Authentication Bypass

Mattermost Plugins versions 11.3 and earlier fail to implement proper authorization checks on comment block modifications, allowing authenticated users with editor permissions to modify comments created by other board members without restriction. An authorized attacker can alter or tamper with comments from colleagues, potentially modifying project records, discussions, or audit trails. With a CVSS score of 4.3 and low attack complexity, this represents a moderate integrity risk in collaborative environments where comment authenticity is important, though exploitation requires prior authentication and editor-level access.

Mattermost fails to properly validate user permissions when filtering invite IDs during team creation, allowing authenticated users to bypass access controls and register unauthorized accounts using leaked or discovered invite tokens. Affected versions include Mattermost 11.3.0 and earlier in the 11.3.x branch, 11.2.2 and earlier in the 11.2.x branch, and 10.11.10 and earlier in the 10.11.x branch. An authenticated attacker with knowledge of valid invite IDs can circumvent intended access restrictions to create accounts that should be restricted, resulting in unauthorized account registration and potential lateral movement within the Mattermost instance.

An identity-based authorization bypass vulnerability (IDOR) allows authenticated attackers to modify other users' account data, including email addresses, and subsequently hijack accounts through password reset flows. The vulnerability affects an unspecified product with a CVSS 8.6 severity rating, requires only low privileges to exploit over the network, and enables complete account takeover. No active exploitation has been reported (not in KEV), no public proof-of-concept exists, and the EPSS score is unavailable.

A privilege escalation vulnerability in Tinycontrol network management devices (tcPDU and LAN Controllers) allows low-privileged users to retrieve administrator passwords by directly accessing resources that are hidden from the graphical interface. The vulnerability affects multiple product lines including tcPDU, LK3.5, LK3.9, and LK4 controllers across various hardware versions, with a high CVSS score of 8.6 indicating significant risk. No evidence of active exploitation exists (not in KEV), no public POC is available, and the EPSS score is not provided, but patches are available for all affected versions.

A critical authentication bypass vulnerability exists in GROWI's OpenAI assistant API endpoints where authorization checks are missing, allowing any authenticated user to access and manipulate other users' AI assistant conversations. The vulnerability affects GROWI versions 7.4.5 and earlier, enabling attackers with low-level credentials to compromise confidentiality and integrity of AI assistant threads and messages by simply knowing the assistant identifier. While not currently listed in CISA KEV and with no public exploit code identified, the vulnerability carries a high CVSS score of 8.3 due to its low exploitation complexity and significant data exposure potential.

A hard-coded credentials vulnerability exists in the INDEX Conferences & Exhibitions Organization YWF BPOF APGCS Android application (versions up to 1.0.2) where attackers can manipulate ACCESS_KEY and HASH_KEY arguments in the BuildConfig.java component to extract embedded credentials. The vulnerability requires local execution on the device and grants only confidentiality impact (CWE-798: Use of Hard-Coded Credentials), but the existence of a published exploit and vendor non-responsiveness elevate practical risk despite the low CVSS score of 3.3.

Smart Switch versions prior to 3.7.69.15 contain an improper authentication vulnerability that allows adjacent network attackers to trigger denial of service conditions without requiring user privileges or interaction. The vulnerability has a CVSS score of 6.9 with medium-to-high availability impact, making it a notable threat in local network environments where Smart Switch is deployed.

Smart Switch versions prior to 3.7.69.15 contain a replay attack vulnerability in the authentication mechanism that allows remote attackers to bypass security controls and execute privileged functions without valid credentials. The vulnerability requires user interaction to trigger but poses a significant risk as no patch is currently available. Organizations using affected Smart Switch deployments should implement network-level controls to restrict access until an update is released.

Samsung Smart Switch versions prior to 3.7.69.15 contain an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent security controls. This vulnerability could enable attackers to gain unauthorized access to the application without valid credentials. No patch is currently available for this high-severity issue.

