Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-3640

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-19 Jun, 2026 | 06:51
Updated At-22 Jun, 2026 | 15:59
Rejected At-
Credits

STRABL <= 4.5 - Unauthenticated Arbitrary Webhook Creation via REST API Endpoint

The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which allows all incoming requests without any authentication or authorization checks. No shared secret, signature validation, HMAC verification, or token-based authentication is implemented. This makes it possible for unauthenticated attackers to create fraudulent WooCommerce orders and mark them as completed by supplying paymentStatus=paid, manipulate existing order statuses by providing an externalOrderId, create new WordPress user accounts with the customer role, issue refunds on existing orders, cancel existing orders, and apply chargeback fees — all without making a legitimate payment or having any valid credentials.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:19 Jun, 2026 | 06:51
Updated At:22 Jun, 2026 | 15:59
Rejected At:
▼CVE Numbering Authority (CNA)
STRABL <= 4.5 - Unauthenticated Arbitrary Webhook Creation via REST API Endpoint

The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which allows all incoming requests without any authentication or authorization checks. No shared secret, signature validation, HMAC verification, or token-based authentication is implemented. This makes it possible for unauthenticated attackers to create fraudulent WooCommerce orders and mark them as completed by supplying paymentStatus=paid, manipulate existing order statuses by providing an externalOrderId, create new WordPress user accounts with the customer role, issue refunds on existing orders, cancel existing orders, and apply chargeback fees — all without making a legitimate payment or having any valid credentials.

Affected Products
Vendor
strablengineering
Product
STRABL – A checkout solution
Default Status
unaffected
Versions
Affected
  • From 0 through 4.5 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Teerachai Somprasong
Timeline
EventDate
Vendor Notified2026-03-09 10:17:59
Disclosed2026-06-18 17:50:04
Event: Vendor Notified
Date: 2026-03-09 10:17:59
Event: Disclosed
Date: 2026-06-18 17:50:04
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/04eb82e4-1738-44c7-980e-8e33a7a3a23a?source=cve
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L60
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L60
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L64
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L64
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L88
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L88
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L550
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L550
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L199
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L199
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/CustomerRepository.php#L17
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/CustomerRepository.php#L17
N/A
https://plugins.trac.wordpress.org/changeset/3558301
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/04eb82e4-1738-44c7-980e-8e33a7a3a23a?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L60
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L60
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L64
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L64
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L88
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L88
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L550
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L550
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L199
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L199
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/CustomerRepository.php#L17
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/CustomerRepository.php#L17
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3558301
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:19 Jun, 2026 | 08:16
Updated At:22 Jun, 2026 | 18:16

The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which allows all incoming requests without any authentication or authorization checks. No shared secret, signature validation, HMAC verification, or token-based authentication is implemented. This makes it possible for unauthenticated attackers to create fraudulent WooCommerce orders and mark them as completed by supplying paymentStatus=paid, manipulate existing order statuses by providing an externalOrderId, create new WordPress user accounts with the customer role, issue refunds on existing orders, cancel existing orders, and apply chargeback fees — all without making a legitimate payment or having any valid credentials.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
N/A
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-862Secondarysecurity@wordfence.com
CWE ID: CWE-862
Type: Secondary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/CustomerRepository.php#L17security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L199security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L550security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L60security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L64security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L88security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/CustomerRepository.php#L17security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L199security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L550security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L60security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L64security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L88security@wordfence.com
N/A
https://plugins.trac.wordpress.org/changeset/3558301security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/04eb82e4-1738-44c7-980e-8e33a7a3a23a?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/CustomerRepository.php#L17
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L199
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L550
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L60
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L64
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L88
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/CustomerRepository.php#L17
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L199
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L550
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L60
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L64
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L88
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3558301
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/04eb82e4-1738-44c7-980e-8e33a7a3a23a?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

925Records found
CVE-2026-4986
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 9.57%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 06:00
Updated-09 Jun, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPForms Lite < 1.10.0.5 – Unauthenticated PayPal Webhook Forgery

The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.

Action-Not Available
Vendor-Unknown
Product-WPForms
CWE ID-CWE-862
Missing Authorization
CVE-2024-37220
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.79%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Optinly plugin <= 1.0.18 - Broken Access Control vulnerability

Missing Authorization vulnerability in OptinlyHQ Optinly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Optinly: from n/a through 1.0.18.

