Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-59217

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-09 Jul, 2026 | 16:51
Updated At-14 Jul, 2026 | 01:03
Rejected At-
Credits

Open WebUI: Upload `metadata.knowledge_id` bypasses the knowledge-base write-access check (read-only users can add files to KB)

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:09 Jul, 2026 | 16:51
Updated At:14 Jul, 2026 | 01:03
Rejected At:
▼CVE Numbering Authority (CNA)
Open WebUI: Upload `metadata.knowledge_id` bypasses the knowledge-base write-access check (read-only users can add files to KB)

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0.

Affected Products
Vendor
open-webui
Product
open-webui
Versions
Affected
  • < 0.10.0
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862: Missing Authorization
CWECWE-863CWE-863: Incorrect Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862: Missing Authorization
Type: CWE
CWE ID: CWE-863
Description: CWE-863: Incorrect Authorization
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g
x_refsource_CONFIRM
https://github.com/open-webui/open-webui/pull/26001
x_refsource_MISC
https://github.com/open-webui/open-webui/commit/b7626f05fb92b24ab923ad81a037071ebd5623d1
x_refsource_MISC
https://github.com/open-webui/open-webui/releases/tag/v0.10.0
x_refsource_MISC
Hyperlink: https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/open-webui/open-webui/pull/26001
Resource:
x_refsource_MISC
Hyperlink: https://github.com/open-webui/open-webui/commit/b7626f05fb92b24ab923ad81a037071ebd5623d1
Resource:
x_refsource_MISC
Hyperlink: https://github.com/open-webui/open-webui/releases/tag/v0.10.0
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g
exploit
Hyperlink: https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:09 Jul, 2026 | 17:17
Updated At:14 Jul, 2026 | 02:16

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
N/A
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

openwebui
openwebui
>>open_webui>>Versions before 0.10.0(exclusive)
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-862Secondarysecurity-advisories@github.com
CWE-863Secondarysecurity-advisories@github.com
CWE ID: CWE-862
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-863
Type: Secondary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/open-webui/open-webui/commit/b7626f05fb92b24ab923ad81a037071ebd5623d1security-advisories@github.com
Patch
https://github.com/open-webui/open-webui/pull/26001security-advisories@github.com
Issue Tracking
Patch
https://github.com/open-webui/open-webui/releases/tag/v0.10.0security-advisories@github.com
Product
Release Notes
https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448gsecurity-advisories@github.com
Exploit
Mitigation
Vendor Advisory
https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Mitigation
Vendor Advisory
Hyperlink: https://github.com/open-webui/open-webui/commit/b7626f05fb92b24ab923ad81a037071ebd5623d1
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/open-webui/open-webui/pull/26001
Source: security-advisories@github.com
Resource:
Issue Tracking
Patch
Hyperlink: https://github.com/open-webui/open-webui/releases/tag/v0.10.0
Source: security-advisories@github.com
Resource:
Product
Release Notes
Hyperlink: https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g
Source: security-advisories@github.com
Resource:
Exploit
Mitigation
Vendor Advisory
Hyperlink: https://github.com/open-webui/open-webui/security/advisories/GHSA-7r7x-gjvr-448g
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Mitigation
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

1578Records found

CVE-2025-24649
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 28.85%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 17:24
Updated-11 May, 2026 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Admin and Site Enhancements (ASE) Plugin <= 7.6.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin and Site Enhancements (ASE): from n/a through <= 7.6.2.

Action-Not Available
Vendor-Bowo
Product-Admin and Site Enhancements (ASE)
CWE ID-CWE-862
Missing Authorization
CVE-2023-30486
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.71% / 49.49%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Square theme <= 2.0.0 - Broken Access Control

Missing Authorization vulnerability in HashThemes Square allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Square: from n/a through 2.0.0.

Action-Not Available
Vendor-HashThemes
Product-Square
CWE ID-CWE-862
Missing Authorization
CVE-2023-3053
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.50% / 39.72%
||
7 Day CHG~0.00%
Published-02 Jun, 2023 | 23:37
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Page Builder by AZEXO <= 1.27.133 - Missing Authorization to Post Creation

The Page Builder by AZEXO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'azh_add_post' function in versions up to, and including, 1.27.133. This makes it possible for authenticated attackers to create a post with any post type and post status.

