Leadlovers Forms WordPress plugin versions 1.0.2 and earlier allow unauthenticated remote attackers to bypass access controls and read sensitive information through incorrectly configured authorization checks. The vulnerability exposes confidential data without requiring authentication or user interaction, affecting the forms plugin deployed across WordPress installations. While the EPSS score of 0.02% suggests minimal exploitation probability, the unauthenticated attack vector and lack of user interaction make this a straightforward access control flaw that could enable information disclosure.
Razorpay for WooCommerce plugin versions 4.8.2 and earlier allow unauthenticated attackers to bypass access controls through incorrectly configured authorization checks, enabling unauthorized modification of payment-related data. This missing authorization vulnerability affects all WooCommerce sites running the affected plugin and could allow attackers to manipulate sensitive payment information without authentication. The low EPSS score (0.02%, 4th percentile) and absence of active exploitation indicators suggest limited real-world attack activity despite the accessibility of the vulnerability vector (network, no authentication required).
Missing authorization in iGMS Direct Booking WordPress plugin versions 1.3 and earlier allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, affecting confidentiality but not integrity or availability. The vulnerability carries a CVSS score of 5.3 with network-based remote access and no authentication required, though EPSS exploitation probability is very low at 0.02% percentile, suggesting minimal real-world threat despite the authorization flaw.
Missing authorization in Unitech Web UnitechPay WordPress plugin through version 1.0.2 permits unauthenticated remote attackers to read sensitive information via incorrectly configured access controls, exposing data confidentiality without enabling modification or service disruption. The vulnerability carries a CVSS score of 5.3 with near-zero measured exploitation probability (EPSS 0.02%), indicating low real-world risk despite network-accessible attack surface.
Royale News WordPress theme through version 2.2.4 allows unauthenticated remote attackers to modify content via incorrectly configured access control, enabling unauthorized data integrity compromise despite the lack of direct confidentiality impact. EPSS probability remains low at 0.02% percentile, suggesting limited real-world exploitation likelihood despite the network-accessible vector. Patch status indicates remediation is available through the vendor advisory.
Missing authorization in themebeez Cream Blog WordPress theme versions up to 2.1.7 allows unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured access control security levels. With a CVSS score of 5.3 and EPSS exploitation probability of 0.02% (4th percentile), this represents a low real-world exploitation risk despite the network-accessible attack vector. No public exploit code or active exploitation has been confirmed at the time of analysis.
Missing authorization in Roxnor Wp Ultimate Review plugin versions up to 2.3.8 allows unauthenticated remote attackers to access restricted functionality through incorrectly configured access control security levels, resulting in limited information disclosure. The vulnerability carries a low EPSS exploitation probability (0.02%, 4th percentile) and has not been confirmed as actively exploited, though the simple attack vector (network-accessible, no complexity, no authentication required) means opportunistic exploitation is feasible.
Improper access control in Payment Plugins for PayPal WooCommerce up to version 2.0.13 permits remote unauthenticated attackers to modify sensitive data through incorrectly configured authorization checks. The vulnerability (CVSS 5.3) allows integrity violations in payment-related operations via network requests without authentication or user interaction. With an EPSS score of 0.02%, exploitation likelihood remains minimal in measured threat activity, though the CWE-862 (missing authorization) classification indicates a fundamental security control failure in the plugin's privilege validation.
SpabRice Mogi theme versions through 1.2.3 fail to properly enforce authorization controls, allowing unauthenticated remote attackers to access restricted functionality due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 with low confidentiality impact but no integrity or availability impact. EPSS exploitation probability is minimal at 0.02%, and no public exploit code or active exploitation has been identified.
Incorrectly configured access control in kutethemes Biolife WordPress theme version 3.2.3 and earlier allows unauthenticated remote attackers to bypass authorization checks and modify content via arbitrary shortcode execution. The vulnerability requires no authentication and can be exploited over the network with low complexity, affecting the integrity of web content served to visitors. EPSS score of 0.02% indicates minimal real-world exploitation probability despite network-accessible attack vector.
