Authentication Bypass
Monthly
Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker is affected by missing authorization (CVSS 8.8).
Missing authorization controls in Easy Form Builder versions 3.9.6 and earlier enable authenticated attackers to exploit improperly configured access restrictions and gain unauthorized capabilities. An attacker with valid credentials can bypass intended security boundaries to read, modify, or delete form data and configurations they should not have access to. No patch is currently available for this vulnerability affecting the Easy Form Builder plugin.
AbsolutePlugins Absolute Addons For Elementor absolute-addons is affected by missing authorization (CVSS 4.3).
Mikado-Themes Wanderland version 1.5 and earlier contains an authorization bypass that allows unauthenticated remote attackers to access restricted functionality due to improperly configured access controls. The vulnerability enables information disclosure with no patch currently available.
The Don Peppe WordPress theme version 1.3 and earlier contains inadequate access control validation that permits authenticated users to access sensitive information they should not have permission to view. An attacker with valid login credentials could exploit this misconfiguration to retrieve confidential data, though the impact is limited to information disclosure without the ability to modify or delete content.
Select-Themes Prowess through version 1.8.1 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to access sensitive information due to improperly configured access controls. An attacker can exploit this flaw to read confidential data without requiring authentication or user interaction. No patch is currently available for this vulnerability.
The Apimo Connector plugin for WordPress versions 2.6.4 and earlier contains an authorization bypass that allows unauthenticated attackers to access sensitive information through improperly configured access controls. An attacker can exploit this vulnerability over the network without user interaction to read confidential data from the affected application. No patch is currently available for this vulnerability.
Mikado-Themes Verdure verdure is affected by authorization bypass through user-controlled key (CVSS 5.4).
Elated-Themes Sweet Jane sweetjane is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Dolcino dolcino is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Justicia justicia is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Roam through version 2.1.1 contains an authorization bypass vulnerability where attackers with valid user credentials can manipulate access control mechanisms to gain unauthorized access to sensitive functionality. This authentication-required vulnerability allows authenticated users to circumvent properly configured security levels through user-controlled parameters. No patch is currently available for this issue.
Mikado-Themes Overton overton is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Innovio innovio is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Holmes holmes is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Fleur fleur is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Fiorello fiorello is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Curly curly is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Cocco cocco is affected by authorization bypass through user-controlled key (CVSS 5.4).
Tasos Fel Civic Cookie Control civic-cookie-control-8 is affected by missing authorization (CVSS 5.3).
Powerscale Onefs versions up to 9.13.0.0 are affected by improper restriction of excessive authentication attempts (CVSS 8.1).
NSquared Simply Schedule Appointments simply-schedule-appointments is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PostX: from n/a through <= 5.0.3. [CVSS 7.5 HIGH]
Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broadstreet Ads: from n/a through <= 1.52.1. [CVSS 7.6 HIGH]
Leap13 Premium Addons for Elementor premium-addons-for-elementor is affected by missing authorization (CVSS 5.4).
Missing Authorization vulnerability in e-plugins Real Estate Pro real-estate-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Real Estate Pro: from n/a through <= 2.1.5. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingHub: from n/a through <= 1.2.7. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Listihub: from n/a through <= 1.0.6. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins fitness-trainer fitness-trainer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects fitness-trainer: from n/a through <= 1.7.1. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins Final User final-user allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Final User: from n/a through <= 1.2.5. [CVSS 7.3 HIGH]
e-plugins Hospital Doctor Directory hospital-doctor-directory is affected by missing authorization (CVSS 7.3).
Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Listing: from n/a through <= 1.4.2. [CVSS 7.3 HIGH]
e-plugins Institutions Directory institutions-directory is affected by missing authorization (CVSS 7.3).
Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.4. [CVSS 7.3 HIGH]
Workreap Core WordPress plugin has an authentication bypass allowing unauthenticated users to access protected functionality through an alternate authentication path.
designthemes Reservation Plugin dt-reservation-plugin is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in solacewp Solace solace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Solace: from n/a through <= 2.1.16. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in vrpr WDV One Page Docs wdv-one-page-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WDV One Page Docs: from n/a through <= 1.2.4. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Scalenut Scalenut scalenut allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Scalenut: from n/a through <= 1.1.3. [CVSS 7.5 HIGH]
Missing Authorization vulnerability in averta Depicter Slider depicter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Depicter Slider: from n/a through <= 4.0.4. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Icegram Icegram icegram allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Icegram: from n/a through <= 3.1.35. [CVSS 6.5 MEDIUM]
Ninja Team GDPR CCPA Compliance Support ninja-gdpr-compliance is affected by missing authorization (CVSS 6.5).
