Unauthorized file attachment in Frappe, a Python/JavaScript full-stack web framework, allows any authenticated low-privilege user to attach files to arbitrary doctypes through file-handling API endpoints such as add_attachments, bypassing per-document write permission enforcement. Affected are all Frappe v15 releases prior to 15.110.0 and all v16 releases prior to 16.20.0. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make exploitation straightforward for any valid account holder on a multi-tenant instance.
Missing authorization on the reportview endpoint in Frappe framework permits authenticated low-privileged users to access or manipulate report data beyond their permitted scope. Versions prior to 15.107.5 (v15 branch) and 16.18.2 (v16 branch) are affected, confirmed via GitHub Security Advisory GHSA-w8g7-j846-j248. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 PR:L metric confirms exploitation is bounded by requiring a valid authenticated session.
Authenticated RabbitMQ users can bypass authorization controls on passive AMQP 0-9-1 declare operations, exposing internal broker topology metadata across all affected release branches (3.13.x, 4.0.x, 4.1.x, 4.2.x). The missing authorization check on passive queue.declare and exchange.declare allows any user with vhost connectivity to enumerate queue and exchange names and read live message and consumer counts without requiring elevated permissions. No public exploit code has been identified and the vulnerability is not in CISA KEV; however, the low exploitation complexity, authentication-only prerequisite, and broad affected version range meaningfully elevate real-world exposure risk in multi-tenant or shared-credential deployments.
Authorization bypass in the Eventin WordPress plugin (versions 4.0.26-4.1.15) enables unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash to the payment_complete() REST endpoint. The wp_rest nonce required to reach this endpoint is embedded in the HTML of every public event page, eliminating any credential or session requirement. This is a confirmed regression - the same function and endpoint were previously patched by Arraytics, but the fix was lost in subsequent releases; no public exploit has been identified at time of analysis.
Unauthenticated media library attachment deletion affects the Easy Upload Files During Checkout WordPress plugin through version 3.0.1, enabling any remote visitor to permanently destroy arbitrary files from the site's media library with no credentials. The root cause is CWE-639: the ufdc_custom_init() hook processes a user-controlled 'eufdc-delete' parameter without nonce verification, capability checks, or attachment ownership validation, reducing authorization to a trivial parameter-guessing exercise against sequential WordPress attachment IDs. No public exploit code or CISA KEV listing has been identified, but the attack requires zero prerequisites beyond plugin presence, making it trivially reproducible.
Broken authorization in Snipe-IT's legacy single-seat license checkin endpoint allows authenticated users with only checkout (assign) rights to invoke the checkin (unassign) action, bypassing the intended permission boundary. Versions prior to 8.6.2 are affected; this is fixed in v8.6.2. No public exploit has been identified at time of analysis, and the flaw is not listed in the CISA KEV catalog, but the low-complexity, network-accessible nature of the bypass makes it straightforward to exploit for any authenticated user with checkout-level access.
Disk space exhaustion in n8n's data-table file upload endpoint allows an authenticated user to progressively fill the host's disk by repeatedly uploading files whose cumulative size is never checked against what already exists in the shared temporary directory. Affected versions span all n8n releases before 2.28.0 on the 2.x branch and before 1.123.58 on the 1.x branch. The flaw is rooted in a stateless per-request quota that ignores previously written files, enabling a low-privileged user to loop uploads between periodic cleanup cycles until disk space is exhausted, potentially disrupting the host and all co-resident services. No public exploit code or CISA KEV listing has been identified at time of analysis.
Missing authorization on Snipe-IT's asset request cancellation endpoint prior to version 8.6.0 allows any authenticated low-privileged user to cancel another user's pending asset requests by supplying a victim's user ID in the URL path segment. The cancel_by_admin path parameter is accepted without server-side privilege verification, constituting a CWE-862 (Missing Authorization) flaw - effectively a broken object-level authorization issue on an administrative action. No public exploit has been identified at time of analysis, and CVSS 4.0 scoring (5.3) reflects limited scope: integrity-only impact with no data exposure or availability loss.