Smart Switch prior to version 3.7.69.15 contains an improper cryptographic signature verification vulnerability that allows remote attackers to bypass authentication mechanisms. The vulnerability has a CVSS score of 5.3 with network-based attack vector and low complexity, requiring only user interaction. While no public exploit or KEV status has been confirmed, the authentication bypass capability presents a moderate risk for unauthorized access to affected devices.

Smart Switch versions prior to 3.7.69.15 contain an exposure of sensitive functionality vulnerability that allows remote attackers to set specific configurations without proper authorization. An unauthenticated attacker can leverage network access to manipulate configuration settings on affected devices, potentially leading to information disclosure and integrity compromise. This vulnerability requires user interaction according to the CVSS vector, suggesting a social engineering or phishing component may be necessary for successful exploitation.

An improper authorization vulnerability in Samsung Settings allows a local attacker with low privileges to disable configuration of background data usage for applications prior to the SMR Mar-2026 Release 1 patch. While the CVSS score of 4.8 is moderate, the vulnerability has limited impact as it only affects the integrity of data usage settings without enabling data exfiltration or system compromise. The local attack vector and requirement for user-level privileges significantly reduce real-world exploitation likelihood compared to remote or privilege-escalation vulnerabilities.

An insecure direct object reference vulnerability in Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0 allows remote attackers to bypass authentication and directly access sensitive resources by manipulating input parameters. With a publicly available proof-of-concept exploit and a critical CVSS score of 9.8, attackers can gain unauthorized access to sensitive information and system functionalities without any authentication or user interaction required.

An unauthenticated remote reboot vulnerability exists in the Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0, allowing attackers to trigger device restarts without any authentication by sending specially crafted POST requests to the lte.cgi endpoint. This vulnerability has a publicly available proof-of-concept exploit and enables denial of service attacks against affected routers. The vulnerability has been assigned a high CVSS score of 7.5 due to the complete availability impact and lack of authentication requirements.

A security vulnerability in INDEX-EDUCATION PRONOTE (CVSS 5.3) that allows the construction of direct urls. Remediation should follow standard vulnerability management procedures.

Tiandy Easy7 Integrated Management Platform 7.17.0 contains an authentication bypass in the Device Identifier Handler component that allows unauthenticated remote attackers to manipulate username and password parameters via the /WebService/UpdateLocalDevInfo.jsp endpoint. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.

An improper access control vulnerability in Serviio PRO 1.8's Configuration REST API allows unauthenticated remote attackers to change the mediabrowser login password without any authentication. Multiple public proof-of-concept exploits are available on Exploit-DB and PacketStorm, making this vulnerability trivially exploitable. The vulnerability affects Serviio PRO versions 1.6.1 through 1.8.0.0 PRO and represents a complete authentication bypass allowing full account takeover.

An information disclosure vulnerability in Serviio PRO 1.8 and earlier versions allows unauthenticated remote attackers to retrieve sensitive configuration data through the Configuration REST API due to missing authentication controls. Multiple public exploits are available, with proof-of-concept code published on Exploit-DB and PacketStorm, making this vulnerability easily exploitable by attackers with no special privileges or user interaction required.

Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability where authenticated users can gain SYSTEM-level access by replacing service executables due to overly permissive file permissions that grant the Everyone group full control. A public proof-of-concept exploit is available, making this vulnerability easily exploitable by any authenticated local user to completely compromise the system.

ZKTeco ZKBioSecurity 3.0 contains a local authentication bypass vulnerability in visLogin.jsp that allows low-privileged attackers to authenticate without valid credentials by spoofing IPv6 loopback addresses and leveraging hardcoded credentials. An authenticated local attacker can access sensitive information and perform unauthorized actions; public exploits are available (Packet Storm Security, Exploit-DB), indicating moderate real-world risk despite the 5.5 CVSS score reflecting local-only attack vector.

Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software.

CVE-2026-4180 is an authentication bypass vulnerability in the D-Link DIR-816 router (version 1.10CNB05) affecting the redirect.asp file in the goahead component, allowing remote attackers to gain unauthorized access without authentication. A public proof-of-concept exploit is available and the affected product is no longer supported by D-Link, making this vulnerability permanently unpatched.

