Missing Authorization vulnerability in Automattic WP Job Manager - Resume Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0.
Missing Authorization vulnerability in WordPress Page Builder Sandwich Team Page Builder Sandwich – Front-End Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Page Builder Sandwich – Front-End Page Builder: from n/a through 5.1.0.
The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized plugin setting update due to a missing capability check on the functions action_request_disable, action_change_template, and action_request_enable in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access or above, to enable/disable the Brizy editor and modify the template used.
A missing permission check in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
Missing Authorization vulnerability in Saleswonder Team: Tobias Get Better Reviews for WooCommerce more-better-reviews-for-woocommerce.This issue affects Get Better Reviews for WooCommerce: from n/a through <= 4.0.6.
Missing Authorization vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.4.4.
In JetBrains TeamCity before 2025.11.3 missing authorization allowed project developers to add parameters to build configurations
A missing permission check in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with subscriber access or higher, to remove the Promolayer connection.
Missing Authorization vulnerability in WP Desk Flexible Checkout Fields for WooCommerce.This issue affects Flexible Checkout Fields for WooCommerce: from n/a through 4.1.2.
A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.
The ReviewX – Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the reviewx_remove_guest_image function in all versions up to, and including, 1.6.27. This makes it possible for authenticated attackers, with subscriber access and above, to delete attachments.
The WP Scraper plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wp_scraper_multi_scrape_action() function in all versions up to, and including, 5.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary pages and posts.
The Quick Featured Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the set_thumbnail and delete_thumbnail functions in all versions up to, and including, 13.7.0. This makes it possible for authenticated attackers, with contributor-level access and above, to delete thumbnails and add thumbnails to posts they did not author.
Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, attacker can add notes in the review request with 'completed' status affecting the integrity of the application. Confidentiality and Availability are not impacted.
The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.
Missing Authorization vulnerability in Bosa Themes Bosa Elementor Addons and Templates for WooCommerce.This issue affects Bosa Elementor Addons and Templates for WooCommerce: from n/a through 1.0.12.
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tc_csca_patch_settings function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber access and above, to add states or cities to the dropdown.
Missing Authorization vulnerability in actpro Extra Product Options for WooCommerce.This issue affects Extra Product Options for WooCommerce: from n/a through 3.0.6.
Missing Authorization vulnerability in Fastly.This issue affects Fastly: from n/a through 1.2.25.
Missing Authorization vulnerability in GoodLayers Modernize modernize allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modernize: from n/a through <= 3.4.0.
Missing Authorization vulnerability in blazethemes News Kit Elementor Addons news-kit-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Kit Elementor Addons: from n/a through <= 1.4.2.
Missing Authorization vulnerability in Barry Event Rocket allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Rocket: from n/a through 3.3.
Missing Authorization vulnerability in CodeRevolution Aiomatic.This issue affects Aiomatic: from n/a through 1.9.3.
A missing permission check in Jenkins autonomiq Plugin 1.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
Missing Authorization vulnerability in SMTP2GO SMTP2GO smtp2go allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SMTP2GO: from n/a through <= 1.12.1.
Missing Authorization vulnerability in Photo Gallery Team Photo Gallery by 10Web.This issue affects Photo Gallery by 10Web: from n/a through 1.8.25.
Missing Authorization vulnerability in Adrian Ladó PlatiOnline Payments plationline allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PlatiOnline Payments: from n/a through <= 7.0.0.
Missing Authorization vulnerability in Themovation App, SaaS & Software Startup Tech Theme - Stratus stratusx allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects App, SaaS & Software Startup Tech Theme - Stratus: from n/a through <= 4.2.5.
The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19.
Missing Authorization vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.0.4.
Missing Authorization vulnerability in Tyche Softwares Payment Gateway Based Fees and Discounts for WooCommerce.This issue affects Payment Gateway Based Fees and Discounts for WooCommerce: from n/a through 2.12.1.
Missing Authorization vulnerability in 8theme XStore.This issue affects XStore: from n/a through 9.3.8.
Missing Authorization vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CM On Demand Search And Replace: from n/a through <= 1.5.5.
Missing Authorization vulnerability in AF themes WP Post Author.This issue affects WP Post Author: from n/a through 3.6.4.
Missing Authorization vulnerability in Bowo Debug Log Manager.This issue affects Debug Log Manager: from n/a through 2.3.1.
Missing Authorization vulnerability in Roxnor Metform metform.This issue affects Metform: from n/a through <= 3.8.3.
The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 lacks authorization in various AJAX actions, allowing any logged-in users, such as subscribers to call them.
Missing Authorization vulnerability in SiteLock SiteLock Security – WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteLock Security – WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.2.
Missing Authorization vulnerability in approveme WP Forms Signature Contract Add-On wp-forms-signature-contract-add-on allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Forms Signature Contract Add-On: from n/a through <= 1.8.2.
Missing Authorization vulnerability in AF themes WP Post Author.This issue affects WP Post Author: from n/a through 3.6.4.
Missing Authorization vulnerability in RedNao Smart Forms.This issue affects Smart Forms: from n/a through 2.6.91.
Missing Authorization vulnerability in bookingalgorithms BA Book Everything ba-book-everything allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BA Book Everything: from n/a through <= 1.8.16.
Missing Authorization vulnerability in ThemeLocation Custom WooCommerce Checkout Fields Editor.This issue affects Custom WooCommerce Checkout Fields Editor: from n/a through 1.3.0.
Missing Authorization vulnerability in Eric Alli Google Typography.This issue affects Google Typography: from n/a through 1.1.2.
Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24.
Missing Authorization vulnerability in WooCommerce & WordPress Tutorials Custom Thank You Page Customize For WooCommerce by Binary Carpenter.This issue affects Custom Thank You Page Customize For WooCommerce by Binary Carpenter: from n/a through 1.4.12.
Missing Authorization vulnerability in Copy Content Protection Team Secure Copy Content Protection and Content Locking.This issue affects Secure Copy Content Protection and Content Locking: from n/a through 3.7.1.
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules.