Authentication Bypass
Monthly
Missing authorization in WooCommerce Bulk Edit Products - WP Sheet Editor (versions up to and including 1.8.21) permits authenticated high-privilege users to exploit incorrectly configured access control security levels, resulting in unauthorized bulk modification of WooCommerce product data. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper capability checks before executing privileged bulk-edit operations via the network. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis, though the integrity-only impact and high-privilege requirement constrain the realistic attack surface.
Unauthenticated broken access control in the Simply Schedule Appointments WordPress plugin (versions through 1.6.12.4) allows remote attackers to perform unauthorized actions against appointment data, resulting in low-integrity and low-availability impacts. The plugin by NSquared fails to enforce proper authorization checks on one or more endpoints, enabling exploitation without any credentials against default installations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and zero privilege requirement lower the barrier for opportunistic abuse.
Broken access control in ThemeMove's EduMall WordPress theme (versions through 4.5.1) permits authenticated low-privileged users to invoke restricted functionality without proper authorization checks. An attacker with any valid WordPress account can bypass the intended access control tiers and trigger actions that degrade site availability. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 4.3 reflects a contained, low-severity impact limited to availability.
Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.
Universal Clocks WordPress plugin (≤1.2.0) by PressTigers exposes unauthorized action endpoints due to missing authorization checks, enabling unauthenticated remote attackers to perform integrity-impacting operations without valid credentials. Reported by Patchstack under CWE-862, the flaw stems from incorrectly configured access control security levels that fail to validate caller permissions before executing plugin functionality. No public exploit code or active exploitation (CISA KEV listing) has been identified at time of analysis.
Missing authorization in the MeetingHub WordPress plugin (versions through 1.25.10) allows unauthenticated remote attackers to exploit incorrectly configured access control and perform unauthorized integrity-affecting actions. The CVSS vector (PR:N/AV:N/AC:L/UI:N) confirms no authentication or user interaction is required, making any WordPress installation running an affected version directly exposed from the network. No active exploitation has been confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis.
Unauthenticated broken access control in the Fascinate WordPress theme by themebeez (versions through 1.1.5) permits remote attackers to exploit incorrectly configured capability checks, resulting in unauthorized write-level actions on affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, with impact limited to integrity (I:L). No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.
Missing authorization in the wpdevart Booking Calendar, Appointment Booking System WordPress plugin (versions through 3.2.36) permits unauthenticated remote attackers to bypass access controls and perform restricted booking-related actions, resulting in unauthorized data modification. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is trivially reachable over the network with no authentication, though impact is limited to integrity (I:L) with no confidentiality or availability consequence. No public exploit code or CISA KEV listing has been identified at time of analysis.
Broken access control in the VW Wedding WordPress theme (vowelweb) allows unauthenticated remote attackers to exploit incorrectly configured authorization checks, resulting in limited availability impact against affected WordPress installations. All versions through 1.3.7 are affected per the CPE string cpe:2.3:a:vowelweb:vw_wedding. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in the lower-urgency tier despite network-level reachability.
Missing authorization controls in the VW Food Corner WordPress theme (versions through 1.1.0) permit unauthenticated remote attackers to invoke restricted theme functionality without valid access credentials, resulting in availability impact. Reported by Patchstack and classified under CWE-862, the flaw stems from incorrectly configured access control levels that fail to verify caller identity or capability before executing protected actions. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.
Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets an authenticated low-privileged user reach functionality that should be restricted, impacting integrity and, most notably, availability of the plugin's newsletter/mailing operations. The flaw is a missing authorization check (CWE-862) reported by Patchstack; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note an inconsistency in the source data: the CVE description states affected 'through <= 10.11.1' while the linked Patchstack advisory slug references 10.10.2 - the exact patched version is not confirmed from the input.
