Authentication Bypass
Monthly
VillaTheme HAPPY happy-helpdesk-support-ticket-system is affected by missing authorization (CVSS 8.2).
Missing Authorization vulnerability in aDirectory aDirectory adirectory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects aDirectory: from n/a through <= 3.0.3. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in WP Legal Pages WPLegalPages wplegalpages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPLegalPages: from n/a through <= 3.5.4. [CVSS 7.5 HIGH]
sunshinephotocart Sunshine Photo Cart sunshine-photo-cart is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Schedula: from n/a through <= 1.0. [CVSS 5.3 MEDIUM]
Missing Authorization vulnerability in Arya Dhiratara Optimize More! – Images optimize-more-images allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Optimize More! [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in uixthemes Konte konte allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Konte: from n/a through <= 2.4.6. [CVSS 6.5 MEDIUM]
Seraphinite Solutions Seraphinite Accelerator seraphinite-accelerator is affected by missing authorization (CVSS 4.3).
Missing Authorization vulnerability in SecuPress SecuPress Free secupress. This issue affects SecuPress Free: from n/a through <= 2.2.5.3. [CVSS 5.3 MEDIUM]
Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files. This issue affects Shared Files: from n/a through <= 1.7.19. [CVSS 5.3 MEDIUM]
Missing authorization in Dromara RuoYi-Vue-Plus up to version 5.5.3 allows authenticated remote attackers to delete workflow instances without proper access controls via the SaServletFilter component. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. The flaw enables low-impact compromise of workflow data integrity with network accessibility and minimal attack complexity.
Frappe Learning Management System versions 2.44.0 and below allow unauthenticated attackers to retrieve sensitive details about unpublished courses through API endpoints, exposing course content that should remain restricted. This information disclosure vulnerability affects all users of the affected versions, with no patch currently available pending the 2.45.0 release.
OpenClaw versions prior to 2026.2.14 allow authenticated users to bypass group authorization policies by leveraging direct message trust credentials in group contexts, enabling unauthorized access to restricted group conversations. An attacker with valid credentials could exploit improper policy enforcement in iMessage groupPolicy=allowlist configurations to gain unauthorized visibility into protected group communications. A patch is available in version 2026.2.14 and later.
OpenClaw versions before 2026.2.14 allow attackers with execution privileges to bypass command allowlist controls on node host deployments by exploiting a mismatch between validated and executed commands, potentially enabling execution of unapproved system commands. The vulnerability only affects configurations using node host execution paths with allowlist-based security policies and approval prompting. A patch is available in version 2026.2.14 which enforces consistency validation.
OpenClaw's Telnyx voice-call webhook handler fails to validate webhook signatures when the public key is not configured, allowing unauthenticated attackers to forge arbitrary Telnyx events. This affects only deployments with the Voice Call plugin installed, enabled, and publicly accessible, enabling attackers to inject malicious voice-call events into the system. A patch is available.
Cosign provides code signing and transparency for containers and binaries. [CVSS 3.7 LOW]
OpenClaw is a personal AI assistant. [CVSS 7.5 HIGH]
Improper access control in designinvento DirectoryPress up to version 3.6.26 allows authenticated users to modify data and cause service disruptions through misconfigured security levels. An attacker with valid credentials can exploit this vulnerability to manipulate application integrity and availability without requiring user interaction. No patch is currently available for this medium-severity vulnerability.
SeedProd Coming Soon Page plugin versions 6.19.7 and earlier contain a missing authorization vulnerability that allows unauthenticated attackers to modify application content by exploiting improperly configured access controls. An attacker can leverage this flaw to alter website settings without proper authentication, potentially defacing or redirecting traffic on affected sites. No patch is currently available for this vulnerability.
DevsBlink EduBlink versions 2.0.7 and earlier contain an authorization bypass that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability enables integrity compromise without requiring authentication or user interaction, affecting all installations of the vulnerable software versions. No patch is currently available to address this issue.
