Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-4124

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-09 Apr, 2026 | 02:25
Updated At-13 Apr, 2026 | 15:15
Rejected At-
Credits

Ziggeo <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'ziggeo_ajax' AJAX Action

The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but performs no capability checks via current_user_can(). Furthermore, the nonce ('ziggeo_ajax_nonce') is exposed to all logged-in users on every page via the wp_head and admin_head hooks . This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke multiple administrative operations including: saving arbitrary translation strings (translations_panel_save_strings via update_option('ziggeo_translations')), creating/updating/deleting event templates (event_editor_save_template/update_template/remove_template via update_option('ziggeo_events')), modifying SDK application settings (sdk_applications operations), and managing notifications (notification_handler via update_option('ziggeo_notifications')).

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:09 Apr, 2026 | 02:25
Updated At:13 Apr, 2026 | 15:15
Rejected At:
▼CVE Numbering Authority (CNA)
Ziggeo <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'ziggeo_ajax' AJAX Action

The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but performs no capability checks via current_user_can(). Furthermore, the nonce ('ziggeo_ajax_nonce') is exposed to all logged-in users on every page via the wp_head and admin_head hooks . This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke multiple administrative operations including: saving arbitrary translation strings (translations_panel_save_strings via update_option('ziggeo_translations')), creating/updating/deleting event templates (event_editor_save_template/update_template/remove_template via update_option('ziggeo_events')), modifying SDK application settings (sdk_applications operations), and managing notifications (notification_handler via update_option('ziggeo_notifications')).

Affected Products
Vendor
oliverfriedmann
Product
Ziggeo
Default Status
unaffected
Versions
Affected
  • From 0 through 3.1.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Nabil Irawan
Timeline
EventDate
Disclosed2026-04-08 00:00:00
Event: Disclosed
Date: 2026-04-08 00:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/15477c00-0764-4850-8bce-d65b6b1cbe4c?source=cve
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/ajax.php#L31
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/ajax.php#L31
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_translations_ajax.php#L13
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_translations_ajax.php#L13
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_editor_events_ajax.php#L13
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_editor_events_ajax.php#L13
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_sdk_ajax.php#L8
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_sdk_ajax.php#L8
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/header.php#L67
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/header.php#L67
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494290%40ziggeo&new=3494290%40ziggeo&sfp_email=&sfph_mail=
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/15477c00-0764-4850-8bce-d65b6b1cbe4c?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/ajax.php#L31
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/ajax.php#L31
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_translations_ajax.php#L13
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_translations_ajax.php#L13
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_editor_events_ajax.php#L13
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_editor_events_ajax.php#L13
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_sdk_ajax.php#L8
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_sdk_ajax.php#L8
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/header.php#L67
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/header.php#L67
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494290%40ziggeo&new=3494290%40ziggeo&sfp_email=&sfph_mail=
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:09 Apr, 2026 | 04:17
Updated At:24 Apr, 2026 | 18:03

The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but performs no capability checks via current_user_can(). Furthermore, the nonce ('ziggeo_ajax_nonce') is exposed to all logged-in users on every page via the wp_head and admin_head hooks . This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke multiple administrative operations including: saving arbitrary translation strings (translations_panel_save_strings via update_option('ziggeo_translations')), creating/updating/deleting event templates (event_editor_save_template/update_template/remove_template via update_option('ziggeo_events')), modifying SDK application settings (sdk_applications operations), and managing notifications (notification_handler via update_option('ziggeo_notifications')).

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-862Primarysecurity@wordfence.com
CWE ID: CWE-862
Type: Primary
Source: security@wordfence.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_editor_events_ajax.php#L13security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_sdk_ajax.php#L8security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_translations_ajax.php#L13security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/ajax.php#L31security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/header.php#L67security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_editor_events_ajax.php#L13security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_sdk_ajax.php#L8security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_translations_ajax.php#L13security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/ajax.php#L31security@wordfence.com
N/A
https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/header.php#L67security@wordfence.com
N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494290%40ziggeo&new=3494290%40ziggeo&sfp_email=&sfph_mail=security@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/15477c00-0764-4850-8bce-d65b6b1cbe4c?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_editor_events_ajax.php#L13
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_sdk_ajax.php#L8
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_translations_ajax.php#L13
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/ajax.php#L31
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/header.php#L67
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_editor_events_ajax.php#L13
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_sdk_ajax.php#L8
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_translations_ajax.php#L13
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/ajax.php#L31
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/header.php#L67
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494290%40ziggeo&new=3494290%40ziggeo&sfp_email=&sfph_mail=
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/15477c00-0764-4850-8bce-d65b6b1cbe4c?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

422Records found

CVE-2025-22287
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 12.61%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 17:56
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress LTL Freight Quotes – FreightQuote Edition plugin <= 2.3.11 - Broken Access Control vulnerability

Missing Authorization vulnerability in enituretechnology LTL Freight Quotes – FreightQuote Edition ltl-freight-quotes-freightquote-edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LTL Freight Quotes – FreightQuote Edition: from n/a through <= 2.3.11.

Action-Not Available
Vendor-Eniture, LLC
Product-LTL Freight Quotes – FreightQuote Edition
CWE ID-CWE-862
Missing Authorization
CVE-2023-40011
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.43% / 34.78%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:24
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Cost Calculator Builder plugin <= 3.1.42 - Broken Access Control vulnerability

Missing Authorization vulnerability in StylemixThemes Cost Calculator Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cost Calculator Builder: from n/a through 3.1.42.

Action-Not Available
Vendor-StylemixThemes
Product-Cost Calculator Builder
CWE ID-CWE-862
Missing Authorization
CVE-2023-39990
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.39% / 30.97%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 12:08
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Paid Memberships Pro plugin <= 1.2.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Paid Memberships Pro.This issue affects Paid Memberships Pro: from n/a through 1.2.3.

Action-Not Available
Vendor-strangerstudiosPaid Memberships Pro
Product-paid_memberships_proPaid Memberships Pro
CWE ID-CWE-862
Missing Authorization
CVE-2025-1681
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 25.03%
||
7 Day CHG~0.00%
Published-27 Feb, 2025 | 23:22
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cardealer <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files

The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files.

Action-Not Available
Vendor-ThemeMakers
Product-Car Dealer Automotive WordPress Theme – Responsive
CWE ID-CWE-862
Missing Authorization
CVE-2025-1668
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.28% / 19.94%
||
7 Day CHG~0.00%
Published-15 Mar, 2025 | 03:23
Updated-08 Apr, 2026 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
School Management System – WPSchoolPress <= 2.2.16 - Missing Authorization to Arbitrary User Deletion

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpsp_DeleteUser() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to delete arbitrary user accounts.

Action-Not Available
Vendor-igexsolutionsjdsofttech
Product-wpschoolpressSchool Management System – WPSchoolPress
CWE ID-CWE-862
Missing Authorization
CVE-2025-14446
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.51%
||
7 Day CHG~0.00%
Published-13 Dec, 2025 | 04:31
Updated-08 Apr, 2026 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Popup Builder <= 1.1.37 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Reset

The Popup Builder (Easy Notify Lite) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the easynotify_cp_reset() function in all versions up to, and including, 1.1.37. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset plugin settings to their default values.

Action-Not Available
Vendor-ghozylab
Product-Easy Notify Lite
CWE ID-CWE-862
Missing Authorization
CVE-2025-14718
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 21.37%
||
7 Day CHG~0.00%
Published-09 Jan, 2026 | 06:34
Updated-08 Apr, 2026 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.3 - Missing Authorization to Authenticated (Contributor+) Workflow Manipulation

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by administrators.

Action-Not Available
Vendor-publishpress
Product-Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
CWE ID-CWE-862
Missing Authorization
CVE-2025-15043
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 8.58%
||
7 Day CHG~0.00%
Published-20 Jan, 2026 | 14:26
Updated-08 Apr, 2026 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The Events Calendar <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control

The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action.