Broken access control in the UX-Themes Flatsome WordPress theme (versions up to and including 3.20.5) allows remote unauthenticated attackers to reach functionality or data that should be authorization-gated, resulting in confidentiality-only impact per the CVSS vector. The flaw stems from a missing authorization check (CWE-862) and was catalogued by Patchstack, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Flatsome is one of the most widely sold commercial WooCommerce themes, so the affected footprint is substantial even though only information disclosure (not integrity or availability) is implicated.
Broken access control in the Themeum Kirki WordPress customizer framework (versions up to and including 6.0.13) allows remote unauthenticated attackers to reach functionality protected by incorrectly configured access-control levels, resulting in disclosure of sensitive information. The flaw was reported by Patchstack and stems from a missing authorization check (CWE-862); no public exploit has been identified at time of analysis. With a CVSS of 7.5 driven purely by confidentiality impact, the practical risk is unauthorized data exposure rather than site takeover.
Broken access control in the Event Tickets WordPress plugin (versions up to and including 5.28.5) lets remote unauthenticated attackers modify data they should not be able to reach because an authorization check is missing on a privileged action. The flaw carries a 7.5 CVSS with an integrity-only impact (I:H) and no confidentiality or availability effect, and there is no public exploit identified at time of analysis. It was disclosed by Patchstack and affects default installations of the plugin.
Authentication bypass in VillaTheme's Abandoned Cart Recovery for WooCommerce (versions through 1.1.12) allows unauthenticated remote attackers to access protected functionality via an alternate authentication path or channel (CWE-288). The CVSS vector confirms network-reachable, zero-complexity exploitation requiring no privileges or user interaction, yielding partial confidentiality and integrity compromise. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and unauthenticated nature elevate practical risk for any WooCommerce store running this plugin.
Authentication bypass in the Metagauss ProfileGrid WordPress plugin (versions up to and including 5.9.9.6) lets remote unauthenticated attackers abuse the password recovery flow as an alternate channel to hijack arbitrary user accounts, including administrators. Because the flaw is exploitable over the network with no privileges and no user interaction (CVSS 7.5, I:H), it enables full account takeover on affected WordPress sites. No public exploit is identified at time of analysis and it is not in CISA KEV, but the low attack complexity makes it an attractive target once details circulate.
Insecure Direct Object Reference (IDOR) in Tutor LMS WordPress plugin allows authenticated low-privilege users to bypass authorization controls by manipulating user-controlled keys, resulting in unauthorized modification of LMS objects such as courses, lessons, or student records. Affected versions span all releases through 3.9.13 by Themeum. No confirmed active exploitation (KEV) or public exploit code has been identified at time of analysis, but the low attack complexity and wide WordPress deployment surface make this a credible integrity risk for any site running an unpatched version.
Missing authorization in Razorpay Payment Links for WooCommerce (versions through 2.1.4) allows unauthenticated network attackers to invoke privileged plugin actions without any authentication check. The flaw stems from CWE-862, where one or more AJAX endpoints or REST routes in the plugin fail to verify the caller's identity or capability before executing sensitive operations, resulting in low-severity integrity and availability impacts against WooCommerce payment link workflows. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.
Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) allow low-privileged authenticated users to access confidential invoice data without proper permission checks. The flaw (CWE-862) enables a logged-in WordPress user with minimal privileges to bypass intended access control restrictions and retrieve sensitive financial or client information managed by the plugin. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible attack vector and high confidentiality impact make this a meaningful exposure for sites hosting sensitive invoicing workflows.
Stock Locations for WooCommerce plugin (versions through 3.1.8) exposes one or more privileged operations without performing authorization checks, allowing authenticated low-privileged WordPress users to manipulate stock location data they should have no rights to modify. Rooted in CWE-862 (Missing Authorization), the flaw means the plugin accepts and executes sensitive requests based solely on authentication rather than verifying the requester's WordPress capability level. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-privilege access requirement and straightforward network exploitation path make it a realistic risk for any multi-location WooCommerce store running the affected plugin.
Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthenticated remote attackers to perform unauthorized actions against voucher-related functionality, resulting in low-severity integrity and availability impact. The flaw stems from CWE-862 (Missing Authorization), meaning the plugin fails to verify whether a requesting user has rights to access specific functionality - effectively treating restricted endpoints as publicly accessible. No public exploit or CISA KEV listing is identified at time of analysis, but the unauthenticated attack vector (PR:N, AV:N) lowers the bar for opportunistic exploitation significantly.
Broken access control in the Peach Payments Gateway WordPress plugin (all versions through 4.0.2) permits remote unauthenticated attackers to invoke plugin functionality without valid authorization, bypassing intended access control security levels. Rooted in CWE-862 (Missing Authorization) and reported by Patchstack, the flaw enables limited integrity and availability impact against WooCommerce-powered sites using this plugin. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector warrants prompt remediation for any site processing payments through this gateway.
Missing authorization in the FundEngine WordPress fundraising plugin (versions through 1.7.6) permits unauthenticated remote attackers to exploit incorrectly configured access control, resulting in partial data integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, unauthenticated network exploitation with no user interaction required. No active exploitation is confirmed in the CISA KEV catalog, and no public exploit code has been identified at the time of this analysis.
Missing authorization in the Booking and Rental Manager WordPress plugin (≤ 2.6.9) exposes unauthenticated remote attackers to broken access control, enabling unauthorized modification of booking data and partial disruption of plugin availability. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication or user interaction against any internet-facing WordPress/WooCommerce site running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes this straightforwardly exploitable once a target is identified.
Broken access control in the ThemeHunk Open Shop WordPress theme (versions up to and including 1.7.1) lets an authenticated low-privileged user reach functionality that should be restricted, tampering with data and degrading site availability. Reported by Patchstack and rated CVSS 7.1, the flaw stems from missing authorization checks on a privileged action. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Missing Authorization (CWE-862) in the Event Tickets Manager for WooCommerce WordPress plugin versions through 1.5.5 allows unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited but unauthorized modification of data and disruption of availability. The CVSS vector (PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, lowering the barrier for abuse against any WordPress site with the plugin installed and active. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Missing Authorization (CWE-862) in the Tourfic WordPress plugin through version 2.22.5 permits authenticated low-privilege users to exploit incorrectly configured access control levels, resulting in unauthorized high-confidentiality data exposure. The CVSS vector (PR:L, C:H, I:N) confirms that any logged-in WordPress user - such as a customer or subscriber - can read sensitive data reserved for higher-privileged roles without modifying or disrupting it. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes exploitation straightforward once the unprotected endpoint is located.
Tourfic, a WordPress travel booking plugin by Themefic, exposes unauthenticated access control bypass through missing authorization checks on one or more plugin endpoints, affecting all versions through 2.22.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote, unauthenticated exploitation with limited integrity and availability impact. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes opportunistic exploitation straightforward against any WordPress site with the plugin installed.
Missing authorization in the Extra Product Options Builder for WooCommerce plugin (versions through 1.2.167) permits remote unauthenticated attackers to perform restricted actions without valid credentials, impacting both data integrity and service availability on affected WordPress storefronts. The flaw stems from CWE-862 - the plugin exposes endpoints or AJAX actions that fail to verify whether the caller holds the necessary capability or role before executing sensitive operations. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.
Broken access control in the Phil Kurth "Advanced Forms" WordPress plugin (all versions up to and including 1.9.3.7) lets remote unauthenticated attackers reach a form-handling function that fails to verify authorization, enabling unauthorized modification of form data or settings. The CVSS 3.1 score is 7.5 with integrity-only impact and no confidentiality or availability loss. Reported by Patchstack; no public exploit identified at time of analysis and not listed in CISA KEV.
