Authentication Bypass

7664 CVEs technique

CVE-2025-14070 HIGH This Week

The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.6. [CVSS 7.5 HIGH]

Tags: WordPress, Authentication Bypass
Sources: NVD | CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2025-13529 MEDIUM This Month

The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. [CVSS 5.3 MEDIUM]

Tags: WordPress, Authentication Bypass
Sources: NVD | CVSS 3.1: 5.3 | EPSS: 0.1%
CVE-2025-12958 LOW Monitor

Rankology SEO and Analytics Tool (WordPress plugin) is affected by improper authorization (CVSS 2.7).

Tags: WordPress, Authentication Bypass
Sources: NVD | CVSS 3.1: 2.7 | EPSS: 0.0%
CVE-2025-11877 HIGH This Week

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. [CVSS 7.5 HIGH]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2025-14942 CRITICAL Act Now

wolfSSH through 1.4.21 has a key exchange state machine vulnerability that can leak client passwords in cleartext, trick clients into sending bogus signatures, or skip user authentication entirely. A fundamental protocol implementation flaw.

Tags: Authentication Bypass, Wolfssh
Sources: NVD, GitHub | CVSS 3.1: 9.8 | EPSS: 0.1%
CVE-2025-69364 MEDIUM This Month

Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Breeze: from n/a through <= 2.2.21. [CVSS 5.3 MEDIUM]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2025-69363 MEDIUM This Month

CyberChimps Responsive Addons for Elementor responsive-addons-for-elementor is affected by missing authorization (CVSS 6.5).

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2025-69361 MEDIUM This Month

Missing Authorization vulnerability in PublishPress Post Expirator post-expirator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Expirator: from n/a through <= 4.9.3. [CVSS 4.3 MEDIUM]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2025-69359 MEDIUM This Month

Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Creator LMS: from n/a through <= 1.1.12. [CVSS 5.3 MEDIUM]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2025-69355 MEDIUM This Month

Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tickera: from n/a through <= 3.5.6.4. [CVSS 4.3 MEDIUM]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2025-69354 MEDIUM This Month

BBR Plugins Better Business Reviews better-business-reviews is affected by missing authorization (CVSS 5.4).

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2025-69353 MEDIUM This Month

Missing Authorization vulnerability in Proxy & VPN Blocker Proxy & VPN Blocker proxy-vpn-blocker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Proxy & VPN Blocker: from n/a through <= 3.5.3. [CVSS 5.4 MEDIUM]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2025-69352 MEDIUM This Month

Missing Authorization vulnerability in StellarWP The Events Calendar the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar: from n/a through <= 6.15.12.2. [CVSS 5.4 MEDIUM]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2025-69349 MEDIUM This Month

Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RSS Feed Widget: from n/a through <= 3.0.2. [CVSS 5.4 MEDIUM]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2025-69348 MEDIUM This Month

CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar is affected by missing authorization (CVSS 5.4).

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2025-69346 MEDIUM This Month

Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AffiliateX: from n/a through <= 1.3.9.3. [CVSS 5.4 MEDIUM]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2025-69345 MEDIUM This Month

BoldGrid Post and Page Builder by BoldGrid post-and-page-builder is affected by missing authorization (CVSS 5.4).

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2025-69341 MEDIUM This Month

BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon is affected by missing authorization (CVSS 5.4).

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2025-69336 MEDIUM This Month

bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit is affected by missing authorization (CVSS 4.3).

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2025-69327 MEDIUM This Month

magepeopleteam Car Rental Manager car-rental-manager is affected by missing authorization (CVSS 4.3).

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2025-60534 CRITICAL Act Now

Blue Access Cobalt v02.000.195 has an authentication bypass through selective request proxying. Attackers can manipulate proxy behavior to access web application functions without legitimate credentials.

Tags: Authentication Bypass, Cobalt X1
Sources: NVD, GitHub | CVSS 3.1: 9.8 | EPSS: 0.1%
CVE-2025-39477 CRITICAL Act Now

InWave Jobs WordPress plugin (through 3.5.8) has missing authorization allowing unauthenticated access to restricted functionality. The maximum CVSS score indicates complete compromise of confidentiality, integrity, and availability.

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 9.8 | EPSS: 0.1%
CVE-2025-65212 CRITICAL POC Act Now

NJHYST HY511 POE core (before 2.1) allows unauthenticated download of the configuration file containing usernames and self-decrypted MD5 passwords, due to insufficient cookie verification. PoC available.

Tags: Authentication Bypass, Hy511 Firmware
Sources: NVD, GitHub | CVSS 3.1: 9.8 | EPSS: 0.1%
CVE-2020-36925 CRITICAL POC Act Now

Arteco DVR/NVR web client uses session IDs with insufficient complexity, allowing brute-force attacks to hijack active sessions and access live camera streams without authentication. PoC available.

Tags: Authentication Bypass
Sources: NVD, Exploit-DB | CVSS 3.1: 9.8 | EPSS: 0.5%
CVE-2020-36923 CRITICAL POC Act Now

Sony BRAVIA Digital Signage 1.7.8 has an IDOR vulnerability that allows attackers to access hidden system resources like /#/content-creation by bypassing client-side access restrictions. PoC available.

Tags: Authentication Bypass, Bravia Signage
Sources: NVD | CVSS 3.1: 9.8 | EPSS: 0.2%
CVE-2020-36920 HIGH POC This Week

iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. [CVSS 8.8 HIGH]

Tags: Authentication Bypass
Sources: NVD, Exploit-DB | CVSS 3.1: 8.8 | EPSS: 0.1%
CVE-2020-36913 MEDIUM This Month

All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. [CVSS 5.3 MEDIUM]

Tags: PHP, Industrial, CSRF, Authentication Bypass
Sources: NVD | CVSS 3.1: 5.3 | EPSS: 0.1%
CVE-2025-9294 MEDIUM This Month

The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. [CVSS 4.3 MEDIUM]

Tags: WordPress, Authentication Bypass
Sources: NVD | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2025-14371 MEDIUM This Month

The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. [CVSS 4.3 MEDIUM]

Tags: WordPress, Authentication Bypass
Sources: NVD | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2026-21411 HIGH This Week

OpenBlocks firmware versions before 5.0.8 contain an authentication bypass vulnerability that allows unauthenticated attackers on adjacent networks to gain administrator access and reset passwords without valid credentials. This high-severity flaw affects all OpenBlocks series devices and requires no user interaction to exploit, though no patch is currently available.

Tags: Authentication Bypass
Sources: NVD | CVSS 3.0: 8.8 | EPSS: 0.1%
CVE-2025-14441 MEDIUM This Month

The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. [CVSS 5.3 MEDIUM]

Tags: WordPress, Authentication Bypass
Sources: NVD | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2025-15385 CRITICAL Act Now

TECNO Mobile's Boomplayer app (v7.4.63) has insufficient data authenticity verification allowing authentication bypass. A pre-installed app vulnerability affecting TECNO phone users.

Tags: Authentication Bypass, Boomplay
Sources: NVD | CVSS 3.1: 9.8 | EPSS: 0.0%
CVE-2025-69197 PHP MEDIUM PATCH This Month

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. [CVSS 6.5 MEDIUM]

Tags: Authentication Bypass, Panel
Sources: NVD, GitHub | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-0625 This Week

Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality.

Tags: D-Link, Dns, Authentication Bypass
Sources: NVD | EPSS: 0.7%
CVE-2025-67732 MEDIUM POC This Month

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. [CVSS 6.5 MEDIUM]

Tags: Authentication Bypass, Information Disclosure, AI / ML, Dify
Sources: NVD, GitHub | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2025-64423 HIGH POC This Week

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. [CVSS 8.8 HIGH]

Tags: Authentication Bypass, Coolify
Sources: NVD, GitHub | CVSS 3.1: 8.8 | EPSS: 0.1%
CVE-2025-64421 HIGH POC This Week

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. [CVSS 8.0 HIGH]

Tags: Authentication Bypass, Coolify
Sources: NVD, GitHub | CVSS 3.1: 8.0 | EPSS: 0.0%
CVE-2025-61781 HIGH This Week

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. [CVSS 7.1 HIGH]

Tags: Authentication Bypass, Opencti
Sources: NVD, GitHub | CVSS 3.1: 7.1 | EPSS: 0.1%
CVE-2026-21635 MEDIUM This Month

Unifi Connect EV Station Lite firmware v1.5.2 and earlier contains an access control weakness that permits nearby Wi-Fi attackers to activate the AutoLink feature on devices provisioned exclusively through Ethernet connections. This vulnerability could allow unauthorized wireless configuration of the charging station despite it being administratively restricted to wired network adoption. No patch is currently available for this medium-severity issue.

Tags: Authentication Bypass, Unifi Connect Ev Station Lite Firmware
Sources: NVD | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-21633 HIGH This Week

UniFi Protect Camera versions 6.1.79 and earlier contain an authentication bypass in their discovery protocol that allows adjacent network attackers to gain unauthorized access without credentials. An attacker on the local network can exploit this vulnerability to compromise camera systems and obtain full control. No patch is currently available, though updating to version 6.2.72 or later is recommended as mitigation.

Tags: Authentication Bypass, Unifi Protect
Sources: NVD | CVSS 3.1: 8.8 | EPSS: 0.0%
CVE-2025-46255 HIGH This Week

Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LoginWP - Pro: from n/a through 4.0.8.5. [CVSS 7.5 HIGH]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2025-39561 MEDIUM This Month

Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LoginWP - Pro: from n/a through 4.0.8.5. [CVSS 6.5 MEDIUM]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 6.5 | EPSS: 0.1%
CVE-2025-65328 MEDIUM POC This Month

Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. [CVSS 6.5 MEDIUM]

Tags: Authentication Bypass, Mega Fence
Sources: NVD | CVSS 3.1: 6.5 | EPSS: 0.1%
CVE-2025-14346 CRITICAL Act Now

WHILL Model C2 electric wheelchairs and Model F power chairs accept Bluetooth connections without authentication. An attacker within Bluetooth range can pair with the device and issue movement commands, override speed restrictions, and change configuration – creating a direct physical safety hazard for the user.

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 9.8 | EPSS: 0.1%
CVE-2025-15026 CRITICAL PATCH Act Now

Centreon Infra Monitoring's centreon-awie module lacks authentication on critical import functions, allowing unauthenticated attackers to access functionality that should be restricted by ACLs. Affects multiple Centreon versions. Patch available.

Tags: Authentication Bypass, Awie
Sources: NVD, GitHub | CVSS 3.1: 9.8 | EPSS: 0.0%
CVE-2026-0589 HIGH POC This Week

Online Product Reservation System versions up to 1.0 are affected by improper authentication (CVSS 7.3).

Tags: Authentication Bypass, Online Product Reservation System
Sources: NVD, GitHub, VulDB | CVSS 3.1: 7.3 | EPSS: 0.3%
CVE-2025-68850 HIGH This Week

Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sell Downloads: from n/a through 1.1.12. [CVSS 7.5 HIGH]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2025-68547 HIGH This Week

Missing Authorization vulnerability in WPweb Follow My Blog Post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Follow My Blog Post: from n/a through 2.4.0. [CVSS 7.5 HIGH]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2025-68044 HIGH This Week

Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8. [CVSS 8.6 HIGH]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 8.6 | EPSS: 0.1%
CVE-2025-31046 MEDIUM This Month

Missing Authorization vulnerability in WPvibes AnyWhere Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AnyWhere Elementor Pro: from n/a through 2.29. [CVSS 4.3 MEDIUM]

Tags: Authentication Bypass
Sources: NVD | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2025-15235 MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Missing Authorization vulnerability, allowing authenticated remote attackers to modify specific network packet parameters, enabling certain system functions to access other users' files. [CVSS 6.5 MEDIUM]

Tags: Authentication Bypass, AI / ML, Qoca Aim
Sources: NVD | CVSS 3.1: 6.5 | EPSS: 0.1%
CVE-2025-3660 MEDIUM This Month

Petlibro versions up to 1.7.31 contain a vulnerability that allows attackers to access other users' pet data by exploiting missing ownership verification (CVSS 6.5).

Tags: Authentication Bypass, Petlibro
Sources: NVD | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2025-3653 HIGH This Week

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. [CVSS 7.3 HIGH]

Tags: Authentication Bypass, Petlibro
Sources: NVD | CVSS 3.1: 7.3 | EPSS: 0.1%
CVE-2025-3646 HIGH This Week

Petlibro versions up to 1.7.31 are affected by missing authentication for critical function (CVSS 7.3).

Tags: Authentication Bypass, Petlibro
Sources: NVD | CVSS 3.1: 7.3 | EPSS: 0.1%
CVE-2025-15115 MEDIUM This Month

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. [CVSS 6.5 MEDIUM]

Tags: Aws, Authentication Bypass, Petlibro
Sources: NVD | CVSS 3.1: 6.5 | EPSS: 0.1%
CVE-2025-64122 MEDIUM This Month

Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Signature Spoofing by Key Theft. This issue affects Multi-Stack Controller (MSC): through 2.5.1. [CVSS 5.5 MEDIUM]

Tags: Authentication Bypass, Nplatform
Sources: NVD | CVSS 3.1: 5.5 | EPSS: 0.0%
CVE-2025-64121 CRITICAL Act Now

Nuvation Energy Multi-Stack Controller (MSC) for battery storage systems allows authentication bypass through an alternate channel, enabling unauthenticated attackers to access critical energy management functions. Affects versions 2.3.8 to 2.5.1.

Tags: Authentication Bypass, Nplatform
Sources: NVD | CVSS 3.1: 9.8 | EPSS: 0.1%
CVE-2025-64119 Monitor

A vulnerability in Nuvation Battery Management System allows Authentication Bypass. This issue affects Battery Management System: through 2.3.9.

Tags: Authentication Bypass
Sources: NVD | EPSS: 0.1%
CVE-2026-21445 PyPI CRITICAL POC PATCH Act Now

Langflow before 1.7.0.dev45 exposes multiple API endpoints without authentication, allowing unauthenticated access to user conversations, transaction data, and message deletion. Critical for AI workflow platforms that handle sensitive prompt data.

Tags: Authentication Bypass, AI / ML, Langflow
Sources: NVD, GitHub | CVSS 3.1: 9.1 | EPSS: 0.1%
CVE-2026-21429 MEDIUM POC This Month

Emlog 2.5.23 contains an integrity bypass vulnerability that allows authenticated administrators to restrict legitimate users from editing or deleting their own published articles through improper access controls. This medium-severity flaw (CVSS 4.3) enables privileged users to modify content permissions without authorization, and public exploit code exists. No patch is currently available for affected installations.

Tags: Authentication Bypass, Emlog
Sources: NVD, GitHub | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2025-69417 MEDIUM POC This Month

In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint. [CVSS 5.0 MEDIUM]

Tags: Authentication Bypass, Media Server
Sources: NVD, GitHub | CVSS 3.1: 5.0 | EPSS: 0.0%
CVE-2025-69416 MEDIUM POC This Month

In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml. [CVSS 5.0 MEDIUM]

Tags: Authentication Bypass, Media Server
Sources: NVD, GitHub | CVSS 3.1: 5.0 | EPSS: 0.0%
CVE-2025-69414 HIGH POC This Week

Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token. [CVSS 8.5 HIGH]

Tags: Authentication Bypass, Media Server
Sources: NVD, GitHub | CVSS 3.1: 8.5 | EPSS: 0.0%
CVE-2025-67158 HIGH POC This Week

An authentication bypass in the /cgi-bin/jvsweb.cgi endpoint of Revotech I6032W-FHW v1.0.0014 - 20210517 allows attackers to access sensitive information and escalate privileges via a crafted HTTP request. [CVSS 7.5 HIGH]

Tags: Authentication Bypass, I6032w Fhw Firmware
Sources: NVD, GitHub | CVSS 3.1: 7.5 | EPSS: 0.1%
CVE-2025-69284 MEDIUM This Month

Plane is an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. [CVSS 4.3 MEDIUM]

Tags: Authentication Bypass, Plane
Sources: NVD, GitHub | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2025-15415 MEDIUM POC This Month

A vulnerability has been found in xnx3 wangmarket up to 6.4. The impacted element is the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler. [CVSS 4.7 MEDIUM]

Tags: File Upload, Authentication Bypass, Wangmarket
Sources: NVD, GitHub, VulDB | CVSS 3.1: 4.7 | EPSS: 0.0%
CVE-2025-68620 npm CRITICAL POC PATCH Act Now

Signal K Server before 2.19.0 exposes two features that chain together to steal JWT tokens without authentication: WebSocket-based request enumeration plus unauthenticated polling of access request status. An attacker can hijack admin sessions remotely. PoC available.

Tags: Authentication Bypass, Signal K Server
Sources: NVD, GitHub | CVSS 3.1: 9.1 | EPSS: 0.1%
CVE-2025-15406 MEDIUM POC This Month

A flaw has been found in PHPGurukul Online Course Registration up to 3.1. This affects an unknown function. [CVSS 6.3 MEDIUM]

Tags: Authentication Bypass, Online Course Registration
Sources: NVD, GitHub, VulDB | CVSS 3.1: 6.3 | EPSS: 0.0%
CVE-2025-66148 This Week

Missing authorization controls in Conformer for Elementor WordPress plugin version 1.0.7 and earlier allow attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. The vulnerability stems from broken access control (CWE-862) without explicit authentication requirements, affecting all users of the plugin through version 1.0.7. While EPSS score is minimal at 0.05%, the nature of access control bypasses warrants assessment in WordPress environments where the plugin is deployed.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.1%
CVE-2025-66146 This Week

Missing authorization in merkulove Logger for Elementor plugin through version 1.0.9 allows attackers to bypass access controls and exploit incorrectly configured security levels. Unauthenticated or low-privileged users can access protected functionality due to absent or insufficient authorization checks. The vulnerability has low exploitation probability (EPSS 0.05%) and no confirmed public exploit code or active exploitation reported.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.1%
CVE-2025-66145 This Week

Missing authorization in Worker for WPBakery plugin versions through 1.1.1 allows attackers to exploit incorrectly configured access control, enabling unauthorized actions through broken access control mechanisms. The vulnerability affects WordPress installations running this plugin and could allow unauthenticated or low-privileged users to bypass security restrictions, though the specific attack surface and impact are limited by low EPSS probability (0.05%) and minimal public awareness.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.1%
CVE-2025-66144 This Week

Missing authorization controls in the merkulove Worker for Elementor WordPress plugin (versions through 1.0.10) allow unauthenticated or low-privileged users to exploit incorrectly configured access control mechanisms. The vulnerability stems from CWE-862 (Missing Authorization) and enables attackers to perform unauthorized actions without proper privilege verification, potentially affecting sites running vulnerable plugin versions.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.1%
CVE-2025-66153 This Week

Missing authorization controls in Headinger for Elementor plugin (versions up to 1.1.4) permit unauthenticated or insufficiently privileged attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability stems from incorrectly configured security levels that fail to validate user permissions before granting access to sensitive functionality, enabling attackers to exploit the plugin's features beyond their intended authorization scope.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.1%
CVE-2025-66152 This Week

Criptopayer for Elementor WordPress plugin through version 1.0.1 contains a missing authorization vulnerability allowing unauthenticated attackers to exploit incorrectly configured access control security levels and bypass authentication mechanisms. The vulnerability stems from insufficient validation of user permissions, enabling unauthorized access to sensitive plugin functionality. With an EPSS score of 0.05% (17th percentile), real-world exploitation probability is currently low, and no active exploitation or public proof-of-concept code has been reported.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.1%
CVE-2025-66151 This Week

Missing authorization in merkulove Countdowner for Elementor plugin (versions up to 1.0.4) allows unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. With an EPSS score of 0.05% (17th percentile), this vulnerability represents low real-world exploitation probability despite the authorization bypass classification.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.1%
CVE-2025-66150 This Week

Missing authorization in the merkulove Appender WordPress plugin versions through 1.1.1 allows authenticated attackers to bypass access control checks and exploit incorrectly configured security levels, potentially gaining unauthorized access to restricted functionality or data. EPSS probability is minimal at 0.05%, and no public exploit code or active exploitation has been reported.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.1%
CVE-2025-66149 This Week

Missing authorization in merkulove UnGrabber WordPress plugin version 3.1.3 and earlier allows unauthenticated attackers to exploit incorrectly configured access control to bypass security restrictions. The vulnerability stems from CWE-862 (Missing Authorization) and has been identified in the plugin's access control implementation, potentially enabling attackers to perform unauthorized actions without proper privilege verification.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.1%
CVE-2025-66160 This Week

Missing authorization in Select Graphist for Elementor WordPress plugin versions up to 1.2.10 allows unauthenticated attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control mechanisms that fail to properly validate user permissions before granting access to sensitive functionality. With an EPSS score of 0.01% and no confirmed active exploitation, this represents a low-probability attack despite the authorization flaw.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.0%
CVE-2025-66159 This Week

Missing authorization in Walker for Elementor plugin (versions through 1.1.6) allows unauthenticated attackers to exploit improperly configured access controls to bypass intended security restrictions and access unauthorized functionality. The vulnerability stems from inadequate permission validation in the plugin's WordPress implementation, enabling attackers to interact with protected features without proper authentication or role-based authorization checks.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.0%
CVE-2025-66158 This Week

Gmaper for Elementor plugin versions up to 1.0.9 contains a missing authorization vulnerability (CWE-862) that allows attackers to exploit incorrectly configured access control security levels, potentially bypassing authentication mechanisms to access restricted functionality. The vulnerability carries a 0.02% EPSS score (percentile 4%), indicating minimal real-world exploitation risk at present, with no public exploit code or active exploitation currently identified.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.0%
CVE-2025-66157 This Week

Missing authorization in merkulove Sliper for Elementor plugin versions up to 1.0.10 allows attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from insufficient access control validation (CWE-862), enabling unauthenticated or low-privileged users to perform actions they should not be authorized to execute. With an EPSS score of 0.02% (4th percentile) indicating very low real-world exploitation likelihood, this issue represents a lower-priority authorization flaw compared to actively exploited vulnerabilities.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.0%
CVE-2025-66156 This Week

Missing authorization in merkulove Watcher for Elementor plugin (versions up to 1.0.9) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive functionality or data. The vulnerability carries an EPSS score of 0.02% (percentile 4%), indicating very low observed exploitation probability, with no public exploit code or active exploitation confirmed at the time of analysis.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.0%
CVE-2025-66155 This Week

Missing authorization controls in merkulove Questionar for Elementor plugin versions up to 1.1.7 allow attackers to exploit improperly configured access control mechanisms, potentially enabling unauthorized access to questionnaire data or administrative functions. The vulnerability stems from inadequate privilege validation and affects all users of the vulnerable plugin versions. With an EPSS score of 0.02% and no CVSS severity assigned, real-world exploitation likelihood is currently minimal, though the authentication bypass nature of the flaw warrants patching.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.0%
CVE-2025-66154 This Week

Missing authorization in Merkulove Couponer for Elementor plugin versions up to 1.1.7 allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized access to sensitive coupon management functionality. The vulnerability carries low real-world exploitation probability (EPSS 0.02%) despite being classified as an authentication bypass, suggesting limited practical attack surface or requirement for specific configuration conditions.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.0%
CVE-2025-63038 This Week

Missing authorization in Northern Beaches Websites WP Custom Admin Interface plugin (versions up to 7.40) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized administrative access or performing privileged actions without proper authentication. The vulnerability affects WordPress installations using this plugin and carries a very low EPSS score (0.01%, 2nd percentile) despite the authorization flaw, suggesting limited real-world exploitation likelihood in practice.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.0%
CVE-2025-62874 This Week

Missing authorization in the Alexander AnyComment WordPress plugin through version 0.3.6 allows unauthenticated attackers to exploit incorrectly configured access control security levels, resulting in unauthorized access to protected functionality. The vulnerability stems from broken access control mechanisms (CWE-862) rather than authentication bypass, meaning authenticated sessions may also be affected depending on their privilege level. With an EPSS score of 0.02% and no reported active exploitation, this represents a low-probability real-world risk despite the critical nature of access control flaws.

Tags: WordPress, PHP, Authentication Bypass
Sources: NVD | EPSS: 0.0%
CVE-2025-62115 This Week

Hide Plugins WordPress plugin through version 1.0.4 fails to enforce proper authorization checks, allowing unauthenticated or low-privileged users to access plugin management functions intended for administrators. The missing access control (CWE-862) permits attackers to exploit incorrectly configured security levels, potentially enabling unauthorized plugin visibility or manipulation. While EPSS indicates low real-world exploitation probability (0.01%, 2nd percentile), the vulnerability represents a direct authorization bypass that could escalate privileges in certain WordPress configurations.

WordPress PHP Authentication Bypass
NVD
EPSS
0.0%
CVE-2025-62099 This Week

The Signature Add-On for Gravity Forms plugin (version 1.8.6 and earlier) contains a missing authorization vulnerability that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of authorization checks, enabling unauthorized users to access protected functionality or data that should be restricted based on user roles and permissions. This authentication bypass affects WordPress installations using the vulnerable plugin versions and is tracked as CWE-862 (Missing Authorization).

WordPress PHP Authentication Bypass
NVD
EPSS
0.0%
CVE-2025-62078 This Week

Missing authorization in the Easy Upload Files During Checkout WordPress plugin through version 3.0.0 allows unauthenticated attackers to exploit incorrectly configured access controls to bypass security restrictions and upload files. The vulnerability, classified as a broken access control flaw (CWE-862), affects the plugin's core file upload functionality during checkout operations. While EPSS scoring indicates very low exploitation probability (0.01%, 2nd percentile), the absence of CVSS data and patch version information limits quantification of attack complexity and remediation specificity.

WordPress PHP Authentication Bypass
NVD
EPSS
0.0%
CVE-2025-49352 Monitor

Authorization bypass in Order Cancellation & Returns for WooCommerce plugin (versions ≤1.1.11) allows unauthenticated or low-privileged users to access and manipulate order cancellation and return functionality through user-controlled parameters. The vulnerability stems from improper access control checks that fail to validate user permissions against the requested resource, enabling attackers to operate on orders belonging to other customers without proper authorization. EPSS score of 0.01% indicates low observed exploitation likelihood despite the straightforward attack vector.

WordPress Woocommerce PHP Authentication Bypass
NVD
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH This Week

The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.6. [CVSS 7.5 HIGH]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. [CVSS 5.3 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 2.7
LOW Monitor

Rankology SEO and Analytics Tool (WordPress plugin) is affected by improper authorization (CVSS 2.7).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

wolfSSH through 1.4.21 has a key exchange state machine vulnerability that can leak client passwords in cleartext, trick clients into sending bogus signatures, or skip user authentication entirely. A fundamental protocol implementation flaw.

Authentication Bypass Wolfssh
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through <= 2.2.21. [CVSS 5.3 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

CyberChimps Responsive Addons for Elementor responsive-addons-for-elementor is affected by missing authorization (CVSS 6.5).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization vulnerability in PublishPress Post Expirator post-expirator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Expirator: from n/a through <= 4.9.3. [CVSS 4.3 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Creator LMS: from n/a through <= 1.1.12. [CVSS 5.3 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.4. [CVSS 4.3 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

BBR Plugins Better Business Reviews better-business-reviews is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing Authorization vulnerability in Proxy &amp; VPN Blocker Proxy &amp; VPN Blocker proxy-vpn-blocker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Proxy &amp; VPN Blocker: from n/a through <= 3.5.3. [CVSS 5.4 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing Authorization vulnerability in StellarWP The Events Calendar the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar: from n/a through <= 6.15.12.2. [CVSS 5.4 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RSS Feed Widget: from n/a through <= 3.0.2. [CVSS 5.4 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AffiliateX: from n/a through <= 1.3.9.3. [CVSS 5.4 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

BoldGrid Post and Page Builder by BoldGrid post-and-page-builder is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

magepeopleteam Car Rental Manager car-rental-manager is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Blue Access Cobalt v02.000.195 has an authentication bypass through selective request proxying. Attackers can manipulate proxy behavior to access web application functions without legitimate credentials.

Authentication Bypass Cobalt X1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

InWave Jobs WordPress plugin (through 3.5.8) has missing authorization allowing unauthenticated access to restricted functionality. The maximum CVSS score indicates complete compromise of confidentiality, integrity, and availability.

Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

NJHYST HY511 POE core (before 2.1) allows unauthenticated download of the configuration file containing usernames and self-decrypted MD5 passwords, due to insufficient cookie verification. PoC available.

Authentication Bypass Hy511 Firmware
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Arteco DVR/NVR web client uses session IDs with insufficient complexity, allowing brute-force attacks to hijack active sessions and access live camera streams without authentication. PoC available.

Authentication Bypass
NVD Exploit-DB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Sony BRAVIA Digital Signage 1.7.8 has an IDOR vulnerability that allows attackers to access hidden system resources like /#/content-creation by bypassing client-side access restrictions. PoC available.

Authentication Bypass Bravia Signage
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. [CVSS 8.8 HIGH]

Authentication Bypass
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM This Month

All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. [CVSS 5.3 MEDIUM]

PHP Industrial CSRF +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. [CVSS 4.3 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. [CVSS 4.3 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

OpenBlocks firmware versions before 5.0.8 contain an authentication bypass vulnerability that allows unauthenticated attackers on adjacent networks to gain administrator access and reset passwords without valid credentials. This high-severity flaw affects all OpenBlocks series devices and requires no user interaction to exploit, though no patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. [CVSS 5.3 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

TECNO Mobile's Boomplayer app (v7.4.63) has insufficient data authenticity verification allowing authentication bypass. A pre-installed app vulnerability affecting TECNO phone users.

Authentication Bypass Boomplay
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. [CVSS 6.5 MEDIUM]

Authentication Bypass Panel
NVD GitHub
EPSS 1%
This Week

Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality.

D-Link Dns Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. [CVSS 6.5 MEDIUM]

Authentication Bypass Information Disclosure AI / ML +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. [CVSS 8.8 HIGH]

Authentication Bypass Coolify
NVD GitHub
EPSS 0% CVSS 8.0
HIGH POC This Week

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. [CVSS 8.0 HIGH]

Authentication Bypass Coolify
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. [CVSS 7.1 HIGH]

Authentication Bypass Opencti
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Unifi Connect EV Station Lite firmware v1.5.2 and earlier contains an access control weakness that permits nearby Wi-Fi attackers to activate the AutoLink feature on devices provisioned exclusively through Ethernet connections. This vulnerability could allow unauthorized wireless configuration of the charging station despite it being administratively restricted to wired network adoption. No patch is currently available for this medium-severity issue.

Authentication Bypass Unifi Connect Ev Station Lite Firmware
NVD
EPSS 0% CVSS 8.8
HIGH This Week

UniFi Protect Camera versions 6.1.79 and earlier contain an authentication bypass in their discovery protocol that allows adjacent network attackers to gain unauthorized access without credentials. An attacker on the local network can exploit this vulnerability to compromise camera systems and obtain full control. No patch is currently available, though updating to version 6.2.72 or later is recommended as mitigation.

Authentication Bypass Unifi Protect
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. [CVSS 6.5 MEDIUM]

Authentication Bypass Mega Fence
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

WHILL Model C2 electric wheelchairs and Model F power chairs accept Bluetooth connections without authentication. An attacker within Bluetooth range can pair with the device and issue movement commands, override speed restrictions, and change configuration – creating a direct physical safety hazard for the user.

Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Centreon Infra Monitoring's centreon-awie module lacks authentication on critical import functions, allowing unauthenticated attackers to access functionality that should be restricted by ACLs. Affects multiple Centreon versions. Patch available.

Authentication Bypass Awie
NVD GitHub
EPSS 0% CVSS 7.3
HIGH POC This Week

Online Product Reservation System versions up to 1.0 is affected by improper authentication (CVSS 7.3).

Authentication Bypass Online Product Reservation System
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sell Downloads: from n/a through 1.1.12. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Missing Authorization vulnerability in WPweb Follow My Blog Post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Follow My Blog Post: from n/a through 2.4.0. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8. [CVSS 8.6 HIGH]

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization vulnerability in WPvibes AnyWhere Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyWhere Elementor Pro: from n/a through 2.29. [CVSS 4.3 MEDIUM]

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Missing Authorization vulnerability, allowing authenticated remote attackers to modify specific network packet parameters, enabling certain system functions to access other users' files. [CVSS 6.5 MEDIUM]

Authentication Bypass AI / ML Qoca Aim
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Petlibro versions up to 1.7.31 contains a vulnerability that allows attackers to access other users' pet data by exploiting missing ownership verification (CVSS 6.5).

Authentication Bypass Petlibro
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. [CVSS 7.3 HIGH]

Authentication Bypass Petlibro
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Petlibro versions up to 1.7.31 is affected by missing authentication for critical function (CVSS 7.3).

Authentication Bypass Petlibro
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. [CVSS 6.5 MEDIUM]

Aws Authentication Bypass Petlibro
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Signature Spoofing by Key Theft.This issue affects Multi-Stack Controller (MSC): through 2.5.1. [CVSS 5.5 MEDIUM]

Authentication Bypass Nplatform
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Nuvation Energy Multi-Stack Controller (MSC) for battery storage systems allows authentication bypass through an alternate channel, enabling unauthenticated attackers to access critical energy management functions. Affects versions 2.3.8 to 2.5.1.

Authentication Bypass Nplatform
NVD
EPSS 0%
Monitor

A vulnerability in Nuvation Battery Management System allows Authentication Bypass.This issue affects Battery Management System: through 2.3.9.

Authentication Bypass
NVD
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Langflow before 1.7.0.dev45 exposes multiple API endpoints without authentication, allowing unauthenticated access to user conversations, transaction data, and message deletion. Critical for AI workflow platforms that handle sensitive prompt data.

Authentication Bypass AI / ML Langflow
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Emlog 2.5.23 contains an integrity bypass vulnerability that allows authenticated administrators to restrict legitimate users from editing or deleting their own published articles through improper access controls. This medium-severity flaw (CVSS 4.3) enables privileged users to modify content permissions without authorization, and public exploit code exists. No patch is currently available for affected installations.

Authentication Bypass Emlog
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM POC This Month

In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint. [CVSS 5.0 MEDIUM]

Authentication Bypass Media Server
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM POC This Month

In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml. [CVSS 5.0 MEDIUM]

Authentication Bypass Media Server
NVD GitHub
EPSS 0% CVSS 8.5
HIGH POC This Week

Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token. [CVSS 8.5 HIGH]

Authentication Bypass Media Server
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

An authentication bypass in the /cgi-bin/jvsweb.cgi endpoint of Revotech I6032W-FHW v1.0.0014 - 20210517 allows attackers to access sensitive information and escalate privileges via a crafted HTTP request. [CVSS 7.5 HIGH]

Authentication Bypass I6032w Fhw Firmware
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. [CVSS 4.3 MEDIUM]

Authentication Bypass Plane
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM POC This Month

A vulnerability has been found in xnx3 wangmarket up to 6.4. The impacted element is the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler. [CVSS 4.7 MEDIUM]

File Upload Authentication Bypass Wangmarket
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Signal K Server before 2.19.0 exposes two features that chain together to steal JWT tokens without authentication: WebSocket-based request enumeration plus unauthenticated polling of access request status. An attacker can hijack admin sessions remotely. PoC available.

Authentication Bypass Signal K Server
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A flaw has been found in PHPGurukul Online Course Registration up to 3.1. This affects an unknown function. [CVSS 6.3 MEDIUM]

Authentication Bypass Online Course Registration
NVD GitHub VulDB
EPSS 0%
This Week

Missing authorization controls in Conformer for Elementor WordPress plugin version 1.0.7 and earlier allow attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. The vulnerability stems from broken access control (CWE-862) without explicit authentication requirements, affecting all users of the plugin through version 1.0.7. While EPSS score is minimal at 0.05%, the nature of access control bypasses warrants assessment in WordPress environments where the plugin is deployed.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in merkulove Logger for Elementor plugin through version 1.0.9 allows attackers to bypass access controls and exploit incorrectly configured security levels. Unauthenticated or low-privileged users can access protected functionality due to absent or insufficient authorization checks. The vulnerability has low exploitation probability (EPSS 0.05%) and no confirmed public exploit code or active exploitation reported.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in Worker for WPBakery plugin versions through 1.1.1 allows attackers to exploit incorrectly configured access control, enabling unauthorized actions through broken access control mechanisms. The vulnerability affects WordPress installations running this plugin and could allow unauthenticated or low-privileged users to bypass security restrictions, though the specific attack surface and impact are limited by low EPSS probability (0.05%) and minimal public awareness.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization controls in the merkulove Worker for Elementor WordPress plugin (versions through 1.0.10) allow unauthenticated or low-privileged users to exploit incorrectly configured access control mechanisms. The vulnerability stems from CWE-862 (Missing Authorization) and enables attackers to perform unauthorized actions without proper privilege verification, potentially affecting sites running vulnerable plugin versions.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization controls in Headinger for Elementor plugin (versions up to 1.1.4) permit unauthenticated or insufficiently privileged attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability stems from incorrectly configured security levels that fail to validate user permissions before granting access to sensitive functionality, enabling attackers to exploit the plugin's features beyond their intended authorization scope.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Criptopayer for Elementor WordPress plugin through version 1.0.1 contains a missing authorization vulnerability allowing unauthenticated attackers to exploit incorrectly configured access control security levels and bypass authentication mechanisms. The vulnerability stems from insufficient validation of user permissions, enabling unauthorized access to sensitive plugin functionality. With an EPSS score of 0.05% (17th percentile), real-world exploitation probability is currently low, and no active exploitation or public proof-of-concept code has been reported.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in merkulove Countdowner for Elementor plugin (versions up to 1.0.4) allows unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. With an EPSS score of 0.05% (17th percentile), this vulnerability represents low real-world exploitation probability despite the authorization bypass classification.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in the merkulove Appender WordPress plugin versions through 1.1.1 allows authenticated attackers to bypass access control checks and exploit incorrectly configured security levels, potentially gaining unauthorized access to restricted functionality or data. EPSS probability is minimal at 0.05%, and no public exploit code or active exploitation has been reported.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in merkulove UnGrabber WordPress plugin version 3.1.3 and earlier allows unauthenticated attackers to exploit incorrectly configured access control to bypass security restrictions. The vulnerability stems from CWE-862 (Missing Authorization) and has been identified in the plugin's access control implementation, potentially enabling attackers to perform unauthorized actions without proper privilege verification.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in Select Graphist for Elementor WordPress plugin versions up to 1.2.10 allows unauthenticated attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control mechanisms that fail to properly validate user permissions before granting access to sensitive functionality. With an EPSS score of 0.01% and no confirmed active exploitation, this represents a low-probability attack despite the authorization flaw.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in Walker for Elementor plugin (versions through 1.1.6) allows unauthenticated attackers to exploit improperly configured access controls to bypass intended security restrictions and access unauthorized functionality. The vulnerability stems from inadequate permission validation in the plugin's WordPress implementation, enabling attackers to interact with protected features without proper authentication or role-based authorization checks.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Gmaper for Elementor plugin versions up to 1.0.9 contains a missing authorization vulnerability (CWE-862) that allows attackers to exploit incorrectly configured access control security levels, potentially bypassing authentication mechanisms to access restricted functionality. The vulnerability carries a 0.02% EPSS score (percentile 4%), indicating minimal real-world exploitation risk at present, with no public exploit code or active exploitation currently identified.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in merkulove Sliper for Elementor plugin versions up to 1.0.10 allows attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from insufficient access control validation (CWE-862), enabling unauthenticated or low-privileged users to perform actions they should not be authorized to execute. With an EPSS score of 0.02% (4th percentile) indicating very low real-world exploitation likelihood, this issue represents a lower-priority authorization flaw compared to actively exploited vulnerabilities.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in merkulove Watcher for Elementor plugin (versions up to 1.0.9) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive functionality or data. The vulnerability carries an EPSS score of 0.02% (percentile 4%), indicating very low observed exploitation probability, with no public exploit code or active exploitation confirmed at the time of analysis.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization controls in merkulove Questionar for Elementor plugin versions up to 1.1.7 allow attackers to exploit improperly configured access control mechanisms, potentially enabling unauthorized access to questionnaire data or administrative functions. The vulnerability stems from inadequate privilege validation and affects all users of the vulnerable plugin versions. With an EPSS score of 0.02% and no CVSS severity assigned, real-world exploitation likelihood is currently minimal, though the authentication bypass nature of the flaw warrants patching.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in Merkulove Couponer for Elementor plugin versions up to 1.1.7 allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized access to sensitive coupon management functionality. The vulnerability carries low real-world exploitation probability (EPSS 0.02%) despite being classified as an authentication bypass, suggesting limited practical attack surface or requirement for specific configuration conditions.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in Northern Beaches Websites WP Custom Admin Interface plugin (versions up to 7.40) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized administrative access or performing privileged actions without proper authentication. The vulnerability affects WordPress installations using this plugin and carries a very low EPSS score (0.01%, 2nd percentile) despite the authorization flaw, suggesting limited real-world exploitation likelihood in practice.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in the Alexander AnyComment WordPress plugin through version 0.3.6 allows unauthenticated attackers to exploit incorrectly configured access control security levels, resulting in unauthorized access to protected functionality. The vulnerability stems from broken access control mechanisms (CWE-862) rather than authentication bypass, meaning authenticated sessions may also be affected depending on their privilege level. With an EPSS score of 0.02% and no reported active exploitation, this represents a low-probability real-world risk despite the critical nature of access control flaws.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Hide Plugins WordPress plugin through version 1.0.4 fails to enforce proper authorization checks, allowing unauthenticated or low-privileged users to access plugin management functions intended for administrators. The missing access control (CWE-862) permits attackers to exploit incorrectly configured security levels, potentially enabling unauthorized plugin visibility or manipulation. While EPSS indicates low real-world exploitation probability (0.01%, 2nd percentile), the vulnerability represents a direct authorization bypass that could escalate privileges in certain WordPress configurations.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

The Signature Add-On for Gravity Forms plugin (version 1.8.6 and earlier) contains a missing authorization vulnerability, tracked as CWE-862, in which authorization checks are not applied to protected functionality. Users who should not be permitted can reach functionality or data that should be restricted by role and capability. The flaw affects WordPress installations running the vulnerable plugin versions.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
This Week

Missing authorization in the Easy Upload Files During Checkout WordPress plugin through version 3.0.0 allows unauthenticated attackers to bypass access restrictions and upload files. The flaw, classified as broken access control (CWE-862), sits in the plugin's core file upload functionality used during checkout. EPSS scoring indicates a very low observed exploitation probability (0.01%, 2nd percentile), and the absence of CVSS data and of a patched version makes attack complexity and remediation hard to quantify. An upload path reachable without authorization still deserves a review of its file-type and destination restrictions, since those become the only remaining control.

WordPress PHP Authentication Bypass
NVD
EPSS 0%
Monitor
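The entries above share one root cause: an action handler that is registered on a hook any visitor or any logged-in user can trigger, and that never verifies the caller's capability before changing state. The following is an added example written for this page, not code from any of the plugins listed; the `excp_` prefix, the action name `excp_update_settings`, the option key, the script handle and the settings page slug are hypothetical, and it assumes it runs inside WordPress as part of a plugin. It shows the vulnerable registration beside a hardened handler that checks a nonce (intent) and a capability (authorization) before touching state.

```php
<?php
// Added example (not code from any plugin on this page). Hypothetical plugin
// prefix `excp_`, action name and option key. Assumes it runs inside WordPress.

// BEFORE (vulnerable, CWE-862): the hook is registered for logged-in users
// (wp_ajax_) AND for anonymous visitors (wp_ajax_nopriv_), and the handler
// writes a site option without asking who is calling or whether they meant to.
/*
add_action( 'wp_ajax_excp_update_settings',        'excp_update_settings' );
add_action( 'wp_ajax_nopriv_excp_update_settings', 'excp_update_settings' );
function excp_update_settings() {
    update_option( 'excp_notify_email', $_POST['notify_email'] ); // attacker-controlled write
    wp_send_json_success();
}
*/

// AFTER (hardened): no nopriv registration at all for an administrative action,
// then nonce -> capability -> sanitization -> state change, in that order.
add_action( 'wp_ajax_excp_update_settings', 'excp_update_settings_hardened' );

function excp_update_settings_hardened() {
    // 1. Intent (CSRF): the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request with HTTP 403 on a bad nonce.
    check_ajax_referer( 'excp_update_settings', 'nonce' );

    // 2. Authorization: a nonce proves intent, not privilege. This capability
    //    check is the one that is absent from the vulnerable handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Validate and sanitize input before the write.
    $email = isset( $_POST['notify_email'] )
        ? sanitize_email( wp_unslash( $_POST['notify_email'] ) )
        : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address' ), 400 );
    }

    // 4. Only now touch state.
    update_option( 'excp_notify_email', $email );
    wp_send_json_success( array( 'notify_email' => $email ) );
}

// The nonce is handed to the admin page's script when it is enqueued, so only a
// page rendered for this logged-in user carries a usable token. The script file
// and page slug are hypothetical.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_excp' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'excp-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'excp-admin', 'excpAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'excp_update_settings' ),
    ) );
} );
```

Two points a reviewer should check in any handler of this shape. First, a `wp_ajax_nopriv_` registration is a deliberate decision to expose the action to anonymous visitors and needs a justification in the code; for functionality that genuinely must be public, a nonce is not a substitute for authorization, because every logged-out visitor can obtain one from any public page that emits it. Second, the capability check must come before the first write, not after it; a handler that calls `update_option()` and then checks `current_user_can()` is still vulnerable.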

Authorization bypass in the Order Cancellation & Returns for WooCommerce plugin (versions ≤1.1.11) allows unauthenticated or low-privileged users to reach and manipulate order cancellation and return functionality through user-controlled parameters. The access control checks do not verify that the requesting user is permitted to act on the specific order referenced in the request, so attackers can operate on orders belonging to other customers. The EPSS score of 0.01% indicates little observed exploitation, despite a straightforward attack vector.

WordPress Woocommerce PHP
NVD
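The WooCommerce entry above is a different kind of authorization failure from the missing capability checks earlier on this page: the caller may legitimately be a customer, but the plugin never verifies that the order it is asked to act on belongs to that customer (object-level authorization). The following is an added example written for this page, not the plugin's code; the `exor_` prefix, the action name, the hypothetical order-note text and the list of cancellable statuses are assumptions, and it assumes WordPress with WooCommerce active.

```php
<?php
// Added example (not the plugin's code): object-level authorization for a
// customer-facing order action. Hypothetical prefix `exor_`; assumes WooCommerce.

// BEFORE (vulnerable): whatever order id the client sends is acted on. No
// nonce, no login requirement, and no check that the order belongs to the caller.
/*
add_action( 'wp_ajax_exor_cancel_order',        'exor_cancel_order' );
add_action( 'wp_ajax_nopriv_exor_cancel_order', 'exor_cancel_order' );
function exor_cancel_order() {
    $order = wc_get_order( absint( $_POST['order_id'] ) );
    $order->update_status( 'cancelled', 'Cancelled by customer' );
    wp_send_json_success();
}
*/

// AFTER (hardened): logged-in callers only, CSRF nonce, existence check,
// ownership check (or a shop-management capability), and a status check so
// the action cannot be replayed against orders that are already paid or shipped.
add_action( 'wp_ajax_exor_cancel_order', 'exor_cancel_order_hardened' );

function exor_cancel_order_hardened() {
    check_ajax_referer( 'exor_cancel_order', 'nonce' );

    $order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;

    // Same response for "does not exist" and "not yours", so the endpoint
    // cannot be used to enumerate valid order ids.
    if ( ! $order instanceof WC_Order || ! exor_user_may_cancel( $order, get_current_user_id() ) ) {
        wp_send_json_error( array( 'message' => 'Order not found' ), 404 );
    }

    // Hypothetical policy: only unpaid orders may be cancelled by the customer.
    if ( ! $order->has_status( array( 'pending', 'on-hold' ) ) ) {
        wp_send_json_error( array( 'message' => 'Order can no longer be cancelled' ), 409 );
    }

    $order->update_status( 'cancelled', 'Cancelled by customer (exor)' );
    wp_send_json_success( array( 'order_id' => $order->get_id() ) );
}

/**
 * Object-level check: the requesting user must own the order, unless they hold
 * WooCommerce's shop-management capability.
 */
function exor_user_may_cancel( WC_Order $order, $user_id ) {
    if ( (int) $user_id <= 0 ) {
        return false; // guest sessions never pass, even with a valid nonce
    }
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    return (int) $order->get_customer_id() === (int) $user_id;
}
```

The ownership comparison is the line that distinguishes this from the capability-only pattern: `current_user_can( 'manage_options' )` or a nonce alone would still let any customer cancel any other customer's order. WooCommerce's own `cancel_order` meta-capability performs an equivalent ownership check and can stand in for the explicit comparison. Returning the same 404 for a missing order and for someone else's order is deliberate; a 403 on the latter confirms to the attacker that the id exists.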