Updated-22 Dec, 2025 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Call Now Button <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Settings Update

The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.

Action-Not Available
Vendor-jgrietveld
Product-Call Now Button – The #1 Click to Call Button for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2025-11373
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.84%
||
7 Day CHG~0.00%
Published-05 Nov, 2025 | 06:35
Updated-06 Nov, 2025 | 19:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Safe File Type Upload

The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability checks in the "depicter-media-upload" AJAX route in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files on the affected site's server.

Action-Not Available
Vendor-Depicter (Averta)
Product-Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel
CWE ID-CWE-862
Missing Authorization
CVE-2025-11257
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.77%
||
7 Day CHG+0.01%
Published-24 Oct, 2025 | 08:24
Updated-27 Oct, 2025 | 13:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LLM Hubspot Blog Import <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Hubspot Import

The LLM Hubspot Blog Import plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_save_blogs' AJAX endpoint in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger an import of all Hubspot data.

Action-Not Available
Vendor-limelightmarketing
Product-LLM Hubspot Blog Import
CWE ID-CWE-862
Missing Authorization
CVE-2025-11448
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.71%
||
7 Day CHG~0.00%
Published-08 Nov, 2025 | 09:28
Updated-12 Nov, 2025 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gallery Plugin for WordPress – Envira Photo Gallery <= 1.11.0 - Missing Authorization to Authenticated (Contributor+) Gallery Conversion

The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/envira-convert/v1/bulk-convert' REST API endpoint in all versions up to, and including, 1.11.0. This makes it possible for authenticated attackers, with contributor-level access and above, to convert galleries to Envira galleries.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Gallery Plugin for WordPress – Envira Photo Gallery
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • ...
  • 17
  • 18
  • 19
  • 20
  • 21
  • Next
Details not found