Action-Not Available
Vendor-azexoazexo
Product-page_builder_with_image_map_by_azexoPage Builder with Image Map by AZEXO
CWE ID-CWE-862
Missing Authorization
CVE-2023-30476
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 31.10%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Blogger Buzz theme <= 1.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Sparkle Themes Blogger Buzz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Blogger Buzz: from n/a through 1.2.2.

Action-Not Available
Vendor-Sparkle Themes
Product-Blogger Buzz
CWE ID-CWE-862
Missing Authorization
CVE-2023-29422
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 29.43%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Dynamics 365 Integration plugin <= 1.3.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in AlexaCRM Dynamics 365 Integration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dynamics 365 Integration: from n/a through 1.3.13.

Action-Not Available
Vendor-AlexaCRM
Product-Dynamics 365 Integration
CWE ID-CWE-862
Missing Authorization
CVE-2023-30783
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.40% / 32.56%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Smart WooCommerce Search plugin <= 2.5.0 - Broken Access Control

Missing Authorization vulnerability in YummyWP Smart WooCommerce Search allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart WooCommerce Search: from n/a through 2.5.0.

Action-Not Available
Vendor-YummyWP
Product-Smart WooCommerce Search
CWE ID-CWE-862
Missing Authorization
CVE-2023-29431
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 31.10%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress qTranslate X Cleanup and WPML Import plugin <= 3.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in OntheGoSystems qTranslate X Cleanup and WPML Import allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects qTranslate X Cleanup and WPML Import: from n/a through 3.0.1.

Action-Not Available
Vendor-OntheGoSystems
Product-qTranslate X Cleanup and WPML Import
CWE ID-CWE-862
Missing Authorization
CVE-2023-30522
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.45% / 36.23%
||
7 Day CHG~0.00%
Published-12 Apr, 2023 | 17:05
Updated-07 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter.

Action-Not Available
Vendor-Jenkins
Product-fogbugzJenkins Fogbugz Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-29927
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.40% / 32.48%
||
7 Day CHG~0.00%
Published-16 May, 2023 | 00:00
Updated-23 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the "Windows Peer-to-Peer Network" or "Client Server Network" Sage 300 configurations, could recover the SQL connection strings being used by Sage 300 and interact directly with the underlying database(s) to create, update, and delete all company records, bypassing the program’s role-based access controls.

Action-Not Available
Vendor-sagen/a
Product-sage_300n/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-49937
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.45%
||
7 Day CHG+0.01%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Smash Balloon Social Post Feed plugin <= 4.3.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Syed Balkhi Smash Balloon Social Post Feed custom-facebook-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smash Balloon Social Post Feed: from n/a through <= 4.3.2.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Smash Balloon Social Post Feed
CWE ID-CWE-862
Missing Authorization
CVE-2023-28990
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 36.89%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:23
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Viral Mag theme <= 1.0.9 - Authenticated Arbitrary Plugin Activation Vulnerability

Missing Authorization vulnerability in HashThemes Viral Mag allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Viral Mag: from n/a through 1.0.9.

Action-Not Available
Vendor-HashThemes
Product-Viral Mag
CWE ID-CWE-862
Missing Authorization
CVE-2023-29296
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-4.3||MEDIUM
EPSS-0.58% / 44.08%
||
7 Day CHG~0.00%
Published-15 Jun, 2023 | 00:00
Updated-05 Mar, 2025 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[Cloud] Customer suspects IDOR vulnerability

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-magentocommerceMagento Commerce
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-28416
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 30.27%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Chankhe theme <= 1.0.5 - Authenticated Arbitrary Plugin Activation vulnerability

Missing Authorization vulnerability in Sparkle Themes Chankhe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chankhe: from n/a through 1.0.5.