Broken access control in FluxBuilder's MStore API WordPress plugin (versions through 4.18.4) allows unauthenticated remote attackers to bypass authorization checks on restricted API endpoints. Rooted in CWE-862 (Missing Authorization), the flaw enables callers to interact with functionality gated behind access control levels that are incorrectly enforced - resulting in limited unauthorized data read and write operations against affected WooCommerce-backed mobile API deployments. No public exploit code or CISA KEV listing has been identified at time of analysis, but the PR:N/AC:L CVSS vector confirms the attack requires no authentication or special conditions.
Missing authorization in WPXPO WowAddons WordPress plugin (versions through 1.6.8) enables unauthenticated remote attackers to invoke privileged plugin actions without proper access control checks. Exploitation produces limited integrity and availability impact - unauthorized modification or disruption of plugin-managed content - with no confidentiality exposure confirmed by the CVSS vector. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the zero-privileges-required network vector makes this class of flaw attractive for opportunistic automated scanning once a proof-of-concept surfaces.
Incorrect authorization in Mattermost's interactive post action handler allows authenticated users to trigger post actions in private channels they are not members of. The flaw stems from action cookies failing to bind to the specific channel of the target post - a cookie obtained from any accessible channel can be reused against posts in restricted private channels. Affected are Mattermost versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19; no public exploit has been identified and the vulnerability is not listed in CISA KEV.
Mattermost's channel patch API fails to enforce authorization on the group_constrained flag, permitting any authenticated low-privilege member of a group message or direct message channel to remove all participants from the conversation. All three supported release lines are affected: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code has been identified at time of analysis; however, the low attack complexity and minimal privilege requirement make this straightforward to abuse on any reachable Mattermost deployment.
Incoming webhook impersonation in Mattermost allows a requester holding webhook management permissions to post content attributed to arbitrary users in teams or channels those users do not belong to. Affected deployments span three active release branches: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code exists and the vulnerability is not listed in CISA KEV; the CVSS score of 4.9 correctly reflects that exploitation is constrained by the High privilege requirement, limiting realistic risk to insider threats or compromised privileged accounts.
Post ownership verification is absent in Mattermost's shared channel inbound sync handler, allowing an authenticated remote cluster to forge sync messages that modify or delete posts authored by local users or other federated remotes. Affected versions span the 10.11.x, 11.6.x, and 11.7.x release trains up to and including 10.11.19, 11.6.4, and 11.7.2 respectively. No public exploit has been identified and CISA KEV confirmation is absent, but the integrity impact is direct and the attack complexity is low once federation trust is established.
Arbitrary file deletion in JoomShaper's Helix Ultimate template framework for Joomla allows unauthenticated remote attackers to delete files on the server due to a missing authorization check (CWE-862). Any anonymous user can reach the vulnerable functionality without credentials (PR:N/UI:N), enabling deletion of critical Joomla files to corrupt or take down the site. No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV.
Insecure direct object reference (IDOR) in Dassault Systèmes Tuleap Enterprise Edition 17.0 through 17.5 lets attackers read other users' data by manipulating a user-controlled key/identifier, breaking horizontal authorization boundaries. The CVSS 3.1 vector (AV:N/PR:N) scores it as remotely reachable with high confidentiality impact but no integrity or availability effect. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Improper WebSocket authentication in will-moss Isaiah up to version 1.36.9 permits unauthenticated remote attackers to establish authenticated WebSocket sessions against the Docker management interface. The flaw resides in app/main.go within the WebSocket Connection Authentication component, where authentication controls can be bypassed, granting access to Docker management functionality without valid credentials. No public exploit has been identified at time of analysis, and an upstream fix exists as a pending pull request (PR #36) that has not yet been merged into a released version.
Missing authorization in Isaiah's Master WebSocket Handler allows remote unauthenticated attackers to manipulate the Agent argument in the Server.Handle function, bypassing access controls over Docker management operations. All versions of the will-moss/isaiah project up to and including 1.36.9 are affected. No public exploit or active exploitation has been identified at time of analysis; a fix pull request (#35) exists upstream but awaits acceptance.