Authenticated users can modify email configurations in YayMail for WooCommerce through version 4.3.2 due to missing authorization checks on access control settings. An attacker with low-level WordPress user privileges could alter email templates or settings without proper permissions. No patch is currently available for this vulnerability.
Function name collision in Rs Soroban SDK versions prior to 22.0.10, 23.5.2, and 25.1.1 causes the #[contractimpl] macro to invoke incorrect functions when both trait and inherent implementations share identical function names, allowing attackers to exploit logic flaws through public exploit code. Smart contract developers using affected versions risk silent execution of unintended code paths that could compromise contract integrity and security guarantees. Patches are available for all vulnerable versions.
opa-envoy-plugin is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the `input.parsed_path` field is constructed. HTTP request paths are treated as full URIs when parsed, so leading path segments prefixed with double slashes (`//`) are interpreted as authority components and therefore dropped from the parsed path. This creates a path in...
Hardcoded PostgreSQL credentials in Ruckus Network Director OVA < 4.5.0.54.
Unauthenticated attackers can bypass access controls in Alfresco Content Services to retrieve sensitive files from protected directories such as WEB-INF through the /share/page/resource/ endpoint. This vulnerability exposes critical configuration data and credentials without requiring authentication or user interaction. No patch is currently available for this remotely exploitable issue affecting Alfresco deployments.
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. [CVSS 6.5 MEDIUM]
Execution After Redirect + missing auth in BiEticaret CMS.
Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here. [CVSS 5.3 MEDIUM]
Dell PowerProtect Data Manager versions prior to 19.22 contain improper verification of communication channels in the REST API, allowing high-privileged remote attackers to bypass security protections. The vulnerability requires administrative credentials but carries no patch availability, creating ongoing risk for affected deployments.
Inadequate access control in WPAdverts through version 2.2.11 permits authenticated users to access sensitive information they should not be authorized to view. An attacker with valid login credentials could exploit misconfigured permission checks to read confidential data within the plugin. No patch is currently available for this vulnerability.
PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce is affected by missing authorization (CVSS 5.3).
Improper access control in StellarWP iThemes Sync through version 3.2.8 allows authenticated attackers to modify data they should not have permission to access. An attacker with valid login credentials could exploit misconfigured authorization checks to perform unauthorized modifications within the plugin. No patch is currently available for this vulnerability.
Penci AI SmartContent Creator version 2.0 and earlier contains an authorization bypass vulnerability that allows authenticated users to perform unauthorized actions due to improperly configured access controls. An attacker with valid credentials could exploit this to modify data or functionality they should not have access to. No patch is currently available for this issue.
Unauthorized modification of content is possible in WPDeveloper NotificationX through version 3.2.1 due to improper access control checks that allow unauthenticated attackers to manipulate notification data. This vulnerability affects all installations of the plugin without authentication requirements, enabling attackers to alter or inject malicious content. No security patch is currently available.
Dell Unisphere for PowerMax 10.2 lacks proper authorization checks, allowing authenticated remote attackers to bypass access controls and gain unauthorized administrative capabilities. This missing authorization vulnerability (CWE-862) affects users who have any valid account credentials on affected systems. No patch is currently available, making this a critical risk for organizations operating vulnerable PowerMax installations.
AA-Team WZone through version 14.0.31 contains a missing authorization vulnerability that allows authenticated users to bypass access control restrictions. An attacker with valid credentials could exploit this misconfiguration to modify data or cause service unavailability. No patch is currently available for this issue.
Improper access control in uixthemes Sober through version 3.5.12 enables authenticated attackers to modify data or resources they should not have permission to access. An attacker with valid login credentials can bypass authorization checks to perform unauthorized actions. No patch is currently available for this vulnerability.
LeadConnector versions 3.0.21 and earlier contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data due to improperly configured access controls. An attacker can exploit this vulnerability without authentication or user interaction to tamper with application data, though confidentiality and availability are not affected. No patch is currently available for this vulnerability.
creativeinteractivemedia Real 3D FlipBook real3d-flipbook-lite is affected by missing authorization (CVSS 3.8).
