2026-07-17
Privilege escalation and full site takeover affects the AI Copilot WordPress plugin before 1.5.4, which fails to bind OAuth access tokens to a specific WordPress user and treats any valid token as an administrator session. An unauthenticated attacker who completes the plugin's public OAuth flow can invoke privileged MCP (Model Context Protocol) tools as an administrator, creating new users and escalating roles. Publicly available exploit code exists and the flaw carries a CVSS 9.8; no active exploitation has been confirmed (not in CISA KEV).
Arbitrary code execution in Cursor for Windows 3.2.16 lets remote attackers run code on a developer's machine by planting a malicious git.exe in a repository's root directory. Because Cursor resolves and executes the workspace-resident git.exe at IDE startup and on a recurring timer, simply cloning and opening a crafted repository triggers execution under the current user's privileges with no explicit user action beyond opening the project. Publicly available exploit code exists and the flaw was reported by VulnCheck; there is no CISA KEV listing or active-exploitation confirmation in the data.
Privilege escalation in the User Registration & Membership WordPress plugin before 5.2.3 lets unauthenticated visitors self-assign an arbitrary published membership tier during public registration, gaining that tier's user role - including administrator where such a tier exists. The plugin never validates that the tier submitted in the registration form is one the form actually offers, so an attacker simply tampers with the submitted tier value. Publicly available exploit code exists (reported by WPScan), though active exploitation has not been confirmed.
Session token theft in SigNoz through 0.133.0 lets unauthenticated attackers hijack any user account on instances configured with Google OAuth, SAML, or OIDC single sign-on. Because the unauthenticated sessions-context endpoint accepts an attacker-controlled 'ref' parameter that is embedded unvalidated into the SSO state/redirect, an attacker crafts a login URL that returns the victim's access and refresh tokens to an attacker-controlled host once the victim completes SSO. Reported by VulnCheck (CWE-601, open redirect), publicly available exploit code exists, though it is not listed in CISA KEV and EPSS was not provided.
The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash of the request body that anyone can compute. This allows unauthenticated attackers to forge a payment-success notification and mark unpaid WooCommerce orders as paid without any payment being made.
Broken access control in Maybe Finance (self-hosted personal finance app) through 0.6.0 lets any authenticated low-privilege member-role user read and rewrite instance-wide hosting settings because Settings::HostingsController applies the ensure_admin before_action only to clear_cache, leaving show and update exposed. A member can exfiltrate the operator's Synth API key rendered in plaintext in a form field, replace it with an attacker-controlled value, enable open public registration, and disable email-confirmation enforcement to disrupt the instance. Publicly available exploit code exists (reported by VulnCheck); this is not listed in CISA KEV, so there is no public exploit identified beyond the released POC.
Cross-organization data disclosure in TheHive through 4.1.24 allows any authenticated user to download attachments belonging to other organizations by supplying a known content-hash identifier. The flaw is a broken object-level authorization (BOLA/IDOR) in the attachment download endpoints, where AttachmentSrv.visible acts as a pass-through datastore traversal without enforcing organization scoping. Publicly available exploit code exists (published by VulnCheck / geo-chen), though there is no public exploit identified as actively exploited in the wild (not in CISA KEV).
Improper authorization in Dendrite (the Go-based Matrix homeserver) through version 0.13.8 lets any authenticated local user delete another user's third-party identifier (3PID) bindings via the POST /account/3pid/delete endpoint, because the Forget3PID handler removes the supplied address/medium without verifying ownership. By stripping a victim's email or MSISDN binding and rebinding it through an identity server, an attacker can hijack the victim's account-recovery/password-reset flow. Publicly available exploit code exists; there is no CISA KEV listing, so this is not confirmed as actively exploited.
Unauthenticated information disclosure in TheHive through 4.1.24 exposes sensitive configuration data - including the datastore attachment protection password, SSO settings, MFA capabilities, and clustered node addresses - to any network-reachable attacker via a single GET request to /api/status. The root cause is a missing authentication gate in the StatusCtrl.scala handler, a CWE-306 class defect. A public proof-of-concept is available on GitHub demonstrating trivial exploitation; no CISA KEV listing at time of analysis, though the exposed credentials materially increase lateral movement risk beyond the moderate CVSS score suggests.