Merv Barrett Easy Property Listings easy-property-listings is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Listing: from n/a through <= 1.4.2. [CVSS 7.6 HIGH]
e-plugins Institutions Directory institutions-directory is affected by missing authorization (CVSS 7.6).
e-plugins Hospital Doctor Directory hospital-doctor-directory is affected by missing authorization (CVSS 7.6).
Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP BackItUp: from n/a through <= 2.0.0. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in WANotifier WANotifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through <= 2.7.12. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in cleverplugins SEO Booster seo-booster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SEO Booster: from n/a through <= 6.1.8. [CVSS 6.5 MEDIUM]
Order Listener for WooCommerce has a missing authorization vulnerability enabling unauthenticated access to order data and administrative functions.
Missing Authorization vulnerability in Codeless Slider Templates slider-templates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Slider Templates: from n/a through <= 1.0.3. [CVSS 6.5 MEDIUM]
Event Espresso Event Espresso 4 Decaf event-espresso-decaf is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shown Connector: from n/a through <= 1.2.10. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.3. [CVSS 7.6 HIGH]
Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.6. [CVSS 8.2 HIGH]
peachpayments Peach Payments Gateway wc-peach-payments-gateway is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tickera: from n/a through <= 3.5.6.2. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in merkulove Crumber crumber-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crumber: from n/a through <= 1.0.10. [CVSS 5.4 MEDIUM]
merkulove Comparimager for Elementor comparimager-elementor is affected by missing authorization (CVSS 5.4).
Missing Authorization vulnerability in merkulove Scroller scroller allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Scroller: from n/a through <= 2.0.2. [CVSS 5.4 MEDIUM]
Missing Authorization vulnerability in merkulove Uper for Elementor uper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uper for Elementor: from n/a through <= 1.0.5. [CVSS 5.4 MEDIUM]
Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Audier For Elementor: from n/a through <= 1.0.9. [CVSS 5.4 MEDIUM]
merkulove Motionger for Elementor motionger-elementor is affected by missing authorization (CVSS 8.8).
Missing Authorization vulnerability in merkulove Searcher for Elementor searcher-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Searcher for Elementor: from n/a through <= 1.0.3. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in merkulove Carter for Elementor carter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Carter for Elementor: from n/a through <= 1.0.2. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in merkulove Imager for Elementor imager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Imager for Elementor: from n/a through <= 2.0.4. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in wproyal Bard bard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bard: from n/a through <= 2.229. [CVSS 8.8 HIGH]
Payment Gateway bKash for WooCommerce has a missing authorization vulnerability allowing attackers to exploit incorrect access controls for privilege escalation.
Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Electron: from n/a through <= 1.8.2. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects xSmart: from n/a through <= 1.2.9.4. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HomeLancer: from n/a through <= 1.0.1. [CVSS 8.8 HIGH]
Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4. [CVSS 8.1 HIGH]
The anti-theft protection mechanism can be bypassed by attackers due to weak response generation algorithms for the head unit. It is possible to reveal all 32 corresponding responses by sniffing CAN traffic or by pre-calculating the values, which allows the protection to be bypassed. [CVSS 4.0 MEDIUM]
SmarterTools SmarterMail prior to build 9511 contains a critical authentication bypass in the password reset API (CVE-2026-23760) that allows unauthenticated attackers to reset system administrator passwords without verification. With EPSS 65% and KEV listing, this trivially exploitable vulnerability enables complete email server takeover, compromising all hosted mailboxes and organizational communications.
NervesHub OTA firmware management has a weak random number generation vulnerability that allows attackers to predict firmware update tokens and push malicious updates.
Solvera Software Services Trade Inc. Teknoera is affected by authorization bypass through user-controlled key (CVSS 7.5).
EXERT Computer Technologies Software Ltd. Co. Education Management System is affected by authorization bypass through user-controlled key (CVSS 7.5).
Meetinghub Paperless Meetings is affected by missing authentication for critical function (CVSS 5.3).
Horilla HRMS 1.4.0 contains insufficient server-side authorization checks that permit low-privileged employees to self-approve documents they have submitted, bypassing intended administrative-only controls. Public exploit code exists for this vulnerability, enabling standard users to alter HR application state and potentially submit unvetted credentials or certifications. The integrity of HR document workflows is compromised as employees can modify approval statuses reserved for administrators.