MailerLite MailerLite official-mailerlite-sign-up-forms is affected by missing authorization (CVSS 4.3).
UpsellWP versions 2.2.3 and earlier contain an authorization bypass vulnerability that allows authenticated users to access checkout upsell features they should not have permission to modify. An attacker with low-privilege account access could exploit improper access control to manipulate order bump and upsell configurations, potentially affecting store operations and revenue.
blazethemes News Kit Elementor Addons news-kit-elementor-addons is affected by missing authorization (CVSS 4.3).
Inadequate access control in WPBookit Pro through version 1.6.18 permits unauthenticated attackers to modify data by bypassing authorization checks. The vulnerability allows remote attackers without credentials to perform unauthorized actions on the plugin, affecting all installations running the vulnerable versions. No patch is currently available to remediate this issue.
Broken Link Notifier plugin versions 1.3.5 and earlier contain an authorization bypass vulnerability that allows unauthenticated attackers to modify data through improperly configured access controls. An attacker can exploit this flaw to alter link notifications without proper authentication, potentially disrupting the plugin's functionality or manipulating stored information. No patch is currently available for this vulnerability.
Cookiebot versions 4.6.4 and earlier contain an access control bypass that allows authenticated attackers to exploit misconfigured security levels and gain unauthorized access to sensitive information. An attacker with low-level user credentials can leverage this vulnerability to read restricted data without proper authorization. No patch is currently available for this vulnerability.
The echo-knowledge-base plugin through version 16.011.0 fails to properly enforce access controls, enabling authenticated users to modify content they should not have permission to change. An attacker with valid login credentials could exploit misconfigured authorization rules to alter documentation or FAQ entries within the knowledge base system.
CryoutCreations Serious Slider cryout-serious-slider is affected by missing authorization (CVSS 4.3).
Insufficient access control in ikreatethemes Business Roy versions up to 1.1.4 enables authenticated users to modify data they should not have permission to access. An attacker with valid credentials could exploit misconfigured security levels to perform unauthorized changes within the application. No patch is currently available for this vulnerability.
Sparklewpthemes Fitness FSE plugin versions up to 1.0.6 contains a missing authorization check that allows authenticated users to modify content they should not have access to. An attacker with low-level user privileges can exploit this access control misconfiguration to alter website data without proper permission.
Unauthorized data modification in Hello FSE WordPress theme version 1.0.6 and earlier results from improper access control enforcement. Authenticated users can exploit this vulnerability to make unauthorized changes to website content or settings without proper permission checks.
WP Wand AI Content Generation plugin for WordPress versions up to 1.3.07 contains an authorization bypass that allows authenticated users to modify or disable plugin functionality through improper access control enforcement. An attacker with user-level credentials can exploit this vulnerability to cause service disruption or data integrity issues. No patch is currently available.
Inadequate access control in scripteo Ads Pro plugin version 5.0 and earlier enables authenticated attackers to modify data and cause service disruptions through misconfigured security levels. An attacker with valid credentials can exploit this vulnerability to bypass authorization checks and alter plugin functionality without administrative privileges. No patch is currently available.
Elementor Image Optimizer by Elementor image-optimization is affected by missing authorization (CVSS 4.3).
Elementor Ally versions up to 4.0.2 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify content through improperly configured access controls. The vulnerability has a network attack vector with low complexity and no user interaction required, potentially enabling unauthorized alterations to website content. No patch is currently available.
WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite is affected by missing authorization (CVSS 4.3).
Inadequate access control in raratheme Spa and Salon plugin versions 1.3.2 and earlier permits unauthorized users to modify sensitive data through improperly configured security levels. An unauthenticated remote attacker can exploit this vulnerability to perform unauthorized actions without authentication. No patch is currently available for this vulnerability.
Kodezen Academy LMS versions up to 3.5.3 contain an access control misconfiguration that allows authenticated users to modify data they should not have permission to access. An attacker with valid credentials can exploit this missing authorization check to perform unauthorized changes, though no public exploit code or active exploitation has been reported. No patch is currently available for this vulnerability.
codepeople Calculated Fields Form calculated-fields-form is affected by missing authorization (CVSS 6.5).
NooTheme CitiLights versions below 3.7.2 contain an authorization bypass that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability enables unauthorized state changes without requiring user interaction or elevated privileges. A patch is not currently available for this vulnerability.
BoldGrid Client Invoicing by Sprout Invoices sprout-invoices is affected by missing authorization (CVSS 5.3).
FooGallery through version 3.1.11 contains a missing authorization check that allows authenticated users to modify gallery content they should not have access to. An attacker with valid login credentials can exploit improperly configured access controls to alter galleries, potentially defacing or corrupting gallery data. No patch is currently available.
Improper access control in Alt Text AI versions up to 1.10.15 enables unauthenticated remote attackers to cause denial of service through misconfigured authorization checks. The vulnerability allows an attacker to disrupt service availability without requiring authentication or user interaction. No patch is currently available for this issue.
Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant is affected by missing authorization (CVSS 5.3).
Coachify plugin versions 1.1.5 and earlier contain an authorization bypass that allows unauthenticated remote attackers to exploit misconfigured access controls. This vulnerability enables denial of service attacks without requiring user interaction or authentication.
Ays Pro Secure Copy Content Protection and Content Locking secure-copy-content-protection is affected by missing authorization (CVSS 4.3).
The Shopwell theme for Shopify versions 1.0.11 and earlier contains improper access control that allows unauthenticated remote attackers to view sensitive information through incorrectly configured authorization checks. This vulnerability exposes confidential data without requiring authentication or user interaction. No patch is currently available.
Fahad Mahmood Endless Posts Navigation endless-posts-navigation is affected by missing authorization (CVSS 5.3).
PublishPress PublishPress Authors publishpress-authors is affected by missing authorization (CVSS 4.3).
ExpressTech Systems Quiz And Survey Master quiz-master-next is affected by missing authorization (CVSS 4.3).
ExpressTech Systems Quiz And Survey Master quiz-master-next is affected by authorization bypass through user-controlled key (CVSS 5.3).
Improper access control in MiKa OSM through version 6.1.12 allows authenticated users to modify data or settings they should not have permission to access. An attacker with valid credentials could exploit misconfigured security levels to escalate privileges or alter system configuration. No patch is currently available for this vulnerability.
Insufficient access control in SupportCandy plugin versions 3.4.4 and earlier allows unauthenticated remote attackers to modify data through improperly configured security permissions. This vulnerability affects WordPress installations using the vulnerable plugin, enabling attackers to perform unauthorized actions without requiring authentication. No patch is currently available for this issue.
Cool Plugins Elementor Contact Form DB sb-elementor-contact-form-db is affected by missing authorization (CVSS 5.3).
hcaptcha hCaptcha for WP hcaptcha-for-forms-and-more is affected by missing authorization (CVSS 5.3).
WP Messiah TOP Table Of Contents top-table-of-contents is affected by missing authorization (CVSS 4.3).
FluentForm versions 6.1.14 and earlier contain an access control bypass that allows authenticated users to perform unauthorized modifications. An attacker with valid credentials can exploit improperly configured security levels to alter data they should not have access to. No patch is currently available.
Improper access control in 10up Autoshare for Twitter through version 2.3.1 enables authenticated users to modify or disable sharing functionality without proper authorization checks. An attacker with limited privileges could exploit this vulnerability to disrupt social media publishing workflows or cause service unavailability for legitimate users. No patch is currently available for this medium-severity vulnerability.
Improper access control in wp.insider Simple Membership plugin versions 4.6.9 and earlier allows authenticated users to bypass security level restrictions and modify content they should not have access to. An attacker with valid credentials can exploit misconfigured access controls to escalate privileges within the plugin. No patch is currently available for this vulnerability.
