Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-5296

Summary
Assigner-GitLab
Assigner Org ID-ceab7361-8a18-47b1-92ba-4d7d25f6715a
Published At-27 May, 2026 | 17:55
Updated At-27 May, 2026 | 19:01
Rejected At-
Credits

Missing Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitLab
Assigner Org ID:ceab7361-8a18-47b1-92ba-4d7d25f6715a
Published At:27 May, 2026 | 17:55
Updated At:27 May, 2026 | 19:01
Rejected At:
▼CVE Numbering Authority (CNA)
Missing Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.

Affected Products
Vendor
GitLab Inc.GitLab
Product
GitLab
Repo
git://git@gitlab.com:gitlab-org/gitlab.git
CPEs
  • cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • From 18.7 before 18.10.7 (semver)
  • From 18.11 before 18.11.4 (semver)
  • From 19.0 before 19.0.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862: Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862: Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Upgrade to versions 18.10.7, 18.11.4, 19.0.1 or above.

Configurations
Workarounds
Exploits
Credits
finder
Thanks [rogerace](https://hackerone.com/rogerace) for reporting this vulnerability through our HackerOne bug bounty program
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://gitlab.com/gitlab-org/gitlab/-/work_items/595423
N/A
https://hackerone.com/reports/3626303
technical-description
exploit
permissions-required
https://about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released/
N/A
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/work_items/595423
Resource: N/A
Hyperlink: https://hackerone.com/reports/3626303
Resource:
technical-description
exploit
permissions-required
Hyperlink: https://about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@gitlab.com
Published At:27 May, 2026 | 19:16
Updated At:27 May, 2026 | 20:46

GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
GitLab Inc.
gitlab
>>gitlab>>Versions from 18.7.0(inclusive) to 18.10.7(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 18.11.0(inclusive) to 18.11.4(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
GitLab Inc.
gitlab
>>gitlab>>19.0.0
cpe:2.3:a:gitlab:gitlab:19.0.0:*:*:*:enterprise:*:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarycve@gitlab.com
CWE ID: CWE-862
Type: Primary
Source: cve@gitlab.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released/cve@gitlab.com
Release Notes
Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/work_items/595423cve@gitlab.com
Broken Link
https://hackerone.com/reports/3626303cve@gitlab.com
Permissions Required
Hyperlink: https://about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released/
Source: cve@gitlab.com
Resource:
Release Notes
Vendor Advisory
Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/work_items/595423
Source: cve@gitlab.com
Resource:
Broken Link
Hyperlink: https://hackerone.com/reports/3626303
Source: cve@gitlab.com
Resource:
Permissions Required

Change History

0
Information is not available yet

Similar CVEs

1426Records found
CVE-2025-58193
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.41%
||
7 Day CHG~0.00%
Published-27 Aug, 2025 | 17:45
Updated-12 May, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Uncanny Automator Plugin <= 6.7.0.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Uncanny Owl Uncanny Automator uncanny-automator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Automator: from n/a through <= 6.7.0.1.

Action-Not Available
Vendor-Uncanny Owl Inc.
Product-Uncanny Automator
CWE ID-CWE-862
Missing Authorization
CVE-2025-58251
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 12.31%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:23
Updated-12 May, 2026 | 01:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sticky Header Effects for Elementor Plugin <= 2.1.2 - Broken Access Control Vulnerability

Missing Authorization vulnerability in POSIMYTH Sticky Header Effects for Elementor sticky-header-effects-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sticky Header Effects for Elementor: from n/a through <= 2.1.2.

Action-Not Available
Vendor-POSIMYTH
Product-Sticky Header Effects for Elementor
CWE ID-CWE-862
Missing Authorization
CVE-2025-57936
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 12.31%
||
7 Day CHG~0.00%
Published-22 Sep, 2025 | 18:25
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Subresource Integrity (SRI) Manager Plugin <= 0.4.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Meitar Subresource Integrity (SRI) Manager wp-sri allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subresource Integrity (SRI) Manager: from n/a through <= 0.4.0.