Unauthorized file disclosure in Dell Unisphere for PowerMax 10.3.0.5 and prior is achievable by a remote low-privileged attacker via an XML External Entity (XXE) injection flaw (CWE-611). By submitting crafted XML containing external entity declarations to a vulnerable parsing endpoint, an authenticated attacker can cause the server to read and return sensitive local files or initiate server-side requests, resulting in High confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis; however, Dell has issued advisory DSA-2026-272 covering this and related vulnerabilities across the PowerMax product family.
{kit_id}/licenses allows authenticated low-privilege users to bind arbitrary licenses - including those belonging to other departments or users - into kits they control. The server validates kit-edit permissions but performs no ownership or access check against the referenced license object, a classic IDOR pattern (CWE-639). No public exploit exists and the vulnerability is not listed in CISA KEV; it is fixed in version 8.6.2.
Preview namespace collision in Capgo before 12.128.2 enables authenticated low-privileged tenants to hijack or deny preview routing for other tenants' applications by deliberately registering app IDs containing double underscores that decode identically to a victim's dot-separated app ID. The non-bijective hostname parsing - where `__` maps to `.` but `.` is also a valid app ID character - breaks namespace uniqueness across tenants, allowing cross-tenant preview misrouting. No public exploit has been identified at time of analysis, and no CISA KEV listing exists; real-world impact is confined to preview functionality, not production app delivery.
Plan quota enforcement is missing on the /files/upload/attachments endpoint in Capgo before 12.128.2, allowing upload-scoped API keys to bypass plan restrictions and create publicly readable Cloudflare R2 objects regardless of account standing. Apps that have been plan-blocked or suspended retain the ability to upload arbitrary attachments that persist outside bundle metadata and survive app deletion, enabling sustained storage and bandwidth abuse against the Capgo platform. No public exploit has been identified at time of analysis, and the vulnerability has not been confirmed as actively exploited.
Stored XSS in R-SOFT DMS file upload functionality allows authenticated attackers to embed arbitrary HTML and JavaScript within uploaded filenames, which subsequently execute in the browsers of any user viewing the file list or upload status pages. The vulnerability affects the document management system's filename rendering pipeline, which fails to sanitize input before output into HTML context. Fixed versions are available (v3.19-2832 and v3.17-2580); no public exploit identified at time of analysis, and the product is not listed in the CISA KEV catalog.
Out-of-bounds read in mtr's ipinfo_lookup() function allows a DNS-layer attacker to reliably crash the tool by serving a crafted TXT response during AS-number lookups. mtr through version 0.96 is affected; the root cause is that dn_expand() receives the total response length as its boundary argument rather than the safe, validated packet end - so a >512-byte response carrying a malicious compression pointer in the answer NAME field directs the read past the buffer. No public exploit code and no CISA KEV listing exist at time of analysis, though the crash is described as deterministic once the attacker controls the DNS response.
DSN string injection in grav-plugin-database prior to version 1.2.0 allows an administrator with Grav CMS plugin configuration access to manipulate PDO database connection strings by injecting unsanitized YAML field values. The vulnerable `Database::__call` method concatenates fields such as host, dbname, charset, server, database, directory, and filename directly into DSN strings without validation, enabling DSN attribute injection or path traversal to redirect database connections to unintended targets. No public exploit code or active exploitation has been identified at time of analysis; the fix is available in version 1.2.0.
Stored cross-site scripting and open redirect vulnerabilities in n8n's Form Node allow authenticated users with workflow creation permissions to inject malicious scripts or phishing redirects that execute in the browsers of end users who interact with published forms. Affected across both the 1.x branch (before 1.123.24) and the 2.x branch (before 2.10.4 and 2.12.0). The attack surface is the Form Node's HTML description fields, which accept unsanitized markup, combined with an overly permissive iframe sandbox policy - creating a persistent attack vector embedded within legitimate workflows. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored cross-site scripting in HestiaCP's DNS record management interface (all versions before 1.9.5) enables authenticated low-privilege users to execute arbitrary JavaScript in the browsers of any panel user who views the DNS record list, including administrators. The flaw in list_dns_rec.php allows injecting a script payload via a crafted DNS record value that breaks out of the data-sort-value HTML attribute due to missing htmlspecialchars() encoding - creating a persistent, privilege-escalating attack path from tenant-level access to admin session compromise. No public exploit or CISA KEV listing has been identified at time of analysis; vendor-released patch (v1.9.5) is available.
