Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-34886

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-15 Jun, 2026 | 20:17
Updated At-15 Jun, 2026 | 22:13
Rejected At-
Credits

WordPress Simple Membership plugin <= 4.7.1 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:15 Jun, 2026 | 20:17
Updated At:15 Jun, 2026 | 22:13
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress Simple Membership plugin <= 4.7.1 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions.

Affected Products
Vendor
wp.insider
Product
Simple Membership
Collection URL
https://wordpress.org/plugins
Package Name
simple-membership
Default Status
unaffected
Versions
Affected
  • From n/a through 4.7.1 (custom)
    • -> unaffectedfrom4.7.2
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-180CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC ID: CAPEC-180
Description: CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
Solutions

Update the WordPress Simple Membership Plugin to the latest available version (at least 4.7.2).

Configurations

Workarounds

Exploits

Credits

finder
Jakub Herman | Patchstack Bug Bounty Program
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://patchstack.com/database/wordpress/plugin/simple-membership/vulnerability/wordpress-simple-membership-plugin-4-7-1-broken-access-control-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/wordpress/plugin/simple-membership/vulnerability/wordpress-simple-membership-plugin-4-7-1-broken-access-control-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:15 Jun, 2026 | 21:16
Updated At:15 Jun, 2026 | 21:24

Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-862Primaryaudit@patchstack.com
CWE ID: CWE-862
Type: Primary
Source: audit@patchstack.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://patchstack.com/database/wordpress/plugin/simple-membership/vulnerability/wordpress-simple-membership-plugin-4-7-1-broken-access-control-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/wordpress/plugin/simple-membership/vulnerability/wordpress-simple-membership-plugin-4-7-1-broken-access-control-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

170Records found

CVE-2026-57654
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 7.14%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:53
Updated-29 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Affiliates Manager plugin <= 2.9.49 - Broken Access Control vulnerability

Affiliate Broken Access Control in Affiliates Manager <= 2.9.49 versions.

Action-Not Available
Vendor-wp.insider
Product-Affiliates Manager
CWE ID-CWE-862
Missing Authorization
CVE-2026-25308
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 8.28%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 08:26
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple Membership plugin <= 4.6.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in wp.insider Simple Membership simple-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Membership: from n/a through <= 4.6.9.

Action-Not Available
Vendor-wp.insider
Product-Simple Membership
CWE ID-CWE-862
Missing Authorization
CVE-2019-20599
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.33% / 25.26%
||
7 Day CHG~0.00%
Published-24 Mar, 2020 | 19:10
Updated-05 Aug, 2024 | 02:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. Voice Assistant mishandles the notification audibility of a secured app. The Samsung ID is SVE-2018-13326 (May 2019).

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidn/a
CWE ID-CWE-862
Missing Authorization
CVE-2026-39448
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-Not Assigned
Published-02 Jul, 2026 | 11:15
Updated-02 Jul, 2026 | 13:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress NOWPayments for WooCommerce plugin <= 1.4.0 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in NOWPayments for WooCommerce <= 1.4.0 versions.

Action-Not Available
Vendor-CoderPress
Product-NOWPayments for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-6372
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.20% / 10.00%
||
7 Day CHG~0.00%
Published-15 Apr, 2026 | 16:16
Updated-22 Apr, 2026 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Accept Cryptocurrencies with Plisio plugin <= 2.0.5 - Payment Bypass vulnerability

Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accept Cryptocurrencies with Plisio: from n/a through 2.0.5.

Action-Not Available
Vendor-Plisio
Product-Accept Cryptocurrencies with Plisio
CWE ID-CWE-862
Missing Authorization
CVE-2026-56025
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.81%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:52
Updated-26 Jun, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Paymob for WooCommerce plugin <= 4.1.2 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Paymob for WooCommerce <= 4.1.2 versions.

Action-Not Available
Vendor-Paymob
Product-Paymob for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-54830
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.81%
||
7 Day CHG~0.00%
Published-25 Jun, 2026 | 13:12
Updated-29 Jun, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Five Star Restaurant Reservations plugin <= 2.7.19 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Five Star Restaurant Reservations <= 2.7.19 versions.