CVE-2026-4171 is an authorization bypass vulnerability in CodeGenieApp serverless-express affecting versions up to 4.17.1, where manipulation of the userId parameter in the API Endpoint component allows authenticated attackers to access or modify resources belonging to other users. A public proof-of-concept exploit exists, the vendor has not responded to early disclosure, and the vulnerability carries a CVSS score of 6.3 with exploitation rated as Probable (EPSS indicator); while not currently in CISA KEV, the combination of public POC availability and low attack complexity represents moderate real-world risk.

Unauthenticated attackers can modify arbitrary WordPress posts through the User Frontend plugin (versions up to 4.2.8) due to missing authorization checks in the draft_post() function, allowing them to unpublish or alter post content. The vulnerability affects all installations of the affected plugin versions without requiring authentication or user interaction. No patch is currently available.

CVE-2026-1947 is an Insecure Direct Object Reference vulnerability in NEX-Forms WordPress plugin (versions ≤9.1.9) that allows unauthenticated remote attackers to overwrite arbitrary form entries without any authentication. The vulnerability has a CVSS score of 7.5 and while not currently in KEV or having public POCs, it represents a significant data integrity risk for WordPress sites using this forms plugin.

An Insecure Direct Object Reference (IDOR) vulnerability exists in the Wicked Folders plugin for WordPress (versions up to 4.1.0) within the delete_folders() function, allowing authenticated attackers with Contributor-level privileges to delete arbitrary folders created by other users due to missing validation on user-controlled folder identifiers. The vulnerability has a CVSS score of 4.3 (low-to-moderate severity) with a network attack vector requiring low privilege access and no user interaction. While the CVSS rating is moderate, the practical impact is data loss affecting legitimate users' organizational structures.

The Thim Kit for Elementor plugin for WordPress versions up to 1.3.7 allows unauthenticated attackers to access private and draft LearnPress course content through an improperly secured REST API endpoint that accepts arbitrary post status parameters. The vulnerability stems from missing input validation on the 'thim-ekit/archive-course/get-courses' endpoint, enabling information disclosure to any remote attacker without authentication or user interaction. No patch is currently available for this medium-severity flaw affecting WordPress installations using the vulnerable plugin.

The NEX-Forms Ultimate Forms Plugin for WordPress contains a missing capability check vulnerability in the deactivate_license() function, allowing authenticated attackers with Subscriber-level privileges to deactivate the plugin license without proper authorization. This authorization bypass affects all versions up to and including 9.1.9 and has a CVSS score of 4.3 (Low severity), indicating limited direct impact but meaningful privilege escalation concerns for multi-user WordPress installations.

Microsoft Edge (Chromium-based) for Android contains a spoofing vulnerability that allows attackers to manipulate the presentation of content or identity through a network-based attack requiring user interaction. The vulnerability affects Microsoft Edge on Android devices and has a CVSS score of 5.0, indicating moderate severity with low impact on confidentiality, integrity, and availability. While the CVSS vector indicates User Interaction is Required and Attack Complexity is High, the vulnerability is not currently listed as actively exploited in known vulnerability databases, though the Reliability Rating of Confirmed suggests vendor verification.

Critical authentication bypass vulnerability in Runtipi (versions prior to 4.8.1), a personal homeserver orchestrator, where attackers with stolen credentials can brute-force TOTP codes due to missing rate limiting. The vulnerability allows complete bypass of two-factor authentication in approximately 33 minutes, effectively compromising account security. While not currently in CISA KEV or showing high EPSS scores, the vulnerability has a CVSS 8.1 rating and a patch is available in version 4.8.1.

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting.

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting.

PX4 Autopilot prior to version 1.17.0-rc2 contains a boolean logic error in MAVLink FTP session validation that uses AND (&&) instead of OR (||) operators, allowing attackers to bypass session isolation checks and execute file operations on invalid or closed file descriptors. An unauthenticated attacker on the adjacent network can exploit this vulnerability to destabilize the FTP subsystem, trigger denial-of-service conditions through invalid file descriptor operations, and potentially compromise the integrity of drone flight control systems. While the CVSS score of 4.3 indicates low to moderate severity with availability impact, the safety-critical nature of autopilot systems and the unauthenticated attack vector warrant immediate attention.

