Monthly
Missing authorization on the bulk appointments REST API endpoint in Simply Schedule Appointments WordPress plugin (all versions up to and including 1.6.11.8) permits unauthenticated mass modification and disclosure of customer appointment data. The flaw is compounded by a static, user-independent nonce embedded in the HTML source of any page rendering the [ssa_booking] shortcode, meaning a single anonymous page visit yields a credential sufficient to target every appointment in the system. An attacker can overwrite customer PII, alter payment status, and hijack meeting URLs across all bookings, or enumerate full customer records via the bulk endpoint response - no account or session required. No public exploit code and no CISA KEV listing are identified at time of analysis.
Missing authorization on three AJAX handlers in the Visualizer: Tables and Charts Manager plugin for WordPress (by Themeisle) allows authenticated attackers with Subscriber-level access to create arbitrary chart posts and read or overwrite chart data owned by any site user, including administrators. The wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and wp_ajax_visualizer-upload-data actions invoke renderChartPages() and uploadData() without any current_user_can() capability check; the nonce validation in uploadData() is further trivialized by the absence of an action argument, making it bypassable with any valid WordPress nonce. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 4.0.1.
Authorization bypass in the Equalize Digital Accessibility Checker WordPress plugin (all versions through 1.42.0) allows low-privileged authenticated users to corrupt accessibility audit integrity site-wide. Authenticated attackers holding subscriber-level accounts or higher can invoke AJAX endpoints in class-ajax.php to modify the ignore state, ignore reason, and ignore comment of any accessibility issue across the entire site, effectively hiding or dismissing audit findings they are not authorized to manage. The vulnerability is amplified by a mass-modification code path triggered when the largeBatch=true parameter is supplied, enabling bulk suppression of all findings sharing a common object identifier in a single request. No public exploit code or CISA KEV listing has been identified at time of analysis.
Authorization bypass in the WordPress '3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On' plugin (all versions through 2.0.1) permits any subscriber-level authenticated user to overwrite the plugin's entire settings store via an exposed REST API endpoint with no privilege validation. The flaw stems from CWE-862 (Missing Authorization) in the REST route handler at /wp-json/ar_try_on/v1/settings, allowing arbitrary data to be written directly to the ar_try_on_settings database option. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the low authentication bar (subscriber account) makes it accessible to a broad attacker pool on sites with open user registration.
Unauthorized access in the SMTP2GO for WordPress plugin (all versions through 1.16.0) allows authenticated attackers holding only subscriber-level accounts to either wipe all SMTP delivery log records from the WordPress database or export a full CSV of those logs - exposing recipient addresses, sender addresses, message subjects, and API response data. The flaw stems from missing authorization checks on administrative actions within the plugin's WordPress admin class (WordpressPluginAdmin.php), meaning low-privileged users can invoke privileged log-management operations without restriction. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege bar makes this accessible to any registered WordPress user.
Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration data to unauthenticated remote attackers, including Google Maps API keys and GeoNames service credentials. The flaw (CWE-862 Missing Authorization) exists at specific request-handling code paths in geo-mashup.php (lines 515, 528, and 1525), where the plugin returns configuration data without verifying requester authorization. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially exploitable with no authentication, no complexity, and no user interaction required against any affected installation.
Privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows authenticated subscriber-level users to overwrite arbitrary user profile fields - including administrator passwords and email addresses - by supplying a chosen user_id parameter to a vulnerable Edit-User form. This authorization-bypass flaw (CWE-862) enables full administrator account takeover through direct password replacement or email-redirect password reset, and no public exploit identified at time of analysis. The vulnerability requires a specific misconfiguration where the form's Roles setting is left empty, which limits exploitable installs but is a common default state.
Unauthorized email sending in the Everest Forms WordPress plugin (all versions up to and including 3.4.7) permits any authenticated attacker with Subscriber-level access or higher to dispatch test emails to arbitrary external addresses from the hosting server. The root cause is a missing capability check on the AJAX-exposed send_test_email() function (CWE-862), enabling low-privilege users to invoke a privileged server action without authorization. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the low barrier of entry (any registered user) elevates practical risk on sites with open registration.
Authorization bypass in GitLab Enterprise Edition allows authenticated users holding only developer-role permissions to circumvent flow restrictions when foundational flows are enabled at the group level. Affecting all EE versions from 18.7 through 19.0 (prior to the respective patch releases), this flaw stems from missing authorization checks (CWE-862) and results in a low-integrity-impact, network-accessible exploitation path. No active exploitation has been identified (SSVC: Exploitation none), and GitLab has released patches across all affected branches as of 2026-05-27.
GitLab Enterprise Edition exposes sensitive deployment data to authenticated users holding only developer-role permissions due to missing authorization checks on deployment-related project resources (CWE-862). Affected versions span a wide range - all EE releases from 11.5 through 18.10.6, 18.11.0 through 18.11.3, and 19.0.0 - making this broadly applicable across unpatched GitLab EE deployments. No public exploit identified at time of analysis per CISA KEV, though SSVC intelligence indicates proof-of-concept code exists, and a HackerOne report (3556381) corroborates researcher discovery.
