Missing authorization in the AI Content Writing Assistant WordPress plugin (versions up to 1.1.7) allows unauthenticated or low-privileged users to access restricted functionality through incorrectly configured access controls. The vulnerability exploits broken access control logic (CWE-862) that fails to properly validate user permissions before granting access to sensitive operations. While EPSS scoring indicates low exploitation probability (0.04th percentile), the authentication bypass nature of the flaw creates a direct pathway for unauthorized feature access.
Missing authorization controls in themesawesome History Timeline WordPress plugin versions through 1.0.6 permit exploitation of incorrectly configured access control, allowing unauthenticated or low-privileged users to bypass security restrictions and access protected functionality. The vulnerability stems from improper enforcement of access control checks (CWE-862), classified as a broken access control flaw. No public exploit code or active exploitation has been confirmed, though the low EPSS score (0.04%) suggests limited practical exploitation likelihood in real-world deployments.
Broken access control in Strategy11 Team Tasty Recipes Lite WordPress plugin through version 1.1.5 allows unauthenticated attackers to exploit incorrectly configured security levels to access or modify protected functionality. The vulnerability stems from missing authorization checks that fail to properly validate user permissions before exposing sensitive operations. EPSS exploitation probability is low at 0.04%, and no public exploit code or confirmed active exploitation has been identified.
Missing authorization controls in WordPress Accordion Slider Gallery plugin version 2.7 and earlier allow unauthenticated or low-privileged users to bypass access restrictions and exploit misconfigured security levels. The vulnerability stems from improper access control validation (CWE-862) that fails to enforce authentication checks on sensitive plugin functions, potentially enabling unauthorized users to access restricted functionality or administrative features.
Missing authorization in Sticky Notes for WP Dashboard plugin (versions up to 1.2.4) allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability stems from improper enforcement of authorization checks (CWE-862), potentially enabling unauthorized users to access or manipulate sticky notes functionality. With an EPSS score of 0.04% (11th percentile), this represents a low real-world exploitation probability despite the authorization flaw, suggesting either limited attack surface or constrained practical utility.
Orders Chat for WooCommerce plugin versions up to 1.2.0 fail to properly enforce access controls on chat functionality, allowing attackers to bypass authentication checks and access or manipulate order chat data through incorrectly configured security levels. This broken access control vulnerability (CWE-862) affects WordPress installations using the vulnerable plugin, with no public exploit code identified but confirmed exploitability of authorization bypass mechanics. EPSS probability is low at 0.04%, suggesting limited real-world exploitation likelihood despite the authorization flaw.
Cross-site request forgery (CSRF) in the Post Snippets WordPress plugin through version 4.0.11 allows unauthenticated attackers to perform unauthorized administrative actions on vulnerable sites by tricking authenticated administrators into visiting malicious web pages. The vulnerability affects all versions up to and including 4.0.11, though no CVSS vector or EPSS exploitation probability above baseline has been assigned, suggesting limited real-world exploit infrastructure exists at this time.
Cross-Site Request Forgery (CSRF) vulnerability in Gmedia Photo Gallery WordPress plugin through version 1.25.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An unauthenticated remote attacker can craft malicious web pages or emails that, when visited by a logged-in admin or user, execute unwanted operations such as modifying gallery settings, uploading images, or changing plugin configuration. The vulnerability has an extremely low exploitation probability (EPSS 0.02%, 5th percentile) but represents a class of attacks that can bypass user intent entirely when user awareness is low.
Cross-site request forgery (CSRF) in the Robots.txt Rewrite WordPress plugin (versions up to 1.6.1) allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. The vulnerability affects the plugin's administrative functions and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or active exploitation reported at time of analysis.
FormFacade WordPress plugin version 1.4.1 and earlier contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability requires user interaction (clicking a malicious link) but can lead to modification of plugin settings or data depending on affected functionality. EPSS exploitation probability is low at 0.02%, and no public exploit code or active exploitation has been identified.
Cross-site request forgery (CSRF) in MERGADO Mergado Pack WordPress plugin through version 4.2.1 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, such as modifying plugin settings or triggering unintended functionality, by tricking them into visiting a malicious webpage. No public exploit code or active exploitation has been reported; EPSS score of 0.02% reflects very low real-world exploitation likelihood.
Cross-Site Request Forgery (CSRF) vulnerability in iNext Woo Pincode Checker WordPress plugin versions up to 2.3.1 allows unauthenticated attackers to perform unauthorized actions on behalf of site administrators or users. The plugin fails to implement proper nonce validation on sensitive operations, enabling an attacker to craft malicious web pages that, when visited by an authenticated user, execute unintended requests against the vulnerable plugin. This is a low-severity finding with an EPSS score of 0.02% (5th percentile), indicating minimal real-world exploitation probability despite the theoretical attack surface.
Cross-Site Request Forgery (CSRF) vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin version 2.2.0 and earlier allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users through forged requests. The vulnerability affects the WordPress plugin used to enable live shopping and shoppable video streams in WooCommerce stores. No public exploit code has been identified, and the EPSS score of 0.02% indicates low exploitation probability despite the CSRF attack vector.