Action-Not Available
Vendor-Meitar
Product-Subresource Integrity (SRI) Manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-57884
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.41%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 11:59
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Greenshift Plugin <= 12.1.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift: from n/a through <= 12.1.1.

Action-Not Available
Vendor-wpsoul
Product-Greenshift
CWE ID-CWE-862
Missing Authorization
CVE-2025-57894
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.41%
||
7 Day CHG~0.00%
Published-22 Aug, 2025 | 11:59
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPPizza Plugin <= 3.19.8 - Broken Access Control Vulnerability

Missing Authorization vulnerability in ollybach WPPizza wppizza allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPPizza: from n/a through <= 3.19.8.

Action-Not Available
Vendor-ollybach
Product-WPPizza
CWE ID-CWE-862
Missing Authorization
CVE-2025-58622
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 17.01%
||
7 Day CHG~0.00%
Published-03 Sep, 2025 | 14:36
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Mobile Contact Line Plugin <= 2.4.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in yydevelopment Mobile Contact Line mobile-contact-line allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobile Contact Line: from n/a through <= 2.4.0.

Action-Not Available
Vendor-yydevelopment
Product-Mobile Contact Line
CWE ID-CWE-862
Missing Authorization
CVE-2025-58813
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 17.01%
||
7 Day CHG~0.00%
Published-05 Sep, 2025 | 13:45
Updated-13 May, 2026 | 00:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Consultstreet Theme <= 3.0.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in themearile Consultstreet consultstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Consultstreet: from n/a through <= 3.0.0.

Action-Not Available
Vendor-themearile
Product-Consultstreet
CWE ID-CWE-862
Missing Authorization
CVE-2025-58783
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 17.01%
||
7 Day CHG~0.00%
Published-05 Sep, 2025 | 13:44
Updated-13 May, 2026 | 00:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Gutentor plugin <= 3.5.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in gutentor Gutentor gutentor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gutentor: from n/a through <= 3.5.5.

Action-Not Available
Vendor-gutentor
Product-Gutentor
CWE ID-CWE-862
Missing Authorization
CVE-2025-55716
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.41%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 18:21
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Statistics Plugin <= 14.15 - Broken Access Control Vulnerability

Missing Authorization vulnerability in VeronaLabs WP Statistics wp-statistics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Statistics: from n/a through <= 14.15.

Action-Not Available
Vendor-VeronaLabs
Product-WP Statistics
CWE ID-CWE-862
Missing Authorization
CVE-2024-9705
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 33.10%
||
7 Day CHG~0.00%
Published-06 Dec, 2024 | 08:24
Updated-08 Apr, 2026 | 18:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Coming Soon & Maintenance <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Template Name Update

The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ucsm_update_template_name_lite' function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the name of the plugin's templates.

Action-Not Available
Vendor-rsthemerstheme2017
Product-ultimate_coming_soon_\&_maintenanceUltimate Coming Soon & Maintenance
CWE ID-CWE-862
Missing Authorization
CVE-2025-53293
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-27 Jun, 2025 | 13:21
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Dashboard Widget Sidebar plugin <= 1.2.3 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Morten Dalgaard Johansen Dashboard Widget Sidebar dashboard-widget-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dashboard Widget Sidebar: from n/a through <= 1.2.3.

Action-Not Available
Vendor-Morten Dalgaard Johansen
Product-Dashboard Widget Sidebar
CWE ID-CWE-862
Missing Authorization
CVE-2025-53323
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-27 Jun, 2025 | 13:21
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pre-Publish Post Checklist plugin <= 3.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in danbriapps Pre-Publish Post Checklist pre-publish-post-checklist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pre-Publish Post Checklist: from n/a through <= 3.1.

Action-Not Available
Vendor-danbriapps
Product-Pre-Publish Post Checklist
CWE ID-CWE-862
Missing Authorization
CVE-2025-54005
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 12.68%
||
7 Day CHG+0.01%
Published-16 Dec, 2025 | 08:12
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SKT Page Builder plugin <= 4.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in sonalsinha21 SKT Page Builder skt-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SKT Page Builder: from n/a through <= 4.9.

Action-Not Available
Vendor-sonalsinha21
Product-SKT Page Builder
CWE ID-CWE-862
Missing Authorization
CVE-2025-54047
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 10:36
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Cost Calculator plugin <= 7.4 - Broken Access Control Vulnerability

Missing Authorization vulnerability in QuanticaLabs Cost Calculator ql-cost-calculator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cost Calculator: from n/a through <= 7.4.

Action-Not Available
Vendor-QuanticaLabs
Product-Cost Calculator
CWE ID-CWE-862
Missing Authorization
CVE-2025-53200
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-27 Jun, 2025 | 13:20
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ChatBot plugin <= 6.7.3 - Broken Access Control Vulnerability

Missing Authorization vulnerability in QuantumCloud ChatBot chatbot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ChatBot: from n/a through <= 6.7.3.

Action-Not Available
Vendor-QuantumCloud
Product-ChatBot
CWE ID-CWE-862
Missing Authorization
CVE-2025-52554
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.33% / 55.89%
||
7 Day CHG~0.00%
Published-03 Jul, 2025 | 20:08
Updated-04 Sep, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
n8n Improper Authorization in Workflow Execution Stop Endpoint Allows Terminating Other Users’ Workflows

n8n is a workflow automation platform. Prior to version 1.99.1, an authorization vulnerability was discovered in the /rest/executions/:id/stop endpoint of n8n. An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading to potential business disruption. This issue has been patched in version 1.99.1. A workaround involves restricting access to the /rest/executions/:id/stop endpoint via reverse proxy or API gateway.

Action-Not Available
Vendor-n8nn8n-io
Product-n8nn8n
CWE ID-CWE-862
Missing Authorization
CVE-2022-45394
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.34% / 56.79%
||
7 Day CHG~0.00%
Published-15 Nov, 2022 | 00:00
Updated-30 Apr, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs.

Action-Not Available
Vendor-Jenkins
Product-delete_logJenkins Delete log Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2022-45352
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 14.46%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 11:21
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Betheme premium theme <= 26.6.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1.

Action-Not Available
Vendor-Muffin Group
Product-bethemeBetheme
CWE ID-CWE-862
Missing Authorization
CVE-2022-45349
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 20.11%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 11:18
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Betheme premium theme <= 26.6.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1.

Action-Not Available
Vendor-Muffin Group
Product-bethemeBetheme
CWE ID-CWE-862
Missing Authorization
CVE-2025-49293
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Crawlomatic Multisite Scraper Post Generator plugin <= 2.6.8.2 - Broken Access Control Vulnerability

Missing Authorization vulnerability in CodeRevolution Crawlomatic Multisite Scraper Post Generator crawlomatic-multipage-scraper-post-generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crawlomatic Multisite Scraper Post Generator: from n/a through <= 2.6.8.2.

Action-Not Available
Vendor-CodeRevolution
Product-Crawlomatic Multisite Scraper Post Generator
CWE ID-CWE-862
Missing Authorization
CVE-2025-49857
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-17 Jun, 2025 | 15:01
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress myCred plugin <= 2.9.4.2 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.4.2.

Action-Not Available
Vendor-Saad Iqbal
Product-myCred
CWE ID-CWE-862
Missing Authorization
CVE-2025-49973
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-12 May, 2026 | 00:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes plugin <= 1.0.10 - Broken Access Control Vulnerability

Missing Authorization vulnerability in GrandPlugins Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes image-sizes-controller allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes: from n/a through <= 1.0.10.