CVE-2026-32704 is a security vulnerability (CVSS 6.5). Risk factors: public PoC available.

Socomec DIRIS A-40 power monitoring devices contain an authentication bypass vulnerability in their HTTP API that allows network-adjacent attackers to gain unauthorized access without credentials. The vulnerability affects all versions of the DIRIS A-40 product due to lack of authentication enforcement on the web API listening on TCP port 80, enabling attackers to read sensitive data, modify configurations, and potentially disrupt power monitoring operations. This is a moderate-severity flaw (CVSS 6.3) with low attack complexity that poses real risk in industrial/operational technology environments where these devices are deployed.

Critical authentication bypass vulnerability in Unraid's auth-request.php file that allows remote attackers to gain unauthorized access without credentials through path traversal exploitation. The vulnerability affects all versions of Unraid (CPE indicates no version restrictions) and can be exploited over the network with low complexity, potentially compromising system confidentiality, integrity, and availability. No KEV listing or EPSS data was provided, suggesting this may be a recently disclosed vulnerability without known active exploitation.

CVE-2026-3562 is an authentication bypass vulnerability in Philips Hue Bridge's HAP (HomeKit Accessory Protocol) implementation, specifically within the ed25519_sign_open function that fails to properly verify Ed25519 cryptographic signatures. Network-adjacent attackers can exploit this flaw without authentication to execute arbitrary code on affected Hue Bridge installations. The CVSS score of 6.3 reflects moderate severity with local network access requirements, though the authentication bypass nature elevates real-world risk for smart home environments.

CVE-2026-3559 is an authentication bypass vulnerability in Philips Hue Bridge devices affecting the HomeKit Accessory Protocol implementation, where a static nonce in the SRP authentication mechanism allows network-adjacent attackers to gain unauthorized access without credentials. With a CVSS score of 8.1 and requiring only local network access, attackers can achieve high confidentiality and integrity impact on the affected smart home infrastructure. No active exploitation (not in KEV), POC availability, or EPSS data is currently available.

The Philips Hue Bridge HomeKit Accessory Protocol (HAP) service on TCP port 8080 lacks authentication in transient pairing mode, allowing network-adjacent attackers to bypass authentication and gain unauthorized access without requiring credentials (CVE-2026-3558, CVSS 8.1). This vulnerability affects all versions of Philips Hue Bridge and has been tracked as ZDI-CAN-28374. Real-world risk is elevated due to the low attack complexity, network-adjacent accessibility, and high impact on confidentiality and integrity of the smart lighting system.

IBM CICS Transaction Gateway for Multiplatforms versions 9.3 and 10.1 contain an improper access control vulnerability (CWE-284) that allows local users to transfer or view files without authentication or authorization checks. An attacker with local system access can exploit this flaw to read sensitive data or modify files, resulting in confidentiality and integrity compromise with a CVSS base score of 5.1. This vulnerability affects a critical middleware component used in enterprise transaction processing environments.

Parse Server versions prior to 8.6.40 and 9.6.0-alpha.14 contain an authentication bypass vulnerability in their GraphQL WebSocket subscription endpoint that circumvents Express middleware security controls. An unauthenticated attacker can connect directly to the WebSocket endpoint to execute arbitrary GraphQL operations, perform schema introspection despite disabled public introspection, and send complex queries that bypass rate limiting and complexity validation. This is a network-accessible vulnerability requiring no authentication that exposes sensitive schema information and enables potential denial-of-service attacks.

The soroban-sdk Rust SDK contains a cryptographic comparison vulnerability in Fr (scalar field) types for BN254 and BLS12-381 curves that fails to reduce unreduced field elements modulo the field modulus r before equality comparison. This allows attackers to supply crafted Fr values that are mathematically equal but compare as unequal when unreduced, potentially bypassing security-critical authorization or validation logic in smart contracts. The vulnerability affects versions prior to 22.0.11, 23.5.3, and 25.3.0; with a CVSS score of 5.3 (Medium), it poses moderate risk primarily to contract integrity rather than confidentiality.

