WebGeniusLab BigHearts contains a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to modify data due to incorrectly configured access control security levels. All versions of BigHearts through 3.1.14 are affected, enabling an attacker to bypass authorization checks and perform unauthorized data modification without requiring authentication or user interaction. With a CVSS score of 5.3 and network-accessible attack surface, this vulnerability poses a moderate integrity risk requiring prompt patching.
Improper access control in VW School Education through version 1.4.6 allows unauthenticated remote attackers to modify data by exploiting misconfigured security levels. The vulnerability enables integrity compromise without requiring authentication or user interaction, affecting educational institutions using affected versions.
Improper access control in VW Portfolio up to version 1.3.3 enables unauthenticated attackers to modify data through incorrectly configured security levels. The vulnerability allows integrity compromise without requiring authentication or user interaction, affecting all instances of the affected software versions. No patch is currently available.
Improper access control in VW Photography through version 1.3.8 permits unauthenticated attackers to modify application data due to missing authorization checks on sensitive functions. An attacker can exploit this vulnerability over the network without user interaction to alter content or settings, though confidentiality and availability are not impacted. No patch is currently available for this vulnerability.
VW Pet Shop through version 1.4.7 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data due to improperly configured access controls. An attacker can exploit this to alter information within the application without requiring authentication or user interaction. Currently, no patch is available for this vulnerability.
VW Fitness through version 4.3.4 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. An attacker can exploit this to perform unauthorized actions without requiring authentication or user interaction. No patch is currently available for affected installations.
WP Time Slots Booking Form through version 1.2.42 contains a missing authorization vulnerability that allows unauthenticated attackers to modify booking data through improperly configured access controls. An attacker can exploit this to alter time slot reservations and other critical booking information without authentication. No patch is currently available for this vulnerability.
Popup Like Box versions 3.7.7 and earlier contain an authorization bypass vulnerability that allows unauthenticated attackers to modify content through improperly configured access controls. The vulnerability affects the ays-facebook-popup-likebox plugin and requires no user interaction to exploit. While no patch is currently available, the impact is limited to integrity violations without affecting confidentiality or availability.
VW Education Lite versions 2.2.0 and earlier contain a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to modify data through incorrectly configured access control security levels. An attacker with network access can exploit this vulnerability without requiring authentication or user interaction to perform unauthorized modifications, resulting in integrity compromise but not confidentiality or availability impact. The CVSS 5.3 medium score reflects the network-accessible nature and lack of authentication requirements, though the integrity-only impact limits the overall severity.
Payment Gateway Pix For GiveWP versions 2.2.3 and earlier contain a missing authorization vulnerability that allows unauthenticated remote attackers to modify data through improper access control. An attacker can exploit this flaw to manipulate payment gateway functionality without proper authentication or user interaction. No patch is currently available for this vulnerability affecting GiveWP payment processing installations.
Post Timeline versions 2.4.1 and earlier contain a missing authorization flaw that allows unauthenticated remote attackers to modify data by exploiting improperly configured access controls. The vulnerability enables integrity compromise without requiring user interaction or special privileges. No patch is currently available for this issue.
Permalink Manager Lite versions prior to 2.5.3 lack proper authorization controls, allowing unauthenticated remote attackers to modify content through incorrectly configured access restrictions. This missing authorization check enables attackers to alter data without authentication, affecting the integrity of managed permalinks. No patch is currently available for this vulnerability.
The WBW Currency Switcher for WooCommerce plugin through version 2.2.5 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify plugin settings and configurations without proper access controls. This vulnerability affects WordPress sites running the vulnerable plugin versions and could enable attackers to alter currency settings or manipulate store functionality. No patch is currently available for this vulnerability.
Forminator through version 1.50.2 contains an authorization bypass that allows unauthenticated attackers to modify data through incorrectly configured access controls. The vulnerability affects WordPress sites using the WPMU DEV Forminator plugin and requires no user interaction to exploit. No patch is currently available for this issue.
Studio99 WP Monitor versions through 1.0.3 contain a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to modify data or settings due to incorrectly configured access controls. The vulnerability has a CVSS score of 5.3 with a network attack vector requiring no privileges or user interaction, enabling integrity compromise without authentication. There is no indication of active exploitation in the wild or public proof-of-concept code at this time, though the low attack complexity and network accessibility make this a moderate priority for WordPress site administrators running this monitoring plugin.
Image Slider By Ays versions 2.7.1 and earlier contain a missing authorization flaw that allows unauthenticated remote attackers to modify content through improper access control validation. The vulnerability affects the plugin's core functionality and could enable unauthorized changes to website content without proper authentication checks. No patch is currently available.