Action-Not Available
Vendor-GrandPlugins
Product-Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes
CWE ID-CWE-862
Missing Authorization
CVE-2025-49976
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WANotifier plugin <= 2.7.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in WANotifier Notifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Notifier: from n/a through <= 2.7.12.

Action-Not Available
Vendor-WANotifier
Product-Notifier
CWE ID-CWE-862
Missing Authorization
CVE-2025-49937
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.26%
||
7 Day CHG-0.00%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Smash Balloon Social Post Feed plugin <= 4.3.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Syed Balkhi Smash Balloon Social Post Feed custom-facebook-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smash Balloon Social Post Feed: from n/a through <= 4.3.2.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Smash Balloon Social Post Feed
CWE ID-CWE-862
Missing Authorization
CVE-2024-37201
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.95%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 14:18
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Woocommerce Customers Order History plugin <= 5.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in javmah Woocommerce Customers Order History allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Woocommerce Customers Order History: from n/a through 5.2.2.

Action-Not Available
Vendor-javmah
Product-Woocommerce Customers Order History
CWE ID-CWE-862
Missing Authorization
CVE-2025-49396
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.41%
||
7 Day CHG~0.00%
Published-20 Aug, 2025 | 08:03
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Themify Builder Plugin <= 7.6.7 - Broken Access Control Vulnerability

Missing Authorization vulnerability in themifyme Themify Builder themify-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Themify Builder: from n/a through <= 7.6.7.

Action-Not Available
Vendor-themifyme
Product-Themify Builder
CWE ID-CWE-862
Missing Authorization
CVE-2024-9364
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.25%
||
7 Day CHG~0.00%
Published-18 Oct, 2024 | 04:32
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SendGrid for WordPress <= 1.4 - Missing Authorization to Authenticated (Subscriber+) Log Deletion

The SendGrid for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_mailplus_clear_logs' function in all versions up to, and including, 1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's log files.

Action-Not Available
Vendor-smackcoderssmackcoders
Product-sendgridSendGrid for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2025-49246
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-12 May, 2026 | 00:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Testimonials Showcase plugin <= 1.9.16 - Broken Access Control Vulnerability

Missing Authorization vulnerability in cmoreira Testimonials Showcase testimonials-showcase allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Testimonials Showcase: from n/a through <= 1.9.16.

Action-Not Available
Vendor-cmoreira
Product-Testimonials Showcase
CWE ID-CWE-862
Missing Authorization
CVE-2024-9824
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 34.86%
||
7 Day CHG~0.00%
Published-12 Oct, 2024 | 05:39
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImagePress - Image Gallery <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Post Title Update

The ImagePress – Image Gallery plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'ip_delete_post' and 'ip_update_post_title' functions in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts and update post titles.

Action-Not Available
Vendor-butterflymedia
Product-ImagePress – Image Gallery
CWE ID-CWE-862
Missing Authorization
CVE-2024-9531
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 33.10%
||
7 Day CHG~0.00%
Published-24 Oct, 2024 | 07:35
Updated-08 Apr, 2026 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 - Missing Authorization to Forged Vendor Profile Deletion Email Sending

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvx_sent_deactivation_request' function in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send a canned email to the site's administrator asking to delete the profile of an arbitrary vendor.

Action-Not Available
Vendor-multivendorxwcmp
Product-multivendorxMultiVendorX – WooCommerce Multivendor Marketplace Solutions
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2025-49248
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Team Showcase plugin < 25.05.13 - Broken Access Control Vulnerability

Missing Authorization vulnerability in cmoreira Team Showcase team-showcase-cm allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team Showcase: from n/a through < 25.05.13.

Action-Not Available
Vendor-cmoreira
Product-Team Showcase
CWE ID-CWE-862
Missing Authorization
CVE-2025-48079
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 15:45
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ProfileGrid plugin <= 5.9.5.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ProfileGrid : from n/a through <= 5.9.5.1.