Missing authorization controls in acmethemes Education Base WordPress theme (versions through 3.0.8) allow unauthenticated remote attackers to modify content via incorrectly configured access control checks. The vulnerability affects the theme's access control security levels, enabling attackers to bypass authentication mechanisms and alter data on vulnerable installations. With an EPSS score of 0.02% and no confirmed active exploitation, the real-world risk remains low despite the network-accessible attack vector.
Authorization bypass in dFactory Download Attachments WordPress plugin versions up to 1.4.0 allows unauthenticated remote attackers to modify file access controls through user-controlled keys, enabling unauthorized file access or manipulation. The vulnerability exploits incorrectly configured access control security levels via an insecure direct object reference (IDOR) mechanism. With EPSS score of 0.02% and no confirmed active exploitation, this poses minimal immediate risk despite network-accessible attack surface.
Incorrectly configured access control in kutethemes KuteShop theme versions up to 4.2.9 allows unauthenticated remote attackers to modify data via missing authorization checks on sensitive operations. The vulnerability enables exploitation of insufficient access control mechanisms without authentication, though with limited impact confined to data integrity rather than confidentiality or availability.
Missing authorization in WpXmas-Snow WordPress plugin up to version 1.1 allows unauthenticated remote attackers to modify plugin content through incorrectly configured access control, resulting in unauthorized data integrity violations without requiring authentication or user interaction.
Wava Payment plugin for WordPress versions 0.3.7 and earlier allows unauthenticated remote attackers to access sensitive information through missing authorization controls on API endpoints. The vulnerability enables attackers to read confidential data by exploiting improperly configured access control levels without requiring authentication or user interaction. EPSS exploitation probability is minimal at 0.02%, but the ability to leak information without authentication warrants attention for WordPress sites using this payment plugin.
Missing authorization in iPOSpays Gateways WC WordPress plugin versions up to 1.3.7 allows unauthenticated remote attackers to modify sensitive data due to incorrectly configured access control, resulting in integrity compromise without authentication or user interaction. Exploitation requires only network access and is low-complexity, though current real-world exploitation likelihood remains minimal (EPSS 0.02%).
Missing authorization in Foysal Imran BizReview WordPress plugin versions up to 1.5.13 allows unauthenticated remote attackers to modify data via incorrectly configured access control, bypassing intended permission restrictions. The CVSS score of 5.3 reflects low integrity impact with no confidentiality or availability compromise. EPSS probability is extremely low at 0.02%, and no public exploit code or active exploitation has been identified, suggesting this is a configuration-level authorization flaw rather than a critical remote code execution vulnerability.
Missing authorization in Obadiah Super Custom Login WordPress plugin versions 1.1 and earlier allows unauthenticated remote attackers to bypass access controls and gain limited information disclosure. The vulnerability stems from incorrectly configured access control security levels that fail to enforce proper authorization checks, enabling attackers to exploit weak authentication mechanisms without requiring valid credentials or user interaction.
Missing authorization in Rustaurius Order Tracking plugin versions 3.4.3 and below allows unauthenticated remote attackers to modify order data through incorrectly configured access control, enabling unauthorized changes to order information without proper privilege validation. With an EPSS score of 0.02% and no confirmed active exploitation, real-world risk is currently low despite the moderate CVSS score of 5.3.
NM Gift Registry and Wishlist Lite WordPress plugin versions up to 5.13 allows unauthenticated remote attackers to modify data through missing authorization checks on access control settings. The vulnerability stems from incorrectly configured authorization levels that fail to validate user permissions before processing requests, enabling attackers to bypass authentication mechanisms and alter registry or wishlist information without proper credentials. EPSS score of 0.02% indicates minimal real-world exploitation probability despite the low attack complexity.
Missing authorization in Arraytics Booktics WordPress plugin through version 1.0.16 allows unauthenticated remote attackers to modify application data via incorrectly configured access control security levels. The vulnerability has a low EPSS score (0.02%, percentile 4) despite the network-accessible attack vector, suggesting limited real-world exploitation likelihood. No public exploit code or active CISA KEV status has been identified.