Horilla HRMS versions prior to 1.5.0 allow authenticated attackers to bypass two-factor authentication due to improper OTP validation that treats missing OTP fields as valid when the OTP has expired. Public exploit code exists for this vulnerability, enabling attackers with user credentials to gain unauthorized access to accounts, particularly administrative accounts with access to sensitive HR data and employee records. An attacker exploiting this flaw could manipulate employee information and compromise system-wide operations.
Horilla HRMS versions 1.4.0 and above allow unauthenticated access to unpublished job postings through the /recruitment/recruitment-details/ endpoint, exposing draft job titles, descriptions, and application workflows. An attacker can leverage public exploit code to view sensitive internal hiring information and access recruitment processes for unpublished positions. The vulnerability affects all users with network access to affected Horilla instances and has been patched in version 1.5.0.
Horilla is a free and open source Human Resource Management System (HRMS). [CVSS 4.3 MEDIUM]
The sm-crypto JavaScript library has a private key recovery vulnerability in its SM2 implementation, allowing attackers to extract secret keys from signatures.
Mastodon is a free, open-source social network server based on ActivityPub. [CVSS 6.5 MEDIUM]
Suspended remote users in Mastodon can bypass suspension restrictions and have their posts appear in timelines through boosting and post processing logic errors. This affects all Mastodon versions for older posts, with additional bypass capabilities in versions 4.5.0-4.5.4, 4.4.5-4.4.11, 4.3.13-4.3.17, and 4.2.26-4.2.29, allowing suspended users to inject new content into the system. No patch is currently available for this integrity issue.
DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack credentials and gain unauthorized access.
Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. [CVSS 5.3 MEDIUM]
Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious repositories that redirect API calls to attacker-controlled servers before the trust confirmation dialog appears. When a victim opens an infected repository, the tool automatically reads malicious configuration settings and sends API requests containing credentials before displaying any security prompt, enabling credential theft. Users should upgrade to version 2.0.65 or later, though auto-update users have already received the patch.
EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. [CVSS 4.3 MEDIUM]
Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. [CVSS 8.2 HIGH]
Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker is affected by missing authorization (CVSS 8.8).
Missing authorization controls in Easy Form Builder versions 3.9.6 and earlier enable authenticated attackers to exploit improperly configured access restrictions and gain unauthorized capabilities. An attacker with valid credentials can bypass intended security boundaries to read, modify, or delete form data and configurations they should not have access to. No patch is currently available for this vulnerability affecting the Easy Form Builder plugin.
AbsolutePlugins Absolute Addons For Elementor absolute-addons is affected by missing authorization (CVSS 4.3).
Mikado-Themes Wanderland version 1.5 and earlier contains an authorization bypass that allows unauthenticated remote attackers to access restricted functionality due to improperly configured access controls. The vulnerability enables information disclosure with no patch currently available.
The Don Peppe WordPress theme version 1.3 and earlier contains inadequate access control validation that permits authenticated users to access sensitive information they should not have permission to view. An attacker with valid login credentials could exploit this misconfiguration to retrieve confidential data, though the impact is limited to information disclosure without the ability to modify or delete content.
Select-Themes Prowess through version 1.8.1 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to access sensitive information due to improperly configured access controls. An attacker can exploit this flaw to read confidential data without requiring authentication or user interaction. No patch is currently available for this vulnerability.
The Apimo Connector plugin for WordPress versions 2.6.4 and earlier contains an authorization bypass that allows unauthenticated attackers to access sensitive information through improperly configured access controls. An attacker can exploit this vulnerability over the network without user interaction to read confidential data from the affected application. No patch is currently available for this vulnerability.
Mikado-Themes Verdure verdure is affected by authorization bypass through user-controlled key (CVSS 5.4).
Elated-Themes Sweet Jane sweetjane is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Dolcino dolcino is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Justicia justicia is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Roam through version 2.1.1 contains an authorization bypass vulnerability where attackers with valid user credentials can manipulate access control mechanisms to gain unauthorized access to sensitive functionality. This authentication-required vulnerability allows authenticated users to circumvent properly configured security levels through user-controlled parameters. No patch is currently available for this issue.
Mikado-Themes Overton overton is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Innovio innovio is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Holmes holmes is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Fleur fleur is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Fiorello fiorello is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Curly curly is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Cocco cocco is affected by authorization bypass through user-controlled key (CVSS 5.4).