Action-Not Available
Vendor-Metagauss Inc.
Product-ProfileGrid
CWE ID-CWE-862
Missing Authorization
CVE-2025-49052
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.41%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 10:34
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Netease Music plugin <= 3.2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Dariolee Netease Music netease-music allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Netease Music: from n/a through <= 3.2.1.

Action-Not Available
Vendor-Dariolee
Product-Netease Music
CWE ID-CWE-862
Missing Authorization
CVE-2025-48350
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.41%
||
7 Day CHG~0.00%
Published-28 Aug, 2025 | 12:37
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AutoWP plugin <= 2.2.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Basar Ventures AutoWP autowp-ai-content-writer-rewriter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AutoWP: from n/a through <= 2.2.7.

Action-Not Available
Vendor-Basar Ventures
Product-AutoWP
CWE ID-CWE-862
Missing Authorization
CVE-2024-9587
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.05% / 16.55%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 05:33
Updated-08 Apr, 2026 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linkz.ai <= 1.1.8 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via AJAX

The Linkz.ai plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_linkz' function in versions up to, and including, 1.1.8. This makes it possible for authenticated attackers with contributor-level privileges or above, to update plugin settings.

Action-Not Available
Vendor-linkz.aivittor1o
Product-linkz.aiLinkz.ai – Automatic link previews on hover
CWE ID-CWE-862
Missing Authorization
CVE-2024-9891
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 33.10%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 02:05
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiline files upload for contact form 7 <= 2.8.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation

The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin and send a custom reason from the site.

Action-Not Available
Vendor-zluck
Product-MultiLine Files for Contact Form 7
CWE ID-CWE-862
Missing Authorization
CVE-2025-48334
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 38.52%
||
7 Day CHG~0.00%
Published-30 May, 2025 | 08:42
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Woo Slider Pro <= 1.12 - Arbitrary Content Deletion Vulnerability

Missing Authorization vulnerability in BinaryCarpenter Woo Slider Pro woo-slider-pro-drag-drop-slider-builder-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Woo Slider Pro: from n/a through <= 1.12.

Action-Not Available
Vendor-binarycarpenterBinaryCarpenter
Product-woo_slider_proWoo Slider Pro
CWE ID-CWE-862
Missing Authorization
CVE-2025-48247
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 14:44
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Shortlinks by Pretty Links plugin <= 3.6.15 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Blair Williams Shortlinks by Pretty Links pretty-link allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shortlinks by Pretty Links: from n/a through <= 3.6.15.

Action-Not Available
Vendor-Blair Williams
Product-Shortlinks by Pretty Links
CWE ID-CWE-862
Missing Authorization
CVE-2024-9626
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.50%
||
7 Day CHG~0.00%
Published-26 Oct, 2024 | 01:58
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Editorial Assistant by Sovrn <= 1.3.3 - Missing Authorization to Authenticated (Subscriber+) Attachment Upload and Set Post Featured Image

The Editorial Assistant by Sovrn plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_zemanta_set_featured_image' function in versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload attachment files (such as jpg, png, txt, zip), and set the post featured image.

Action-Not Available
Vendor-zemanta
Product-Editorial Assistant by Sovrn
CWE ID-CWE-862
Missing Authorization
CVE-2025-48268
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 14:45
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Bot for Telegram on WooCommerce plugin <= 1.2.6 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Guru Team Bot for Telegram on WooCommerce bot-for-telegram-on-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bot for Telegram on WooCommerce: from n/a through <= 1.2.6.

Action-Not Available
Vendor-Guru Team
Product-Bot for Telegram on WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2022-2657
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 28.54%
||
7 Day CHG~0.00%
Published-05 Sep, 2022 | 12:35
Updated-03 Aug, 2024 | 00:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthorised AJAX Calls

The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF

Action-Not Available
Vendor-wc-marketplaceUnknown
Product-multivendor_marketplace_solution_for_woocommerce_-_wc_marketplaceMultivendor Marketplace Solution for WooCommerce – WC Marketplace
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-47471
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 14:19
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Envo Extra plugin <= 1.9.9 - Broken Access Control Vulnerability

Missing Authorization vulnerability in EnvoThemes Envo Extra envo-extra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Envo Extra: from n/a through <= 1.9.9.