Improper input validation in Samsung Email prior to version 6.2.13.1 enables local attackers to create arbitrary files within the application's Android sandbox, affecting integrity and availability of the email client. The attack is confined to the Samsung Email sandbox by Android's isolation model and cannot directly escalate to system-level or cross-application impact. No public exploit has been identified and the vulnerability is not listed in CISA KEV; Samsung has released a confirmed fix in version 6.2.13.1.
Incorrect default permissions in Samsung Mobile's WLAN security component expose TencentWifiSecurity settings to any local attacker on Android 14, 15, and 16 devices prior to SMR Jul-2026 Release 1. An unprivileged local user or application can read or modify TencentWifiSecurity configuration, resulting in limited information disclosure and integrity compromise of WiFi security settings. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the zero-privilege-required local access condition broadens practical exposure on shared, enterprise-managed, or already-compromised devices.
Improper access control in Samsung's SmartThingsKit component on Android 16 devices allows local attackers without elevated privileges to read sensitive information. The flaw, patched in SMR Jul-2026 Release 1, is limited to local exploitation and carries no integrity or availability impact. No public exploit has been identified at time of analysis, and Samsung has not reported active exploitation.
Stored XSS in PeerTube before version 8.2.2 allows any authenticated uploader to inject arbitrary HTML and JavaScript into the instance origin by embedding the byte sequence </script> inside video metadata fields. The server-side renderer serializes video metadata directly into schema.org JSON-LD script blocks using JSON.stringify without HTML-character escaping, causing the browser to terminate the script tag prematurely and parse attacker-controlled content as raw HTML. The payload executes automatically for every visitor to the affected video's watch page, and no public exploit has been identified at time of analysis.
Stored XSS in the Grav API plugin (getgrav/grav-plugin-api) before version 1.0.3 allows an authenticated attacker holding the api.media.write permission to upload a malicious SVG file that executes arbitrary JavaScript in an administrator's browser session. The POST /api/v1/media endpoint's HandlesMediaUploads::processUploadedFile() method validates only the file extension and never calls Security::sanitizeSVG(), so the uploaded file is stored and served verbatim with Content-Type: image/svg+xml. When an administrator opens the file directly or via an embedded object or iframe, the injected script runs in the admin's authenticated session context, enabling cookie theft and full session hijacking. No public exploit or active exploitation has been identified at time of analysis.
Path traversal in phpMyFAQ's PDF export pipeline allows authenticated FAQ editors to read arbitrary server-side files by storing HTML with crafted image paths that exploit a type-juggling flaw in concatenatePaths(). When the substring 'content' is absent from an attacker-controlled path, strpos() returns false, which PHP silently coerces to integer 0, causing the full unsanitized path to pass through to file_get_contents() without canonicalization. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, but the root cause is a low-complexity PHP type-juggling antipattern that is straightforward to weaponize once the attack surface is understood.
Cross-tenant authorization bypass in Snipe-IT prior to v8.6.2 allows an authenticated user with only `reports.view` permission in one company to delete pending checkout acceptance records belonging to any other company by supplying arbitrary global IDs to the unaccepted-assets report delete endpoint. The root cause is a classic IDOR (CWE-639): the endpoint validates role but not company-scope ownership. No public exploit has been identified and this CVE is absent from the CISA KEV catalog, but multi-tenant deployments relying on organizational data isolation are directly impacted.
Second-order SQL injection in Mail Mint WordPress plugin (all versions ≤ 1.24.1) allows authenticated administrators to exfiltrate arbitrary data from the WordPress database via the 'recipients' parameter in the campaign REST API. The attack exploits a two-stage flaw: a malicious SQL payload bypasses int-cast input validation at write time and persists unsanitized, then fires during a subsequent campaign retrieval request that passes the raw value into an unparameterized query. No public exploit or CISA KEV listing has been identified at time of analysis; real-world risk is moderated by the required administrator-level authentication.