Action-Not Available
Vendor-OptinlyHQoptinly
Product-Optinlyoptinly
CWE ID-CWE-862
Missing Authorization
CVE-2022-2108
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.67% / 47.18%
||
7 Day CHG+0.02%
Published-18 Jul, 2022 | 16:12
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wbcom Designs – BuddyPress Group Reviews <= 2.8.3 - Unauthorized AJAX Actions due to Nonce Bypass

The plugin Wbcom Designs – BuddyPress Group Reviews for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to said actions in versions up to, and including, 2.8.3. This makes it possible for unauthenticated attackers to modify reviews and plugin settings on the affected site.

Action-Not Available
Vendor-wbcomdesignswbcomdesigns
Product-buddypress_group_reviewsWbcom Designs – BuddyPress Group Reviews
CWE ID-CWE-862
Missing Authorization
CVE-2024-9586
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 34.63%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 05:33
Updated-08 Apr, 2026 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linkz.ai <= 1.1.8 - Missing Authorization to Unauthenticated Plugin Settings Update

The Linkz.ai plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_auth' and 'check_logout' functions in versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update plugin settings.

Action-Not Available
Vendor-linkz.aivittor1olinkz.ai
Product-linkz.aiLinkz.ai – Automatic link previews on hoverlinkz.ai
CWE ID-CWE-862
Missing Authorization
CVE-2024-35174
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.37%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 10:18
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Flo Forms plugin <= 1.0.42 - Broken Access Control vulnerability

Missing Authorization vulnerability in Flothemes Flo Forms.This issue affects Flo Forms: from n/a through 1.0.42.

Action-Not Available
Vendor-Flothemesflothemes
Product-Flo Formsflo_forms
CWE ID-CWE-862
Missing Authorization
CVE-2024-35685
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.31% / 22.88%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 10:46
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Radcliffe 2 theme <= 2.0.17 - Broken Access Control vulnerability

Missing Authorization vulnerability in Anders Norén Radcliffe 2.This issue affects Radcliffe 2: from n/a through 2.0.17.

Action-Not Available
Vendor-Anders Norénanders_noren
Product-Radcliffe 2radcliffe_2
CWE ID-CWE-862
Missing Authorization
CVE-2024-35665
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 29.80%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 14:10
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Insert Post Ads plugin <= 1.3.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in namithjawahar Insert Post Ads.This issue affects Insert Post Ads: from n/a through 1.3.2.

Action-Not Available
Vendor-namithjawaharnamithjawahar
Product-Insert Post Adsinsert_post_ads
CWE ID-CWE-862
Missing Authorization
CVE-2024-35659
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.27%
||
7 Day CHG~0.00%
Published-08 Jun, 2024 | 16:09
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress KiviCare plugin <= 3.6.6 - Insecure Direct Object References (IDOR) vulnerability

Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiviCare: from n/a through <= 3.6.6.

Action-Not Available
Vendor-iqonicIqonic Design
Product-kivicareKiviCare
CWE ID-CWE-862
Missing Authorization
CVE-2024-35667
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 29.80%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 14:09
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Shopping Cart & eCommerce Store plugin <= 5.5.19 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP EasyCart.This issue affects WP EasyCart: from n/a through 5.5.19.

Action-Not Available
Vendor-WP EasyCart
Product-WP EasyCart
CWE ID-CWE-862
Missing Authorization
CVE-2024-6755
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 23.23%
||
7 Day CHG~0.00%
Published-24 Jul, 2024 | 02:33
Updated-08 Apr, 2026 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Social Auto Poster <= 5.3.14 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the ‘wpw_auto_poster_quick_delete_multiple’ function in all versions up to, and including, 5.3.14. This makes it possible for unauthenticated attackers to delete arbitrary posts.

Action-Not Available
Vendor-WPWeb Elite
Product-social_auto_posterSocial Auto Postersocial_auto_poster
CWE ID-CWE-862
Missing Authorization
CVE-2026-32395
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 9.72%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:42
Updated-29 Apr, 2026 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Xpro Addons For Beaver Builder – Lite plugin <= 1.5.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Xpro Xpro Addons For Beaver Builder – Lite xpro-addons-beaver-builder-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Xpro Addons For Beaver Builder – Lite: from n/a through <= 1.5.6.

Action-Not Available
Vendor-Xpro
Product-Xpro Addons For Beaver Builder – Lite
CWE ID-CWE-862
Missing Authorization
CVE-2024-35683
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 29.80%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 13:39
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Leyka plugin <= 3.31.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Teplitsa of social technologies Leyka.This issue affects Leyka: from n/a through 3.31.1.