YMC Filter & Grids through version 3.5.1 contains an authorization bypass that allows unauthenticated remote attackers to modify data due to improperly configured access controls. The vulnerability affects the smart-filter component and could enable unauthorized alterations to filtered content or grid configurations without requiring user interaction or privileges.
RadiusTheme Team versions up to 5.0.13 contain an access control misconfiguration that allows unauthenticated remote attackers to modify data through improper authorization checks. The vulnerability enables integrity compromise without requiring authentication or user interaction, affecting all installations running the affected version range. No patch is currently available.
A Missing Authorization vulnerability (CWE-862) exists in Xpro Addons For Beaver Builder - Lite versions up to 1.5.6, allowing unauthenticated attackers to exploit incorrectly configured access control mechanisms and perform unauthorized modifications. The vulnerability has a CVSS score of 5.3 with a network attack vector requiring no privileges or user interaction, indicating an integrity impact without confidentiality or availability compromise. While the CVSS is moderate, the lack of authentication requirement and network accessibility make this a meaningful risk for WordPress sites using this plugin.
Checkout for PayPal versions up to 1.0.46 contain an authorization bypass vulnerability allowing unauthenticated attackers to modify checkout data due to improper access control enforcement. An attacker can exploit this over the network without user interaction to tamper with payment transactions. Currently no patch is available for this vulnerability.
Ridhi through version 1.1.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to modify data due to improper access control configuration. An attacker can exploit this flaw without authentication or user interaction to alter information in affected installations. No patch is currently available for this vulnerability.
Improperly configured access controls in raratheme Digital Download through version 1.1.4 enable unauthenticated attackers to modify content without authorization. This missing authorization vulnerability allows remote attackers to alter data integrity in affected installations. No patch is currently available for this vulnerability.
Improper access control in raratheme App Landing Page version 1.2.2 and earlier permits unauthenticated attackers to modify application data through exploitation of inadequately configured security levels. This network-accessible vulnerability requires no user interaction and could allow attackers to alter critical application content without authorization. No patch is currently available for affected installations.
Numinous theme versions up to 1.3.0 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability affects the theme's security implementation and could enable unauthorized changes to application data without authentication. No patch is currently available for this issue.
Rara Academic theme versions up to 1.2.2 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify content due to improper access control configuration. The vulnerability enables unauthorized data manipulation without requiring authentication or user interaction. No patch is currently available for affected installations.
Improper access control in raratheme Book Landing Page through version 1.2.7 permits unauthenticated attackers to modify content or data without proper authorization checks. The vulnerability stems from missing authentication validation on protected operations, allowing remote exploitation without user interaction. No patch is currently available.
Pranayama Yoga version 1.2.2 and earlier contains a missing authorization flaw that allows unauthenticated remote attackers to modify application data by exploiting improper access control configurations. The vulnerability has no available patch and could enable unauthorized changes to yoga class information or user content without authentication. With a CVSS score of 5.3, this affects any Pranayama Yoga installation using the vulnerable versions.
Improper access control in Kalon through version 1.2.9 enables unauthenticated remote attackers to modify data or configurations by exploiting misconfigured authorization checks. The vulnerability carries medium severity with a CVSS score of 5.3 and currently has no available patch.
Travel Diaries through version 1.2.4 contains an authorization bypass that allows unauthenticated attackers to modify application data due to improperly configured access controls. The vulnerability affects all installations of the plugin and requires no user interaction to exploit, enabling attackers to alter sensitive travel diary information without proper authentication.
Improper access control in The Minimal WordPress theme versions up to 1.2.9 enables unauthenticated remote attackers to modify content or settings through incorrectly configured authorization checks. The vulnerability carries a medium severity rating with no available patch at this time.
Elegant Pink theme versions up to 1.3.3 contain an access control flaw that allows unauthenticated remote attackers to modify data through incorrectly configured authorization checks. The vulnerability enables integrity compromise without requiring authentication, though no patch is currently available.
Improper access control in raratheme Influencer through version 1.1.7 allows unauthenticated remote attackers to modify data or resources due to incorrectly configured authorization checks. The vulnerability requires no user interaction and can be exploited over the network, though no patch is currently available.
WPLifeCycle versions 3.3.1 and earlier contain an authorization bypass that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability affects the free PHP version and could enable unauthorized changes to application data without requiring authentication or user interaction. A patch is not currently available for this issue.
Insufficient access control in WP Sessions Time Monitoring Full Automatic version 1.1.3 and earlier permits unauthenticated attackers to modify data through improperly configured authorization checks. This vulnerability affects WordPress site administrators and users relying on the plugin to properly restrict access to session monitoring features. An attacker could exploit this to alter activity logs or session data without proper authentication.
Improper access control in Chocolate House through version 1.1.5 allows unauthenticated remote attackers to modify data by bypassing authorization checks. The vulnerability affects all versions up to 1.1.5, and no patch is currently available. An attacker could exploit misconfigured security levels to gain unauthorized write access without authentication.
MAS Videos through version 1.3.2 contains an authorization bypass that allows unauthenticated attackers to modify data due to improper access control validation. An attacker can exploit this vulnerability over the network without user interaction to manipulate protected resources. No patch is currently available for this vulnerability.
The raratheme Restaurant and Cafe plugin through version 1.2.5 contains an authorization bypass vulnerability that allows unauthenticated attackers to modify data through improperly configured access controls. An attacker can exploit this flaw to perform unauthorized actions without authentication or user interaction. No patch is currently available for this vulnerability.
Improper access control in raratheme Travel Agency versions up to 1.5.5 permits unauthenticated attackers to modify data through misconfigured authorization checks. This vulnerability allows unauthorized changes to travel agency information without requiring authentication or user interaction, potentially compromising business operations and data integrity.
Perfect Portfolio version 1.2.4 and earlier contains a missing authorization control that allows unauthenticated attackers to modify content through improperly configured access restrictions. An attacker can exploit this vulnerability to alter data integrity without requiring authentication or user interaction. No patch is currently available for this vulnerability.
Benevolent theme versions through 1.3.9 contain an authorization bypass that allows unauthenticated remote attackers to modify data due to improperly configured access controls. The vulnerability affects the CMS's ability to enforce proper permission checks, enabling unauthorized content manipulation without authentication. No patch is currently available for this medium-severity issue.
Business One Page up to version 1.3.2 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data due to improperly configured access controls. An attacker can exploit this weakness to alter sensitive information without requiring valid credentials or user interaction. No patch is currently available for this vulnerability.
Bakes And Cakes plugin versions up to 1.2.9 contain an authorization bypass vulnerability that allows unauthenticated attackers to modify data due to improper access control configuration. An attacker could exploit this over the network without authentication to perform unauthorized state changes. No patch is currently available for this vulnerability.
The Construction Landing Page plugin through version 1.4.1 contains a missing authorization vulnerability that allows unauthenticated attackers to modify data through improperly configured access controls. An attacker can exploit this flaw to perform unauthorized changes to the application without authentication or user interaction. No patch is currently available for this vulnerability.
Improperly configured access controls in the Preschool and Kindergarten plugin (versions up to 1.2.5) allow unauthenticated attackers to modify content or settings without proper authorization. This missing authorization vulnerability affects websites using the vulnerable plugin and could enable unauthorized data tampering. No security patch is currently available for this vulnerability.
Rara Business WordPress theme version 1.3.0 and earlier contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability requires no user interaction and can be exploited over the network, though no patch is currently available. Affected installations should implement additional access control measures or upgrade when patches become available.
Incorrect access control in The Conference WordPress theme versions up to 1.2.5 allows unauthenticated remote attackers to modify content by exploiting misconfigured authorization checks. An attacker can leverage this vulnerability to alter data without proper authentication, impacting the integrity of the affected website.
JobScout versions 1.1.7 and earlier contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability enables attackers to perform unauthorized actions without proper authentication or user interaction. No patch is currently available for this vulnerability.
Easy Form versions 2.7.9 and earlier are vulnerable to missing authorization controls that allow unauthenticated attackers to modify data through incorrectly configured access restrictions. An attacker can exploit this vulnerability remotely without authentication to perform unauthorized data manipulation operations. No patch is currently available for this vulnerability.
Advanced Related Posts plugin through version 1.9.1 contains insufficient authorization controls that allow unauthenticated remote attackers to modify plugin settings and data. The vulnerability stems from improperly configured access restrictions in the plugin's functionality, enabling attackers to alter post relationships without proper authentication or permission validation.
Latest Post Shortcode plugin through version 14.2.1 contains an authorization bypass that allows unauthenticated attackers to modify content through improperly configured access controls. The vulnerability affects websites running the vulnerable plugin versions and could enable unauthorized data manipulation without requiring user interaction or authentication. No patch is currently available for this issue.