SQL Injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (versions up to and including 4.3.6) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'scan_id' parameter in the cookie scanner module. Exploitation is constrained to administrator-level accounts (PR:H per CVSS vector), making this a privileged read-only database extraction flaw rather than a broad remote attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis; a patch commit is referenced in the WordPress plugin repository changeset.
RabbitMQ Server prior to 4.2.6 fails to cancel or reauthorize existing AMQP 0-9-1 consumers when an OAuth token expires or when connection.update_secret reduces token scopes, allowing an authenticated consumer to continue receiving messages it is no longer authorized to access. The broker evaluates authorization only at consumer registration time, not at message delivery time, creating a persistent authorization bypass window for as long as the connection remains open. No public exploit exists at time of analysis, but the CVSS 4.0 vector assigns high subsequent-system confidentiality impact (SC:H), reflecting meaningful data-access risk in OAuth-governed or multi-tenant deployments.
CSV formula injection in Snipe-IT prior to version 8.5.0 enables a low-privileged authenticated user to store a malicious spreadsheet formula via the HTTP User-Agent header, which is then written unescaped into exported Activity Report CSV files. When an administrator or report viewer opens the exported file in spreadsheet software such as Microsoft Excel or LibreOffice Calc, the embedded formula executes within their local application environment, potentially enabling data exfiltration or arbitrary command execution on the viewer's workstation. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 8.5.0.
Account takeover in ZITADEL's external identity provider auto-linking logic prior to version 4.15.3 allows an unauthenticated network attacker to hijack a victim's local ZITADEL account. The handler confirms that the local user's email is verified but fails to require the external IdP to also confirm ownership of that same email address before completing the link - meaning an attacker who registers a victim's email on a permissive external IdP (one that does not enforce email verification) can silently gain full access to the victim's ZITADEL account. No public exploit has been identified at time of analysis; the fix is available in the vendor-released patch v4.15.3.
Incorrect Authorization (CWE-863) in the Drupal Commerce Realex / Global Payments module exposes protected payment and order resources to forceful browsing, allowing unauthenticated remote attackers to access endpoints that should require authorization. All module versions from 0.0.0 through 3.0.2 (exclusive) are affected on Drupal Commerce deployments. No public exploit code has been identified and SSVC confirms no active exploitation at time of analysis, though the nature of a payment gateway module means successful access could expose order or transaction data.
Stored cross-site scripting (XSS) in Snipe-IT before 8.6.2 allows a low-privileged user with the assets.edit permission to plant a malicious javascript: URI inside a Markdown hyperlink in a custom textarea field. When any other user opens the affected asset detail page and clicks the crafted link, arbitrary JavaScript executes in their browser session. No public exploit code or active exploitation has been identified at time of analysis, and the vendor has released a patch in v8.6.2.
Incorrect Authorization (CWE-863) in the Drupal AI Agents contributed module enables Forceful Browsing, allowing network-reachable attackers to access restricted AI agent resources without proper permission checks. Three distinct release branches are affected: 0.0.0-1.1.4, 1.2.0-1.2.5, and 1.3.0-1.3.1. CISA SSVC classifies exploitation as none with partial technical impact, EPSS sits at the 4th percentile, and no public exploit has been identified at time of analysis - signals that collectively indicate limited immediate real-world risk despite the network-accessible attack vector.
Memory leak in ImageMagick's META reader (versions before 7.1.2-18) enables denial of service through resource exhaustion when processing specially crafted APP1JPEG image files. The flaw sits in the error-handling path of the META reader, meaning memory allocated during malformed APP1JPEG processing is never freed, allowing an attacker to repeatedly trigger the leak until the host process exhausts available memory. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; the CVSS 4.0 score of 4.8 (Medium) reflects limited impact scope.
Improper authorization in Samsung Health prior to version 7.00.0.107 exposes connected device information to local, low-privileged attackers on the same Android device. The flaw likely involves an improperly protected Android IPC mechanism - such as a content provider or broadcast receiver - that fails to enforce access controls over paired wearable or peripheral device data. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog; combined with the local-only attack vector and limited data sensitivity, real-world risk is low.