LibreChat versions 0.8.2 through 0.8.2-rc3 contain an authentication bypass vulnerability in the Model Context Protocol (MCP) OAuth callback endpoint that allows attackers to steal OAuth tokens by tricking victims into completing an OAuth flow, resulting in account takeover of the victim's MCP-linked services like Atlassian and Outlook. No active exploitation is known (not in KEV), no POC is publicly available, and EPSS data is not yet available for this newly disclosed vulnerability.

An insufficient authorization check in a file replace API allows authenticated users with basic list and replace permissions to delete other users' files by abusing the deleteNewFile flag, bypassing the intended delete permission requirement. This affects any system implementing this vulnerable API pattern where permission checks are not properly enforced at the API endpoint level. While the CVSS score of 4.1 is moderate, the vulnerability requires high privilege level (authenticated user with PERM_REPLACE and PERM_LIST) and results in integrity impact through unauthorized file deletion across user boundaries.

Cryptographic authentication bypass vulnerability in the SM9 implementation of the Go gmsm library (github.com/emmansun/gmsm) that allows attackers to forge valid ciphertexts without knowing any secret keys. An attacker who only knows a target user's ID can craft malicious ciphertexts that decrypt successfully to attacker-controlled plaintext, completely bypassing cryptographic integrity checks. A proof-of-concept exploit is publicly available, and while not currently in CISA KEV, the vulnerability has a CVSS score of 7.5 (High).

Path traversal via dagRunId in DAG execution endpoints.

Apache Livy versions 0.7.0 and 0.8.0 contain an improper input validation vulnerability (CWE-20) that allows authenticated users to bypass file access controls by injecting malicious Spark configuration values when connecting to Apache Spark 3.1 or later. An attacker with access to Livy's REST or JDBC interface can craft requests with arbitrary Spark configuration parameters to gain unauthorized access to files they do not have permissions to read or modify. This vulnerability is of moderate severity (CVSS 6.3) but requires valid authentication and is fixed in version 0.9.0 and later.

CVE-2026-31882 is an authentication bypass vulnerability in Dagu workflow automation engine v2.2.3 and earlier when configured with HTTP Basic authentication, allowing unauthenticated attackers to access all Server-Sent Events (SSE) endpoints and read sensitive workflow data including execution logs, configurations, and potentially exposed credentials. A working proof-of-concept is included in the advisory, and the vendor has released patch v2.2.4 to address the issue.

Missing authentication vulnerability in ABB AWIN industrial gateways (GW100 rev.2 and GW120) that allows attackers on adjacent networks to access critical functions without credentials. With a CVSS score of 8.3 and no EPSS data or KEV listing, this appears to be a newly disclosed vulnerability with no evidence of active exploitation or public POC availability.

Missing authentication vulnerability in ABB AWIN GW100 rev.2 and GW120 gateway devices that allows unauthenticated attackers on the local network to trigger a denial-of-service condition. Affected versions include AWIN GW100 rev.2 (2.0-0, 2.0-1) and AWIN GW120 (1.2-0, 1.2-1). While the CVSS score of 6.5 indicates medium severity, the local attack vector (AV:A) and lack of user interaction requirement suggest this is exploitable by any adjacent network attacker without authentication.

CVE-2025-13777 is an authentication bypass vulnerability in ABB AWIN Gateway devices (GW100 rev.2 and GW120) that allows attackers on adjacent networks to capture and replay authentication credentials without requiring privileges or user interaction. With a CVSS score of 8.3 and no evidence of active exploitation (not in KEV), this vulnerability enables attackers to gain unauthorized access and potentially compromise system confidentiality, integrity, and availability.