Action-Not Available
Vendor-Teplitsa of social technologies
Product-Leyka
CWE ID-CWE-862
Missing Authorization
CVE-2024-3599
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.53% / 40.57%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:52
Updated-08 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.0.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the gdpr_policy_process_delete() function in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to delete arbitrary posts.

Action-Not Available
Vendor-wpekawplegalpages
Product-wp_cookie_consentCookie Banner for GDPR / CCPA – WPLP Cookie Consent
CWE ID-CWE-862
Missing Authorization
CVE-2026-32486
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 8.44%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:42
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Travel Booking theme <= 1.3.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in wptravelengine Travel Booking travel-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Booking: from n/a through <= 1.3.9.

Action-Not Available
Vendor-wptravelengine
Product-Travel Booking
CWE ID-CWE-862
Missing Authorization
CVE-2026-32381
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 12.75%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:42
Updated-29 Apr, 2026 | 09:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress App Landing Page theme <= 1.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in raratheme App Landing Page app-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects App Landing Page: from n/a through <= 1.2.2.

Action-Not Available
Vendor-raratheme
Product-App Landing Page
CWE ID-CWE-862
Missing Authorization
CVE-2024-35748
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.31% / 22.92%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 18:41
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Dropshipping plugin <= 5.0.4 - Unauthenticated Arbitrary Email Sending vulnerability

Missing Authorization vulnerability in OPMC WooCommerce Dropshipping.This issue affects WooCommerce Dropshipping: from n/a through 5.0.4.

Action-Not Available
Vendor-opmcOPMC
Product-woocommerce_dropshippingWooCommerce Dropshipping
CWE ID-CWE-862
Missing Authorization
CVE-2024-35692
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.28% / 19.42%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 09:21
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GDPR/CCPA Cookie Consent Banner plugin <= 3.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Termly Cookie Consent.This issue affects Cookie Consent: from n/a through 3.2.

Action-Not Available
Vendor-termlyTermlytermly
Product-gdpr_cookie_consent_bannerCookie Consentgdpr_cookie_consent_banner
CWE ID-CWE-862
Missing Authorization
CVE-2026-32380
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 12.75%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:42
Updated-29 Apr, 2026 | 09:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Numinous theme <= 1.3.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in raratheme Numinous numinous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Numinous: from n/a through <= 1.3.0.

Action-Not Available
Vendor-raratheme
Product-Numinous
CWE ID-CWE-862
Missing Authorization
CVE-2024-35729
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.27%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 07:44
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Tickera plugin <= 3.5.2.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.2.6.

Action-Not Available
Vendor-tickeraTickeratickera
Product-tickeraTickeratickera
CWE ID-CWE-862
Missing Authorization
CVE-2024-35661
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.36% / 28.24%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 18:33
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Upload Fields for WPForms plugin <= 1.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in SoftLab Upload Fields for WPForms.This issue affects Upload Fields for WPForms: from n/a through 1.0.2.

Action-Not Available
Vendor-softlabbdSoftLab
Product-upload_fields_for_wpformsUpload Fields for WPForms
CWE ID-CWE-862
Missing Authorization
CVE-2026-32583
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.70% / 48.29%
||
7 Day CHG~0.00%
Published-16 Mar, 2026 | 15:11
Updated-22 Apr, 2026 | 21:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Modern Events Calendar plugin <= 7.29.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Webnus Inc. Modern Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modern Events Calendar: from n/a through 7.29.0.

Action-Not Available
Vendor-Webnus Inc.
Product-Modern Events Calendar
CWE ID-CWE-862
Missing Authorization
CVE-2024-34802
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 26.12%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 18:35
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AdFoxly plugin <= 1.8.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in AdFoxly AdFoxly – Ad Manager, AdSense Ads & Ads.Txt.This issue affects AdFoxly – Ad Manager, AdSense Ads & Ads.Txt: from n/a through 1.8.5.

Action-Not Available
Vendor-WP FOXLY
Product-adfoxlyAdFoxly – Ad Manager, AdSense Ads & Ads.txtadfoxly
CWE ID-CWE-862
Missing Authorization
CVE-2024-34821
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.41% / 32.46%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 16:03
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact List plugin <= 2.9.87 - Broken Access Control vulnerability

Missing Authorization vulnerability in Anssi Laitila Contact List contact-list.This issue affects Contact List: from n/a through <= 2.9.87.