Action-Not Available
Vendor-EnvoThemes
Product-Envo Extra
CWE ID-CWE-862
Missing Authorization
CVE-2024-8432
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 45.62%
||
7 Day CHG~0.00%
Published-24 Sep, 2024 | 01:56
Updated-08 Apr, 2026 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Appointment & Event Booking Calendar Plugin – Webba Booking <= 5.0.48 - Missing Authorization to Authenticated (Subscriber+) CSS Settings Update

The Appointment & Event Booking Calendar Plugin – Webba Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_appearance() function in all versions up to, and including, 5.0.48. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the booking form's CSS.

Action-Not Available
Vendor-webba-bookingwebba-agency
Product-webba_bookingEasy Appointment Booking & Scheduling System – Webba Booking Calendar
CWE ID-CWE-862
Missing Authorization
CVE-2024-9067
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 45.61%
||
7 Day CHG~0.00%
Published-10 Oct, 2024 | 02:06
Updated-08 Apr, 2026 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.3.0 - Missing Authorization to Arbitrary (Subscriber+) Attachment Deletion

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'delete_attachment' function in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments.

Action-Not Available
Vendor-kainelabsyouzify
Product-youzifyYouzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2025-47887
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.96%
||
7 Day CHG~0.00%
Published-14 May, 2025 | 20:35
Updated-12 Jun, 2025 | 13:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing permission checks in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Action-Not Available
Vendor-Jenkins
Product-cadence_vmanagerJenkins Cadence vManager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-47528
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 14:20
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ovation Elements plugin <= 1.1.2 - Broken Access Control Vulnerability

Missing Authorization vulnerability in pewilliams Ovation Elements ovation-elements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ovation Elements: from n/a through <= 1.1.2.

Action-Not Available
Vendor-pewilliams
Product-Ovation Elements
CWE ID-CWE-862
Missing Authorization
CVE-2024-8199
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.03%
||
7 Day CHG~0.00%
Published-27 Aug, 2024 | 15:32
Updated-08 Apr, 2026 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update

The Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_api_key' function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update API Key options.

Action-Not Available
Vendor-Smash Balloon, LLC (Smash Balloon)Awesome Motive Inc.
Product-reviews_feedReviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More
CWE ID-CWE-862
Missing Authorization
CVE-2024-8860
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.41%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 07:06
Updated-08 Apr, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tourfic <= 2.14.5 - Missing Authorization in Multiple Functions

The Tourfic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields functions in all versions up to, and including, 2.14.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields, respectively.

Action-Not Available
Vendor-themefic
Product-Tourfic – Travel Booking, Hotel Booking & Car Rental WordPress Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2024-8552
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 61.45%
||
7 Day CHG~0.00%
Published-26 Sep, 2024 | 02:03
Updated-08 Apr, 2026 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Monitor <= 5.0.9 - Missing Authorization to Authenticated (Subscriber+) Shop Enable

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality.

Action-Not Available
Vendor-wpchillwpchill
Product-download_monitorDownload Monitor
CWE ID-CWE-862
Missing Authorization
CVE-2025-47534
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.62%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 15:45
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Wordpress Auto Spinner plugin <= 3.25.0 - Broken Access Control Vulnerability

Missing Authorization vulnerability in ValvePress Wordpress Auto Spinner wp-auto-spinner allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wordpress Auto Spinner: from n/a through <= 3.25.0.

Action-Not Available
Vendor-ValvePress
Product-Wordpress Auto Spinner
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • ...
  • 11
  • 12
  • 13
  • ...
  • 28
  • 29
  • Next
Details not found