User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.
User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
Forms Rb plugin for WordPress versions up to 1.1.9 contains an authorization bypass vulnerability allowing authenticated contributors and above to read, modify, and delete form submission records and configuration belonging to forms they do not own. The vulnerability stems from insufficient authorization checks in API endpoints (CWE-862), affecting all installations with the plugin active. CVSS score of 4.3 reflects low attack complexity and network accessibility, though impact is limited to integrity and information disclosure within WordPress administrative contexts.
Authenticated users with Subscriber-level access can bypass PayPal payment verification in the Motors - Car Dealership & Classified Listings WordPress plugin (versions up to 1.4.103) by directly modifying their stm_payment_status user meta field to 'completed', gaining access to paid Dealer membership features without completing any transaction. The vulnerability exists in the stm_save_user_extra_fields() function, which fails to validate permission for sensitive meta field modifications during profile updates. While CVSS 4.3 reflects low severity, the integrity impact is direct-payment systems are completely circumvented for any authenticated user.
Authenticated attackers with Subscriber-level WordPress access can overwrite the Coinbase Commerce API key in versions up to 1.1.2 of the Coinbase Commerce for Contact Form 7 WordPress plugin due to missing capability checks and nonce verification in the save_settings() function. The vulnerability allows privilege escalation and potential compromise of payment processing by replacing the legitimate API key with an attacker-controlled value via a crafted POST request to /wp-admin/admin-post, affecting all WordPress sites running this plugin with that version or earlier.
Authenticated attackers with Subscriber-level access can modify arbitrary WordPress post content, metadata, author assignment, and post type through missing authorization checks in the Rate Star Review Vote AJAX handler, allowing full post content takeover via the 'rating_id' parameter when the 'form' parameter is set to 'update'. The vulnerability affects all versions up to 1.6.4 and requires only basic user authentication (not administrator privileges), making it exploitable by any registered site user.
Argument injection in Fortinet FortiDeceptor 5.0 through 6.0.2 allows authenticated administrators with read-only permissions to read arbitrary log files via crafted HTTP requests, exposing sensitive system and audit logs. The vulnerability requires valid admin credentials but no elevated privileges, making it accessible to lower-privileged authenticated users. No public exploit code or active exploitation has been confirmed at time of analysis.
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page.
Cross-Site Request Forgery in WooCommerce Minimum Weight plugin for WordPress up to version 3.0.1 allows unauthenticated attackers to modify minimum order weight settings by tricking site administrators into clicking malicious links or visiting attacker-controlled pages. The vulnerability stems from missing nonce verification in the settings update handler, enabling forged POST requests to alter critical e-commerce configuration without admin consent. No public exploit code or active exploitation has been identified at time of analysis.
Cross-Site Request Forgery in WP-Redirection plugin for WordPress versions up to 1.0.3 allows unauthenticated attackers to trick logged-in administrators into modifying redirection rules by clicking a crafted link, enabling unauthorized creation, modification, or deletion of URL redirects without consent. The vulnerability stems from missing nonce validation in the admin settings form handler, affecting all installations running vulnerable versions.
Unauthenticated attackers can modify or delete arbitrary user notification records in Devolutions Server due to missing session validation in notification management endpoints. The vulnerability affects Devolutions Server 2025.3.19.0 and earlier, plus versions 2026.1.6.0 through 2026.1.15.0. CVSS 4.3 indicates low-to-moderate risk, but the EPSS percentile of 4% suggests this is not a high-priority target for automated exploitation despite the authentication bypass tag.
Code injection in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform allows authenticated attackers to execute arbitrary code for subscribed channel users by sending specially crafted inputs. The vulnerability has low integrity impact with no confidentiality or availability consequences. CVSS 4.3 (low severity) reflects the requirement for authenticated access, but the ability to affect other users elevates practical risk in multi-tenant environments.
Missing authorization in the PAM module of Devolutions Server allows authenticated users with a PAM license to retrieve OTP secret keys and recovery codes without additional permissions, leading to account compromise through crafted API requests. Affected versions include Devolutions Server 2025.3.16.0 and earlier, plus 2026.1.6.0 through 2026.1.11.0. No public exploit code or active exploitation has been identified; however, the low CVSS score and minimal EPSS percentile suggest limited real-world attack incentive despite the confidentiality impact.
OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessive open braces in IMAP commands, bypassing the incomplete fix from CVE-2026-27857 which only blocked closing braces. An attacker with valid IMAP credentials can exhaust server memory up to the configured vsz_limit, crashing the IMAP process and disrupting mail service.
Cross-Site Request Forgery (CSRF) in the Skysa Text Ticker App plugin for WordPress affects all versions up to 1.4, allowing unauthenticated attackers to modify plugin settings including scrolling message text and URLs by tricking site administrators into clicking a malicious link. The vulnerability stems from missing nonce validation in the SkysaApps_Admin_AppPage function, enabling attackers to alter ticker content without authentication but requiring user interaction via social engineering.
Cross-Site Request Forgery in the Zawgyi Embed WordPress plugin versions up to 2.1.1 allows unauthenticated attackers to modify the plugin's zawgyi_forceCSS setting by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing nonce validation in the zawgyi_adminpage function, enabling attackers to submit forged POST requests to the plugin's settings page without the administrator's knowledge.
SAP Financial Consolidation permits authenticated attackers to forcibly terminate other users' sessions, temporarily denying them access to the application. The vulnerability has limited impact, affecting only availability through session disconnection while leaving the application itself and all data integrity and confidentiality intact. CVSS score of 4.3 reflects low severity, and no public exploit code or active exploitation has been identified.
Insufficient authorization checks in SAP Incentive and Commission Management allow authenticated users to invoke remote-enabled function modules and perform unauthorized table update operations, compromising data integrity. The vulnerability requires valid user credentials and network access but has limited scope - no confidentiality or availability impact. CVSS 4.3 (low) reflects the authentication requirement and integrity-only impact; no active exploitation or public POC identified at analysis time.