Cross-Site Request Forgery in the Drupal Salesforce Suite contrib module (all versions from 0.0.0 up to and including 5.1.3) lets an attacker forge state-changing requests that are executed with the privileges of an authenticated Drupal user who is tricked into loading attacker-controlled content. The Drupal security team (SA-CONTRIB-2026-063) rates it critical, and a fixed release is available; no public exploit code has been identified and EPSS is very low (0.10%, 1st percentile), indicating no observed exploitation activity. Note that the published CVSS vector (UI:N) is atypical for CSRF, which normally depends on victim interaction, so the real-world impact profile should be verified against the vendor advisory.
CSP header injection in the `secure_headers` RubyGems library (≤ 7.2.0) allows an attacker who can influence input to the `:sandbox`, `:plugin_types`, or `:report_to` per-request override APIs to inject an arbitrary `script-src 'unsafe-inline' *` directive that wins over the application's configured strict `script-src` under the W3C CSP first-occurrence rule, achieving full XSS reachability. The three affected directive builders (`build_sandbox_list_directive`, `build_media_type_list_directive`, `build_report_to_directive`) emit caller-supplied bytes verbatim into the CSP header value, unlike the sibling `build_source_list_directive` which has sanitized `;`, `\r`, and `\n` since CVE-2020-5217. A fully browser-verified proof of concept is publicly available; exploitation is not confirmed in CISA KEV but the attack is concrete and code-complete.
Stored Cross-Site Scripting in the Highlighting Code Block WordPress plugin (versions ≤ 2.2.0) allows authenticated attackers holding administrator-level permissions to inject persistent malicious scripts via the plugin's admin settings panel, with those scripts executing in the browsers of any user who subsequently visits an affected page. Exploitation is constrained to WordPress multi-site network installations or single-site deployments where the unfiltered_html capability has been explicitly disabled - conditions that are non-default and substantially narrow the attacker population. No public exploit code or active exploitation has been identified at time of analysis; Wordfence, the reporting source, has published a fix commit to the plugin's SVN repository, though a specific patched release version is not yet confirmed.
Stored Cross-Site Scripting in the Ajax Load More WordPress plugin (versions through 7.0.1) allows authenticated administrators to inject persistent malicious scripts into pages served to other users. The vulnerability stems from insufficient input sanitization and output escaping in admin-facing settings fields. Exploitation is constrained to WordPress multisite environments or sites with unfiltered_html disabled, and no public exploit or KEV listing exists at time of analysis, keeping real-world risk moderate despite the network-accessible vector.
Stored Cross-Site Scripting in the WPvivid Backup for MainWP WordPress plugin (all versions up to and including 0.9.33) allows authenticated administrators to inject persistent malicious scripts via plugin settings fields, which then execute in any user's browser upon visiting an affected page. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, and requires an attacker to already hold administrator-level credentials. No public exploit code has been identified at time of analysis, and the CVSS 4.4 Medium score reflects both the high privilege bar and the specialized deployment conditions required.
File carve operations in osquery prior to 5.23.1 expose sensitive data due to world-readable temporary directory permissions, allowing a local unprivileged attacker to read carve contents during the collection window. If the carve targets a directory the attacker controls, the impact extends to arbitrary local file reads. No public exploit identified at time of analysis; the vendor-confirmed fix ships in osquery 5.23.1.
Authorization bypass in the Invoice123 WordPress plugin (versions up to and including 1.7.0) permits authenticated attackers holding only subscriber-level accounts to overwrite the plugin's external API key, modify invoice configuration settings, and directly alter WooCommerce tax rate records in the database. The root cause is absent capability checks in the plugin's admin-page handlers, meaning low-privilege users can invoke privileged administrative actions over the network. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Authorization bypass in the Easy Appointments WordPress plugin (all versions up to and including 3.12.27) permits any authenticated user holding the Author role or above to mass-cancel every future appointment across the entire site by exploiting a missing capability check on the plugin's AJAX cancellation handler. The attack is made trivially accessible because the nonce required to authenticate the cancellation request is rendered directly on the Appointments admin page, which is gated only by the `edit_posts` capability that Authors possess by default. No public exploit has been identified at time of analysis, but the low privilege barrier and deterministic exploit path present a high-consequence business-disruption risk for any organization running booking workflows on affected installations.