Tutor LMS WordPress plugin (all versions before 3.9.13) allows authenticated users with subscriber-level access to post auto-approved comments containing arbitrary HTML and external links on any site content, bypassing the comment moderation queue entirely. The vulnerable comment handler performs no authorization check and no post-target validation before creating comments, making this exploitable by any registered user on sites with open registration - a common LMS deployment pattern. A publicly available POC from WPScan exists; no CISA KEV listing indicates confirmed mass exploitation, but the low privilege bar and POC availability make this a realistic content-integrity threat.
Authorization bypass in MacCMS Pro's installation module allows remote attackers to circumvent access controls via the `step5` function in the installation controller, affecting all versions through 2022.1000.3005. Exploitation is rated high-complexity (AC:H), limiting opportunistic mass exploitation, though a public proof-of-concept is available on GitHub. No CISA KEV listing at time of analysis; EPSS data was not included in the available intelligence, but POC availability elevates the practical risk above the raw CVSS score alone might suggest.
Access-control bypass in EIPStackGroup OpENer 2.3.0 (commit 76b95cf) lets any unauthenticated network attacker hijack another client's EtherNet/IP encapsulation session by replaying a valid session_handle, because the stack validates the handle against a global session list but never binds it to the originating TCP socket. Affected industrial devices running this open-source stack can have their EtherNet/IP command channel abused for read/write operations under another client's authority. No CISA KEV listing exists, but a researcher gist referenced in the advisory appears to publish exploit details, and the CVSS 9.1 rating reflects high confidentiality and integrity impact.
Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to invoke the Setting::saveSetting function and modify application settings beyond their authorization level. The flaw is classified under CWE-285 (Improper Authorization) and is tagged as an authentication bypass and broken access control issue, meaning the application fails to enforce permission boundaries after login. A publicly available proof-of-concept exploit exists per VulDB and bytium.com; no CISA KEV listing was identified at time of analysis, and the vendor has not responded to disclosure.
Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by manipulating the role argument in JSON-RPC requests to the editUser/addUser endpoint. The server fails to verify whether the calling user is authorized to assign elevated roles, a CWE-285 Improper Authorization flaw. A public proof-of-concept exploit has been disclosed, and the vendor did not respond to coordinated disclosure, meaning no patch is confirmed available.
Missing authorization in Coolify's Policy Handler allows authenticated remote attackers to bypass resource-level access controls in versions up to 4.1.1. The flaw resides in the /app/Policies/ component, where policy enforcement checks are absent or incomplete, enabling low-privileged users to access or manipulate resources beyond their intended authorization scope. A public proof-of-concept exploit is available, raising the urgency for operators running self-hosted Coolify instances.
Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim into loading crafted web content that triggers an untrusted pointer dereference (CWE-822). Microsoft rates it CVSS 8.3, driven by a scope change (sandbox/boundary crossing) and full confidentiality, integrity, and availability impact, but exploitation requires user interaction and is of high attack complexity. No public exploit identified at time of analysis (E:U), it is not on CISA KEV, and an official vendor fix is available.
Path normalization failure in filebrowser's DeleteWithPathPrefix function allows authenticated users on versions before 2.63.17 to leave stale public share records intact by deleting directories with trailing-slash paths. After deletion, an attacker can recreate the same directory path and cause its new contents to be silently exposed through the previously dormant, still-valid public share URL. No public exploit code has been identified at time of analysis, and the vendor-confirmed CVSS 4.0 score of 2.3 reflects the high complexity and limited confidentiality impact.
Cross-organization account disruption in Capgo before 12.128.2 lets an enterprise administrator in one organization destroy the email/password login of users belonging to different organizations. By abusing the SSO prelink-users endpoint, an attacker holding the org.update_settings permission with an active SSO provider can permanently remove password identities for any user whose email matches the provider's domain, locking victims out of native authentication and forcing them onto the attacker's SSO or a password-reset recovery flow. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported by VulnCheck.