Action-Not Available
Vendor-The Events Calendar (StellarWP)
Product-The Events Calendar
CWE ID-CWE-862
Missing Authorization
CVE-2025-13468
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 24.89%
||
7 Day CHG~0.00%
Published-20 Nov, 2025 | 13:32
Updated-21 Nov, 2025 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Alumni Management System Delete admin_class.php delete_event authorization

A weakness has been identified in SourceCodester Alumni Management System 1.0. This issue affects the function delete_forum/delete_career/delete_comment/delete_gallery/delete_event of the file admin/admin_class.php of the component Delete Handler. Executing manipulation of the argument ID can lead to missing authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited.

Action-Not Available
Vendor-SourceCodesteroretnom23
Product-alumni_management_systemAlumni Management System
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-13558
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 12.54%
||
7 Day CHG~0.00%
Published-25 Nov, 2025 | 04:37
Updated-08 Apr, 2026 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Blog2Social <= 8.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Trashing

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'deleteUserCcDraftPost' function in all versions up to, and including, 8.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the status of arbitrary posts to trash.

Action-Not Available
Vendor-pr-gateway
Product-Blog2Social: Social Media Auto Post & Scheduler
CWE ID-CWE-862
Missing Authorization
CVE-2025-12887
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 17.41%
||
7 Day CHG+0.01%
Published-03 Dec, 2025 | 12:29
Updated-08 Apr, 2026 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.1 - Missing Authorization to Authenticated (Subscriber+) OAuth Token Update

The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the 'handle_gmail_oauth_redirect' function. This makes it possible for authenticated attackers, with subscriber level access and above, to inject invalid or attacker-controlled OAuth credentials. CVE-2025-67563 appears to be a duplicate of this issue.

Action-Not Available
Vendor-saadiqbal
Product-Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App
CWE ID-CWE-862
Missing Authorization
CVE-2025-11734
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 9.26%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 09:27
Updated-08 Apr, 2026 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links <= 1.2.5 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Trashing

The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint.

Action-Not Available
Vendor-Semper Plugins, LLC (AIOSEO)
Product-Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links
CWE ID-CWE-862
Missing Authorization
CVE-2022-36404
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.32%
||
7 Day CHG~0.00%
Published-03 Nov, 2022 | 19:27
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple SEO plugin <= 1.8.12 - Broken Access Control vulnerability

Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in David Cole Simple SEO (WordPress plugin) plugin <= 1.8.12 versions.

Action-Not Available
Vendor-coledsDavid Cole
Product-simple_seoSimple SEO (WordPress plugin)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2025-10749
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 15.83%
||
7 Day CHG~0.00%
Published-24 Oct, 2025 | 08:24
Updated-08 Apr, 2026 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Azure Storage for WordPress <= 4.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Media Deletion

The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to missing capability checks on the 'azure-storage-media-replace' AJAX action. This makes it possible for authenticated attackers with subscriber-level access and above to delete arbitrary media files from the WordPress Media Library via the replace_attachment parameter granted they can access the nonce which is exposed to all authenticated users.

Action-Not Available
Vendor-10up
Product-Microsoft Azure Storage for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2025-0526
Matching Score-4
Assigner-Octopus Deploy
ShareView Details
Matching Score-4
Assigner-Octopus Deploy
CVSS Score-2.3||LOW
EPSS-0.32% / 24.15%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 10:09
Updated-02 Jul, 2025 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.

Action-Not Available
Vendor-Octopus Deploy Pty. Ltd.Microsoft Corporation
Product-windowsoctopus_serverOctopus Server
CWE ID-CWE-862
Missing Authorization
CVE-2024-9520
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.32% / 24.30%
||
7 Day CHG~0.00%
Published-10 Oct, 2024 | 02:06
Updated-08 Apr, 2026 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UserPlus <= 2.0 - Missing Authorization via Multiple Functions

The UserPlus plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.0. This makes it possible for authenticated attackers with subscriber-level permissions or above, to add, modify, or delete user meta and plugin options.