Unauthorized post publication in Kadence Blocks (Gutenberg Blocks with AI by Kadence WP) versions up to and including 3.5.32 allows authenticated WordPress contributors to immediately publish posts, pages, and custom post types - entirely bypassing the platform's standard contributor review workflow. The flaw stems from a misconfigured capability check in the `get_items_permission_check` permission callback on the `process_pattern` REST API endpoint (CWE-863: Incorrect Authorization). No active exploitation is confirmed via CISA KEV, no public POC has been identified, and the CVSS score of 4.3 reflects a limited integrity-only impact with no confidentiality or availability consequences.
Incorrect authorization in Snipe-IT's UsersController before version 8.6.2 allows any authenticated user holding only the users.view permission to access restricted inventory and procurement metadata - including assigned licenses, accessories, consumables, and associated cost and order data - from modules their direct permissions would otherwise deny. The flaw exists in both the show() and printInventory() controller methods, which enforce authorization only for the user-viewing scope before eagerly loading and rendering related asset relationships without further permission checks. No public exploit exists and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and common assignment of users.view to helpdesk staff makes this a realistic insider access-control bypass in enterprise deployments.
Unauthorized schema disclosure in Grist Core prior to 1.7.15 allows any user with partial read access - explicitly including anonymous public users on publicly viewable documents - to retrieve table and column metadata for any widget by querying the GET /forms endpoint. The endpoint failed both to validate that the requested section was a form widget and to apply the document's configured access rules before returning metadata, meaning hidden schema structure (table names, column names, types) is fully exposed regardless of the restrictions in place. No public exploit has been identified and the vulnerability is not in CISA KEV; a vendor-released patch exists in version 1.7.15.
Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Sensitive information exposure in the Import and Export Users and Customers WordPress plugin (all versions ≤ 2.4.0) allows any authenticated subscriber-level user to enumerate and extract the post_title and raw post_content of arbitrary posts regardless of visibility status or post type. Affected content includes drafts, private posts, password-protected entries, future-scheduled posts, trashed items, and non-public custom post types such as WooCommerce orders and internal CRM records. The exploit barrier is exceptionally low: the required security nonce is leaked as inline JavaScript on any wp-admin page reachable by subscribers. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.
Unauthorized GravityWrite disconnection in the GW AI Website Builder WordPress plugin (versions ≤ 1.0.1) is achievable by any authenticated subscriber-level user due to a missing capability check on the gwaiwebu_gravitywrite_disconnect_handler() AJAX function. The flaw allows low-privilege WordPress accounts to sever the plugin's integration with the GravityWrite AI service, degrading AI-powered site-building functionality for all users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; impact is confined to service integrity disruption rather than data exfiltration or code execution.
Incorrect authorization enforcement in Snipe-IT's API location creation endpoint allows an authenticated low-privilege user to create a child location under a parent location belonging to a different company, bypassing the intended multi-tenant isolation boundary. The vulnerability affects all Snipe-IT versions prior to 8.6.2 when both Full Multiple Companies Support and the scope_locations_fmcs option are simultaneously enabled. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; real-world risk is constrained by the non-default configuration prerequisites and the requirement for authenticated access.
Unauthorized modification of cookie scan schedule configuration in the GDPR Cookie Consent WordPress plugin (versions up to 4.3.6) is achievable by any authenticated subscriber-level user. The vulnerability stems from a dual failure - absent capability check and absent nonce verification - on the wp_ajax_gcc_save_schedule_scan AJAX action, allowing low-privileged users to overwrite the gdpr_scan_schedule_data option that is administratively intended to require manage_options capability. No public exploit has been identified and the flaw is not listed in CISA KEV; a patched version (4.3.7) is available via the plugin's SVN repository.