Action-Not Available
Vendor-contactlistproAnssi Laitilatammersoft
Product-contact_listContact Listcontact_list
CWE ID-CWE-862
Missing Authorization
CVE-2025-7821
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 12.83%
||
7 Day CHG~0.00%
Published-23 Aug, 2025 | 04:25
Updated-08 Apr, 2026 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WC Plus <= 1.2.0 - Missing Authorization to Unauthenticated Settings Manipulation

The WC Plus plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pluswc_logo_favicon_logo_base' AJAX action in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update the site's favicon logo base.

Action-Not Available
Vendor-wcplus
Product-WC Plus
CWE ID-CWE-862
Missing Authorization
CVE-2026-32336
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 11.57%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:41
Updated-29 Apr, 2026 | 09:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Rara Business theme <= 1.3.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in raratheme Rara Business rara-business allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rara Business: from n/a through <= 1.3.0.

Action-Not Available
Vendor-raratheme
Product-Rara Business
CWE ID-CWE-862
Missing Authorization
CVE-2024-34753
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 25.59%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 16:01
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Radio Player plugin <= 2.0.73 - Broken Access Control vulnerability

Missing Authorization vulnerability in SoftLab Radio Player.This issue affects Radio Player: from n/a through 2.0.73.

Action-Not Available
Vendor-softlabbdSoftLabsoftlab
Product-radio_playerRadio Playerradio_player
CWE ID-CWE-862
Missing Authorization
CVE-2024-34822
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 29.79%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 15:26
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress weMail plugin <= 1.14.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs weMail.This issue affects weMail: from n/a through 1.14.2.

Action-Not Available
Vendor-weDevs Pte. Ltd.
Product-wemailweMail
CWE ID-CWE-862
Missing Authorization
CVE-2024-8682
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 16.96%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 08:21
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JNews - WordPress Newspaper Magazine Blog AMP Theme <= 11.6.6 - Unauthorized User Registration

The JNews - WordPress Newspaper Magazine Blog AMP Theme theme for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 11.6.6. This is due to the plugin not properly validate if the user can register option is enabled prior to creating a user though the register_handler() function. This makes it possible for unauthenticated attackers to register as a user even when user registration is disabled.

Action-Not Available
Vendor-https://themeforest.net/item/jnews-one-stop-solution-for-web-publishing/20566392
Product-JNews - WordPress Newspaper Magazine Blog AMP Theme
CWE ID-CWE-862
Missing Authorization
CVE-2024-33908
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 32.12%
||
7 Day CHG~0.00%
Published-06 May, 2024 | 19:15
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WidgetKit plugin <= 2.5.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Themesgrove WidgetKit.This issue affects WidgetKit: from n/a through 2.5.0.

Action-Not Available
Vendor-Themesgrove
Product-WidgetKit
CWE ID-CWE-862
Missing Authorization
CVE-2024-34438
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 16.58%
||
7 Day CHG~0.00%
Published-20 Feb, 2026 | 15:46
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Shared Files plugin <= 1.7.19 - Broken Access Control vulnerability

Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.This issue affects Shared Files: from n/a through <= 1.7.19.

Action-Not Available
Vendor-Anssi Laitila
Product-Shared Files
CWE ID-CWE-862
Missing Authorization
CVE-2024-34813
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.32% / 23.17%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 10:38
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Wishlist plugin <= 1.7.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Moreconvert Team MC Woocommerce Wishlist smart-wishlist-for-more-convert.This issue affects MC Woocommerce Wishlist: from n/a through <= 1.7.8.

Action-Not Available
Vendor-Moreconvert Team
Product-MC Woocommerce Wishlist
CWE ID-CWE-862
Missing Authorization
CVE-2024-34763
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.41%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 16:57
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Builder for WooCommerce reviews shortcodes – ReviewShort plugin <= 1.01.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Saleswonder Team: Tobias Builder for WooCommerce reviews shortcodes – ReviewShort woo-product-reviews-shortcode.This issue affects Builder for WooCommerce reviews shortcodes – ReviewShort: from n/a through <= 1.01.5.

Action-Not Available
Vendor-Saleswonder Team: Tobias
Product-Builder for WooCommerce reviews shortcodes – ReviewShort
CWE ID-CWE-862
Missing Authorization
CVE-2024-34768
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.36% / 28.10%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 16:42
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Fastly plugin <= 1.2.25 - Broken Access Control vulnerability

Missing Authorization vulnerability in Fastly.This issue affects Fastly: from n/a through 1.2.25.

