Broken access control in Welcart e-Commerce WordPress plugin through version 2.11.24 allows authenticated users to bypass authorization checks and perform unauthorized actions with elevated privileges. This authentication bypass vulnerability (CWE-862) enables low-privileged authenticated attackers to access, modify, or delete data beyond their permission level, potentially compromising store operations, customer data, and site integrity. EPSS score of 0.05% (15th percentile) suggests low immediate exploitation probability, though no public exploit has been identified at time of analysis.
Broken access control in QuantumCloud ChatBot plugin for WordPress through version 7.7.3 allows authenticated attackers with low privileges to exploit misconfigured authorization checks, potentially leading to high-impact data breaches, unauthorized modifications, and service disruption. EPSS scoring indicates low exploitation probability (0.05%, 15th percentile), and no public exploit identified at time of analysis. The vulnerability stems from missing authorization controls (CWE-862), requiring only network access and low-privilege credentials with no user interaction, making it readily exploitable once an account is compromised.
WordPress Table Block by RioVizual plugin versions through 3.0.0 contains a broken access control vulnerability allowing authenticated attackers with low privileges to bypass authorization checks and perform high-impact actions including data theft, modification, and service disruption. The CVSS score of 8.8 reflects network-accessible exploitation with low complexity requiring only minimal authentication. EPSS score of 0.05% (15th percentile) suggests low immediate exploitation probability, with no public exploit identified at time of analysis.
Broken access control in MSN Partner Hub WordPress plugin allows authenticated attackers with low privileges to bypass authorization controls and gain unauthorized access to high-privilege functions. This CWE-862 missing authorization flaw affects versions through 2.9, enabling authenticated users to execute actions beyond their intended permission level. EPSS score of 0.05% (15th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Missing Authorization vulnerability in Reoon Technology Reoon Email Verifier reoon-email-verifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reoon Email Verifier: from n/a through <= 2.0.1.
Missing Authorization vulnerability in mrityunjay Smart WeTransfer smart-wetransfer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart WeTransfer: from n/a through <= 1.3.
Missing Authorization vulnerability in Kiotviet KiotViet Sync kiotvietsync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiotViet Sync: from n/a through <= 1.8.5.
Missing Authorization vulnerability in WPWebinarSystem WebinarPress wp-webinarsystem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WebinarPress: from n/a through <= 1.33.28.
Missing Authorization vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0.
Missing Authorization vulnerability in WP Lab WP-Lister Lite for eBay wp-lister-for-ebay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-Lister Lite for eBay: from n/a through <= 3.8.3.
Missing authorization controls in the Open Close WooCommerce Store plugin (versions ≤4.9.9) allow authenticated low-privileged users to bypass access restrictions and perform unauthorized high-impact operations, potentially modifying store configuration or accessing sensitive data. With CVSS 8.1 (High severity) but only 0.03% EPSS (9th percentile), this represents a significant vulnerability for affected WordPress/WooCommerce sites, though no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. The authentication requirement (PR:L) substantially limits attack surface compared to unauthenticated vulnerabilities.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Jthemes xSmart xsmart allows Code Injection.This issue affects xSmart: from n/a through <= 1.2.9.4.
Cross-Site Request Forgery (CSRF) vulnerability in Clifton Griffin Simple Content Templates for Blog Posts & Pages simple-post-template allows Cross Site Request Forgery.This issue affects Simple Content Templates for Blog Posts & Pages: from n/a through <= 2.2.61.
Cross-Site Request Forgery (CSRF) vulnerability in Jory Hogeveen Off-Canvas Sidebars & Menus (Slidebars) off-canvas-sidebars allows Cross Site Request Forgery.This issue affects Off-Canvas Sidebars & Menus (Slidebars): from n/a through <= 0.5.8.5.
Cross-Site Request Forgery (CSRF) vulnerability in Premmerce Premmerce Brands for WooCommerce premmerce-woocommerce-brands allows Cross Site Request Forgery.This issue affects Premmerce Brands for WooCommerce: from n/a through <= 1.2.13.
Cross-Site Request Forgery (CSRF) vulnerability in raychat Raychat raychat allows Cross Site Request Forgery.This issue affects Raychat: from n/a through <= 2.2.1.
Cross-Site Request Forgery (CSRF) vulnerability in Waituk Entrada entrada allows Cross Site Request Forgery.This issue affects Entrada: from n/a through <= 5.7.7.
Code injection in Zytec Dalian Zhuoyun Technology Central Authentication Service up to version 20251009 allows authenticated remote attackers to inject arbitrary code via manipulation of the get.layer, get.widget, and get.action parameters in the /index.php/auth/widget endpoint. Public exploit code is available, but real-world exploitation risk is low given the low CVSS score (2.1), requirement for prior authentication, and extremely low EPSS score (0.04%), suggesting limited practical exploitability despite proof-of-concept availability.
CSV injection in Axosoft Scrum and Bug Tracking 22.1.1.11545 allows authenticated remote attackers to inject malicious CSV formulas via the Title argument on the Edit Ticket Page, potentially enabling formula execution or data exfiltration when exported. Public exploit code exists and the vendor has not responded to disclosure notifications despite early contact.