Tasos Fel Civic Cookie Control civic-cookie-control-8 is affected by missing authorization (CVSS 5.3).
Powerscale Onefs versions up to 9.13.0.0 is affected by improper restriction of excessive authentication attempts (CVSS 8.1).
NSquared Simply Schedule Appointments simply-schedule-appointments is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 5.0.3. [CVSS 7.5 HIGH]
Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broadstreet Ads: from n/a through <= 1.52.1. [CVSS 7.6 HIGH]
Leap13 Premium Addons for Elementor premium-addons-for-elementor is affected by missing authorization (CVSS 5.4).
Missing Authorization vulnerability in e-plugins Real Estate Pro real-estate-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Real Estate Pro: from n/a through <= 2.1.5. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingHub: from n/a through <= 1.2.7. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Listihub: from n/a through <= 1.0.6. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins fitness-trainer fitness-trainer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects fitness-trainer: from n/a through <= 1.7.1. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins Final User final-user allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Final User: from n/a through <= 1.2.5. [CVSS 7.3 HIGH]
e-plugins Hospital Doctor Directory hospital-doctor-directory is affected by missing authorization (CVSS 7.3).
Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Listing: from n/a through <= 1.4.2. [CVSS 7.3 HIGH]
e-plugins Institutions Directory institutions-directory is affected by missing authorization (CVSS 7.3).
Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lawyer Directory: from n/a through <= 1.3.4. [CVSS 7.3 HIGH]
Workreap Core WordPress plugin has an authentication bypass allowing unauthenticated users to access protected functionality through an alternate authentication path.
designthemes Reservation Plugin dt-reservation-plugin is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in solacewp Solace solace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Solace: from n/a through <= 2.1.16. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in vrpr WDV One Page Docs wdv-one-page-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WDV One Page Docs: from n/a through <= 1.2.4. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Scalenut Scalenut scalenut allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Scalenut: from n/a through <= 1.1.3. [CVSS 7.5 HIGH]
Missing Authorization vulnerability in averta Depicter Slider depicter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Depicter Slider: from n/a through <= 4.0.4. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Icegram Icegram icegram allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Icegram: from n/a through <= 3.1.35. [CVSS 6.5 MEDIUM]
Ninja Team GDPR CCPA Compliance Support ninja-gdpr-compliance is affected by missing authorization (CVSS 6.5).
Merv Barrett Easy Property Listings easy-property-listings is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Listing: from n/a through <= 1.4.2. [CVSS 7.6 HIGH]
e-plugins Institutions Directory institutions-directory is affected by missing authorization (CVSS 7.6).
e-plugins Hospital Doctor Directory hospital-doctor-directory is affected by missing authorization (CVSS 7.6).
Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP BackItUp: from n/a through <= 2.0.0. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in WANotifier WANotifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WANotifier: from n/a through <= 2.7.12. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in cleverplugins SEO Booster seo-booster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEO Booster: from n/a through <= 6.1.8. [CVSS 6.5 MEDIUM]
Order Listener for WooCommerce has a missing authorization vulnerability enabling unauthenticated access to order data and administrative functions.
Missing Authorization vulnerability in Codeless Slider Templates slider-templates allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Slider Templates: from n/a through <= 1.0.3. [CVSS 6.5 MEDIUM]
Event Espresso Event Espresso 4 Decaf event-espresso-decaf is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shown Connector: from n/a through <= 1.2.10. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lawyer Directory: from n/a through <= 1.3.3. [CVSS 7.6 HIGH]
Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.6. [CVSS 8.2 HIGH]
peachpayments Peach Payments Gateway wc-peach-payments-gateway is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.2. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in merkulove Crumber crumber-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crumber: from n/a through <= 1.0.10. [CVSS 5.4 MEDIUM]
merkulove Comparimager for Elementor comparimager-elementor is affected by missing authorization (CVSS 5.4).
Missing Authorization vulnerability in merkulove Scroller scroller allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Scroller: from n/a through <= 2.0.2. [CVSS 5.4 MEDIUM]
Missing Authorization vulnerability in merkulove Uper for Elementor uper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uper for Elementor: from n/a through <= 1.0.5. [CVSS 5.4 MEDIUM]
Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Audier For Elementor: from n/a through <= 1.0.9. [CVSS 5.4 MEDIUM]
merkulove Motionger for Elementor motionger-elementor is affected by missing authorization (CVSS 8.8).