Action-Not Available
Vendor-Etoile Web Design Incorporated
Product-Five Star Restaurant Reservations
CWE ID-CWE-862
Missing Authorization
CVE-2026-54835
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.81%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:52
Updated-29 Jun, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Five Star Restaurant Menu plugin <= 2.5.2 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Five Star Restaurant Menu <= 2.5.2 versions.

Action-Not Available
Vendor-Rustaurius
Product-Five Star Restaurant Menu
CWE ID-CWE-862
Missing Authorization
CVE-2026-48151
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.22% / 12.96%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 16:57
Updated-28 May, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema

Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding automation trigger output schema. This vulnerability is fixed in 3.39.0.

Action-Not Available
Vendor-Budibase
Product-budibase
CWE ID-CWE-862
Missing Authorization
CVE-2023-43700
Matching Score-4
Assigner-SICK AG
ShareView Details
Matching Score-4
Assigner-SICK AG
CVSS Score-7.7||HIGH
EPSS-0.63% / 45.66%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 11:56
Updated-19 Sep, 2024 | 14:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing Authorization in RDT400 in SICK APU allows an unprivileged remote attacker to modify data via HTTP requests that no not require authentication.

Action-Not Available
Vendor-SICK AG
Product-apu0200apu0200_firmwareAPU0200rdt400
CWE ID-CWE-862
Missing Authorization
CVE-2026-48873
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.81%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:18
Updated-16 Jun, 2026 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Montonio for WooCommerce plugin <= 10.1.2 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Montonio for WooCommerce <= 10.1.2 versions.

Action-Not Available
Vendor-Montonio
Product-Montonio for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-48835
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.30% / 22.26%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:18
Updated-16 Jun, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form by WPForms plugin <= 1.10.0.4 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Contact Form by WPForms
CWE ID-CWE-862
Missing Authorization
CVE-2025-39532
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.31% / 23.10%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:46
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Spice Blocks plugin <= 2.0.7.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in spicethemes Spice Blocks spice-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spice Blocks: from n/a through <= 2.0.7.7.

Action-Not Available
Vendor-spicethemes
Product-Spice Blocks
CWE ID-CWE-862
Missing Authorization
CVE-2026-45438
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.29% / 20.65%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 22:18
Updated-26 May, 2026 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Smart Coupons for WooCommerce plugin < 2.3.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in WebToffee Smart Coupons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Coupons for WooCommerce: from n/a before 2.3.0.

Action-Not Available
Vendor-WebToffee
Product-Smart Coupons for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-57923
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 5.41%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 12:38
Updated-27 Jun, 2026 | 19:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings

Action-Not Available
Vendor-JetBrains s.r.o.
Product-youtrackYouTrack
CWE ID-CWE-862
Missing Authorization
CVE-2026-56061
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.25% / 15.68%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:52
Updated-29 Jun, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Subscriptions for WooCommerce plugin <= 1.9.5 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Subscriptions for WooCommerce <= 1.9.5 versions.

Action-Not Available
Vendor-WP Swings
Product-Subscriptions for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-54475
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.38% / 29.64%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 09:48
Updated-02 Jul, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover

Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a different connection to consume from another connection's temporary destination. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-activemq_brokeractivemqApache ActiveMQ AllApache ActiveMQApache ActiveMQ Broker
CWE ID-CWE-862
Missing Authorization
CVE-2026-54828
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.81%
||
7 Day CHG~0.00%
Published-25 Jun, 2026 | 13:12
Updated-25 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Motors plugin <= 1.4.109 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Motors <= 1.4.109 versions.

Action-Not Available
Vendor-StylemixThemes
Product-Motors
CWE ID-CWE-862
Missing Authorization
CVE-2025-31041
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.50% / 39.28%
||
7 Day CHG+0.04%
Published-11 Apr, 2025 | 08:42
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AnyTrack Affiliate Link Manager plugin <= 1.0.4 - Broken Access Control Vulnerability

Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyTrack Affiliate Link Manager: from n/a through <= 1.0.4.