Account takeover in Capgo before 12.128.2 arises because the email-change endpoint performs no current-password re-authentication and no verification of the existing email address, letting an attacker who already holds a valid session cookie or an authenticated browser silently repoint the account email. By seizing the recovery address, the attacker captures password-reset flows and sidesteps multi-factor authentication, converting a hijacked session into durable full account control. There is no public exploit identified at time of analysis, but the flaw is vendor-confirmed via GitHub Security Advisory GHSA-9px4-w25f-mvm4 and reported by VulnCheck.
Authentication bypass in Flowise 3.0.13 and earlier lets remote unauthenticated attackers forge valid JWTs and impersonate any user, including administrators, because the enterprise passport authentication middleware silently falls back to publicly known hardcoded secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER') whenever the JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables are unset. Reported by VulnCheck and rated CVSS 4.0 9.3 (Critical), it grants full account takeover, though there is no public exploit identified at time of analysis and no CISA KEV listing.
Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attackers steal secrets from the host. By abusing the exposed /md, /llm, and /llm/job endpoints, an attacker supplies a malicious base_url to redirect outbound LLM API calls and sets api_token to the special form env:VARIABLE_NAME, causing the server to resolve and leak arbitrary environment variables - including provider API keys and the JWT SECRET_KEY, which in turn enables full authentication bypass. No public exploit identified at time of analysis, but the flaw is trivially exploitable and reported by VulnCheck with an assigned CVSS 4.0 score of 8.8.
Scope isolation failure in Capgo's POST /webhooks/test endpoint allows authenticated app-scoped API keys to invoke org-scoped webhook operations, bypassing the intended limited_to_apps authorization boundary. All Capgo instances prior to version 12.128.2 are affected, enabling credential holders with narrow, app-level access to trigger signed outbound webhook deliveries targeting arbitrary organization webhooks they should not control. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 vector (PR:L, AV:N) confirms low-privilege network exploitation is straightforward once credentials are in hand.
Privilege escalation in Capgo before 12.128.2 lets demoted super_admin users retain organization-wide bundle management rights because the org_users.user_right column is not cleared when their role binding is deleted. A user who once held super_admin can continue invoking the delete_non_compliant_bundles and count_non_compliant_bundles RPCs to enumerate and bulk-delete non-compliant bundles across the entire organization indefinitely, well after their privileges were supposedly revoked. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.
Improper authorization in AstrBot's Scheduled Task Handler allows a remote low-privileged user to bypass authorization controls by manipulating the payload["note"] argument in FutureTaskTool.call (astrbot/core/tools/cron_tools.py), affecting all versions up to and including 4.25.2. A publicly available proof-of-concept exploit (GitHub gist) demonstrates exploitation. No patch has been released and the vendor did not respond to disclosure; EPSS and CVSS 4.0 score this at 5.3, indicating moderate-to-low real-world severity, but the active POC elevates practical risk for deployed instances. Not currently listed in CISA KEV.
Missing authentication in RafyMrX TOKO-ONLINE-ROTI, an Indonesian online bakery shop management application, allows remote unauthenticated attackers to access restricted application functionality with low-level impact across confidentiality, integrity, and availability. All code through commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is affected, and no patch exists because the vendor did not respond to coordinated disclosure. No public exploit code and no CISA KEV listing exist at time of analysis.
Unrestricted file upload in shiroiAdmin versions 1.1 and 1.3 (PHP admin panel by hcr707305003) exposes the `FileController::upload` function to unauthenticated remote exploitation, enabling attackers to upload arbitrary files - including PHP webshells - to the server without authentication. A public exploit has been disclosed (CVSS 4.0 E:P), and the vendor did not respond to coordinated disclosure. Exploitation conditions are severe: the CVSS 4.0 vector confirms network-accessible, zero-authentication, low-complexity exploitation with no user interaction required.
