Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-34898

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-15 Jun, 2026 | 20:17
Updated At-16 Jun, 2026 | 12:40
Rejected At-
Credits

WordPress Event Tickets Manager for WooCommerce plugin <= 1.5.3 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:15 Jun, 2026 | 20:17
Updated At:16 Jun, 2026 | 12:40
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress Event Tickets Manager for WooCommerce plugin <= 1.5.3 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.

Affected Products
Vendor
WP Swings
Product
Event Tickets Manager for WooCommerce
Collection URL
https://wordpress.org/plugins
Package Name
event-tickets-manager-for-woocommerce
Default Status
unaffected
Versions
Affected
  • From n/a through 1.5.3 (custom)
    • -> unaffectedfrom1.5.4
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-180CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC ID: CAPEC-180
Description: CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
Solutions

Update the WordPress Event Tickets Manager for WooCommerce Plugin to the latest available version (at least 1.5.4).

Configurations

Workarounds

Exploits

Credits

finder
Nguyen Ba Khanh | Patchstack Bug Bounty Program
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://patchstack.com/database/wordpress/plugin/event-tickets-manager-for-woocommerce/vulnerability/wordpress-event-tickets-manager-for-woocommerce-plugin-1-5-3-broken-access-control-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/wordpress/plugin/event-tickets-manager-for-woocommerce/vulnerability/wordpress-event-tickets-manager-for-woocommerce-plugin-1-5-3-broken-access-control-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:15 Jun, 2026 | 21:16
Updated At:15 Jun, 2026 | 21:24

Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-862Primaryaudit@patchstack.com
CWE ID: CWE-862
Type: Primary
Source: audit@patchstack.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://patchstack.com/database/wordpress/plugin/event-tickets-manager-for-woocommerce/vulnerability/wordpress-event-tickets-manager-for-woocommerce-plugin-1-5-3-broken-access-control-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/wordpress/plugin/event-tickets-manager-for-woocommerce/vulnerability/wordpress-event-tickets-manager-for-woocommerce-plugin-1-5-3-broken-access-control-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

179Records found

CVE-2025-13384
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.32% / 24.24%
||
7 Day CHG~0.00%
Published-22 Nov, 2025 | 07:29
Updated-08 Apr, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CP Contact Form with PayPal <= 1.3.56 - Missing Authorization to Unauthenticated Arbitrary Payment Confirmation

The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ipncheck' query parameter) that processes payment confirmations without any authentication, nonce verification, or PayPal IPN signature validation. This makes it possible for unauthenticated attackers to mark form submissions as paid without making actual payments by sending forged payment notification requests with arbitrary POST data (payment_status, txn_id, payer_email).

Action-Not Available
Vendor-CodePeople
Product-CP Contact Form with PayPal
CWE ID-CWE-862
Missing Authorization
CVE-2025-13029
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.21% / 11.56%
||
7 Day CHG~0.00%
Published-31 Dec, 2025 | 06:00
Updated-02 Jan, 2026 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Knowband Mobile App Builder for wooCommerce < 3.0.0 – Unauthenticated Arbitrary User Deletion

The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users.

Action-Not Available
Vendor-Unknown
Product-Knowband Mobile App Builder
CWE ID-CWE-862
Missing Authorization
CVE-2026-34886
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.25% / 16.31%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:17
Updated-15 Jun, 2026 | 22:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple Membership plugin <= 4.7.1 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions.

Action-Not Available
Vendor-wp.insider
Product-Simple Membership
CWE ID-CWE-862
Missing Authorization
CVE-2025-12633
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.23% / 13.75%
||
7 Day CHG+0.01%
Published-12 Nov, 2025 | 07:27
Updated-08 Apr, 2026 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Booking Calendar | Appointment Booking | Bookit <= 2.5.0 - Missing Authorization to Unauthenticated Stripe Connection

The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments.

Action-Not Available
Vendor-The Events Calendar (StellarWP)
Product-Bookit — Booking & Appointment Calendar
CWE ID-CWE-862
Missing Authorization
CVE-2025-11890
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.27% / 19.07%
||
7 Day CHG+0.02%
Published-04 Nov, 2025 | 04:27
Updated-08 Apr, 2026 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Crypto Payment Gateway with Payeer for WooCommerce <= 1.0.3 - Unauthenticated Payment Bypass

The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a payments status through server-side validation though the /wc-api/bp-payeer-gateway-callback endpoint. This makes it possible for unauthenticated attackers to update unpaid order statuses to paid resulting in a loss of revenue.

Action-Not Available
Vendor-beycanpress
Product-Crypto Payment Gateway with Payeer for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2023-33252
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.58% / 43.54%
||
7 Day CHG~0.00%
Published-21 May, 2023 | 00:00
Updated-21 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.