Action-Not Available
Vendor-AnyTrack
Product-AnyTrack Affiliate Link Manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-30639
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.28% / 20.13%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 10:34
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress IDonatePro Plugin <= 2.1.9 - Broken Access Control Vulnerability

Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IDonatePro: from n/a through <= 2.1.9.

Action-Not Available
Vendor-ThemeAtelier
Product-IDonatePro
CWE ID-CWE-862
Missing Authorization
CVE-2025-30107
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.30% / 22.18%
||
7 Day CHG~0.00%
Published-18 Mar, 2025 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On IROAD V9 devices, Managing Settings and Obtaining Sensitive Data and Sabotaging the Car Battery can be performed by unauthorized parties. A vulnerability in the dashcam's configuration management allows unauthorized users to modify settings, disable critical functions, and turn off battery protection, potentially causing physical damage to the vehicle.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-862
Missing Authorization
CVE-2026-54832
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.81%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:52
Updated-26 Jun, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Gutenverse Companion plugin <= 2.5.0 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Gutenverse Companion <= 2.5.0 versions.

Action-Not Available
Vendor-Jegstudio
Product-Gutenverse Companion
CWE ID-CWE-862
Missing Authorization
CVE-2025-30944
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.36% / 28.43%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Tablesome Table Premium <= 1.1.23 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Essekia Tablesome Table Premium tablesome-premium allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Tablesome Table Premium: from n/a through <= 1.1.23.

Action-Not Available
Vendor-Essekia
Product-Tablesome Table Premium
CWE ID-CWE-862
Missing Authorization
CVE-2025-30855
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.28% / 20.21%
||
7 Day CHG+0.02%
Published-31 Mar, 2025 | 06:07
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ads by WPQuads plugin <= 2.0.87.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ads by WPQuads: from n/a through <= 2.0.87.1.

Action-Not Available
Vendor-Ads by WPQuads
Product-Ads by WPQuads
CWE ID-CWE-862
Missing Authorization
CVE-2025-26968
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.34% / 26.28%
||
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:17
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Cloak Front End Email <= 1.9.5 - Broken Access Control Vulnerability

Missing Authorization vulnerability in webbernaut Cloak Front End Email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloak Front End Email: from n/a through 1.9.5.

Action-Not Available
Vendor-webbernaut
Product-Cloak Front End Email
CWE ID-CWE-862
Missing Authorization
CVE-2026-49070
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.81%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:19
Updated-15 Jun, 2026 | 21:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Knit Pay plugin <= 9.4.0.0 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions.

Action-Not Available
Vendor-Knit Pay
Product-Knit Pay
CWE ID-CWE-862
Missing Authorization
CVE-2026-42669
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.20% / 10.22%
||
7 Day CHG~0.00%
Published-02 Jun, 2026 | 10:40
Updated-02 Jun, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EventPrime plugin <= 4.3.2.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through 4.3.2.0.

Action-Not Available
Vendor-Metagauss Inc.
Product-EventPrime
CWE ID-CWE-862
Missing Authorization
CVE-2026-48883
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.81%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:19
Updated-15 Jun, 2026 | 22:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPC Product Bundles for WooCommerce plugin <= 8.5.3 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce <= 8.5.3 versions.

Action-Not Available
Vendor-WPClever
Product-WPC Product Bundles for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-47100
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.46% / 36.45%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 14:00
Updated-19 May, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Funnel Builder for WooCommerce Checkout < 3.15.0.3 Missing Authorization via AJAX

Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.

Action-Not Available
Vendor-FunnelKit
Product-Funnel Builder for WooCommerce Checkout
CWE ID-CWE-862
Missing Authorization
CVE-2022-24190
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.67% / 47.55%
||
7 Day CHG~0.00%
Published-28 Nov, 2022 | 00:00
Updated-29 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction.