Action-Not Available
Vendor-Sparkle Themes
Product-Chankhe
CWE ID-CWE-862
Missing Authorization
CVE-2023-29295
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-4.3||MEDIUM
EPSS-0.58% / 44.08%
||
7 Day CHG~0.00%
Published-15 Jun, 2023 | 00:00
Updated-05 Mar, 2025 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Direct Object Reference (IDOR) in Create Quote Function

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-magentocommerceMagento Commerce
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-49922
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.45%
||
7 Day CHG+0.01%
Published-22 Oct, 2025 | 14:32
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPeMatico RSS Feed Fetcher plugin <= 2.8.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in etruel WPeMatico RSS Feed Fetcher wpematico allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPeMatico RSS Feed Fetcher: from n/a through <= 2.8.3.

Action-Not Available
Vendor-etruel
Product-WPeMatico RSS Feed Fetcher
CWE ID-CWE-862
Missing Authorization
CVE-2023-2869
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.50% / 39.72%
||
7 Day CHG~0.00%
Published-12 Jul, 2023 | 04:38
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP-Members Membership <= 3.4.7.3 - Missing Authorization to Settings Update

The WP-Members Membership plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the do_field_reorder function in versions up to, and including, 3.4.7.3. This makes it possible for authenticated attackers with subscriber-level access to reorder form elements on login forms.

Action-Not Available
Vendor-butlerblogcbutlerjr
Product-wp-membersWP-Members Membership Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2023-28532
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 29.43%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Real Estate Directory theme <= 1.0.5 - Authenticated Arbitrary Plugin Activation

Missing Authorization vulnerability in wpdirectorykit.com Real Estate Directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Real Estate Directory: from n/a through 1.0.5.

Action-Not Available
Vendor-wpdirectorykit.com
Product-Real Estate Directory
CWE ID-CWE-862
Missing Authorization
CVE-2023-28619
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 15.30%
||
7 Day CHG~0.00%
Published-24 Dec, 2025 | 12:43
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Resoto theme <= 1.0.8 - Broken Access Control to Arbitrary Plugin Activation

Missing Authorization vulnerability in bnayawpguy Resoto allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Resoto: from n/a through 1.0.8.

Action-Not Available
Vendor-bnayawpguy
Product-Resoto
CWE ID-CWE-862
Missing Authorization
CVE-2023-29288
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-4.3||MEDIUM
EPSS-0.58% / 44.08%
||
7 Day CHG~0.00%
Published-15 Jun, 2023 | 00:00
Updated-05 Mar, 2025 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Commerce | Incorrect Authorization (CWE-863)

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-magentocommerceAdobe Commerce
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-28494
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 23.41%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 07:06
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form Email plugin <= 1.3.31 - Missing Authorization Leading To Feedback Submission Vulnerability

Missing Authorization vulnerability in CodePeople Contact Form Email allows Functionality Misuse.This issue affects Contact Form Email: from n/a through 1.3.31.

Action-Not Available
Vendor-CodePeople
Product-Contact Form Emailcontact_form_email
CWE ID-CWE-862
Missing Authorization
CVE-2023-28492
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 23.11%
||
7 Day CHG~0.00%
Published-03 Jun, 2024 | 22:09
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Calendar Event Multi View plugin <= 1.4.10 - Missing Authorization Leading To Feedback Submission vulnerability

Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Functionality Misuse.This issue affects CP Multi View Event Calendar: from n/a through 1.4.10.

Action-Not Available
Vendor-CodePeople
Product-CP Multi View Event Calendar
CWE ID-CWE-862
Missing Authorization
CVE-2023-27384
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 40.56%
||
7 Day CHG~0.00%
Published-23 May, 2023 | 00:00
Updated-17 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Operation restriction bypass vulnerability in MultiReport of Cybozu Garoon 5.15.0 allows a remote authenticated attacker to alter the data of MultiReport.

Action-Not Available
Vendor-Cybozu, Inc.
Product-garoonCybozu Garoon
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-27304
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 40.56%
||
7 Day CHG~0.00%
Published-23 May, 2023 | 00:00
Updated-17 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Operation restriction bypass vulnerability in Message and Bulletin of Cybozu Garoon 4.6.0 to 5.9.2 allows a remote authenticated attacker to alter the data of Message and/or Bulletin.