Missing authorization on the bulk appointments REST API endpoint in Simply Schedule Appointments WordPress plugin (all versions up to and including 1.6.11.8) permits unauthenticated mass modification and disclosure of customer appointment data. The flaw is compounded by a static, user-independent nonce embedded in the HTML source of any page rendering the [ssa_booking] shortcode, meaning a single anonymous page visit yields a credential sufficient to target every appointment in the system. An attacker can overwrite customer PII, alter payment status, and hijack meeting URLs across all bookings, or enumerate full customer records via the bulk endpoint response - no account or session required. No public exploit code and no CISA KEV listing are identified at time of analysis.
Missing authorization on three AJAX handlers in the Visualizer: Tables and Charts Manager plugin for WordPress (by Themeisle) allows authenticated attackers with Subscriber-level access to create arbitrary chart posts and read or overwrite chart data owned by any site user, including administrators. The wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and wp_ajax_visualizer-upload-data actions invoke renderChartPages() and uploadData() without any current_user_can() capability check; the nonce validation in uploadData() is further trivialized by the absence of an action argument, making it bypassable with any valid WordPress nonce. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 4.0.1.
Authorization bypass in the Equalize Digital Accessibility Checker WordPress plugin (all versions through 1.42.0) allows low-privileged authenticated users to corrupt accessibility audit integrity site-wide. Authenticated attackers holding subscriber-level accounts or higher can invoke AJAX endpoints in class-ajax.php to modify the ignore state, ignore reason, and ignore comment of any accessibility issue across the entire site, effectively hiding or dismissing audit findings they are not authorized to manage. The vulnerability is amplified by a mass-modification code path triggered when the largeBatch=true parameter is supplied, enabling bulk suppression of all findings sharing a common object identifier in a single request. No public exploit code or CISA KEV listing has been identified at time of analysis.
Authorization bypass in the WordPress '3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On' plugin (all versions through 2.0.1) permits any subscriber-level authenticated user to overwrite the plugin's entire settings store via an exposed REST API endpoint with no privilege validation. The flaw stems from CWE-862 (Missing Authorization) in the REST route handler at /wp-json/ar_try_on/v1/settings, allowing arbitrary data to be written directly to the ar_try_on_settings database option. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the low authentication bar (subscriber account) makes it accessible to a broad attacker pool on sites with open user registration.
Unauthorized access in the SMTP2GO for WordPress plugin (all versions through 1.16.0) allows authenticated attackers holding only subscriber-level accounts to either wipe all SMTP delivery log records from the WordPress database or export a full CSV of those logs - exposing recipient addresses, sender addresses, message subjects, and API response data. The flaw stems from missing authorization checks on administrative actions within the plugin's WordPress admin class (WordpressPluginAdmin.php), meaning low-privileged users can invoke privileged log-management operations without restriction. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege bar makes this accessible to any registered WordPress user.
Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration data to unauthenticated remote attackers, including Google Maps API keys and GeoNames service credentials. The flaw (CWE-862 Missing Authorization) exists at specific request-handling code paths in geo-mashup.php (lines 515, 528, and 1525), where the plugin returns configuration data without verifying requester authorization. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially exploitable with no authentication, no complexity, and no user interaction required against any affected installation.
Privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows authenticated subscriber-level users to overwrite arbitrary user profile fields - including administrator passwords and email addresses - by supplying a chosen user_id parameter to a vulnerable Edit-User form. This authorization-bypass flaw (CWE-862) enables full administrator account takeover through direct password replacement or email-redirect password reset, and no public exploit identified at time of analysis. The vulnerability requires a specific misconfiguration where the form's Roles setting is left empty, which limits exploitable installs but is a common default state.
Unauthorized email sending in the Everest Forms WordPress plugin (all versions up to and including 3.4.7) permits any authenticated attacker with Subscriber-level access or higher to dispatch test emails to arbitrary external addresses from the hosting server. The root cause is a missing capability check on the AJAX-exposed send_test_email() function (CWE-862), enabling low-privilege users to invoke a privileged server action without authorization. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the low barrier of entry (any registered user) elevates practical risk on sites with open registration.
Authorization bypass in GitLab Enterprise Edition allows authenticated users holding only developer-role permissions to circumvent flow restrictions when foundational flows are enabled at the group level. Affecting all EE versions from 18.7 through 19.0 (prior to the respective patch releases), this flaw stems from missing authorization checks (CWE-862) and results in a low-integrity-impact, network-accessible exploitation path. No active exploitation has been identified (SSVC: Exploitation none), and GitLab has released patches across all affected branches as of 2026-05-27.
GitLab Enterprise Edition exposes sensitive deployment data to authenticated users holding only developer-role permissions due to missing authorization checks on deployment-related project resources (CWE-862). Affected versions span a wide range - all EE releases from 11.5 through 18.10.6, 18.11.0 through 18.11.3, and 19.0.0 - making this broadly applicable across unpatched GitLab EE deployments. No public exploit identified at time of analysis per CISA KEV, though SSVC intelligence indicates proof-of-concept code exists, and a HackerOne report (3556381) corroborates researcher discovery.