N-Media Frontend File Manager nmedia-user-file-uploader is affected by authorization bypass through user-controlled key (CVSS 5.3).
Improper access control in madalin.ungureanu Client Portal versions up to 1.2.1 allows authenticated users to modify data they should not have access to due to incorrectly configured security levels. An attacker with valid credentials can exploit this missing authorization check to perform unauthorized modifications, though no patch is currently available.
Kraft Plugins Wheel of Life version 1.2.0 and earlier contains a missing authorization vulnerability that allows unauthenticated remote attackers to modify data through incorrectly configured access controls. The vulnerability enables integrity attacks against affected installations without requiring user interaction. No patch is currently available.
BBR Plugins Better Business Reviews better-business-reviews is affected by missing authorization (CVSS 5.4).
DirectoryPress through version 3.6.25 contains an access control bypass that allows unauthenticated attackers to modify data due to improperly configured authorization checks. An attacker can exploit this vulnerability over the network without authentication or user interaction to alter information in affected installations. No patch is currently available for this vulnerability.
cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by missing authorization (CVSS 7.1).
Aruba.it Dev Aruba HiSpeed Cache aruba-hispeed-cache is affected by missing authorization (CVSS 6.5).
WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite is affected by missing authorization (CVSS 5.3).
Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Mail Mint: from n/a through <= 1.19.4.
Dell PowerProtect Data Manager versions prior to 19.22 contain improper verification of REST API communication channels that allows high-privileged remote attackers to bypass security protections. The vulnerability requires administrative credentials and network access, enabling authenticated attackers to circumvent established security controls. No patch is currently available.
An authentication bypass vulnerability has been found in Thesamur's AutoGPT. This vulnerability allows an attacker to bypass authentication mechanisms.
A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did ...
Improper access control in uixthemes Sober through version 3.5.12 enables authenticated attackers to modify data or resources they should not have permission to access. An attacker with valid login credentials can bypass authorization checks to perform unauthorized actions. No patch is currently available for this vulnerability.
LeadConnector versions 3.0.21 and earlier contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data due to improperly configured access controls. An attacker can exploit this vulnerability without authentication or user interaction to tamper with application data, though confidentiality and availability are not affected. No patch is currently available for this vulnerability.
creativeinteractivemedia Real 3D FlipBook real3d-flipbook-lite is affected by missing authorization (CVSS 3.8).
MailerLite MailerLite official-mailerlite-sign-up-forms is affected by missing authorization (CVSS 4.3).
UpsellWP versions 2.2.3 and earlier contain an authorization bypass vulnerability that allows authenticated users to access checkout upsell features they should not have permission to modify. An attacker with low-privilege account access could exploit improper access control to manipulate order bump and upsell configurations, potentially affecting store operations and revenue.
blazethemes News Kit Elementor Addons news-kit-elementor-addons is affected by missing authorization (CVSS 4.3).
Inadequate access control in WPBookit Pro through version 1.6.18 permits unauthenticated attackers to modify data by bypassing authorization checks. The vulnerability allows remote attackers without credentials to perform unauthorized actions on the plugin, affecting all installations running the vulnerable versions. No patch is currently available to remediate this issue.
Broken Link Notifier plugin versions 1.3.5 and earlier contain an authorization bypass vulnerability that allows unauthenticated attackers to modify data through improperly configured access controls. An attacker can exploit this flaw to alter link notifications without proper authentication, potentially disrupting the plugin's functionality or manipulating stored information. No patch is currently available for this vulnerability.
Cookiebot versions 4.6.4 and earlier contain an access control bypass that allows authenticated attackers to exploit misconfigured security levels and gain unauthorized access to sensitive information. An attacker with low-level user credentials can leverage this vulnerability to read restricted data without proper authorization. No patch is currently available for this vulnerability.
The echo-knowledge-base plugin through version 16.011.0 fails to properly enforce access controls, enabling authenticated users to modify content they should not have permission to change. An attacker with valid login credentials could exploit misconfigured authorization rules to alter documentation or FAQ entries within the knowledge base system.