Server-side request forgery in Dendrite through 0.13.8 allows unauthenticated remote attackers to weaponize the server as a port-scanning proxy against internal networks by supplying arbitrary host and port values via the unvalidated `serverName` parameter on the legacy media download endpoint. The server initiates outbound TLS connections to attacker-controlled destinations, and distinguishable error response classes combined with leaked internal IP addresses in error messages expose internal network topology. A publicly available proof-of-concept exploit exists; this vulnerability is not currently listed in CISA KEV.
The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against high privilege users such as administrators when they view the submitted entries.
Unauthenticated privilege escalation in the Bricksforge WordPress plugin (versions ≤ 3.1.8.6) lets remote attackers create a new administrator account by abusing the Pro Forms User Registration action. The plugin fails to validate the fieldIds parameter, so attacker-supplied field IDs are injected into the trusted form-field whitelist, enabling mass-assignment of a privileged role. No public exploit has been identified at time of analysis, but the flaw is trivially exploitable (CVSS 9.8) on any site exposing a Pro Forms registration element.
Privilege escalation in the Aimogen Pro (Aiomatic) all-in-one AI toolkit plugin for WordPress affects all versions through 2.8.4 and lets unauthenticated attackers create administrator accounts. The 'aiomatic_call_google_ai_function' AJAX handler lacks a capability check, allowing the 'aimogen_wp_god_mode' tool to clear function blacklists and invoke arbitrary PHP functions. No public exploit identified at time of analysis, but the pre-auth nature and 9.8 CVSS make this a full-site-takeover risk.
Server-side request forgery in poco-ai/poco-claw up to version 0.5.4 allows remote unauthenticated attackers to coerce the application server into issuing arbitrary HTTP requests to attacker-controlled destinations via the unvalidated callback_url parameter in the run_task API function. The flaw is exposed through the task execution endpoint at executor/app/api/v1/task.py and carries a publicly available proof-of-concept exploit referenced on GitHub. No vendor patch has been released; the associated GitHub issue was closed automatically due to inactivity, indicating no active maintenance response and indefinite risk exposure.
SQL injection in the Login Form of code-projects Hospital Bed Management System 1.0 exposes unauthenticated remote attackers to database manipulation via the Username parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no user interaction, and the E:P modifier reflects a publicly available proof-of-concept on Gitee. While not listed in CISA KEV, the low barrier to exploitation combined with a public POC elevates practical urgency for any organization running this software, despite the product's niche footprint.
Out-of-bounds read in CIPster's EtherNet/IP symbolic path parser exposes industrial control systems to remote availability disruption and potential memory disclosure. The flaw resides in `CipAppPath::deserialize_symbolic` (source/src/cip/cipepath.cc), where unsafe `memcpy` calls copy attacker-controlled byte counts from a network-supplied CIP symbolic path segment into a fixed-size stack buffer without bounds enforcement, reachable by a remote unauthenticated attacker sending a crafted EtherNet/IP explicit messaging request. No active exploitation is confirmed (not in CISA KEV), but a POC exploit archive has been publicly released and the CVSS 4.0 E:P modifier corroborates exploit availability.
The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders.
The Royal Addons for Elementor WordPress plugin before 1.7.1063 does not check the post status of menu items or the templates they reference in one of its REST endpoints, allowing unauthenticated users to retrieve the rendered HTML content of private or draft Elementor templates linked from non-public navigation menu items.
The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pending user accounts.
Post-leave room state disclosure in Dendrite through 0.13.8 allows authenticated local users to retrieve unfiltered current room state from rooms they have previously exited. The syncapi /context endpoint in syncapi/routing/context.go performs an incomplete membership check - evaluating only the RoomExists field while ignoring IsInRoom, HasBeenInRoom, and Membership - effectively treating departed users as current members for this endpoint alone. A publicly available proof-of-concept exists per VulnCheck and the geo-chen research disclosure; no active exploitation has been confirmed via CISA KEV at time of analysis.
Session forgery in the clawvet self-hosted API server (apps/api) before 0.7.5 lets a remote unauthenticated attacker fully impersonate any user and steal their secret apiKey. The server ships a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and .env.example, while an unauthenticated GET /api/v1/scans endpoint leaks victim userId values; combining these, an attacker forges a valid HS256 cg_session cookie offline and calls GET /api/v1/auth/me to exfiltrate the victim's email, subscription plan, and API key. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the technique is fully described and trivially reproducible; only the self-hosted API is affected, not the published clawvet npm CLI package.