Action-Not Available
Vendor-Fastly
Product-Fastly
CWE ID-CWE-862
Missing Authorization
CVE-2024-34819
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.41% / 32.47%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 16:10
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MC Woocommerce Wishlist plugin <= 1.7.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Moreconvert Team MC Woocommerce Wishlist smart-wishlist-for-more-convert.This issue affects MC Woocommerce Wishlist: from n/a through <= 1.7.2.

Action-Not Available
Vendor-moreconvertMoreconvert Teammoreconvert
Product-woocommerce_wishlistMC Woocommerce Wishlistwoocommerce_wishlist
CWE ID-CWE-862
Missing Authorization
CVE-2024-6088
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.62% / 45.03%
||
7 Day CHG~0.00%
Published-02 Jul, 2024 | 11:01
Updated-08 Apr, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress – WordPress LMS Plugin <= 4.2.6.8.1 - Missing Authorization to Unauthenticated User Registration Bypass

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user registration to create a new account with the default role.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-learnpressLearnPress – WordPress LMS Plugin for Create and Sell Online Courseslearnpress
CWE ID-CWE-862
Missing Authorization
CVE-2024-34799
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 28.46%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 16:35
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BookingPress plugin <= 1.0.82 - Appointment Duration Manipulation vulnerability

Missing Authorization vulnerability in Repute Infosystems BookingPress.This issue affects BookingPress: from n/a through 1.0.82.

Action-Not Available
Vendor-reputeinfosystemsRepute Infosystems
Product-bookingpressBookingPress
CWE ID-CWE-862
Missing Authorization
CVE-2024-33920
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.36% / 27.68%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 08:30
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Democracy Poll plugin <= 6.0.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Kama Democracy Poll.This issue affects Democracy Poll: from n/a through 6.0.3.

Action-Not Available
Vendor-Kama
Product-Democracy Poll
CWE ID-CWE-862
Missing Authorization
CVE-2024-34442
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 29.02%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 13:34
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress weDocs plugin <= 2.1.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in weDevs weDocs.This issue affects weDocs: from n/a through 2.1.4.

Action-Not Available
Vendor-weDevs Pte. Ltd.
Product-weDocswedocs
CWE ID-CWE-862
Missing Authorization
CVE-2024-32820
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.37%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 12:35
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Social Share Icons & Social Share Buttons plugin <= 3.6.2 - Broken Access Control lead to Notice Dismissal vulnerability

Missing Authorization vulnerability in Social Share Pro Social Share Icons & Social Share Buttons.This issue affects Social Share Icons & Social Share Buttons: from n/a through 3.6.2.

Action-Not Available
Vendor-Social Share Prosocialshare
Product-Social Share Icons & Social Share Buttonssocial_share_icons_\&_social_share_buttons
CWE ID-CWE-862
Missing Authorization
CVE-2024-33587
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 30.12%
||
7 Day CHG~0.00%
Published-29 Apr, 2024 | 12:40
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Secure Copy Content Protection and Content Locking plugin <= 3.9.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Copy Content Protection Team Secure Copy Content Protection and Content Locking.This issue affects Secure Copy Content Protection and Content Locking: from n/a through 3.9.0.

Action-Not Available
Vendor-AYS Pro Extensions
Product-Secure Copy Content Protection and Content Lockingsecure_copy_content_protection_and_content_locking
CWE ID-CWE-862
Missing Authorization
CVE-2024-32725
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.30% / 21.32%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 16:52
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress 5 Stars Rating Funnel plugin 1.2.67 - Broken Access Control vulnerability

Missing Authorization vulnerability in Saleswonder Team: Tobias 5 Stars Rating Funnel 5-stars-rating-funnel.This issue affects 5 Stars Rating Funnel: from n/a through <= 1.2.67.

Action-Not Available
Vendor-Saleswonder Team: Tobias5_stars_rating_funnel_project
Product-5 Stars Rating Funnel5_stars_rating_funnel
CWE ID-CWE-862
Missing Authorization
CVE-2024-32798
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.34% / 25.71%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 12:51
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Travel Engine plugin <= 5.8.0 - Price Manipulation vulnerability

Missing Authorization vulnerability in WP Travel Engine.This issue affects WP Travel Engine: from n/a through 5.8.0.