Missing Authorization vulnerability in merkulove Searcher for Elementor searcher-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Searcher for Elementor: from n/a through <= 1.0.3. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in merkulove Carter for Elementor carter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Carter for Elementor: from n/a through <= 1.0.2. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in merkulove Imager for Elementor imager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Imager for Elementor: from n/a through <= 2.0.4. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in wproyal Bard bard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bard: from n/a through <= 2.229. [CVSS 8.8 HIGH]
Payment Gateway bKash for WooCommerce has a missing authorization vulnerability allowing attackers to exploit incorrect access controls for privilege escalation.
Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Electron: from n/a through <= 1.8.2. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects xSmart: from n/a through <= 1.2.9.4. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HomeLancer: from n/a through <= 1.0.1. [CVSS 8.8 HIGH]
Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4. [CVSS 8.1 HIGH]
The anti-theft protection mechanism can be bypassed by attackers due to weak response generation algorithms for the head unit. It is possible to reveal all 32 corresponding responses by sniffing CAN traffic or by pre-calculating the values, which allows the protection to be bypassed. [CVSS 4.0 MEDIUM]
SmarterTools SmarterMail prior to build 9511 contains a critical authentication bypass in the password reset API (CVE-2026-23760) that allows unauthenticated attackers to reset system administrator passwords without verification. With EPSS 65% and KEV listing, this trivially exploitable vulnerability enables complete email server takeover, compromising all hosted mailboxes and organizational communications.
NervesHub OTA firmware management has a weak random number generation vulnerability that allows attackers to predict firmware update tokens and push malicious updates.
Solvera Software Services Trade Inc. Teknoera is affected by authorization bypass through user-controlled key (CVSS 7.5).
EXERT Computer Technologies Software Ltd. Co. Education Management System is affected by authorization bypass through user-controlled key (CVSS 7.5).
Meetinghub Paperless Meetings is affected by missing authentication for critical function (CVSS 5.3).
Horilla HRMS 1.4.0 contains insufficient server-side authorization checks that permit low-privileged employees to self-approve documents they have submitted, bypassing intended administrative-only controls. Public exploit code exists for this vulnerability, enabling standard users to alter HR application state and potentially submit unvetted credentials or certifications. The integrity of HR document workflows is compromised as employees can modify approval statuses reserved for administrators.
Horilla HRMS versions prior to 1.5.0 allow authenticated attackers to bypass two-factor authentication due to improper OTP validation that treats missing OTP fields as valid when the OTP has expired. Public exploit code exists for this vulnerability, enabling attackers with user credentials to gain unauthorized access to accounts, particularly administrative accounts with access to sensitive HR data and employee records. An attacker exploiting this flaw could manipulate employee information and compromise system-wide operations.
Horilla HRMS versions 1.4.0 and above allow unauthenticated access to unpublished job postings through the /recruitment/recruitment-details/ endpoint, exposing draft job titles, descriptions, and application workflows. An attacker can leverage public exploit code to view sensitive internal hiring information and access recruitment processes for unpublished positions. The vulnerability affects all users with network access to affected Horilla instances and has been patched in version 1.5.0.
Horilla is a free and open source Human Resource Management System (HRMS). [CVSS 4.3 MEDIUM]
The sm-crypto JavaScript library has a private key recovery vulnerability in its SM2 implementation, allowing attackers to extract secret keys from signatures.
Mastodon is a free, open-source social network server based on ActivityPub. [CVSS 6.5 MEDIUM]
Suspended remote users in Mastodon can bypass suspension restrictions and have their posts appear in timelines through boosting and post processing logic errors. This affects all Mastodon versions for older posts, with additional bypass capabilities in versions 4.5.0-4.5.4, 4.4.5-4.4.11, 4.3.13-4.3.17, and 4.2.26-4.2.29, allowing suspended users to inject new content into the system. No patch is currently available for this integrity issue.
DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack credentials and gain unauthorized access.
Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. [CVSS 5.3 MEDIUM]
Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious repositories that redirect API calls to attacker-controlled servers before the trust confirmation dialog appears. When a victim opens an infected repository, the tool automatically reads malicious configuration settings and sends API requests containing credentials before displaying any security prompt, enabling credential theft. Users should upgrade to version 2.0.65 or later, though auto-update users have already received the patch.
EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. [CVSS 4.3 MEDIUM]
Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. [CVSS 8.2 HIGH]