The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3_Hooks::generate_api_key' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
A vulnerability has been identified in RAPIDLab 1200 systems / RAPIDPoint 400 systems / RAPIDPoint 500 systems (All versions_without_ use of Siemens Healthineers Informatics products), RAPIDLab 1200 Series (All versions < V3.3 _with_ Siemens Healthineers Informatics products), RAPIDPoint 500 systems (All versions >= V3.0 _with_ Siemens Healthineers Informatics products), RAPIDPoint 500 systems (V2.4.X_with_ Siemens Healthineers Informatics products), RAPIDPoint 500 systems (All versions =< V2.3 _with_ Siemens Healthineers Informatics products), RAPIDPoint 400 systems (All versions _with_ Siemens Healthineers Informatics products). Remote attackers with either local or remote credentialed access to the "Remote View" feature might be able to elevate their privileges, compromising confidentiality, integrity, and availability of the system. No special skills or user interaction are required to perform this attack. At the time of advisory publication, no public exploitation of this security vulnerability is known. Siemens Healthineers confirms the security vulnerability and provides mitigations to resolve the security issue.
The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'export_settings' function. This function returns the REST API Secret Key to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.
Improper Privilege Management vulnerability in AA-Team WZone allows Privilege Escalation.This issue affects WZone: from n/a through 14.0.10.
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\Team_Accounts::save_settings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options, includes the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.
MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.
Insecure Permission vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are executing several processes with elevated privileges.
An issue in the component IOMap64.sys of ASUSTeK Computer Inc ASUS GPU TweakII v1.4.5.2 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.
Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. This issue affects Apache ShenYu: 2.5.0. Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .
Active Directory Domain Services Elevation of Privilege Vulnerability
Improper Privilege Management vulnerability in JR King/Eran Schoellhorn WP Masquerade allows Privilege Escalation.This issue affects WP Masquerade: from n/a through 1.1.0.
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST['_acf_form'] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action's run() function falls back to attacker-controlled field definitions from $form['fields'] when legitimate fields cannot be found. The role field's pre_update_value() validation reads $field['role_options'] from this attacker-controlled definition, allowing an attacker to specify ['administrator'] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.
Improper Privilege Management vulnerability in Booking Ultra Pro allows Privilege Escalation.This issue affects Booking Ultra Pro: from n/a through 1.1.12.
Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step. This issue affects the following versions : * Devolutions Server 2025.3.2.0 through 2025.3.5.0 * Devolutions Server 2025.2.15.0 and earlier
An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised Fleet-Server service account could escalate themselves to a super-user.
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.14.1), RUGGEDCOM ROX RX1400 (All versions < V2.14.1), RUGGEDCOM ROX RX1500 (All versions < V2.14.1), RUGGEDCOM ROX RX1501 (All versions < V2.14.1), RUGGEDCOM ROX RX1510 (All versions < V2.14.1), RUGGEDCOM ROX RX1511 (All versions < V2.14.1), RUGGEDCOM ROX RX1512 (All versions < V2.14.1), RUGGEDCOM ROX RX1524 (All versions < V2.14.1), RUGGEDCOM ROX RX1536 (All versions < V2.14.1), RUGGEDCOM ROX RX5000 (All versions < V2.14.1). The command line interface of affected devices insufficiently restrict file read and write operations for low privileged users. This could allow an authenticated remote attacker to escalate privileges and gain root access to the device.
Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.
A vulnerability in the web UI of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges and create, read, update, or delete records and settings in multiple functions. This vulnerability is due to insufficient authorization of the System User and System Operator role capabilities. An attacker could exploit this vulnerability by directly accessing a web resource. A successful exploit could allow the attacker to create, read, update, or delete records and settings in multiple functions without the necessary permissions on the web UI.
<p>A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p> <p><strong>UPDATE</strong> August 10, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. This security update changes the Point and Print default behavior; please see <a href="https://support.microsoft.com/help/5005652">KB5005652</a>.</p>
Yubico ykman-gui (aka YubiKey Manager GUI) before 1.2.6 on Windows, when Edge is not used, allows privilege escalation because browser windows can open as Administrator.
Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.
A vulnerability in Suprema BioStar (aka Bio Star) 2 v2.8.16 allows attackers to escalate privileges to System Administrator via a crafted PUT request to the update profile page.
Smart eVision has an improper privilege management vulnerability. A remote attacker with general user privilege can exploit this vulnerability to escalate to administrator privilege, and then perform arbitrary system command or disrupt service.
Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands to /installers/common.sh component that can result in remote command execution with root privileges.
XXL-JOB all versions as of 11 July 2022 are vulnerable to Insecure Permissions resulting in the ability to execute admin function with low Privilege account.
Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17.
An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), intended to be used as a setuid program. This allows the hacluster user to invoke certain commands as root (with an attempt to limit this to safe combinations). This user is able to execute an interactive "shell" that isn't limited to the commands specified in hawk_invoke, allowing escalation to root.
An issue was discovered in Alcatel-Lucent ALE NOE deskphones through 86x8_NOE-R300.1.40.12.4180 and SIP deskphones through 86x8_SIP-R200.1.01.10.728. Because of improper privilege management, an authenticated attacker is able to create symlinks to sensitive and protected data in locations that are used for debugging files. Given that the process of gathering debug logs is carried out with root privileges, any file referenced in the symlink is consequently written to the debug archive, thereby granting accessibility to the attacker.
An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4.
The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network.
An issue was discovered in the Tightrope Media Carousel digital signage product 7.0.4.104. Due to insecure default permissions on the C:\TRMS\Services directory, an attacker who has gained access to the system can elevate their privileges from a restricted account to full SYSTEM by replacing the Carousel.Service.exe file with a custom malicious executable. This service is independent of the associated IIS web site, which means that this service can be manipulated by an attacker without losing access to vulnerabilities in the web interface (which would potentially be used in conjunction with this attack, to control the service). Once the attacker has replaced Carousel.Service.exe, the server can be restarted using the command "shutdown -r -t 0" from a web shell, causing the system to reboot and launching the malicious Carousel.Service.exe as SYSTEM on startup. If this malicious Carousel.Service.exe is configured to launch a reverse shell back to the attacker, then upon reboot the attacker will have a fully privileged remote command-line environment to manipulate the system further.
Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: Johnson Controls Metasys version 11.0 and prior versions.
Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller’s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC.
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions < V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions < V8.6.9), Mendix Applications using Mendix 9 (All versions < V9.0.5). Authenticated, non-administrative users could modify their privileges by manipulating the user role under certain circumstances, allowing them to gain administrative privileges.
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3.
In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any control by the back end. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.
Neko is a a self-hosted virtual browser that runs in Docker and uses WebRTC In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance. The vulnerability has been patched in v3.0.11 and v3.1.2. If upgrading is not immediately possible, the following mitigations can reduce risk: Restrict access to trusted users only (avoid granting accounts to untrusted parties); ensure all user passwords are strong and only shared with trusted individuals; run the instance only when needed; avoid leaving it continuously exposed; place the instance behind authentication layers such as a reverse proxy with additional access controls; disable or restrict access to the /api/profile endpoint if feasible; and/or monitor for suspicious privilege changes or unexpected administrative actions. Note that these are temporary mitigations and do not fully eliminate the vulnerability. Upgrading is strongly recommended.
pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has been patched in version 0.5.0b3.dev97.
An issue was discovered in COINS Construction Cloud 11.12. Due to logical flaws in the human ressources interface, it is vulnerable to privilege escalation by HR personnel.
There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin.
The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low privilege users to set themselves as admin via their profile page
The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has improper privilege management, which may allow an attacker with user privileges to perform requests with administrative privileges.
An authenticated user might execute malicious code under the user context and take control of the system. S+ Operations or S+ Historian database is affected by multiple vulnerabilities such as the possibility to allow remote authenticated users to gain high privileges.
An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the Sin-up process function in the account settings.
Netskope Client through 77 allows low-privileged users to elevate their privileges to NT AUTHORITY\SYSTEM.
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug.