Unauthenticated remote attackers can access sensitive information in linkPizza-Manager WordPress plugin through incorrectly configured access controls that fail to enforce proper authorization checks. The vulnerability affects linkPizza-Manager versions up to 5.5.5 and allows an unauthenticated attacker to obtain partial confidentiality impact with no modification or availability impact. No public exploit code has been identified at time of analysis.
Missing authorization in MWP Development Diet Calorie Calculator plugin through version 1.1.1 allows unauthenticated remote attackers to gain unauthorized read access to sensitive data via improperly configured access control. The vulnerability affects all versions from inception through 1.1.1, with a network attack vector and minimal complexity. Although the CVSS base score is 5.3 (moderate), real-world risk is substantially lower: EPSS exploitation probability is only 0.02% (fourth percentile), no public exploit code or active exploitation has been identified, and the vulnerability is limited to information disclosure without integrity or availability impact.
Unauthenticated remote attackers can bypass access control in DOTonPAPER Pinpoint Booking System versions up to 2.9.9.6.5 to view sensitive booking data due to missing authorization checks on API endpoints. The vulnerability allows information disclosure with low confidentiality impact, and while CVSS rates it 5.3 (medium), the 0.02% EPSS score indicates minimal real-world exploitation probability despite the straightforward network-based attack vector.
Remote unauthenticated attackers can bypass access controls in Shahjada Download Manager through version 3.3.52, gaining unauthorized read access to restricted download content due to missing authorization checks. The vulnerability affects all versions up to and including 3.3.52, with an EPSS exploitation probability of 0.02% (4th percentile) indicating minimal real-world risk despite the network-accessible attack vector. No public exploit code or active exploitation has been confirmed.
Webmuehle Court Reservation WordPress plugin versions up to 1.10.11 fail to properly validate user permissions, allowing unauthenticated remote attackers to modify court reservation data through incorrectly configured access control checks. The vulnerability enables integrity attacks against the reservation system despite missing confidentiality and availability impact. With EPSS score of 0.02% and no KEV confirmation, real-world exploitation risk is minimal, though the authentication bypass vector presents a foundational security gap.
Missing authorization in iZooto web push plugin versions 3.7.20 and earlier allows unauthenticated remote attackers to modify data through incorrectly configured access control, compromised integrity without requiring authentication or user interaction. CVSS 5.3 reflects the integrity impact; EPSS 0.02% indicates extremely low real-world exploitation probability despite the straightforward attack vector (AV:N, AC:L, PR:N).
Missing authorization in ShipTime: Discounted Shipping Rates WordPress plugin (versions ≤1.1.1) allows unauthenticated remote attackers to access sensitive shipping rate information and configuration via incorrectly configured access control, resulting in limited confidentiality compromise. CVSS 5.3 with 0.02% EPSS indicates low real-world exploitation probability despite network-accessible attack vector. CISA SSVC framework rates this as non-exploited with partial technical impact, suggesting this is a configuration weakness rather than an actively weaponized vulnerability.
NitroPack WordPress plugin through version 1.19.3 allows remote unauthenticated attackers to modify plugin settings via incorrectly configured access control checks, enabling unauthorized changes to website optimization and caching configurations. The vulnerability requires only network access and no user interaction, affecting default installations. Despite the CVSS 5.3 score indicating integrity impact, real-world exploitation risk is extremely low (EPSS 0.02%, 4th percentile), suggesting limited practical exploitability or narrow attack scope in production environments.
Book Previewer for WooCommerce plugin versions up to 1.0.6 fail to enforce authorization checks on sensitive functionality, allowing unauthenticated remote attackers to access restricted content with low-complexity exploitation. The vulnerability stems from missing access control validation, enabling attackers to bypass intended security boundaries without user interaction. While CVSS rates this as moderate (5.3), EPSS exploitation probability remains minimal at 0.02% percentile, and no public exploit code or active exploitation has been confirmed.
Leadrebel plugin version 1.0.2 and earlier allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, exposing confidential data without authorization. The vulnerability stems from missing authorization checks on functionality that should be restricted, enabling attackers to bypass authentication mechanisms and retrieve non-public information. While the CVSS score is moderate (5.3) and real-world exploitation probability is low (EPSS 0.02%), the issue represents a fundamental authentication bypass in access control logic.
TrueBooker appointment booking plugin through version 1.1.5 fails to enforce proper authorization controls, allowing unauthenticated remote attackers to modify sensitive data via incorrectly configured access control mechanisms. The vulnerability has a low CVSS score (5.3) reflecting limited direct impact, but represents a critical authentication bypass in a widely deployed WordPress plugin affecting booking system integrity.
Missing authorization in ProWCPlugins Product Price by Formula for WooCommerce plugin (versions up to 2.5.6) allows unauthenticated remote attackers to read sensitive configuration data through incorrectly configured access control. The vulnerability exposes limited information confidentiality without enabling modification or denial of service, and carries a low real-world exploitation probability (EPSS 0.02%) despite a moderate CVSS score.
Missing authorization in Automattic WP Job Manager through version 2.4.1 allows unauthenticated remote attackers to modify plugin data through incorrectly configured access control, enabling unauthorized changes to job listings and related content without proper privilege validation. The vulnerability has a low real-world exploitation probability (EPSS 0.02%) despite the network-accessible attack vector, suggesting limited practical exploitability in typical WordPress deployments.
Missing authorization in Ultimate Member WordPress plugin versions up to 2.11.3 allows unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured security levels. The vulnerability has a low CVSS score (5.3) with minimal real-world exploitation risk (EPSS 0.02%), though it enables confidentiality impact through access control circumvention.
Missing authorization in Coding Panda Panda Pods Repeater Field WordPress plugin versions up to 1.5.12 allows unauthenticated remote attackers to modify data via incorrectly configured access control, affecting confidentiality and integrity of plugin-managed content without requiring user interaction or elevated privileges.
Leadlovers Forms WordPress plugin versions 1.0.2 and earlier allow unauthenticated remote attackers to bypass access controls and read sensitive information through incorrectly configured authorization checks. The vulnerability exposes confidential data without requiring authentication or user interaction, affecting the forms plugin deployed across WordPress installations. While the EPSS score of 0.02% suggests minimal exploitation probability, the unauthenticated attack vector and lack of user interaction make this a straightforward access control flaw that could enable information disclosure.
Razorpay for WooCommerce plugin versions 4.8.2 and earlier allow unauthenticated attackers to bypass access controls through incorrectly configured authorization checks, enabling unauthorized modification of payment-related data. This missing authorization vulnerability affects all WooCommerce sites running the affected plugin and could allow attackers to manipulate sensitive payment information without authentication. The low EPSS score (0.02%, 4th percentile) and absence of active exploitation indicators suggest limited real-world attack activity despite the accessibility of the vulnerability vector (network, no authentication required).
Missing authorization in iGMS Direct Booking WordPress plugin versions 1.3 and earlier allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, affecting confidentiality but not integrity or availability. The vulnerability carries a CVSS score of 5.3 with network-based remote access and no authentication required, though EPSS exploitation probability is very low at 0.02% percentile, suggesting minimal real-world threat despite the authorization flaw.
Missing authorization in Unitech Web UnitechPay WordPress plugin through version 1.0.2 permits unauthenticated remote attackers to read sensitive information via incorrectly configured access controls, exposing data confidentiality without enabling modification or service disruption. The vulnerability carries a CVSS score of 5.3 with near-zero measured exploitation probability (EPSS 0.02%), indicating low real-world risk despite network-accessible attack surface.
Royale News WordPress theme through version 2.2.4 allows unauthenticated remote attackers to modify content via incorrectly configured access control, enabling unauthorized data integrity compromise despite the lack of direct confidentiality impact. EPSS probability remains low at 0.02% percentile, suggesting limited real-world exploitation likelihood despite the network-accessible vector. Patch status indicates remediation is available through the vendor advisory.
Missing authorization in themebeez Cream Blog WordPress theme versions up to 2.1.7 allows unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured access control security levels. With a CVSS score of 5.3 and EPSS exploitation probability of 0.02% (4th percentile), this represents a low real-world exploitation risk despite the network-accessible attack vector. No public exploit code or active exploitation has been confirmed at the time of analysis.
Missing authorization in Roxnor Wp Ultimate Review plugin versions up to 2.3.8 allows unauthenticated remote attackers to access restricted functionality through incorrectly configured access control security levels, resulting in limited information disclosure. The vulnerability carries a low EPSS exploitation probability (0.02%, 4th percentile) and has not been confirmed as actively exploited, though the simple attack vector (network-accessible, no complexity, no authentication required) means opportunistic exploitation is feasible.
Improper access control in Payment Plugins for PayPal WooCommerce up to version 2.0.13 permits remote unauthenticated attackers to modify sensitive data through incorrectly configured authorization checks. The vulnerability (CVSS 5.3) allows integrity violations in payment-related operations via network requests without authentication or user interaction. With an EPSS score of 0.02%, exploitation likelihood remains minimal in measured threat activity, though the CWE-862 (missing authorization) classification indicates a fundamental security control failure in the plugin's privilege validation.
SpabRice Mogi theme versions through 1.2.3 fail to properly enforce authorization controls, allowing unauthenticated remote attackers to access restricted functionality due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 with low confidentiality impact but no integrity or availability impact. EPSS exploitation probability is minimal at 0.02%, and no public exploit code or active exploitation has been identified.
Incorrectly configured access control in kutethemes Biolife WordPress theme version 3.2.3 and earlier allows unauthenticated remote attackers to bypass authorization checks and modify content via arbitrary shortcode execution. The vulnerability requires no authentication and can be exploited over the network with low complexity, affecting the integrity of web content served to visitors. EPSS score of 0.02% indicates minimal real-world exploitation probability despite network-accessible attack vector.
Missing authorization controls in acmethemes Education Base WordPress theme (versions through 3.0.8) allow unauthenticated remote attackers to modify content via incorrectly configured access control checks. The vulnerability affects the theme's access control security levels, enabling attackers to bypass authentication mechanisms and alter data on vulnerable installations. With an EPSS score of 0.02% and no confirmed active exploitation, the real-world risk remains low despite the network-accessible attack vector.
Authorization bypass in dFactory Download Attachments WordPress plugin versions up to 1.4.0 allows unauthenticated remote attackers to modify file access controls through user-controlled keys, enabling unauthorized file access or manipulation. The vulnerability exploits incorrectly configured access control security levels via an insecure direct object reference (IDOR) mechanism. With EPSS score of 0.02% and no confirmed active exploitation, this poses minimal immediate risk despite network-accessible attack surface.
Incorrectly configured access control in kutethemes KuteShop theme versions up to 4.2.9 allows unauthenticated remote attackers to modify data via missing authorization checks on sensitive operations. The vulnerability enables exploitation of insufficient access control mechanisms without authentication, though with limited impact confined to data integrity rather than confidentiality or availability.
Missing authorization in WpXmas-Snow WordPress plugin up to version 1.1 allows unauthenticated remote attackers to modify plugin content through incorrectly configured access control, resulting in unauthorized data integrity violations without requiring authentication or user interaction.
Wava Payment plugin for WordPress versions 0.3.7 and earlier allows unauthenticated remote attackers to access sensitive information through missing authorization controls on API endpoints. The vulnerability enables attackers to read confidential data by exploiting improperly configured access control levels without requiring authentication or user interaction. EPSS exploitation probability is minimal at 0.02%, but the ability to leak information without authentication warrants attention for WordPress sites using this payment plugin.