Action-Not Available
Vendor-wpuserplususerplus
Product-userplusUser registration & user profile – UserPlus
CWE ID-CWE-862
Missing Authorization
CVE-2024-9584
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 22.18%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 17:32
Updated-08 Apr, 2026 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Map Pro <= 6.0.20 - Missing Authorization to Authenticated (Contributor+) Map Project Add/Update/Delete

The Image Map Pro plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the AJAX functions in versions up to, and including, 6.0.20. This makes it possible for authenticated attackers with contributor-level privileges or above, to add, update or delete map projects.

Action-Not Available
Vendor-webcraftpluginsimagemappro
Product-image_map_proImage Map Pro – Drag-and-drop Builder for Interactive Images
CWE ID-CWE-862
Missing Authorization
CVE-2024-9860
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 22.05%
||
7 Day CHG~0.00%
Published-12 Oct, 2024 | 02:05
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bridge Core <= 3.3 - Missing Authorization to Authenticated (Subscriber+) Demo Import

The Bridge Core plugin for WordPress is vulnerable to unauthorized modification of data or loss of data due to a missing capability check on the 'import_action' and 'install_plugin_per_demo' functions in versions up to, and including, 3.3. This makes it possible for authenticated attackers with subscriber-level permissions or above, to delete or change plugin settings, import demo data, and install limited plugins.

Action-Not Available
Vendor-QODEqode
Product-Bridge Corebridge_core
CWE ID-CWE-862
Missing Authorization
CVE-2023-37989
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.43% / 34.27%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easyship WooCommerce Shipping Rates plugin <= 0.9.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Easyship Easyship WooCommerce Shipping Rates allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easyship WooCommerce Shipping Rates: from n/a through 0.9.0.

Action-Not Available
Vendor-Easyship
Product-Easyship WooCommerce Shipping Rates
CWE ID-CWE-862
Missing Authorization
CVE-2024-9587
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.35% / 27.30%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 05:33
Updated-08 Apr, 2026 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linkz.ai <= 1.1.8 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via AJAX

The Linkz.ai plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_linkz' function in versions up to, and including, 1.1.8. This makes it possible for authenticated attackers with contributor-level privileges or above, to update plugin settings.

Action-Not Available
Vendor-linkz.aivittor1o
Product-linkz.aiLinkz.ai – Automatic link previews on hover
CWE ID-CWE-862
Missing Authorization
CVE-2024-9629
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 29.25%
||
7 Day CHG~0.00%
Published-28 Oct, 2024 | 17:31
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form 7 + Telegram <= 0.8.5 - Missing Authorization to Authenticated (Subscriber+) Subscription Approve/Pause/Refuse

The Contact Form 7 + Telegram plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wpcf7_Telegram::ajax' function in versions up to, and including, 0.8.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve, pause and refuse subscriptions.

Action-Not Available
Vendor-hokku
Product-Message Bridge for Contact Form 7 and Telegram
CWE ID-CWE-862
Missing Authorization
CVE-2024-8121
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 24.18%
||
7 Day CHG~0.00%
Published-04 Sep, 2024 | 06:49
Updated-08 Apr, 2026 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The Ultimate WordPress Toolkit – WP Extended <= 3.0.8 - Missing Authorization to Admin Username Change

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of user names due to a missing capability check on the wpext_change_admin_name() function in all versions up to, and including, 3.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change an admin's username to a username of their liking as long as the default 'admin' was used.

Action-Not Available
Vendor-wpextendedwpextended
Product-wp_extendedThe Ultimate WordPress Toolkit – WP Extended
CWE ID-CWE-862
Missing Authorization
CVE-2023-38395
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 16.90%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 09:38
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Clone Menu plugin <= 1.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Afzal Multani WP Clone Menu.This issue affects WP Clone Menu: from n/a through 1.0.1.