Cross-site request forgery vulnerability in Appointify WordPress plugin versions up to 1.0.8 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects a WordPress plugin used for appointment scheduling, enabling attackers to manipulate plugin functionality without explicit user consent. With an EPSS score of 0.02% (5th percentile), exploitation likelihood is minimal despite the technical severity classification.
Missing authorization in the Alexander AnyComment WordPress plugin through version 0.3.6 allows unauthenticated attackers to exploit incorrectly configured access control security levels, resulting in unauthorized access to protected functionality. The vulnerability stems from broken access control mechanisms (CWE-862) rather than authentication bypass, meaning authenticated sessions may also be affected depending on their privilege level. With an EPSS score of 0.02% and no reported active exploitation, this represents a low-probability real-world risk despite the critical nature of access control flaws.
WP Messiah BoomDevs WordPress Coming Soon plugin through version 1.0.4 exposes sensitive system information to unauthorized access, allowing attackers to retrieve embedded sensitive data without authentication. The vulnerability stems from improper access controls on sensitive data endpoints, classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). With an EPSS score of 0.01% (2nd percentile), exploitation likelihood is minimal despite the information disclosure nature of the defect.
Direct Payments WP WordPress plugin through version 1.3.2 exposes embedded sensitive system information to unauthorized parties via CWE-497 exposure mechanisms, allowing attackers to retrieve confidential data without requiring authentication. The vulnerability affects all versions up to and including 1.3.2, with an EPSS score of 0.01% indicating minimal observed exploitation probability despite the information disclosure nature of the flaw.
Missing authorization in Northern Beaches Websites WP Custom Admin Interface plugin (versions up to 7.40) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized administrative access or performing privileged actions without proper authentication. The vulnerability affects WordPress installations using this plugin and carries a very low EPSS score (0.01%, 2nd percentile) despite the authorization flaw, suggesting limited real-world exploitation likelihood in practice.
Hide Plugins WordPress plugin through version 1.0.4 fails to enforce proper authorization checks, allowing unauthenticated or low-privileged users to access plugin management functions intended for administrators. The missing access control (CWE-862) permits attackers to exploit incorrectly configured security levels, potentially enabling unauthorized plugin visibility or manipulation. While EPSS indicates low real-world exploitation probability (0.01%, 2nd percentile), the vulnerability represents a direct authorization bypass that could escalate privileges in certain WordPress configurations.
The Signature Add-On for Gravity Forms plugin (version 1.8.6 and earlier) contains a missing authorization vulnerability that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of authorization checks, enabling unauthorized users to access protected functionality or data that should be restricted based on user roles and permissions. This authentication bypass affects WordPress installations using the vulnerable plugin versions and is tracked as CWE-862 (Missing Authorization).
Missing authorization in the Easy Upload Files During Checkout WordPress plugin through version 3.0.0 allows unauthenticated attackers to exploit incorrectly configured access controls to bypass security restrictions and upload files. The vulnerability, classified as a broken access control flaw (CWE-862), affects the plugin's core file upload functionality during checkout operations. While EPSS scoring indicates very low exploitation probability (0.01%, 2nd percentile), the absence of CVSS data and patch version information limits quantification of attack complexity and remediation specificity.
Authorization bypass in Order Cancellation & Returns for WooCommerce plugin (versions ≤1.1.11) allows unauthenticated or low-privileged users to access and manipulate order cancellation and return functionality through user-controlled parameters. The vulnerability stems from improper access control checks that fail to validate user permissions against the requested resource, enabling attackers to operate on orders belonging to other customers without proper authorization. EPSS score of 0.01% indicates low observed exploitation likelihood despite the straightforward attack vector.
Missing authorization in the Direct Payments WP WordPress plugin version 1.3.2 and earlier allows attackers to bypass access control mechanisms and exploit incorrectly configured security levels, potentially gaining unauthorized access to payment functionality. This authentication bypass vulnerability affects all users of the plugin up to version 1.3.2, with an EPSS score of 0.01% indicating very low real-world exploitation probability despite the missing CVSS rating.
Cross-Site Request Forgery (CSRF) vulnerability in inkthemes WP Gmail SMTP plugin through version 1.0.7 allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the WordPress plugin across all versions up to and including 1.0.7, enabling attackers to potentially modify email configuration settings or other administrative functions via crafted web requests. No public exploit code has been identified at the time of analysis, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the theoretical attack surface.
Cross-site request forgery (CSRF) in the Co-marquage service-public.fr WordPress plugin up to version 0.5.77 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability lacks a CVSS score and shows minimal exploitation probability (0.01% EPSS), with no public exploit code or active exploitation indicators identified.
Cross-site request forgery (CSRF) in Pardakht Delkhah WordPress plugin through version 3.0.0 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by tricking them into visiting malicious pages. The vulnerability affects all versions up to and including 3.0.0, though no CVSS score or public exploit code has been published. This represents a low-probability exploitation risk (EPSS 0.01%) despite the attack vector being network-accessible, likely due to the social engineering requirement inherent to CSRF attacks.