Action-Not Available
Vendor-sz-fujian/a
Product-ourphoton/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-862
Missing Authorization
CVE-2022-23945
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-3.77% / 88.61%
||
7 Day CHG~0.00%
Published-25 Jan, 2022 | 13:00
Updated-03 Aug, 2024 | 03:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache ShenYu missing authentication allows gateway registration

Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Action-Not Available
Vendor-The Apache Software Foundation
Product-shenyuApache ShenYu (incubating)
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-22318
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.30% / 21.37%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 13:40
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Standard Box Sizes plugin <= 1.6.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in enituretechnology Standard Box Sizes – for WooCommerce standard-box-sizes.This issue affects Standard Box Sizes – for WooCommerce: from n/a through <= 1.6.13.

Action-Not Available
Vendor-Eniture, LLC
Product-Standard Box Sizes – for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2023-39966
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.70% / 48.52%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 17:46
Updated-04 Oct, 2024 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
1Panel arbitrary file write vulnerability exists in the background

1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.

Action-Not Available
Vendor-FIT2CLOUD Inc.1Panel (FIT2CLOUD Inc.)
Product-1panel1Panel1panel
CWE ID-CWE-862
Missing Authorization
CVE-2021-44795
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-5.3||MEDIUM
EPSS-0.92% / 55.85%
||
7 Day CHG~0.00%
Published-27 Jan, 2022 | 12:27
Updated-18 May, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Modifying User Permissions via Unauthorized Access in Single Connect

Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users permissions. The exploitation of this vulnerability might allow a remote attacker to delete permissions from other users without authenticating.

Action-Not Available
Vendor-krontechKron
Product-single_connectSingle Connect
CWE ID-CWE-862
Missing Authorization
CVE-2026-39524
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.25% / 15.68%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:18
Updated-16 Jun, 2026 | 14:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Masteriyo - LMS plugin <= 2.1.5 - Payment Bypass vulnerability

Unauthenticated Broken Access Control in Masteriyo - LMS <= 2.1.5 versions.

Action-Not Available
Vendor-ThemeGrill
Product-Masteriyo - LMS
CWE ID-CWE-862
Missing Authorization
CVE-2025-14070
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.39% / 30.92%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 09:21
Updated-08 Apr, 2026 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reviewify <= 1.0.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary WooCommerce Coupon Creation

The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to create arbitrary WooCommerce discount coupons, potentially causing financial loss to the store.

Action-Not Available
Vendor-xfinitysoft
Product-Reviewify — Review Discounts & Photo/Video Reviews for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-40774
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.81%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:18
Updated-15 Jun, 2026 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Booking Package plugin <= 1.7.06 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Booking Package <= 1.7.06 versions.

Action-Not Available
Vendor-SaasProject
Product-Booking Package
CWE ID-CWE-862
Missing Authorization
CVE-2026-39503
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.25% / 15.68%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:17
Updated-16 Jun, 2026 | 14:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Digital Downloads plugin <= 3.6.5 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Easy Digital Downloads <= 3.6.5 versions.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Easy Digital Downloads
CWE ID-CWE-862
Missing Authorization
CVE-2021-4346
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-1.24% / 65.50%
||
7 Day CHG~0.00%
Published-07 Jun, 2023 | 01:51
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
uListing <= 1.6.6 - Unauthenticated Arbitrary Account Changes

The uListing plugin for WordPress is vulnerable to Unauthenticated Arbitrary Account Changes in versions up to, and including, 1.6.6. This is due to missing login checks on the stm_listing_profile_edit AJAX action. This makes it possible for unauthenticated attackers to edit any account on the blog, such as changing the admin account's email address.

Action-Not Available
Vendor-stylemixthemesstylemix
Product-ulistingDirectory Listings WordPress plugin – uListing
CWE ID-CWE-862
Missing Authorization
CVE-2026-33427
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-2.7||LOW
EPSS-0.21% / 11.02%
||
7 Day CHG~0.00%
Published-20 Mar, 2026 | 23:20
Updated-24 Mar, 2026 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse Authorization Page Displays Unvalidated Redirect Domain

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against users. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-862
Missing Authorization
CVE-2025-13384
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.32% / 24.24%
||
7 Day CHG~0.00%
Published-22 Nov, 2025 | 07:29
Updated-08 Apr, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CP Contact Form with PayPal <= 1.3.56 - Missing Authorization to Unauthenticated Arbitrary Payment Confirmation

The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ipncheck' query parameter) that processes payment confirmations without any authentication, nonce verification, or PayPal IPN signature validation. This makes it possible for unauthenticated attackers to mark form submissions as paid without making actual payments by sending forged payment notification requests with arbitrary POST data (payment_status, txn_id, payer_email).