CryoutCreations Serious Slider cryout-serious-slider is affected by missing authorization (CVSS 4.3).
Insufficient access control in ikreatethemes Business Roy versions up to 1.1.4 enables authenticated users to modify data they should not have permission to access. An attacker with valid credentials could exploit misconfigured security levels to perform unauthorized changes within the application. No patch is currently available for this vulnerability.
Sparklewpthemes Fitness FSE plugin versions up to 1.0.6 contain a missing authorization check that allows authenticated users to modify content they should not have access to. An attacker with low-level user privileges can exploit this access control misconfiguration to alter website data without proper permission.
Unauthorized data modification in Hello FSE WordPress theme version 1.0.6 and earlier results from improper access control enforcement. Authenticated users can exploit this vulnerability to make unauthorized changes to website content or settings without proper permission checks.
WP Wand AI Content Generation plugin for WordPress versions up to 1.3.07 contains an authorization bypass that allows authenticated users to modify or disable plugin functionality through improper access control enforcement. An attacker with user-level credentials can exploit this vulnerability to cause service disruption or data integrity issues. No patch is currently available.
Inadequate access control in scripteo Ads Pro plugin version 5.0 and earlier enables authenticated attackers to modify data and cause service disruptions through misconfigured security levels. An attacker with valid credentials can exploit this vulnerability to bypass authorization checks and alter plugin functionality without administrative privileges. No patch is currently available.
Elementor Image Optimizer by Elementor image-optimization is affected by missing authorization (CVSS 4.3).
Elementor Ally versions up to 4.0.2 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify content through improperly configured access controls. The vulnerability has a network attack vector with low complexity and no user interaction required, potentially enabling unauthorized alterations to website content. No patch is currently available.
WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite is affected by missing authorization (CVSS 4.3).
Inadequate access control in raratheme Spa and Salon plugin versions 1.3.2 and earlier permits unauthorized users to modify sensitive data through improperly configured security levels. An unauthenticated remote attacker can exploit this vulnerability to perform unauthorized actions without authentication. No patch is currently available for this vulnerability.
Kodezen Academy LMS versions up to 3.5.3 contain an access control misconfiguration that allows authenticated users to modify data they should not have permission to access. An attacker with valid credentials can exploit this missing authorization check to perform unauthorized changes, though no public exploit code or active exploitation has been reported. No patch is currently available for this vulnerability.
codepeople Calculated Fields Form calculated-fields-form is affected by missing authorization (CVSS 6.5).
NooTheme CitiLights versions below 3.7.2 contain an authorization bypass that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability enables unauthorized state changes without requiring user interaction or elevated privileges. A patch is not currently available for this vulnerability.
BoldGrid Client Invoicing by Sprout Invoices sprout-invoices is affected by missing authorization (CVSS 5.3).
FooGallery through version 3.1.11 contains a missing authorization check that allows authenticated users to modify gallery content they should not have access to. An attacker with valid login credentials can exploit improperly configured access controls to alter galleries, potentially defacing or corrupting gallery data. No patch is currently available.
Improper access control in Alt Text AI versions up to 1.10.15 enables unauthenticated remote attackers to cause denial of service through misconfigured authorization checks. The vulnerability allows an attacker to disrupt service availability without requiring authentication or user interaction. No patch is currently available for this issue.
Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant is affected by missing authorization (CVSS 5.3).
Coachify plugin versions 1.1.5 and earlier contain an authorization bypass that allows unauthenticated remote attackers to exploit misconfigured access controls. This vulnerability enables denial of service attacks without requiring user interaction or authentication.
Ays Pro Secure Copy Content Protection and Content Locking secure-copy-content-protection is affected by missing authorization (CVSS 4.3).
The Shopwell theme for Shopify versions 1.0.11 and earlier contains improper access control that allows unauthenticated remote attackers to view sensitive information through incorrectly configured authorization checks. This vulnerability exposes confidential data without requiring authentication or user interaction. No patch is currently available.