Action-Not Available
Vendor-afzalmultaniAfzal Multani
Product-wp_clone_menuWP Clone Menu
CWE ID-CWE-862
Missing Authorization
CVE-2026-32389
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 12.85%
||
7 Day CHG~0.00%
Published-25 May, 2026 | 22:42
Updated-26 May, 2026 | 10:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress NanoCare theme < 1.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Linethemes NanoCare allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NanoCare: from n/a before 1.2.2.

Action-Not Available
Vendor-Linethemes
Product-NanoCare
CWE ID-CWE-862
Missing Authorization
CVE-2022-41695
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 28.84%
||
7 Day CHG~0.00%
Published-17 Jan, 2024 | 17:09
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Traffic Manager Plugin <= 1.4.5 is vulnerable to Broken Access Control

Missing Authorization vulnerability in SedLex Traffic Manager.This issue affects Traffic Manager: from n/a through 1.4.5.

Action-Not Available
Vendor-sedlexSedLex
Product-traffic_managerTraffic Manager
CWE ID-CWE-862
Missing Authorization
CVE-2023-38394
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.35% / 27.07%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 14:14
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Jupiter X Core plugin <= 3.3.0 - Multiple Auth. Broken Access Control vulnerability

Missing Authorization vulnerability in Artbees JupiterX Core.This issue affects JupiterX Core: from 3.0.0 through 3.3.0.

Action-Not Available
Vendor-Artbees
Product-JupiterX Core
CWE ID-CWE-862
Missing Authorization
CVE-2026-35620
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.3||MEDIUM
EPSS-0.44% / 35.51%
||
7 Day CHG~0.00%
Published-10 Apr, 2026 | 16:03
Updated-23 Jun, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands

OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce operator.admin scope. Attackers with operator.write scope can invoke /send on|off|inherit to persistently mutate the current session's sendPolicy, and execute /allowlist add commands to modify config-backed allowFrom entries and pairing-store allowlist entries without proper admin authorization.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-862
Missing Authorization
CVE-2023-37886
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.41% / 32.70%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 04:29
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RealHomes theme <= 4.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in InspiryThemes RealHomes.This issue affects RealHomes: from n/a through 4.0.2.

Action-Not Available
Vendor-inspirythemesInspiryThemes
Product-realhomesRealHomes
CWE ID-CWE-862
Missing Authorization
CVE-2023-38483
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.43% / 34.27%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Instant CSS plugin <= 1.1.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Dylan Blokhuis Instant CSS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Instant CSS: from n/a through 1.1.4.

Action-Not Available
Vendor-Dylan Blokhuis
Product-Instant CSS
CWE ID-CWE-862
Missing Authorization
CVE-2025-23961
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 19.08%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 20:08
Updated-11 May, 2026 | 22:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WordPress Graphs & Charts Plugin <= 2.0.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in wptasker WordPress Graphs & Charts graph-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress Graphs & Charts: from n/a through <= 2.0.8.

Action-Not Available
Vendor-wptasker
Product-WordPress Graphs & Charts
CWE ID-CWE-862
Missing Authorization
CVE-2026-0548
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 15.89%
||
7 Day CHG~0.00%
Published-20 Jan, 2026 | 14:26
Updated-08 Apr, 2026 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.

Action-Not Available
Vendor-Themeum
Product-Tutor LMS – eLearning and online course solution
CWE ID-CWE-862
Missing Authorization
CVE-2023-36676
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.46% / 36.61%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 13:52
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Spectra plugin <= 2.6.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brainstorm Force Spectra.This issue affects Spectra: from n/a through 2.6.6.

Action-Not Available
Vendor-Brainstorm Force
Product-spectraSpectra
CWE ID-CWE-862
Missing Authorization
CVE-2024-5993
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.46% / 37.03%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 08:33
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cliengo - Chatbot <= 3.0.2 - Missing Authorization to Authorized (Subscriber+) Chatbot Settings Update

The Cliengo – Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_session' function in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the session token of the chatbot.