Missing authorization in iPOSpays Gateways WC WordPress plugin versions up to 1.3.7 allows unauthenticated remote attackers to modify sensitive data due to incorrectly configured access control, resulting in integrity compromise without authentication or user interaction. Exploitation requires only network access and is low-complexity, though current real-world exploitation likelihood remains minimal (EPSS 0.02%).
Missing authorization in Foysal Imran BizReview WordPress plugin versions up to 1.5.13 allows unauthenticated remote attackers to modify data via incorrectly configured access control, bypassing intended permission restrictions. The CVSS score of 5.3 reflects low integrity impact with no confidentiality or availability compromise. EPSS probability is extremely low at 0.02%, and no public exploit code or active exploitation has been identified, suggesting this is a configuration-level authorization flaw rather than a critical remote code execution vulnerability.
Missing authorization in Obadiah Super Custom Login WordPress plugin versions 1.1 and earlier allows unauthenticated remote attackers to bypass access controls and gain limited information disclosure. The vulnerability stems from incorrectly configured access control security levels that fail to enforce proper authorization checks, enabling attackers to exploit weak authentication mechanisms without requiring valid credentials or user interaction.
Missing authorization in Rustaurius Order Tracking plugin versions 3.4.3 and below allows unauthenticated remote attackers to modify order data through incorrectly configured access control, enabling unauthorized changes to order information without proper privilege validation. With an EPSS score of 0.02% and no confirmed active exploitation, real-world risk is currently low despite the moderate CVSS score of 5.3.
NM Gift Registry and Wishlist Lite WordPress plugin versions up to 5.13 allows unauthenticated remote attackers to modify data through missing authorization checks on access control settings. The vulnerability stems from incorrectly configured authorization levels that fail to validate user permissions before processing requests, enabling attackers to bypass authentication mechanisms and alter registry or wishlist information without proper credentials. EPSS score of 0.02% indicates minimal real-world exploitation probability despite the low attack complexity.
Missing authorization in Arraytics Booktics WordPress plugin through version 1.0.16 allows unauthenticated remote attackers to modify application data via incorrectly configured access control security levels. The vulnerability has a low EPSS score (0.02%, percentile 4) despite the network-accessible attack vector, suggesting limited real-world exploitation likelihood. No public exploit code or active CISA KEV status has been identified.
Missing authorization in ILLID Share This Image WordPress plugin through version 2.12 allows unauthenticated remote attackers to access restricted functionality due to incorrectly configured access control, resulting in low-impact information disclosure. The vulnerability carries a moderate CVSS score of 5.3 but very low real-world exploitation probability (EPSS 0.02%, percentile 4%), suggesting this is a configuration or design flaw with limited practical impact rather than a critical security issue.
BoldGrid Client Invoicing by Sprout Invoices versions 20.8.10 and earlier fails to enforce authorization controls, allowing unauthenticated remote attackers to modify data through incorrectly configured access control. The vulnerability affects WordPress installations running the vulnerable plugin and has an EPSS score of 0.02% (4th percentile), indicating very low exploitation likelihood despite the network-accessible attack surface. No public exploit code or active exploitation has been documented.
Missing authorization in WP Chill Revive.so plugin versions up to 2.0.7 allows unauthenticated remote attackers to bypass access controls and read sensitive information via incorrectly configured access control security levels. The vulnerability has an EPSS score of 0.02% (4th percentile), indicating minimal real-world exploitation probability despite the moderate CVSS 5.3 score. No public exploit code or active exploitation has been confirmed.
Missing authorization in Themefic Tourfic WordPress plugin versions up to 2.21.4 allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability exposes data confidentiality without enabling modification or denial of service, affecting WordPress sites running the vulnerable plugin. Despite a moderate CVSS score of 5.3, the extremely low EPSS score of 0.02% indicates minimal real-world exploitation probability.
Missing authorization in the fullworks Display Eventbrite Events WordPress plugin through version 6.5.6 allows unauthenticated remote attackers to modify plugin data via incorrectly configured access control mechanisms. The vulnerability enables integrity attacks (CWE-862: Missing Authorization) without requiring authentication or user interaction, affecting the plugin's REST API or admin functions. EPSS score of 0.02% indicates extremely low real-world exploitation probability despite the network-accessible attack vector.