Action-Not Available
Vendor-CodePeople
Product-CP Contact Form with PayPal
CWE ID-CWE-862
Missing Authorization
CVE-2025-13029
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.21% / 11.56%
||
7 Day CHG~0.00%
Published-31 Dec, 2025 | 06:00
Updated-02 Jan, 2026 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Knowband Mobile App Builder for wooCommerce < 3.0.0 – Unauthenticated Arbitrary User Deletion

The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users.

Action-Not Available
Vendor-Unknown
Product-Knowband Mobile App Builder
CWE ID-CWE-862
Missing Authorization
CVE-2026-34898
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.25% / 15.68%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:17
Updated-16 Jun, 2026 | 12:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Event Tickets Manager for WooCommerce plugin <= 1.5.3 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.

Action-Not Available
Vendor-WP Swings
Product-Event Tickets Manager for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-12633
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.23% / 13.75%
||
7 Day CHG+0.01%
Published-12 Nov, 2025 | 07:27
Updated-08 Apr, 2026 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Booking Calendar | Appointment Booking | Bookit <= 2.5.0 - Missing Authorization to Unauthenticated Stripe Connection

The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments.

Action-Not Available
Vendor-The Events Calendar (StellarWP)
Product-Bookit — Booking & Appointment Calendar
CWE ID-CWE-862
Missing Authorization
CVE-2025-11890
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.27% / 19.07%
||
7 Day CHG+0.02%
Published-04 Nov, 2025 | 04:27
Updated-08 Apr, 2026 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Crypto Payment Gateway with Payeer for WooCommerce <= 1.0.3 - Unauthenticated Payment Bypass

The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a payments status through server-side validation though the /wc-api/bp-payeer-gateway-callback endpoint. This makes it possible for unauthenticated attackers to update unpaid order statuses to paid resulting in a loss of revenue.

Action-Not Available
Vendor-beycanpress
Product-Crypto Payment Gateway with Payeer for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2023-33252
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.58% / 43.54%
||
7 Day CHG~0.00%
Published-21 May, 2023 | 00:00
Updated-21 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.

Action-Not Available
Vendor-n/a0kims Association
Product-snarkjsn/a
CWE ID-CWE-862
Missing Authorization
CVE-2025-11877
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.34% / 25.46%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 08:21
Updated-08 Apr, 2026 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. CVE-2025-13471 appears to be a duplicate of this CVE.

Action-Not Available
Vendor-solwininfotech
Product-User Activity Log
CWE ID-CWE-862
Missing Authorization
CVE-2026-32485
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.26% / 17.53%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-29 Apr, 2026 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP User Frontend plugin <= 4.2.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.8.

Action-Not Available
Vendor-weDevs Pte. Ltd.
Product-WP User Frontend
CWE ID-CWE-862
Missing Authorization
CVE-2025-15285
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.40% / 31.66%
||
7 Day CHG~0.00%
Published-04 Feb, 2026 | 08:25
Updated-08 Apr, 2026 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SEO Flow by LupsOnline <= 2.2.1 - Unauthenticated Arbitrary Post/Category Modification

The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories.

Action-Not Available
Vendor-lupsonline
Product-SEO Flow by LupsOnline
CWE ID-CWE-862
Missing Authorization
CVE-2026-32546
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.22% / 12.19%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:15
Updated-29 Apr, 2026 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Restrict Content plugin <= 3.2.22 - Broken Access Control vulnerability

Missing Authorization vulnerability in StellarWP Restrict Content restrict-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Restrict Content: from n/a through <= 3.2.22.

Action-Not Available
Vendor-The Events Calendar (StellarWP)
Product-Restrict Content
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found