Two-factor authentication bypass in Grav CMS before 2.0.4 lets an attacker who already knows a victim's password overwrite that user's TOTP secret and log in with full 2FA protection stripped away. During the pending TOTP challenge window the login plugin's regenerate2FASecret task verifies only that the user exists — not that the caller is authorized — and requires no CSRF nonce, so the attacker sets an attacker-chosen secret, computes a valid code, and completes login. VulnCheck-reported and CVSS 4.0 scored 9.1; no public exploit identified at time of analysis.
Remote code execution is possible in the ProfilePress WordPress plugin (Paid Membership, Ecommerce, User Registration) in all versions through 4.16.18, where the DigitalProducts UploadHandler unconditionally registers an upload_mimes filter that whitelists executable extensions (.exe, .apk, .msi) across every WordPress upload context site-wide. Authenticated attackers with author-level access or above (per CVSS PR:L) can leverage this expanded MIME allowlist to upload executable files, leading to code execution. There is no public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.
Sensitive configuration file disclosure in Grav CMS before 2.0.4 lets unauthenticated remote attackers bypass the bundled .htaccess protections by requesting blocked file types with uppercase or mixed-case extensions (e.g., .YAML, .PHP). The shipped rules omit the Apache [NC] flag, so extension matching is case-sensitive and fails to block case variants on case-insensitive filesystems (Windows/NTFS, macOS/HFS+, Docker volume mounts), exposing files that may hold API keys and credentials. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authorization bypass in OpenClaw versions 2026.1.20 through 2026.5.26 allows low-trust, authenticated callers to invoke the device.pair.approve feature and perform device-pairing approvals that should require stronger role-management authorization. Because the feature can be reached through configured input paths, an attacker holding only limited privileges can escalate their effective authority over device pairing, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the flaw was reported by VulnCheck and carries a CVSS 4.0 base score of 8.7.
Privilege escalation in the getgrav grav-plugin-api before 1.0.6 allows a low-privileged manager holding the api.users.write permission to become a super-admin. The createApiKey, generate2fa, and disable2fa endpoints never re-check super-admin status, so an attacker can mint API keys bound to super-admin accounts or strip 2FA from super-admin users and take over the entire Grav instance. No public exploit identified at time of analysis, but the vendor GHSA advisory and VulnCheck confirm the flaw.
Stored cross-site scripting in the ChronoForms extension for Joomla lets unauthenticated attackers persist malicious JavaScript that executes in the browser of anyone who later views the affected page. The flaw carries a CVSS 4.0 base score of 8.7 and requires no authentication (PR:N), though a victim must load the poisoned content (UI:P). There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Authorization bypass in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.6 lets any valid API key perform actions far beyond its intended scope. Although keys can be provisioned with a restricted scopes array (e.g. read-only), the ApiKeyAuthenticator class never reads or enforces those scopes and instead returns the owning user's full account object, so a limited key can execute any write, delete, or administrative operation the owner is entitled to. Reported by VulnCheck with no public exploit identified at time of analysis, but the flaw is trivially exploitable by any key holder against default configurations.
Arbitrary file write in GitHub Enterprise Server (all releases before 3.22) lets an attacker who already has code execution inside the Dependabot updater container escape the intended dependency-file directory via path traversal and symlink manipulation, planting attacker-controlled files anywhere in a repository - including GitHub Actions workflows under .github/workflows/. Because path validation checked the declared rather than the effective (symlink-resolved) path, an injected workflow can run with the repository's Actions secrets when the repo uses pull_request_target or auto-merge. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; CVSS 4.0 base score is 8.6 (High).
Cross-tenant data disclosure in Google Cloud Firebase Studio (versions prior to the 2026-04-15 fix) let an authenticated user retrieve other tenants' deployed source code and sensitive data by issuing unauthorized GCS signed-URL requests. The flaw stems from a missing authorization check (CWE-862) on the object-signing path rather than a code-execution bug, so impact is confidentiality-centric. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Server-side request forgery in Grav CMS before 2.0.4 allows authenticated users holding the api.webhooks.write permission to register webhooks with dangerous cURL protocol handlers (file://, dict://, gopher://) that fire when webhook events trigger. By abusing these unrestricted protocols an attacker can read local files, enumerate process and service information, and pivot to internal-only network services from the trust position of the Grav server. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; risk is driven by the CWE-918 primitive rather than confirmed in-the-wild activity.
Economic resource exhaustion in the ZenHive mpp Elixir library (versions 0.2.0 through 0.5.x) lets an unauthenticated remote client inflate a sponsoring fee-payer's gas cost per payment by roughly 7.4x, draining the sponsor wallet over sustained abuse. When deployed with fee_payer: true, MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs client-supplied base fields of the 0x76 AASigned envelope verbatim - including an oversized EIP-2930 access list - without validating length or contents, so intrinsic gas is charged for fabricated entries that touch nothing on-chain. No public exploit identified at time of analysis, but the attack is fully detailed in the vendor advisory and fixed in 0.6.0.
Fee-payer wallet draining in ZenHive mpp (Elixir) 0.2.0-0.5.x lets an unauthenticated remote client empty the sponsor's wallet in a single request when the server runs with fee_payer: true. Because MPP.Tempo.Transaction.cosign_fee_payer/3 co-signs the client-supplied gas ceilings (max_fee_per_gas / max_priority_fee_per_gas) of the 0x76 AASigned envelope without bounds checking, an attacker sets arbitrarily large per-gas rates that are billed against the server's wallet, after which it can no longer sponsor legitimate payments. No public exploit identified at time of analysis; the issue was reported by the Erlang Ecosystem Foundation (EEF) and patched in 0.6.0.
Sensitive token exposure in the Grav CMS API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 allows attackers to hijack valid admin sessions after JWT access tokens leak from URLs. Because JwtAuthenticator::extractBearerToken accepts tokens via the ?token= query string on every API route, those tokens are written verbatim into web server access logs, Referer headers, browser history, and upstream proxy/CDN logs, and any captured token grants full admin API access. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 4.0 score of 8.2 reflects the high value of the leaked admin credentials.
Wallet-draining denial of service in ZenHive mpp (Elixir library) versions 0.2.0 through 0.5.x affects deployments configured as a Tempo fee payer (fee_payer: true), where the MPP.Methods.Tempo method co-signs and broadcasts a client-supplied EVM transaction without verifying the client's gas_limit is high enough to complete execution. An unauthenticated remote client can submit a signed transferWithMemo transaction with gas_limit set just below the required amount, causing an on-chain out-of-gas revert that still charges the sponsor's fee-payer wallet while the attacker pays nothing. There is no public exploit identified at time of analysis and this is not on CISA KEV, but repeated low-cost requests can exhaust the sponsor wallet and stop the server from funding gas for legitimate payment requests.
Authorization bypass in OpenClaw before 2026.5.18 lets a low-trust, authenticated caller escape the exec allowlist by abusing weak glob matching, executing or persisting actions beyond their intended authorization. Reported by VulnCheck and tracked as a path-traversal-class flaw (CWE-22), it carries a CVSS 4.0 score of 7.7 with high confidentiality, integrity, and availability impact but requires the affected exec feature to be enabled. No public exploit identified at time of analysis; there is a GitHub security advisory and a corresponding VulnCheck advisory.
Authorization bypass in OpenClaw before 2026.6.5 lets a low-trust, authenticated caller execute node exec actions beyond their approved permissions by exploiting mismatched gateway and node environment configurations. The flaw (CWE-863, Incorrect Authorization) enables privilege escalation within the approval workflow and can be used to persist or run unauthorized actions. Reported by VulnCheck with a CVSS 4.0 base of 7.7; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authorization bypass in OpenClaw before 2026.5.18 lets low-privileged, authenticated callers escalate their actions through the device-pair approval feature, executing or persisting operations beyond their intended trust level. The flaw stems from improper authorization checks (CWE-863) on device-pairing input paths, and per the CVSS 4.0 vector it fully compromises confidentiality, integrity, and availability of the affected system. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Privilege escalation via authorization bypass in OpenClaw's QQBot exec approvals feature affects builds from 2026.5.14-beta.1 up to (but not including) 2026.5.27, letting a lower-trust or non-allowlisted sender execute or persist actions beyond their intended authorization. The CVSS 4.0 vector requires low existing privileges (PR:L) and a present attack requirement (AT:P), meaning the exec approvals feature must be enabled and reachable for exploitation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a fixed release (2026.5.27) and a vendor security advisory are available.
Authorization bypass in OpenClaw before 2026.6.5 lets a low-privileged, authenticated caller reach admin-scoped tools and perform privileged actions they should not be authorized for. The flaw stems from insufficient policy checks on configured input paths (CWE-862, Missing Authorization), so a lower-trust principal can escalate the scope of operations available to it. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was reported by VulnCheck with a CVSS 4.0 base score of 7.7.