Improper access control in the diskbckp.sys kernel driver of QILING Disk Master 6.0.0.0 allows local low-privileged users to bypass authorization checks and interact with privileged kernel driver functionality. Tagged as an authentication bypass, the flaw resides in an unknown function within the kernel driver component, enabling manipulation of access control logic without elevated credentials. A public proof-of-concept exploit has been disclosed (no CISA KEV listing); the vendor has released a patch via beta download.
Improper access controls in MiniTool Partition Wizard's signed kernel driver pwdrvio.sys (versions up to 13.6) allow a local low-privileged user to interact with privileged driver functionality without authorization. The vulnerability is tagged as an authentication bypass against a kernel-mode component, meaning a standard user account can invoke driver operations that should be restricted to administrative or system-level callers. A publicly available proof-of-concept exploit lowers the practical exploitation bar, though no active exploitation is confirmed via CISA KEV at time of analysis.
Improper authorization in Eleveo Call Recording Software 9.7.0 enables remote authenticated attackers to access call recordings they are not permitted to view by manipulating the `callId` parameter in the `/callrec/audio.jsp` endpoint. The flaw follows a classic Insecure Direct Object Reference (IDOR) pattern under CWE-285, where the application fails to enforce per-user ownership checks on recording identifiers. A public exploit has been released and no vendor patch exists - the vendor did not respond to responsible disclosure - making compensating controls the only available mitigation at this time.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to perform unauthorized operations on the Recorded Calls Page via the `/callrec/restoreCallAction.do` endpoint, potentially accessing or restoring call recordings outside their permitted scope. The vulnerability stems from CWE-285 (Improper Authorization), meaning the application fails to enforce access controls on the restore call action, permitting privilege escalation within the recording management interface. A publicly available proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no patch has been confirmed by the vendor, who did not respond to disclosure attempts.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to bypass access controls on the /callrec/composeEmailAction.do endpoint, exposing limited confidential data. The flaw (CWE-285) means the application fails to enforce authorization decisions for at least one action reachable by low-privileged authenticated users. A publicly available proof-of-concept exploit has been disclosed via VulDB, and no vendor patch exists - the vendor did not respond to the coordinated disclosure. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), though exploit code exists.
Improper authorization on the /callrec/pci_dss_status.jsp endpoint in Eleveo Call Recording Software 9.7.0 allows authenticated low-privilege users to access PCI DSS compliance status data they are not authorized to view. The exposed information reveals the payment card compliance posture of the organization, which could be leveraged to identify exploitable compliance gaps and inform targeted attacks against payment infrastructure. A public proof-of-concept exploit exists; the vendor did not respond to responsible disclosure, leaving no official patch or advisory available.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to access the /callrec/group.jsp endpoint without proper permission checks, resulting in unauthorized read access to call recording group data. A publicly available exploit has been disclosed via Google Drive; the vendor was notified but did not respond, meaning no official patch exists at time of analysis. No public exploit identified at time of analysis is superseded here - a public POC exists (E:P in the CVSS 4.0 vector), though this is not confirmed actively exploited (CISA KEV) and the CVSS 4.0 score of 2.1 reflects limited scope impact.
Policy bypass in ImageMagick before 7.1.2-26 allows low-privileged local users to write files to filesystem paths explicitly blocked by the application's security policy framework. The APNG encoder and external delegate mechanisms omit required validation against policy.xml restrictions, enabling circumvention of configured path-based access controls. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the impact is meaningful in multi-tenant or shared-processing environments that rely on ImageMagick's policy layer as a security boundary.
Broken authorization in PraisonAI Platform (praisonai-platform) before 0.1.9 lets any low-privileged workspace member modify owner- or admin-created projects, issues, and agents because the PATCH routes only check for workspace-member role instead of owner/admin. Because a member can reassign a project's lead_id to their own user id, they can then satisfy and bypass the delete route's owner/admin check to destroy owner-created projects. No public exploit identified at time of analysis, though the flaw is trivially reachable by any authenticated tenant member.