A Missing Authorization vulnerability exists in CyberChimps Responsive Blocks responsive-block-editor-addons plugin through version 2.2.0, where incorrectly configured access control allows unauthenticated attackers to perform unauthorized actions. The vulnerability has a CVSS score of 5.3 with a network attack vector and no privileges required, meaning remote attackers can exploit this without authentication to modify content or settings. While the integrity impact is limited (CWE-862: Missing Authorization), the lack of authentication requirements and the plugin's wide deployment in WordPress environments present a moderate real-world risk.

The Lawyer Landing Page plugin through version 1.2.7 contains an authorization bypass vulnerability that allows unauthenticated attackers to modify data due to improper access control configuration. This network-accessible vulnerability could enable attackers to alter content or settings without proper authentication credentials. A patch is not currently available for affected installations.

Improper access control in wptravelengine Travel Booking versions up to 1.3.9 permits unauthenticated attackers to modify data through incorrectly configured authorization checks. An attacker can exploit this vulnerability to tamper with travel booking information without requiring valid credentials or user interaction. No patch is currently available for this medium-severity vulnerability.

Really Simple SSL versions 9.5.7 and earlier contain an authorization bypass flaw that allows unauthenticated remote attackers to modify security settings through improper access control mechanisms. The vulnerability has a medium severity rating with a CVSS score of 5.3 and currently lacks a publicly available patch. Organizations using affected versions should review their SSL security configurations and consider upgrading when patches become available.

Improper access control in Wombat Plugins Advanced Product Fields for WooCommerce through version 1.6.18 allows unauthenticated attackers to modify product addon data due to misconfigured authorization checks. This affects WooCommerce stores using the vulnerable plugin, enabling attackers to alter product information without proper permissions. No patch is currently available.

This is a missing authorization vulnerability in ThemeFusion Avada Core (versions prior to 5.15.0) that allows unauthenticated attackers to modify data through incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 with network attack vector and no privilege requirements, meaning any remote attacker can exploit it without authentication. While the integrity impact is limited (data modification rather than disclosure or system compromise), the lack of authentication requirements and network accessibility make this a practical security concern for websites using vulnerable Avada versions.

This vulnerability is a missing authorization flaw in ThemeFusion Fusion Builder that allows unauthenticated attackers to exploit incorrectly configured access controls to modify content or settings. The issue affects Fusion Builder versions prior to 3.15.0, and the network-accessible nature combined with no authentication requirement means any remote attacker can exploit it without special privileges. While the CVSS score of 5.3 indicates moderate severity with integrity impact but no confidentiality or availability loss, the lack of authentication requirement elevates real-world risk for WordPress sites using affected versions.

Fusion Builder, a WordPress plugin by ThemeFusion, contains a missing authorization vulnerability (CWE-862) that allows authenticated attackers with low privileges to bypass access controls and perform unauthorized actions. Versions prior to 3.15.0 are affected, and attackers can exploit incorrectly configured access control to read, modify, or delete sensitive data. The CVSS 6.3 score reflects moderate severity with network accessibility and low attack complexity, though no public evidence of active KEV inclusion or widespread exploitation has been documented at this time.

Atarim visual collaboration through version 4.3.2 contains an authorization bypass vulnerability that allows authenticated users to modify data they should not have access to due to incorrectly configured access controls. An attacker with valid credentials can exploit this misconfiguration to perform unauthorized modifications within the application. No patch is currently available for this vulnerability.

Inadequate authorization controls in WPForms Contact Form plugin version 1.9.9.3 and earlier permit authenticated users to bypass access restrictions and view sensitive form data. An attacker with low-privileged credentials could leverage misconfigured access controls to access information they should not be permitted to view. No patch is currently available for this vulnerability.

Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Website Builder: from n/a through <= 3.35.5.

E2Pdf versions through 1.28.15 contain a missing authorization vulnerability that allows authenticated users to modify data they should not have access to due to incorrectly configured access control security levels. An attacker with low-level user privileges can exploit this via network access without user interaction to escalate their capabilities and modify unauthorized PDF-related resources. While the CVSS score of 4.3 is moderate and integrity impact is low, the vulnerability represents a classic authorization bypass that could allow privilege escalation or lateral movement within multi-user E2Pdf deployments.