Action-Not Available
Vendor-n/a0kims Association
Product-snarkjsn/a
CWE ID-CWE-862
Missing Authorization
CVE-2025-11877
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.34% / 25.46%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 08:21
Updated-08 Apr, 2026 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. CVE-2025-13471 appears to be a duplicate of this CVE.

Action-Not Available
Vendor-solwininfotech
Product-User Activity Log
CWE ID-CWE-862
Missing Authorization
CVE-2026-32485
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.26% / 17.53%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-29 Apr, 2026 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP User Frontend plugin <= 4.2.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.8.

Action-Not Available
Vendor-weDevs Pte. Ltd.
Product-WP User Frontend
CWE ID-CWE-862
Missing Authorization
CVE-2025-15285
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.40% / 31.66%
||
7 Day CHG~0.00%
Published-04 Feb, 2026 | 08:25
Updated-08 Apr, 2026 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SEO Flow by LupsOnline <= 2.2.1 - Unauthenticated Arbitrary Post/Category Modification

The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories.

Action-Not Available
Vendor-lupsonline
Product-SEO Flow by LupsOnline
CWE ID-CWE-862
Missing Authorization
CVE-2026-32546
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.22% / 12.19%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:15
Updated-29 Apr, 2026 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Restrict Content plugin <= 3.2.22 - Broken Access Control vulnerability

Missing Authorization vulnerability in StellarWP Restrict Content restrict-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Restrict Content: from n/a through <= 3.2.22.

Action-Not Available
Vendor-The Events Calendar (StellarWP)
Product-Restrict Content
CWE ID-CWE-862
Missing Authorization
CVE-2019-16236
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.38% / 81.87%
||
7 Day CHG~0.00%
Published-11 Sep, 2019 | 18:57
Updated-05 Aug, 2024 | 01:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dino before 2019-09-10 does not check roster push authorization in module/roster/module.vala.

Action-Not Available
Vendor-dinon/aCanonical Ltd.Fedora ProjectDebian GNU/Linux
Product-ubuntu_linuxdebian_linuxfedoradinon/a
CWE ID-CWE-862
Missing Authorization
CVE-2023-30586
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-1.35% / 68.04%
||
7 Day CHG~0.00%
Published-30 Jun, 2023 | 23:40
Updated-08 May, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-node.jsNode
CWE ID-CWE-862
Missing Authorization
CVE-2023-30581
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-1.05% / 60.07%
||
7 Day CHG~0.00%
Published-22 Nov, 2023 | 23:28
Updated-03 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-node.jsNode
CWE ID-CWE-862
Missing Authorization
CVE-2026-29072
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.23% / 13.89%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 21:49
Updated-23 Mar, 2026 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse missing permission check for policy creation in discourse-policy

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy acceptance widgets in posts under the right conditions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-862
Missing Authorization
CVE-2026-54844
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.81%
||
7 Day CHG~0.00%
Published-25 Jun, 2026 | 13:12
Updated-29 Jun, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CheckView Automated Testing plugin <= 2.1.0 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in CheckView Automated Testing <= 2.1.0 versions.

Action-Not Available
Vendor-CheckView
Product-CheckView Automated Testing
CWE ID-CWE-862
Missing Authorization
CVE-2023-25014
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.6||HIGH
EPSS-0.50% / 39.20%
||
7 Day CHG~0.00%
Published-02 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users.

Action-Not Available
Vendor-in2coden/a
Product-femanagern/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-862
Missing Authorization
CVE-2023-23988
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.68% / 47.71%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 06:33
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress My Tickets plugin <= 1.9.11 - Payment Bypass Vulnerability

Missing Authorization vulnerability in Joseph C Dolson My Tickets.This issue affects My Tickets: from n/a through 1.9.11.

Action-Not Available
Vendor-Joseph C Dolson
Product-My Tickets
CWE ID-CWE-862
Missing Authorization
CVE-2026-27836
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.41% / 32.89%
||
7 Day CHG~0.00%
Published-27 Feb, 2026 | 19:54
Updated-04 Mar, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint (`/api/webauthn/prepare`) creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Version 4.0.18 fixes the issue.