Missing authorization in ILLID Share This Image WordPress plugin through version 2.12 allows unauthenticated remote attackers to access restricted functionality due to incorrectly configured access control, resulting in low-impact information disclosure. The vulnerability carries a moderate CVSS score of 5.3 but very low real-world exploitation probability (EPSS 0.02%, percentile 4%), suggesting this is a configuration or design flaw with limited practical impact rather than a critical security issue.
BoldGrid Client Invoicing by Sprout Invoices versions 20.8.10 and earlier fails to enforce authorization controls, allowing unauthenticated remote attackers to modify data through incorrectly configured access control. The vulnerability affects WordPress installations running the vulnerable plugin and has an EPSS score of 0.02% (4th percentile), indicating very low exploitation likelihood despite the network-accessible attack surface. No public exploit code or active exploitation has been documented.
Missing authorization in WP Chill Revive.so plugin versions up to 2.0.7 allows unauthenticated remote attackers to bypass access controls and read sensitive information via incorrectly configured access control security levels. The vulnerability has an EPSS score of 0.02% (4th percentile), indicating minimal real-world exploitation probability despite the moderate CVSS 5.3 score. No public exploit code or active exploitation has been confirmed.
Missing authorization in Themefic Tourfic WordPress plugin versions up to 2.21.4 allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability exposes data confidentiality without enabling modification or denial of service, affecting WordPress sites running the vulnerable plugin. Despite a moderate CVSS score of 5.3, the extremely low EPSS score of 0.02% indicates minimal real-world exploitation probability.
Missing authorization in the fullworks Display Eventbrite Events WordPress plugin through version 6.5.6 allows unauthenticated remote attackers to modify plugin data via incorrectly configured access control mechanisms. The vulnerability enables integrity attacks (CWE-862: Missing Authorization) without requiring authentication or user interaction, affecting the plugin's REST API or admin functions. EPSS score of 0.02% indicates extremely low real-world exploitation probability despite the network-accessible attack vector.
Missing authorization in WP Delicious WordPress plugin versions up to 1.9.5 enables unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured access restrictions. The vulnerability allows unauthorized information disclosure with low CVSS impact (5.3) but affects a widely deployed WordPress plugin; exploitation likelihood is minimal (EPSS 0.02%, percentile 4%) and no public exploit code has been identified.
Missing authorization in weDevs weDocs WordPress plugin through version 2.1.18 allows unauthenticated remote attackers to modify content by exploiting incorrectly configured access control security levels. The vulnerability enables unauthorized modification of protected documents via a network request without authentication, though with limited information disclosure impact. EPSS score of 0.02% indicates minimal real-world exploitation probability despite the moderate CVSS rating.
Broken access control in wpWax Directorist WordPress plugin versions up to 8.5.10 allows unauthenticated remote attackers to modify data through incorrectly configured authorization checks. The vulnerability exploits missing permission validation on plugin functionality, enabling unauthorized state changes without authentication or user interaction. With EPSS at 0.02% and no public exploit code identified, real-world risk remains low despite network-accessible exploitation.
Missing authorization in Craig Hewitt Seriously Simple Podcasting plugin allows unauthenticated attackers to read sensitive podcast information through incorrectly configured access controls. The vulnerability affects versions 3.14.2 and earlier of the WordPress plugin. CVSS 5.3 with 0.02% EPSS score indicates limited real-world exploitation likelihood despite the network-accessible attack vector. No public exploit code or active CISA KEV listing confirms this as a lower-priority authorization disclosure issue.
Missing authorization in RealMag777 FOX woocommerce-currency-switcher plugin for WordPress allows unauthenticated remote attackers to bypass access controls and gain read access to sensitive data through incorrectly configured security levels. The vulnerability affects FOX versions up to and including 1.4.5, with a CVSS score of 5.3 and extremely low exploitation probability (EPSS 0.02%), suggesting limited real-world attack incentive despite the missing authorization flaw.