Action-Not Available
Vendor-Cybozu, Inc.
Product-garoonCybozu Garoon
CWE ID-CWE-862
Missing Authorization
CVE-2023-27526
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-4.3||MEDIUM
EPSS-0.88% / 54.95%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 12:44
Updated-26 Sep, 2024 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Superset: Improper Authorization check on import charts

A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. 

Action-Not Available
Vendor-The Apache Software Foundation
Product-supersetApache Superset
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-49857
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 8.44%
||
7 Day CHG~0.00%
Published-17 Jun, 2025 | 15:01
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress myCred plugin <= 2.9.4.2 - Broken Access Control Vulnerability

Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.4.2.

Action-Not Available
Vendor-Saad Iqbal
Product-myCred
CWE ID-CWE-862
Missing Authorization
CVE-2023-2783
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.44% / 35.44%
||
7 Day CHG~0.00%
Published-16 Jun, 2023 | 08:39
Updated-06 Dec, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
App Framework does not checks for the secret provided in the incoming webhook request

Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost App Framework
CWE ID-CWE-862
Missing Authorization
CVE-2025-49974
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.44%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress UpStream: a Project Management Plugin for WordPress plugin <= 2.1.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress upstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through <= 2.1.1.

Action-Not Available
Vendor-upstreamplugin
Product-UpStream: a Project Management Plugin for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2023-2764
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 39.98%
||
7 Day CHG~0.00%
Published-09 Jun, 2023 | 05:33
Updated-08 Apr, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Draw Attention <= 2.0.11 - Missing Authorization to Arbitrary Post Featured Image Modification

The Draw Attention plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_set_featured_image function in versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the featured image of arbitrary posts with an image that exists in the media library.

Action-Not Available
Vendor-N Squared Digital, LLC
Product-draw_attentionInteractive Image Map Plugin – Draw Attention
CWE ID-CWE-862
Missing Authorization
CVE-2023-27460
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 29.94%
||
7 Day CHG~0.00%
Published-03 Jun, 2024 | 22:01
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CP Contact Form with PayPal plugin <= 1.3.34 - Missing Authorization Leading To Feedback Submission vulnerability

Missing Authorization vulnerability in CodePeople, paypaldev CP Contact Form with Paypal allows Functionality Misuse.This issue affects CP Contact Form with Paypal: from n/a through 1.3.34.

Action-Not Available
Vendor-CodePeople, paypaldev
Product-CP Contact Form with Paypal
CWE ID-CWE-862
Missing Authorization
CVE-2023-28165
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 29.43%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Backup Bank: WordPress Backup Plugin plugin <= 4.0.28 - Broken Access Control vulnerability

Missing Authorization vulnerability in Tech Banker Backup Bank: WordPress Backup Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backup Bank: WordPress Backup Plugin: from n/a through 4.0.28.

Action-Not Available
Vendor-Tech Banker
Product-Backup Bank: WordPress Backup Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-49982
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.44%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Customer Area plugin <= 8.3.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in aguilatechnologies WP Customer Area customer-area allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Customer Area: from n/a through <= 8.3.4.

Action-Not Available
Vendor-aguilatechnologies
Product-WP Customer Area
CWE ID-CWE-862
Missing Authorization
CVE-2025-49976
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.44%
||
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WANotifier plugin <= 2.7.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in WANotifier Notifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Notifier: from n/a through <= 2.7.12.

Action-Not Available
Vendor-WANotifier
Product-Notifier
CWE ID-CWE-862
Missing Authorization
CVE-2023-2714
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.53% / 41.12%
||
7 Day CHG~0.00%
Published-20 May, 2023 | 02:03
Updated-08 Apr, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Groundhogg <= 2.7.9.8 - Missing Authorization to Update License

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the license key and support license key, but it can only be changed to a valid license key.