Action-Not Available
Vendor-Thorsten Rinne (phpMyFAQ)
Product-phpmyfaqphpMyFAQ
CWE ID-CWE-862
Missing Authorization
CVE-2024-10542
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-15.24% / 96.36%
||
7 Day CHG~0.00%
Published-26 Nov, 2024 | 05:33
Updated-08 Apr, 2026 | 17:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

Action-Not Available
Vendor-cleantalkcleantalkcleantalk
Product-anti-spamSpam protection, Honeypot, Anti-Spam by CleanTalkantispam
CWE ID-CWE-862
Missing Authorization
CVE-2021-38789
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.29% / 66.65%
||
7 Day CHG~0.00%
Published-19 Jan, 2022 | 18:40
Updated-04 Aug, 2024 | 01:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Allwinner R818 SoC Android Q SDK V1.0 is affected by an incorrect access control vulnerability that does not check the caller's permission, in which a third-party app could change system settings.

Action-Not Available
Vendor-allwinnertechn/a
Product-r818android_q_sdkn/a
CWE ID-CWE-862
Missing Authorization
CVE-2024-10567
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.37% / 29.08%
||
7 Day CHG+0.01%
Published-04 Dec, 2024 | 08:22
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TI WooCommerce Wishlist <= 2.9.1 - Missing Authorization to Unauthenticated Plugin Setup Wizard Access

The TI WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function in all versions up to, and including, 2.9.1. This makes it possible for unauthenticated attackers to create new pages, modify plugin settings, and perform limited options updates.

Action-Not Available
Vendor-templateinvadersWooCommerce
Product-TI WooCommerce Wishlistwoocommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-27386
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.25% / 15.68%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:53
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress DesignThemes Directory Addon plugin <= 1.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in designthemes DesignThemes Directory Addon designthemes-directory-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes Directory Addon: from n/a through <= 1.8.

Action-Not Available
Vendor-designthemes
Product-DesignThemes Directory Addon
CWE ID-CWE-862
Missing Authorization
CVE-2024-8700
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.39% / 30.57%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-27 Aug, 2025 | 12:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Event Calendar <= 1.0.4 - Unauthenticated Arbitrary Calendar Deletion

The Event Calendar WordPress plugin through 1.0.4 does not check for authorization on delete actions, allowing unauthenticated users to delete arbitrary calendars.

Action-Not Available
Vendor-total-softUnknown
Product-event_calendarEvent Calendar
CWE ID-CWE-862
Missing Authorization
CVE-2026-25396
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.26% / 17.52%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Commerce Coinbase For WooCommerce plugin <= 1.6.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in CoderPress Commerce Coinbase For WooCommerce commerce-coinbase-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Commerce Coinbase For WooCommerce: from n/a through <= 1.6.6.

Action-Not Available
Vendor-CoderPress
Product-Commerce Coinbase For WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-25312
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.21% / 10.75%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 07:20
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EventPrime plugin <= 4.2.8.3 - Payment Bypass vulnerability

Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through <= 4.2.8.3.

Action-Not Available
Vendor-Metagauss Inc.
Product-EventPrime
CWE ID-CWE-862
Missing Authorization
CVE-2024-7714
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.83% / 52.91%
||
7 Day CHG~0.00%
Published-27 Sep, 2024 | 06:00
Updated-27 Aug, 2025 | 12:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI Assistant with ChatGPT by AYS <= 2.0.9 - Unauthenticated AJAX Calls

The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 lacks sufficient access controls allowing an unauthenticated user to disconnect the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 from OpenAI, thereby disabling the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0. Multiple actions are accessible: 'ays_chatgpt_disconnect', 'ays_chatgpt_connect', and 'ays_chatgpt_save_feedback'

Action-Not Available
Vendor-UnknownAYS Pro Extensions
Product-chatgpt_assistantAI ChatBot with ChatGPT and Content Generator by AYSai_chatbot_with_chatgpt
CWE ID-CWE-862
Missing Authorization
CVE-2026-22479
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.32% / 24.14%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:53
Updated-28 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Post Submission plugin <= 2.4.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in ThemeRuby Easy Post Submission easy-post-submission allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Post Submission: from n/a through <= 2.4.0.

Action-Not Available
Vendor-ThemeRuby
Product-Easy Post Submission
CWE ID-CWE-862
Missing Authorization
CVE-2024-6750
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.3||HIGH
EPSS-0.29% / 20.28%
||
7 Day CHG~0.00%
Published-24 Jul, 2024 | 02:33
Updated-08 Apr, 2026 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Social Auto Poster <= 5.3.14 - Missing Authorization via Multiple Functions

The Social Auto Poster plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.3.14. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options.

Action-Not Available
Vendor-WPWeb Elite
Product-social_auto_posterSocial Auto Poster
CWE ID-CWE-862
Missing Authorization
CVE-2026-1916
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.36% / 27.68%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 08:25
Updated-08 Apr, 2026 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPGSI: Spreadsheet Integration <= 3.8.3 - Missing Authorization to Unauthenticated Arbitrary Post Creation and Deletion via Forged Base64 Token

The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin user ID and email) to create, modify, and delete arbitrary WordPress posts and pages, granted they know the administrator's email address and an active integration ID with remote updates enabled.