Ado::Sessions through version 0.935 for Perl generates cryptographically weak session identifiers by seeding SHA-1 with the built-in rand function, system time, and process ID, allowing attackers to predict valid session IDs and hijack user sessions. The vulnerability affects unmaintained code no longer available on CPAN, though it remains on BackPAN. EPSS exploitation probability is minimal at 0.02%, and no public exploit code has been identified, but the automatable nature of session prediction and partial technical impact warrant assessment for legacy deployments.
Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03 for Perl generate cryptographically weak session IDs when /dev/urandom is unavailable, falling back to SHA-1 hashing seeded with predictable values (system PID, epoch time, and the unseeded rand() function). This allows attackers to forge valid session identifiers and potentially conduct session hijacking or CSRF attacks. The module is deprecated by its author, and CISA has not confirmed active exploitation; however, the automatable nature of the attack (as per SSVC) combined with the availability of fix version 7.04 indicates moderate practical risk despite the low EPSS score of 0.02%.
OpenTelemetry Go OTLP HTTP exporters allow memory exhaustion when sending telemetry to attacker-controlled or network-intercepted collector endpoints. The trace, metric, and log exporters read unbounded HTTP response bodies into in-memory buffers without size limits, enabling an attacker to force large transient heap allocations and crash the instrumented process via out-of-memory conditions. Attack requires network control of the collector endpoint or man-in-the-middle position (CVSS 5.3, CVSS:3.1/AV:A/AC:H). Upstream fix available (PR #8108); no active exploitation confirmed.
Reflected cross-site scripting in Sonatype Nexus Repository 3.0.0 through 3.90.2 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a specially crafted URL, requiring user interaction to trigger the attack. With a CVSS 4.0 score of 5.1 and limited technical impact (session integrity only), this vulnerability poses a moderate risk to organizations using affected versions; no public exploit code or active exploitation has been identified.
Remote code execution in MATCHA INVOICE 2.6.6 and earlier allows authenticated administrators to upload arbitrary files with dangerous types, enabling arbitrary code execution on the affected server. The vulnerability affects ICZ Corporation's MATCHA INVOICE product across all versions up to and including 2.6.6. While CVSS 4.7 reflects the requirement for administrative authentication, the RCE impact and file upload mechanism present a significant post-authentication risk in environments where administrative accounts may be compromised or insider threats exist. No public exploit code or CISA KEV confirmation identified at time of analysis.
Stored cross-site scripting (XSS) in MATCHA SNS 1.3.9 and earlier allows authenticated users to inject arbitrary scripts that execute in the browsers of other users accessing affected pages, potentially leading to session hijacking, credential theft, or malware distribution. CVSS 5.4 reflects the requirement for user interaction and authenticated access; no public exploit code or active exploitation has been identified at the time of analysis.
Hayabusa versions before 3.8.0 contain a stored cross-site scripting (XSS) vulnerability in HTML report generation that allows authenticated attackers to inject arbitrary JavaScript into the Computer field of JSON-exported logs, which executes in a forensic examiner's browser when viewing the generated HTML report. The vulnerability requires user interaction (report viewing) and results in information disclosure or session compromise, affecting forensic analysis workflows that process untrusted or adversary-controlled log data.
Vim 9.2.0315 and earlier contains a command injection vulnerability in the netbeans interface that allows a malicious netbeans server to execute arbitrary Ex commands via unsanitized strings in defineAnnoType and specialKeys protocol messages. An authenticated local attacker with user-level privileges and ability to interact with a netbeans connection can achieve code execution with the privileges of the Vim process. The vulnerability is fixed in Vim 9.2.0316.
Remnawave Backend prior to version 2.7.5 allows authenticated users to bypass HWID device registration limits through a race condition in the device registration logic, enabling subscription resale and excessive traffic consumption. The vulnerability requires valid authentication credentials but affects the integrity of subscription management controls across the system. A vendor-released patch is available in version 2.7.5.