Privilege escalation and unauthorized action execution in OpenClaw before 2026.6.6 arises from incomplete environment-variable filtering in its host exec path, which fails to strip rustup startup variables before spawning processes. A low-privilege caller (PR:L) with access to lower-trust invocation paths or configured input paths can influence the child process environment to run or persist actions above their intended authorization level, yielding high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation in OpenClaw's isolated cron job feature (versions 2026.6.1 through 2026.6.8) lets a lower-trust authenticated caller reclaim execution tools that authorization policy had explicitly denied, enabling actions and persistence beyond their intended trust level. The flaw is an incorrect-authorization (CWE-863) issue rooted in misconfigured input path handling within the cron subsystem, and carries a CVSS 4.0 score of 7.7. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authorization bypass in OpenClaw's ClickClack agent-mode dispatch (versions 2026.5.10-beta.1 through 2026.6.4) allows a lower-trust caller to invoke actions that should be blocked by the toolsAllow policy, because that policy check can be skipped during dispatch. With CVSS PR:L, an already low-privileged authenticated caller (or an attacker-controlled input path) can escalate the scope of actions when the agent-mode feature is enabled and reachable. No public exploit identified at time of analysis; the issue was reported by VulnCheck and fixed in 2026.6.5.
Sensitive information exposure in the LearnPress LMS plugin for WordPress (versions up to and including 4.4.1) lets unauthenticated attackers pull correct-answer markers, complete option lists, explanations, and full question content for any quiz on the site through the check_answer logic in its frontend REST API. This exposes graded assessment material for paid courses the attacker never enrolled in or paid for, defeating the plugin's course-access model. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the network-facing, no-authentication nature makes it trivially reproducible against affected sites.
Sensitive file disclosure in the Wazuh Manager (versions 4.0.0-4.10.3 and 4.11.0-4.14.4) allows a malicious enrolling agent to exfiltrate manager secrets by abusing the group parameter during enrollment. The authd enrollment daemon fails to filter path traversal ("..") sequences in the agent-selected group name, so remoted later builds shared-configuration paths that reach /var/ossec/etc and stream files such as client.keys, ossec.conf, and internal certificates to the attacker-controlled agent. There is no public exploit identified at time of analysis, but the network-reachable, unauthenticated CVSS 7.5 profile makes this a meaningful confidentiality risk for exposed manager enrollment services.
Session hijacking in SEPPmail Secure Email Gateway and SEPPmail Cloud before 15.0.4.2 lets an attacker who can observe traffic replay a victim's GINA web portal session because the session token is exposed both in the URL and in an HTTP header. Because the token travels in the request URL, it can leak into proxy logs, browser history, and Referer headers, enabling account takeover of the secure-message portal. There is no public exploit identified at time of analysis and the CVSS 4.0 exploit-maturity metric is 'Unproven' (E:U); the vendor CVSS 4.0 base score is 7.5.
Sensitive information disclosure in iKAS Technology Inc.'s E-Commerce platform (all versions through build 03062026) allows remote unauthenticated attackers to retrieve embedded sensitive data returned in server responses. Classified under CWE-201, the flaw causes confidential data to be inserted into data sent to clients, exposing it without authentication or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Turkey's national CSIRT (TR-CERT/USOM).
Sensitive information disclosure in Proliz Software's OBS (a student information management system) affects all versions before v3.6.0, allowing remote unauthenticated attackers to reach functionality that is not properly restricted by access-control lists (CWE-201) and retrieve confidential data. The CVSS 7.5 vector (AV:N/AC:L/PR:N/UI:N, C:H only) confirms network-reachable, no-privilege access with high confidentiality impact but no integrity or availability effect. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Sensitive file and internal resource disclosure in Netcad Software NetGIS (versions 5.0.66 up to but not including 7.2.2) arises from an XML External Entity (XXE) flaw where the application resolves external entity references in serialized/XML data submitted by clients. Remote attackers can craft malicious XML payloads to read local files, exfiltrate data, or reach internal network resources on the server. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Turkey's national CERT (TR-CERT/USOM).
Remote denial of service in the h2o HTTP server (all versions prior to commit 9265bdd) allows unauthenticated attackers to exhaust server memory by combining HPACK header-decompression amplification with Slowloris-style HTTP/2 stream stalling. By opening many streams that stall mid-request, an attacker forces the server to retain large volumes of amplified decoded header state, degrading or crashing the service. There is no public exploit identified at time of analysis, and the CVSS 7.5 (A:H only) reflects an availability-only impact with no confidentiality or integrity effect.