Action-Not Available
Vendor-cliengo
Product-Cliengo – Chatbot
CWE ID-CWE-862
Missing Authorization
CVE-2024-5863
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.45% / 36.27%
||
7 Day CHG~0.00%
Published-28 Jun, 2024 | 03:29
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Image Collage <= 1.13.5 - Missing Authorization to Authenticated (Contributor+) Data Clearance

The Easy Image Collage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_image_collage() function in all versions up to, and including, 1.13.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to erase all of the content in arbitrary posts.

Action-Not Available
Vendor-brechtvds
Product-Easy Image Collage
CWE ID-CWE-862
Missing Authorization
CVE-2024-5987
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 17.79%
||
7 Day CHG~0.00%
Published-29 Aug, 2024 | 05:30
Updated-08 Apr, 2026 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Accessibility Helper <= 0.6.2.8 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update

The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions in all versions up to, and including, 0.6.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit or delete contrast settings. Please note these issues were patched in 0.6.2.8, though it broke functionality and the vendor has not responded to our follow-ups.

Action-Not Available
Vendor-volkovvol4ikman
Product-wp_accessibility_helperWP Accessibility Helper (WAH)
CWE ID-CWE-862
Missing Authorization
CVE-2024-6754
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 17.75%
||
7 Day CHG~0.00%
Published-24 Jul, 2024 | 02:33
Updated-08 Apr, 2026 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Social Auto Poster <= 5.3.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update via wpw_auto_poster_update_tweet_template

The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the ‘wpw_auto_poster_update_tweet_template’ function in all versions up to, and including, 5.3.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary post metadata.

Action-Not Available
Vendor-WPWeb Elite
Product-social_auto_posterSocial Auto Poster
CWE ID-CWE-862
Missing Authorization
CVE-2023-36695
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 24.23%
||
7 Day CHG~0.00%
Published-13 Jun, 2024 | 23:46
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sublanguage plugin <= 2.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Maxime Schoeni Sublanguage.This issue affects Sublanguage: from n/a through 2.9.

Action-Not Available
Vendor-maximeschoeniMaxime Schoeni
Product-sublanguageSublanguage
CWE ID-CWE-862
Missing Authorization
CVE-2025-23917
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.46% / 36.91%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 20:07
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Chamber Dashboard Business Directory Plugin <= 3.3.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Chandrika Guntur, Morgan Kay Chamber Dashboard Business Directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chamber Dashboard Business Directory: from n/a through 3.3.8.

Action-Not Available
Vendor-Chandrika Guntur, Morgan Kay
Product-Chamber Dashboard Business Directory
CWE ID-CWE-862
Missing Authorization
CVE-2026-32385
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 12.28%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:42
Updated-29 Apr, 2026 | 09:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RegistrationMagic plugin <= 6.0.7.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RegistrationMagic: from n/a through <= 6.0.7.6.

Action-Not Available
Vendor-Metagauss Inc.
Product-RegistrationMagic
CWE ID-CWE-862
Missing Authorization
CVE-2026-32331
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 10.13%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 11:41
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Textmetrics plugin <= 3.6.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Israpil Textmetrics webtexttool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Textmetrics: from n/a through <= 3.6.4.

Action-Not Available
Vendor-Israpil
Product-Textmetrics
CWE ID-CWE-862
Missing Authorization
CVE-2023-36680
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.45% / 36.17%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Image Regenerate & Select Crop plugin <= 7.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Iulia Cazan Image Regenerate & Select Crop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Regenerate & Select Crop: from n/a through 7.1.0.

Action-Not Available
Vendor-Iulia Cazan
Product-Image Regenerate & Select Crop
CWE ID-CWE-862
Missing Authorization
CVE-2023-36519
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.55% / 41.92%
||
7 Day CHG+0.10%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SW Product Bundles plugin <= 2.0.15 - Broken Access Control vulnerability

Missing Authorization vulnerability in wpthemego SW Product Bundles allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SW Product Bundles: from n/a through 2.0.15.