Action-Not Available
Vendor-wptravelengineWP Travel Enginewptravelengine
Product-wp_travel_engineWP Travel Enginewp_travel_engine
CWE ID-CWE-862
Missing Authorization
CVE-2024-32715
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.30% / 21.16%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 16:53
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Olive One Click Demo Import plugin <= 1.1.1 - Arbitrary File Download vulnerability

Missing Authorization vulnerability in Olive Themes Olive One Click Demo Import.This issue affects Olive One Click Demo Import: from n/a through 1.1.1.

Action-Not Available
Vendor-olivethemesOlive Themesolivethemes
Product-olive_one_click_demo_importOlive One Click Demo Importolive_one_click_demo_import
CWE ID-CWE-862
Missing Authorization
CVE-2024-32792
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.28% / 19.82%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 12:57
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Hummingbird plugin <= 3.7.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hummingbird hummingbird-performance.This issue affects Hummingbird: from n/a through <= 3.7.3.

Action-Not Available
Vendor-WPMU DEV - Your All-in-One WordPress PlatformIncsub, LLC
Product-hummingbirdHummingbird
CWE ID-CWE-862
Missing Authorization
CVE-2026-3581
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 20.06%
||
7 Day CHG~0.00%
Published-16 Apr, 2026 | 05:29
Updated-22 Apr, 2026 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Basic Google Maps Placemarks <= 1.10.7 - Missing Authorization to Unauthenticated Default Map Coordinate Update

The Basic Google Maps Placemarks plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.10.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify stored map latitude and longitude options.

Action-Not Available
Vendor-iandunn
Product-Basic Google Maps Placemarks
CWE ID-CWE-862
Missing Authorization
CVE-2024-32826
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 29.79%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 11:09
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress VK Block Patterns plugin <= 1.31.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Vektor,Inc. VK Block Patterns.This issue affects VK Block Patterns: from n/a through 1.31.0.

Action-Not Available
Vendor-Vektor,Inc.
Product-VK Block Patterns
CWE ID-CWE-862
Missing Authorization
CVE-2024-32799
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.36% / 28.24%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 12:50
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Property Listings plugin <= 3.5.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Merv Barrett Easy Property Listings.This issue affects Easy Property Listings: from n/a through 3.5.3.

Action-Not Available
Vendor-realestateconnectedMerv Barrettrealestateconnected
Product-easy_property_listingsEasy Property Listingseasy_property_listings
CWE ID-CWE-862
Missing Authorization
CVE-2024-32679
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.39% / 30.21%
||
7 Day CHG~0.00%
Published-23 Apr, 2024 | 14:12
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Shared Files plugin <= 1.7.16 - Broken Access Control vulnerability

Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.This issue affects Shared Files: from n/a through <= 1.7.16.

Action-Not Available
Vendor-Anssi Laitilatammersoft
Product-Shared Filesshared_files
CWE ID-CWE-862
Missing Authorization
CVE-2026-4281
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.47% / 37.24%
||
7 Day CHG~0.00%
Published-26 Mar, 2026 | 03:37
Updated-24 Apr, 2026 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FormLift for Infusionsoft Web Forms <= 7.5.21 - Missing Authorization to Unauthenticated Infusionsoft Connection Hijack via OAuth Connection Flow

The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class, both of which are hooked to 'plugins_loaded' and execute on every page load. The connect() function generates an OAuth connection password and leaks it in the redirect Location header without verifying the requesting user is authenticated or authorized. The listen_for_tokens() function only validates the temporary password but performs no user authentication before calling update_option() to save attacker-controlled OAuth tokens and app domain. This makes it possible for unauthenticated attackers to hijack the site's Infusionsoft connection by first triggering the OAuth flow to obtain the temporary password, then using that password to set arbitrary OAuth tokens and app domain via update_option(), effectively redirecting the plugin's API communication to an attacker-controlled server.

Action-Not Available
Vendor-trainingbusinesspros
Product-FormLift for Infusionsoft Web Forms
CWE ID-CWE-862
Missing Authorization
CVE-2024-3268
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.26%
||
7 Day CHG~0.00%
Published-21 May, 2024 | 11:33
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress <= 3.3.6 - Missing Authorization to Arbitrary Post/Page Creation

The YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the emd_form_builder_lite_submit_form function in all versions up to, and including, 3.3.6. This makes it possible for unauthenticated attackers to create arbitrary posts or pages.

Action-Not Available
Vendor-emarketdesignemarket-design
Product-youtube_video_galleryVideo Gallery – YouTube Gallery & Responsive Video Playlist
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 18
  • 19
  • Next
Details not found