Inadequate access control in WP Food plugin versions below 2.7.1 allows unauthenticated remote attackers to modify data without proper authorization checks. This vulnerability affects WordPress installations using the vulnerable WP Food plugin and could enable attackers to alter plugin functionality or data integrity. No patch is currently available for this issue.

WebGeniusLab BigHearts contains a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to modify data due to incorrectly configured access control security levels. All versions of BigHearts through 3.1.14 are affected, enabling an attacker to bypass authorization checks and perform unauthorized data modification without requiring authentication or user interaction. With a CVSS score of 5.3 and network-accessible attack surface, this vulnerability poses a moderate integrity risk requiring prompt patching.

Improper access control in VW School Education through version 1.4.6 allows unauthenticated remote attackers to modify data by exploiting misconfigured security levels. The vulnerability enables integrity compromise without requiring authentication or user interaction, affecting educational institutions using affected versions.

Improper access control in VW Portfolio up to version 1.3.3 enables unauthenticated attackers to modify data through incorrectly configured security levels. The vulnerability allows integrity compromise without requiring authentication or user interaction, affecting all instances of the affected software versions. No patch is currently available.

Improper access control in VW Photography through version 1.3.8 permits unauthenticated attackers to modify application data due to missing authorization checks on sensitive functions. An attacker can exploit this vulnerability over the network without user interaction to alter content or settings, though confidentiality and availability are not impacted. No patch is currently available for this vulnerability.

VW Pet Shop through version 1.4.7 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data due to improperly configured access controls. An attacker can exploit this to alter information within the application without requiring authentication or user interaction. Currently, no patch is available for this vulnerability.

VW Fitness through version 4.3.4 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. An attacker can exploit this to perform unauthorized actions without requiring authentication or user interaction. No patch is currently available for affected installations.

WP Time Slots Booking Form through version 1.2.42 contains a missing authorization vulnerability that allows unauthenticated attackers to modify booking data through improperly configured access controls. An attacker can exploit this to alter time slot reservations and other critical booking information without authentication. No patch is currently available for this vulnerability.

Popup Like Box versions 3.7.7 and earlier contain an authorization bypass vulnerability that allows unauthenticated attackers to modify content through improperly configured access controls. The vulnerability affects the ays-facebook-popup-likebox plugin and requires no user interaction to exploit. While no patch is currently available, the impact is limited to integrity violations without affecting confidentiality or availability.

VW Education Lite versions 2.2.0 and earlier contain a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to modify data through incorrectly configured access control security levels. An attacker with network access can exploit this vulnerability without requiring authentication or user interaction to perform unauthorized modifications, resulting in integrity compromise but not confidentiality or availability impact. The CVSS 5.3 medium score reflects the network-accessible nature and lack of authentication requirements, though the integrity-only impact limits the overall severity.

Payment Gateway Pix For GiveWP versions 2.2.3 and earlier contain a missing authorization vulnerability that allows unauthenticated remote attackers to modify data through improper access control. An attacker can exploit this flaw to manipulate payment gateway functionality without proper authentication or user interaction. No patch is currently available for this vulnerability affecting GiveWP payment processing installations.

Authenticated users with insufficient access control restrictions in Admin and Site Enhancements (ASE) versions 8.4.0 and earlier can bypass authorization checks to read and modify sensitive data. The vulnerability stems from improperly configured access control levels that fail to enforce proper privilege boundaries. An attacker with valid credentials can exploit this to gain unauthorized access to protected functionality without elevated permissions.

Post Timeline versions 2.4.1 and earlier contain a missing authorization flaw that allows unauthenticated remote attackers to modify data by exploiting improperly configured access controls. The vulnerability enables integrity compromise without requiring user interaction or special privileges. No patch is currently available for this issue.

Pochipp versions below 1.18.9 contain an authorization bypass vulnerability that allows authenticated users to access resources or perform actions beyond their assigned permissions due to improper access control validation. An attacker with valid credentials could exploit this to view sensitive data or modify system configuration they should not have access to. No patch is currently available.

bPlugins PDF Poster through version 2.4.0 contains an authorization bypass vulnerability that allows authenticated users to modify or disrupt PDF operations due to improperly configured access controls. An attacker with valid credentials could exploit this flaw to manipulate data integrity or cause service disruption without proper authorization checks.