Action-Not Available
Vendor-wpthemego
Product-SW Product Bundles
CWE ID-CWE-862
Missing Authorization
CVE-2023-36526
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.45% / 36.16%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Duplicate Post Page Menu & Custom Post Type plugin <= 2.4.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Inqsys Technology Duplicate Post Page Menu & Custom Post Type allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Duplicate Post Page Menu & Custom Post Type: from n/a through 2.4.1.

Action-Not Available
Vendor-Inqsys Technology
Product-Duplicate Post Page Menu & Custom Post Type
CWE ID-CWE-862
Missing Authorization
CVE-2024-55876
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.55% / 42.14%
||
7 Day CHG~0.00%
Published-12 Dec, 2024 | 18:59
Updated-30 Apr, 2025 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki's scheduler in subwiki allows scheduling operations for any main wiki user

XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-862
Missing Authorization
CVE-2024-56244
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 19.32%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:01
Updated-11 May, 2026 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ashe Extra plugin <= 1.2.92 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Royal Ashe Extra ashe-extra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ashe Extra: from n/a through <= 1.2.92.

Action-Not Available
Vendor-Royal Elementor Addons
Product-Ashe Extra
CWE ID-CWE-862
Missing Authorization
CVE-2024-5648
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.45% / 36.14%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 08:33
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnDash LMS - Reports Free <= 1.8.2.1 - Missing Authorization to Plugin Settings Update

The LearnDash LMS – Reports plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions (i.e. wrld_set_configuration, wrld_exclude_settings_save, apply_time_tracking_settings, wp_ajax_wrld_gutenberg_block_visit, etc..) in all versions up to, and including, 1.8.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to update various plugin settings.

Action-Not Available
Vendor-The Events Calendar (StellarWP)
Product-LearnDash LMS – Reports
CWE ID-CWE-862
Missing Authorization
CVE-2024-55072
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 18.45%
||
7 Day CHG+0.02%
Published-27 Mar, 2025 | 00:00
Updated-30 Apr, 2025 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to edit their own profile in order to give themselves more permissions or to change their household.

Action-Not Available
Vendor-mealien/a
Product-mealien/a
CWE ID-CWE-862
Missing Authorization
CVE-2025-22696
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.28% / 19.74%
||
7 Day CHG+0.01%
Published-04 Feb, 2025 | 14:21
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Document Block – Upload & Embed Docs, PDF, PPT, XLS or Any Documents plugin <= 1.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPDeveloper Document Block – Upload & Embed Docs document.This issue affects Document Block – Upload & Embed Docs: from n/a through <= 1.1.0.

Action-Not Available
Vendor-WPDeveloper
Product-Document Block – Upload & Embed Docs
CWE ID-CWE-862
Missing Authorization
CVE-2024-56004
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.39% / 30.55%
||
7 Day CHG~0.00%
Published-16 Dec, 2024 | 14:13
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Site Importer plugin <= 1.0.1 - Settings Change vulnerability

Missing Authorization vulnerability in awfowler Easy Site Importer easy-site-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Site Importer: from n/a through <= 1.0.1.

Action-Not Available
Vendor-awfowler
Product-Easy Site Importer
CWE ID-CWE-862
Missing Authorization
CVE-2024-56253
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.31% / 22.53%
||
7 Day CHG~0.00%
Published-02 Jan, 2025 | 12:01
Updated-11 May, 2026 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Data Tables Generator by Supsystic plugin <= 1.10.36 - Broken Access Control vulnerability

Missing Authorization vulnerability in supsystic Data Tables Generator by Supsystic data-tables-generator-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Data Tables Generator by Supsystic: from n/a through <= 1.10.36.

Action-Not Available
Vendor-supsystic
Product-Data Tables Generator by Supsystic
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 8
  • 9
  • Next
Details not found