Fahad Mahmood Endless Posts Navigation endless-posts-navigation is affected by missing authorization (CVSS 5.3).
PublishPress PublishPress Authors publishpress-authors is affected by missing authorization (CVSS 4.3).
ExpressTech Systems Quiz And Survey Master quiz-master-next is affected by missing authorization (CVSS 4.3).
ExpressTech Systems Quiz And Survey Master quiz-master-next is affected by authorization bypass through user-controlled key (CVSS 5.3).
Improper access control in MiKa OSM through version 6.1.12 allows authenticated users to modify data or settings they should not have permission to access. An attacker with valid credentials could exploit misconfigured security levels to escalate privileges or alter system configuration. No patch is currently available for this vulnerability.
Insufficient access control in SupportCandy plugin versions 3.4.4 and earlier allows unauthenticated remote attackers to modify data through improperly configured security permissions. This vulnerability affects WordPress installations using the vulnerable plugin, enabling attackers to perform unauthorized actions without requiring authentication. No patch is currently available for this issue.
Cool Plugins Elementor Contact Form DB sb-elementor-contact-form-db is affected by missing authorization (CVSS 5.3).
hcaptcha hCaptcha for WP hcaptcha-for-forms-and-more is affected by missing authorization (CVSS 5.3).
WP Messiah TOP Table Of Contents top-table-of-contents is affected by missing authorization (CVSS 4.3).
FluentForm versions 6.1.14 and earlier contain an access control bypass that allows authenticated users to perform unauthorized modifications. An attacker with valid credentials can exploit improperly configured security levels to alter data they should not have access to. No patch is currently available.
Improper access control in 10up Autoshare for Twitter through version 2.3.1 enables authenticated users to modify or disable sharing functionality without proper authorization checks. An attacker with limited privileges could exploit this vulnerability to disrupt social media publishing workflows or cause service unavailability for legitimate users. No patch is currently available for this medium-severity vulnerability.
Improper access control in wp.insider Simple Membership plugin versions 4.6.9 and earlier allows authenticated users to bypass security level restrictions and modify content they should not have access to. An attacker with valid credentials can exploit misconfigured access controls to escalate privileges within the plugin. No patch is currently available for this vulnerability.
N-Media Frontend File Manager nmedia-user-file-uploader is affected by authorization bypass through user-controlled key (CVSS 5.3).
Improper access control in madalin.ungureanu Client Portal versions up to 1.2.1 allows authenticated users to modify data they should not have access to due to incorrectly configured security levels. An attacker with valid credentials can exploit this missing authorization check to perform unauthorized modifications, though no patch is currently available.
Kraft Plugins Wheel of Life version 1.2.0 and earlier contains a missing authorization vulnerability that allows unauthenticated remote attackers to modify data through incorrectly configured access controls. The vulnerability enables integrity attacks against affected installations without requiring user interaction. No patch is currently available.
BBR Plugins Better Business Reviews better-business-reviews is affected by missing authorization (CVSS 5.4).
DirectoryPress through version 3.6.25 contains an access control bypass that allows unauthenticated attackers to modify data due to improperly configured authorization checks. An attacker can exploit this vulnerability over the network without authentication or user interaction to alter information in affected installations. No patch is currently available for this vulnerability.
cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by missing authorization (CVSS 7.1).
Aruba.it Dev Aruba HiSpeed Cache aruba-hispeed-cache is affected by missing authorization (CVSS 6.5).
WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite is affected by missing authorization (CVSS 5.3).
Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Mail Mint: from n/a through <= 1.19.4.
Dell PowerProtect Data Manager versions prior to 19.22 contain improper verification of REST API communication channels that allows high-privileged remote attackers to bypass security protections. The vulnerability requires administrative credentials and network access, enabling authenticated attackers to circumvent established security controls. No patch is currently available.
An authentication bypass vulnerability has been found in Thesamur's AutoGPT. This vulnerability allows an attacker to bypass authentication mechanisms.
A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did ...