Action-Not Available
Vendor-javmah
Product-WPGSI: Spreadsheet Integration
CWE ID-CWE-862
Missing Authorization
CVE-2022-4943
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.54% / 41.58%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 07:29
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
miniOrange's Google Authenticator <= 5.6.5 - Missing Authorization to Plugin Settings Change

The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings.

Action-Not Available
Vendor-miniorangecyberlord92
Product-google_authenticatorminiOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator)
CWE ID-CWE-862
Missing Authorization
CVE-2023-47224
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.40% / 32.44%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:00
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Travel plugin <= 7.8.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Travel: from n/a through <= 7.8.0.

Action-Not Available
Vendor-WP Travel
Product-WP Travel
CWE ID-CWE-862
Missing Authorization
CVE-2021-25093
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-1.20% / 64.31%
||
7 Day CHG~0.00%
Published-01 Feb, 2022 | 12:21
Updated-10 Oct, 2024 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Link Library < 7.2.8 - Unauthenticated Arbitrary Links Deletion

The Link Library WordPress plugin before 7.2.8 does not have authorisation in place when deleting links, allowing unauthenticated users to delete arbitrary links via a crafted request

Action-Not Available
Vendor-ylefebvreUnknown
Product-link_libraryLink Library
CWE ID-CWE-862
Missing Authorization
CVE-2026-11912
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.43% / 34.74%
||
7 Day CHG~0.00%
Published-20 Jun, 2026 | 08:29
Updated-22 Jun, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple File List <= 6.3.7 - Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action

The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the serve. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.

Action-Not Available
Vendor-eemitch
Product-Simple File List
CWE ID-CWE-862
Missing Authorization
CVE-2025-69358
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.31% / 23.18%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress EventPrime plugin <= 4.2.6.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through <= 4.2.6.0.

Action-Not Available
Vendor-Metagauss Inc.
Product-EventPrime
CWE ID-CWE-862
Missing Authorization
CVE-2025-69297
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.81%
||
7 Day CHG~0.00%
Published-20 Feb, 2026 | 15:46
Updated-28 Apr, 2026 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Aardvark Plugin plugin <= 2.19 - Broken Access Control vulnerability

Missing Authorization vulnerability in GhostPool Aardvark Plugin aardvark-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aardvark Plugin: from n/a through <= 2.19.

Action-Not Available
Vendor-GhostPool
Product-Aardvark Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-69298
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.24% / 14.81%
||
7 Day CHG~0.00%
Published-20 Feb, 2026 | 15:46
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Gauge theme <= 6.56.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in GhostPool Gauge gauge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gauge: from n/a through <= 6.56.4.

Action-Not Available
Vendor-GhostPool
Product-Gauge
CWE ID-CWE-862
Missing Authorization
CVE-2022-41930
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.82% / 52.60%
||
7 Day CHG~0.00%
Published-23 Nov, 2022 | 00:00
Updated-22 Apr, 2025 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
org.xwiki.platform:xwiki-platform-user-profile-ui missing authorization to enable or disable users

org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any user of the wiki. The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2. Workarounds: The problem can be patched immediately by editing the page `XWiki.XWikiUserProfileSheet` in the wiki and by performing the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-862
Missing Authorization
CVE-2022-39289
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.75% / 50.55%
||
7 Day CHG~0.00%
Published-07 Oct, 2022 | 00:00
Updated-22 Apr, 2025 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Database log access in ZoneMinder

ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API Exposes Database Log contents to user without privileges, allows insertion, modification, deletion of logs without System Privileges. Users are advised yo upgrade as soon as possible. Users unable to upgrade should disable database logging.

Action-Not Available
Vendor-zoneminderZoneMinder
Product-zoneminderzoneminder
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-862
Missing Authorization
CVE-2026-0692
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.28% / 19.93%
||
7 Day CHG~0.00%
Published-14 Feb, 2026 | 04:35
Updated-08 Apr, 2026 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BlueSnap Payment Gateway for WooCommerce <= 3.4.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation

The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's `WC_Geolocation::get_ip_address()` function to validate IPN requests, which trusts user-controllable headers like X-Real-IP and X-Forwarded-For to determine the client IP address. This makes it possible for unauthenticated attackers to bypass IP allowlist restrictions by spoofing a whitelisted BlueSnap IP address and send forged IPN (Instant Payment Notification) data to manipulate order statuses (mark orders as paid, failed, refunded, or on-hold) without proper authorization.