Permalink Manager Lite versions prior to 2.5.3 lack proper authorization controls, allowing unauthenticated remote attackers to modify content through incorrectly configured access restrictions. This missing authorization check enables attackers to alter data without authentication, affecting the integrity of managed permalinks. No patch is currently available for this vulnerability.

The WBW Currency Switcher for WooCommerce plugin through version 2.2.5 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify plugin settings and configurations without proper access controls. This vulnerability affects WordPress sites running the vulnerable plugin versions and could enable attackers to alter currency settings or manipulate store functionality. No patch is currently available for this vulnerability.

Forminator through version 1.50.2 contains an authorization bypass that allows unauthenticated attackers to modify data through incorrectly configured access controls. The vulnerability affects WordPress sites using the WPMU DEV Forminator plugin and requires no user interaction to exploit. No patch is currently available for this issue.

Brizy through version 2.7.23 contains a missing authorization flaw that allows authenticated users to access resources or perform actions beyond their assigned permissions due to improperly configured access controls. An attacker with valid credentials can exploit this vulnerability to view sensitive information from other users or accounts. No patch is currently available for this issue.

Improper access control in WPC Smart Wishlist for WooCommerce through version 5.0.8 permits authenticated users to modify wishlist data they should not have authorization to access. An attacker with valid WordPress credentials could exploit misconfigured permission checks to alter or manipulate wishlist information belonging to other users.

WPC Product Bundles for WooCommerce versions through 8.4.5 contains a missing authorization flaw that allows authenticated users to exploit misconfigured access controls and access sensitive information. An attacker with valid WordPress credentials could leverage this vulnerability to view restricted data within the plugin. No patch is currently available for this medium-severity issue affecting WooCommerce installations.

Studio99 WP Monitor versions through 1.0.3 contain a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to modify data or settings due to incorrectly configured access controls. The vulnerability has a CVSS score of 5.3 with a network attack vector requiring no privileges or user interaction, enabling integrity compromise without authentication. There is no indication of active exploitation in the wild or public proof-of-concept code at this time, though the low attack complexity and network accessibility make this a moderate priority for WordPress site administrators running this monitoring plugin.

Image Slider By Ays versions 2.7.1 and earlier contain a missing authorization flaw that allows unauthenticated remote attackers to modify content through improper access control validation. The vulnerability affects the plugin's core functionality and could enable unauthorized changes to website content without proper authentication checks. No patch is currently available.

YMC Filter & Grids through version 3.5.1 contains an authorization bypass that allows unauthenticated remote attackers to modify data due to improperly configured access controls. The vulnerability affects the smart-filter component and could enable unauthorized alterations to filtered content or grid configurations without requiring user interaction or privileges.

RadiusTheme Team versions up to 5.0.13 contain an access control misconfiguration that allows unauthenticated remote attackers to modify data through improper authorization checks. The vulnerability enables integrity compromise without requiring authentication or user interaction, affecting all installations running the affected version range. No patch is currently available.

A Missing Authorization vulnerability (CWE-862) exists in Xpro Addons For Beaver Builder - Lite versions up to 1.5.6, allowing unauthenticated attackers to exploit incorrectly configured access control mechanisms and perform unauthorized modifications. The vulnerability has a CVSS score of 5.3 with a network attack vector requiring no privileges or user interaction, indicating an integrity impact without confidentiality or availability compromise. While the CVSS is moderate, the lack of authentication requirement and network accessibility make this a meaningful risk for WordPress sites using this plugin.

PublishPress Capabilities versions up to 2.31.0 contain an authorization bypass that allows authenticated users to exploit misconfigured access controls and gain unauthorized information disclosure. An attacker with valid credentials could leverage this vulnerability to access sensitive data they are not permitted to view. No patch is currently available for this vulnerability.