Action-Not Available
Vendor-trainingbusinessprosGroundhogg (Groundhogg Inc.)
Product-groundhoggGroundhogg — CRM, Newsletters, and Marketing Automation
CWE ID-CWE-862
Missing Authorization
CVE-2023-2627
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 15.95%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 13:17
Updated-03 Dec, 2024 | 17:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings

Action-Not Available
Vendor-iqonicUnknown
Product-kivicareKiviCare
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-2715
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.56% / 42.93%
||
7 Day CHG~0.00%
Published-20 May, 2023 | 02:03
Updated-08 Apr, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Groundhogg <= 2.7.9.8 - Missing Authorization to Admin Account and Ticket Creation

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers to create a support ticket that sends the website's data to the plugin developer, and it is also possible to create an admin access with an auto login link that is also sent to the plugin developer with the ticket. It only works if the plugin is activated with a valid license.

Action-Not Available
Vendor-trainingbusinessprosGroundhogg (Groundhogg Inc.)
Product-groundhoggGroundhogg — CRM, Newsletters, and Marketing Automation
CWE ID-CWE-862
Missing Authorization
CVE-2023-26521
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 23.41%
||
7 Day CHG~0.00%
Published-03 Jun, 2024 | 21:37
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Search in Place plugin <= 1.0.104 - Missing Authorization Leading To Feedback Submission vulnerability

Missing Authorization vulnerability in CodePeople Search in Place allows Functionality Misuse.This issue affects Search in Place: from n/a through 1.0.104.

Action-Not Available
Vendor-CodePeople
Product-Search in Place
CWE ID-CWE-862
Missing Authorization
CVE-2023-26523
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 23.41%
||
7 Day CHG~0.00%
Published-03 Jun, 2024 | 21:42
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Calculated Fields Form plugin <= 1.1.120 - Missing Authorization Leading To Feedback Submission Vulnerability

Missing Authorization vulnerability in CodePeople Calculated Fields Form allows Functionality Misuse.This issue affects Calculated Fields Form: from n/a through 1.1.120.

Action-Not Available
Vendor-CodePeople
Product-Calculated Fields Formcalculated_fields_form
CWE ID-CWE-862
Missing Authorization
CVE-2023-25993
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.42% / 33.95%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Top 10 – Popular posts plugin for WordPress plugin <= 3.2.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in WebberZone Top 10 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Top 10: from n/a through 3.2.3.

Action-Not Available
Vendor-webberzoneWebberZone
Product-top_10Top 10
CWE ID-CWE-862
Missing Authorization
CVE-2025-49246
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 15.20%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-12 May, 2026 | 00:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Testimonials Showcase plugin <= 1.9.16 - Broken Access Control Vulnerability

Missing Authorization vulnerability in cmoreira Testimonials Showcase testimonials-showcase allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Testimonials Showcase: from n/a through <= 1.9.16.

Action-Not Available
Vendor-cmoreira
Product-Testimonials Showcase
CWE ID-CWE-862
Missing Authorization
CVE-2023-26002
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 15.46%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:54
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress 6Storage Rentals <= 2.19.5 - Broken Access Control Vulnerability

Missing Authorization vulnerability in 6Storage 6Storage Rentals allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 6Storage Rentals: from n/a through 2.19.5.

Action-Not Available
Vendor-6Storage
Product-6Storage Rentals
CWE ID-CWE-862
Missing Authorization
CVE-2023-25037
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.54% / 41.89%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Booking Calendar Contact Form plugin <= 1.2.34 - Broken Access Control vulnerability

Missing Authorization vulnerability in CodePeople Booking Calendar Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking Calendar Contact Form: from n/a through 1.2.34.

Action-Not Available
Vendor-CodePeople
Product-Booking Calendar Contact Form
CWE ID-CWE-862
Missing Authorization
CVE-2023-2576
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 37.85%
||
7 Day CHG~0.00%
Published-13 Jul, 2023 | 02:08
Updated-30 Oct, 2024 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. This allowed a developer to remove the CODEOWNERS rules and merge to a protected branch.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-25068
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.15%
||
7 Day CHG~0.00%
Published-20 Dec, 2025 | 23:58
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Magazine Edge theme <= 1.13 - Authenticated Arbitrary Plugin Activation

Missing Authorization vulnerability in Mapro Collins Magazine Edge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Magazine Edge: from n/a through 1.13.