Action-Not Available
Vendor-bluesnap
Product-BlueSnap Payment Gateway for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-56008
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.42% / 33.54%
||
7 Day CHG~0.00%
Published-18 Dec, 2024 | 11:38
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Spreadr Woocommerce plugin <= 1.0.4 - Arbitrary Content Deletion vulnerability

Missing Authorization vulnerability in spreadr Spreadr Woocommerce spreadr-for-woocomerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Spreadr Woocommerce: from n/a through <= 1.0.4.

Action-Not Available
Vendor-spreadr
Product-Spreadr Woocommerce
CWE ID-CWE-862
Missing Authorization
CVE-2024-53473
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.61% / 44.75%
||
7 Day CHG+0.01%
Published-07 Dec, 2024 | 00:00
Updated-03 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WeGIA 3.2.0 before 3998672 does not verify permission to change a password.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-862
Missing Authorization
CVE-2022-36883
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-7.5||HIGH
EPSS-5.56% / 91.91%
||
7 Day CHG+0.11%
Published-27 Jul, 2022 | 14:21
Updated-03 Aug, 2024 | 10:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.

Action-Not Available
Vendor-Jenkins
Product-gitJenkins Git Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-5130
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.48% / 38.19%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 18:43
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in lunary-ai/lunary

An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.

Action-Not Available
Vendor-Lunary LLC
Product-lunarylunary-ai/lunarylunary
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CVE-2022-3322
Matching Score-4
Assigner-Cloudflare, Inc.
ShareView Details
Matching Score-4
Assigner-Cloudflare, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.25% / 15.82%
||
7 Day CHG~0.00%
Published-28 Oct, 2022 | 09:25
Updated-05 May, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lock WARP switch bypass on WARP mobile client using iOS quick action

Lock Warp switch is a feature of Zero Trust platform which, when enabled, prevents users of enrolled devices from disabling WARP client. Due to insufficient policy verification by WARP iOS client, this feature could be bypassed by using the "Disable WARP" quick action.

Action-Not Available
Vendor-Cloudflare, Inc.
Product-warp_mobile_clientWARP
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2021-20693
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-7.5||HIGH
EPSS-1.15% / 62.92%
||
7 Day CHG~0.00%
Published-26 Apr, 2021 | 00:20
Updated-03 Aug, 2024 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control vulnerability in Gurunavi App for Android ver.10.0.10 and earlier and for iOS ver.11.1.2 and earlier allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.

Action-Not Available
Vendor-gurunaviGurunavi, Inc.
Product-gurunaviGurunavi App
CWE ID-CWE-862
Missing Authorization
CVE-2024-48645
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.56% / 42.39%
||
7 Day CHG~0.00%
Published-21 Oct, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Minecraft mod "Command Block IDE" up to and including version 0.4.9, a missing authorization (CWE-862) allows any user to modify "function" files used by the game when installed on a dedicated server.

Action-Not Available
Vendor-n/aarm32x
Product-n/acommand_block_ide
CWE ID-CWE-862
Missing Authorization
CVE-2018-25019
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-1.53% / 71.68%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 08:45
Updated-05 Aug, 2024 | 12:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnDash < 2.5.4 - Unauthenticated Arbitrary File Upload

The LearnDash LMS WordPress plugin before 2.5.4 does not have any authorisation and validation of the file to be uploaded in the learndash_assignment_process_init() function, which could allow unauthenticated users to upload arbitrary files to the web server

Action-Not Available
Vendor-UnknownLearnDash
Product-learndashLearnDash LMS
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-58938
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.26% / 17.72%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:21
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress IDonatePro plugin <= 2.1.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IDonatePro: from n/a through <= 2.1.9.

Action-Not Available
Vendor-ThemeAtelier
Product-IDonatePro
CWE ID-CWE-862
Missing Authorization
CVE-2024-44208
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-7.5||HIGH
EPSS-0.39% / 30.84%
||
7 Day CHG~0.00%
Published-28 Oct, 2024 | 21:08
Updated-02 Apr, 2026 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15. An app may be able to bypass certain Privacy preferences.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOSmacos
CWE ID-CWE-862
Missing Authorization
CVE-2024-44069
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.47% / 37.37%
||
7 Day CHG~0.00%
Published-19 Aug, 2024 | 00:00
Updated-10 Oct, 2025 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. NOTE: the supplier reportedly does "not consider the bug a security issue" but the specific motivation for letting arbitrary persons change the value (Celsius, Fahrenheit, or Kelvin), seen by the device owner, is unclear.

Action-Not Available
Vendor-pi-holen/a
Product-pi-holen/a
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found