Missing authorization in WP Delicious WordPress plugin versions up to 1.9.5 enables unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured access restrictions. The vulnerability allows unauthorized information disclosure with low CVSS impact (5.3) but affects a widely deployed WordPress plugin; exploitation likelihood is minimal (EPSS 0.02%, percentile 4%) and no public exploit code has been identified.
Missing authorization in weDevs weDocs WordPress plugin through version 2.1.18 allows unauthenticated remote attackers to modify content by exploiting incorrectly configured access control security levels. The vulnerability enables unauthorized modification of protected documents via a network request without authentication, though with limited information disclosure impact. EPSS score of 0.02% indicates minimal real-world exploitation probability despite the moderate CVSS rating.
Broken access control in wpWax Directorist WordPress plugin versions up to 8.5.10 allows unauthenticated remote attackers to modify data through incorrectly configured authorization checks. The vulnerability exploits missing permission validation on plugin functionality, enabling unauthorized state changes without authentication or user interaction. With EPSS at 0.02% and no public exploit code identified, real-world risk remains low despite network-accessible exploitation.
Missing authorization in Craig Hewitt Seriously Simple Podcasting plugin allows unauthenticated attackers to read sensitive podcast information through incorrectly configured access controls. The vulnerability affects versions 3.14.2 and earlier of the WordPress plugin. CVSS 5.3 with 0.02% EPSS score indicates limited real-world exploitation likelihood despite the network-accessible attack vector. No public exploit code or active CISA KEV listing confirms this as a lower-priority authorization disclosure issue.
Missing authorization in RealMag777 FOX woocommerce-currency-switcher plugin for WordPress allows unauthenticated remote attackers to bypass access controls and gain read access to sensitive data through incorrectly configured security levels. The vulnerability affects FOX versions up to and including 1.4.5, with a CVSS score of 5.3 and extremely low exploitation probability (EPSS 0.02%), suggesting limited real-world attack incentive despite the missing authorization flaw.
Ado::Sessions through version 0.935 for Perl generates cryptographically weak session identifiers by seeding SHA-1 with the built-in rand function, system time, and process ID, allowing attackers to predict valid session IDs and hijack user sessions. The vulnerability affects unmaintained code no longer available on CPAN, though it remains on BackPAN. EPSS exploitation probability is minimal at 0.02%, and no public exploit code has been identified, but the automatable nature of session prediction and partial technical impact warrant assessment for legacy deployments.
Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03 for Perl generate cryptographically weak session IDs when /dev/urandom is unavailable, falling back to SHA-1 hashing seeded with predictable values (system PID, epoch time, and the unseeded rand() function). This allows attackers to forge valid session identifiers and potentially conduct session hijacking or CSRF attacks. The module is deprecated by its author, and CISA has not confirmed active exploitation; however, the automatable nature of the attack (as per SSVC) combined with the availability of fix version 7.04 indicates moderate practical risk despite the low EPSS score of 0.02%.
OpenTelemetry Go OTLP HTTP exporters allow memory exhaustion when sending telemetry to attacker-controlled or network-intercepted collector endpoints. The trace, metric, and log exporters read unbounded HTTP response bodies into in-memory buffers without size limits, enabling an attacker to force large transient heap allocations and crash the instrumented process via out-of-memory conditions. Attack requires network control of the collector endpoint or man-in-the-middle position (CVSS 5.3, CVSS:3.1/AV:A/AC:H). Upstream fix available (PR #8108); no active exploitation confirmed.
Reflected cross-site scripting in Sonatype Nexus Repository 3.0.0 through 3.90.2 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a specially crafted URL, requiring user interaction to trigger the attack. With a CVSS 4.0 score of 5.1 and limited technical impact (session integrity only), this vulnerability poses a moderate risk to organizations using affected versions; no public exploit code or active exploitation has been identified.