Action-Not Available
Vendor-Mapro Collins
Product-Magazine Edge
CWE ID-CWE-862
Missing Authorization
CVE-2023-25039
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.50% / 39.35%
||
7 Day CHG~0.00%
Published-25 Mar, 2024 | 11:46
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Google Maps CP plugin <= 1.0.43 - Missing Authorization Leading To Feedback Submission Vulnerability

Missing Authorization vulnerability in CodePeople Google Maps CP.This issue affects Google Maps CP: from n/a through 1.0.43.

Action-Not Available
Vendor-CodePeople
Product-google_maps_cpGoogle Maps CP
CWE ID-CWE-862
Missing Authorization
CVE-2026-9240
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 9.49%
||
7 Day CHG~0.00%
Published-09 Jul, 2026 | 09:31
Updated-09 Jul, 2026 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Colissimo Officiel : Méthodes de livraison pour WooCommerce <= 2.9.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Shipment Modification via lpc_order_affect AJAX action

The Colissimo Officiel : Méthodes de livraison pour WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateShippingMethod() function (registered to the wp_ajax_lpc_order_affect AJAX action) in versions up to, and including, 2.9.0. This is due to the handler performing no current_user_can() capability check and no nonce verification before reading an attacker-supplied order_id and modifying that order's shipping method, pickup-point meta, and shipping address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or modify the shipment information (shipping method, pickup relay data, and shipping address) of arbitrary WooCommerce orders, including orders placed by other users.

Action-Not Available
Vendor-iscpcolissimo
Product-Colissimo shipping methods for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2025-49293
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 15.20%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Crawlomatic Multisite Scraper Post Generator plugin <= 2.6.8.2 - Broken Access Control Vulnerability

Missing Authorization vulnerability in CodeRevolution Crawlomatic Multisite Scraper Post Generator crawlomatic-multipage-scraper-post-generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crawlomatic Multisite Scraper Post Generator: from n/a through <= 2.6.8.2.

Action-Not Available
Vendor-CodeRevolution
Product-Crawlomatic Multisite Scraper Post Generator
CWE ID-CWE-862
Missing Authorization
CVE-2023-25030
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 18.93%
||
7 Day CHG+0.03%
Published-12 Jun, 2024 | 09:39
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Buy Me a Coffee plugin <= 3.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Buy Me a Coffee.This issue affects Buy Me a Coffee: from n/a through 3.7.

Action-Not Available
Vendor-buymeacoffeeBuy Me a Coffee
Product-buy_me_a_coffeeBuy Me a Coffee
CWE ID-CWE-862
Missing Authorization
CVE-2023-25026
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.54% / 41.89%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 11:31
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PayPal Brasil para WooCommerce plugin <= 1.4.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in PayPal PayPal Brasil para WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PayPal Brasil para WooCommerce: from n/a through 1.4.2.

Action-Not Available
Vendor-PayPal
Product-PayPal Brasil para WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2023-2561
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 33.16%
||
7 Day CHG~0.00%
Published-12 Jul, 2023 | 04:38
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gallery Metabox <= 1.5 - Missing Authorization via gallery_remove

The Gallery Metabox for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gallery_remove function in versions up to, and including, 1.5. This makes it possible for subscriber-level attackers to modify galleries attached to posts and pages with this plugin.

Action-Not Available
Vendor-gallery-metabox_projectbillerickson
Product-gallery-metaboxGallery Metabox
CWE ID-CWE-862
Missing Authorization
CVE-2025-48878
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.03%
||
7 Day CHG~0.00%
Published-10 Nov, 2025 | 20:43
Updated-21 Nov, 2025 | 13:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Combodo iTop vulnerable to IDOR with ModuleInstallation object

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue.

Action-Not Available
Vendor-combodoCombodo
Product-itopiTop
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 31
  • 32
  • Next
Details not found