Improper authorization in TIME-SEA-PLUS PayController.java alipayIsSucceed function allows authenticated remote attackers to disclose sensitive information related to order status handling. The vulnerability affects versions up to commit fb299162f18498dd9cf17da906886d80a077d53b, with publicly available exploit code disclosed but low real-world exploitation probability (EPSS 0.03%). Attack requires valid user credentials and network access but does not enable privilege escalation or data modification.
Reflected cross-site scripting (XSS) in Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0 allows remote attackers to inject malicious scripts via the keywords parameter in the /i/359 endpoint. The vulnerability requires user interaction (clicking a malicious link) and results in limited integrity impact. Although exploit code has been publicly disclosed and the vendor did not respond to early disclosure, the EPSS score of 0.03% and low CVSS impact (2.1) suggest minimal real-world exploitation probability.
Reflected cross-site scripting (XSS) in Suishang Enterprise-Level B2B2C Multi-User Mall System 1.0 allows remote attackers to inject malicious scripts via the category_id parameter in the /Point/index/activity_state endpoint. The vulnerability requires user interaction (UI:P) to trigger and has low integrity impact, but publicly available exploit code exists. The vendor did not respond to disclosure notifications.
Cross-site scripting (XSS) vulnerability in abhicodebox ModernShop 20250922 allows remote attackers to inject malicious scripts via the 'q' parameter in the /search endpoint, requiring user interaction to execute. The vulnerability has a published exploit and low CVSS score (2.1) due to user interaction requirement, but affects the integrity of victim sessions with EPSS exploitation probability of 0.03% indicating minimal real-world exploitation likelihood.
SQL injection in shawon100 RUET OJ through the ID parameter of /details.php allows authenticated remote attackers to manipulate database queries with low confidentiality, integrity, and availability impact. The vulnerability affects commits up to 18fa45b0a669fa1098a0b8fc629cf6856369d9a5, with publicly available exploit code released. Despite moderate CVSS 2.1, the low EPSS score of 0.02% and requirement for prior authentication significantly limit real-world exploitation likelihood.
SQL injection in RUET OJ via the Name parameter in /contestproblem.php allows authenticated remote attackers to execute arbitrary SQL queries with limited impact on confidentiality and integrity. The vulnerability affects the rolling-release codebase up to commit 18fa45b0a669fa1098a0b8fc629cf6856369d9a5, requires valid login credentials to exploit, and carries a very low CVSS score (2.1) despite publicly available exploit code, indicating minimal real-world risk due to authentication barriers and constrained database access.
SQL injection in RUET OJ /description.php endpoint allows authenticated remote attackers to manipulate the ID parameter and inject arbitrary SQL commands, achieving limited confidentiality and integrity compromise. The vulnerability affects the rolling-release version up to commit 18fa45b0a669fa1098a0b8fc629cf6856369d9a5, with publicly available exploit code disclosed. Despite the public disclosure, the extremely low EPSS score (0.02%) and high authentication barrier suggest minimal real-world exploitation risk, though the unresponsive vendor posture leaves the codebase unpatched.
Path traversal vulnerability in OpenWGA 7.11.12 Build 737 TMLScript API WGA.File component allows high-privileged remote attackers to manipulate file paths and access unauthorized resources. The vulnerability has publicly available exploit code and an extremely low EPSS score (0.07%, percentile 22%), suggesting limited real-world exploitation despite network accessibility, likely due to the requirement for high-level authentication that restricts practical attack surface.
Unrestricted file upload vulnerability in Muzuro Ecommerce System and ashymuzuro Full-Ecommerce-Website up to version 1.1.0 allows remote authenticated high-privilege administrators to upload arbitrary files via the Add Product Page (/admin/index.php?add_product), with exploit code publicly disclosed. Despite low CVSS score (2.0) due to high privilege requirement, the vulnerability enables direct code execution risk in admin-controlled uploads and received no vendor response to disclosure.
Stored cross-site scripting (XSS) in OpenWGA 7.11.12 Build 737 Admin UI allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users who view the affected interface. Exploitation requires user interaction (clicking a crafted link or visiting a manipulated page), limiting real-world impact despite remote accessibility. Public exploit disclosure exists, but EPSS scoring (0.03%, 7th percentile) and low CVSS severity (2.0) indicate minimal active exploitation likelihood in real deployments.
Stored cross-site scripting (XSS) in Iqbolshoh php-business-website admin/contact.php allows authenticated attackers with user interaction to inject malicious scripts via the twitter parameter, affecting data integrity for other users. The vulnerability affects a rolling-release project up to commit 10677743a8dfc281f85291a27cf63a0bce043c24, has published exploit code available, but carries low real-world risk due to authentication requirement (PR:L), user interaction dependency (UI:P), and limited impact scope (VI:L only). EPSS exploitation probability is 0.03% (7th percentile), indicating minimal practical exploitation likelihood despite public POC availability.