Authentication bypass in LobeHub webapi allows unauthenticated attackers to forge X-lobe-chat-auth headers using a publicly disclosed XOR key, gaining unauthorized access to protected routes including chat, model listing, and image generation endpoints. The vulnerability affects LobeHub versions up to 2.1.47 and has a confirmed proof-of-concept; however, the CVSS vector indicates PR:L (low privilege required), suggesting the advertised attack may require some initial authentication. Vendor-released patch version 2.1.48 is available.
WPSchoolPress plugin through version 2.2.35 allows authenticated high-privilege users to bypass authorization controls and access sensitive information they should not be able to view due to incorrectly configured access control security levels. The CVSS score of 4.9 reflects the confidentiality impact limited to authenticated high-privilege attackers with no integrity or availability risk, though the EPSS score of 0.02% suggests exploitation in real-world scenarios remains minimal at time of analysis. No public exploit code or active exploitation has been identified.
Server-Side Request Forgery (SSRF) in Nelio Content WordPress plugin through version 4.3.1 allows authenticated attackers to make arbitrary HTTP requests from the vulnerable server, potentially accessing internal services and exfiltrating sensitive data. The vulnerability requires authenticated access (PR:L) and high attack complexity (AC:H), limiting real-world risk despite affecting all versions up to 4.3.1. No public exploit code or active exploitation has been confirmed; EPSS score of 0.02% (4th percentile) indicates very low exploitation probability.
Cookie prefix protections can be bypassed in Hono's parse() function due to overly aggressive character trimming that diverges from RFC 6265bis browser behavior. An attacker who can set cookies (via MITM, injection, or other means) can use non-breaking space (U+00A0) prefixed cookie names to shadow legitimate cookies, potentially overriding security-sensitive cookies including those protected by __Secure- and __Host- prefixes. Patch available in Hono v4.12.12.
Out-of-bounds read in The Sleuth Kit through 4.14.0 allows local attackers with user interaction to disclose sensitive information via a crafted ISO9660 image, exploiting the parse_susp() function's failure to validate field lengths before copying SUSP extension data into stack buffers. The vulnerability can also trigger infinite parsing loops with malformed zero-length SUSP entries. Patch available from upstream repository.
Out-of-bounds read in Sleuth Kit through version 4.14.0 allows local attackers to disclose heap memory or crash the application via a malicious APFS disk image with crafted length fields in the keybag parser. The vulnerability requires user interaction to process the malicious image but affects all Sleuth Kit tools that parse APFS volumes, with a public fix available on GitHub.
Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with blacklist privileges to inject arbitrary JavaScript through unsanitized note parameters, which executes in the browsers of other administrators viewing the user management page. The vulnerability requires high-privilege authenticated access and user interaction (admin viewing the affected page), limiting real-world impact despite the network-accessible attack vector.
Open redirect vulnerability in Hide My WP Ghost WordPress plugin versions below 7.0.00 allows unauthenticated remote attackers to redirect users to arbitrary external websites, enabling phishing attacks. The vulnerability requires user interaction (clicking a malicious link) and affects the plugin's URL handling. With an EPSS score of 0.02% and no confirmed active exploitation, this represents a low real-world exploitation risk despite the moderate CVSS score of 4.7.
Kamailio versions prior to 6.0.5 and 5.8.7 contain an out-of-bounds read in the auth module that allows remote attackers with high privileges to trigger a denial of service via a specially crafted SIP packet when successful user authentication without a database backend is followed by additional identity checks. The vulnerability requires high privilege level and high attack complexity but can reliably crash the Kamailio process, impacting SIP service availability.
Stored cross-site scripting in the Inquiry Form to Posts or Pages WordPress plugin up to version 1.0 allows authenticated administrators to inject arbitrary JavaScript via the 'Form Header' field, executing when users access the plugin settings page or view pages containing the [inquiry_form] shortcode. The vulnerability stems from insufficient input sanitization during option storage and missing output escaping in two rendering locations. CVSS 4.4 reflects the high privilege requirement (administrator-only access) and limited impact, though the stored nature and cross-site scope elevate concern for sites with multiple administrators or role delegation.