System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection defense ships with its blocking threshold defaulting to CRITICAL, so HIGH-severity injection attempts are detected and logged but never blocked. Any remote user interacting with a PraisonAI agent can submit single-vector prompt injection (instruction overrides, financial manipulation) that scores HIGH and passes through, leaking the system prompt and triggering agent tools without authorization. No public exploit identified at time of analysis, and the issue is not in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).
Webhook signature verification is absent in PraisonAI AgentMail before version 4.6.78, permitting any unauthenticated network attacker to POST crafted message.received events directly to the webhook endpoint with spoofed sender identities. This bypasses configured sender allow/block lists, injecting arbitrary content into the AI agent's processing pipeline and causing the agent to dispatch replies to attacker-controlled addresses. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, though the low-complexity, unauthenticated attack vector makes exploitation straightforward for any attacker with network access to the webhook endpoint.
Billing authorization bypass in Capgo (prior to 12.128.12) enables authenticated organizations with exhausted or expired usage credit grants to continue consuming paid API endpoints without valid entitlement. The divergence between the plugin's hot-path plan_valid expression and the authoritative billing gate creates a logic gap exploitable by any organization that reaches credit depletion, granting continued access to /updates, /stats, /channel_self, and attachment upload endpoints. No public exploit or CISA KEV listing exists at time of analysis, but the low attack complexity and network accessibility make this straightforward for any affected account holder to abuse.
Privilege escalation in the Genolve AI image and video generation plugin for WordPress (all versions through 5.0.5) lets authenticated users with Contributor-level access or above update arbitrary WordPress options because the genolve_setOpt() function performs no capability check. By enabling the users_can_register option and setting default_role to administrator, a low-privileged user can register a new administrator account and fully take over the site. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authorization bypass in the NEX-Forms WordPress plugin (all versions through 9.2.2) allows unauthenticated remote attackers to overwrite email metadata fields on arbitrary form entries and weaponize the victim WordPress site as an outbound email relay. The CVSS vector (PR:N/AC:L/AV:N) confirms zero authentication and zero configuration prerequisites beyond plugin activation. No public exploit has been identified at time of analysis, but the trivially low exploitation complexity makes mass scanning and abuse for phishing or spam distribution operationally realistic at scale.
Unauthorized cross-vendor manipulation in WCFM - Frontend Manager for WooCommerce (all versions ≤ 6.7.27) allows authenticated subscriber-level users to archive competitor vendors' product listings, toggle featured status on arbitrary listings, mark WooCommerce orders as completed, and permanently delete enquiries and bulk messages belonging to other vendors within the same marketplace. Multiple AJAX handlers in class-wcfm-ajax.php, class-wcfm-enquiry.php, and class-wcfm-notification.php accept user-controlled object IDs without verifying ownership - a textbook CWE-639 IDOR pattern enabling horizontal privilege escalation across vendor accounts. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
User enumeration via authorization bypass in the Wallet for WooCommerce WordPress plugin (versions up to and including 1.6.4) allows any authenticated subscriber-level user to extract login names, email addresses, and user IDs for every WordPress account on the site, including administrators. The flaw exists because the plugin exposes a 'search-user' nonce - required to call its AJAX search handler - directly in the wallet_param JavaScript object rendered on the publicly accessible WooCommerce My Account page, making it trivially obtainable by any logged-in user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and wide subscriber-level accessibility make exploitation straightforward on sites with open user registration.
Authorization bypass in WCFM - Frontend Manager for WooCommerce (all versions through 6.7.27) allows unauthenticated network attackers to inject arbitrary content into store inquiry replies, overwrite inquiry records in the wp_wcfm_enquiries database table, and trigger unsolicited notification emails to customers and vendors. The root cause is a missing authentication gate in the wcfm-my-account-enquiry-manage controller branch - unlike its sibling branches, it performs neither is_user_logged_in() nor current_user_can() checks. The nonce that serves as the sole barrier is embedded into every public page load without any login requirement, rendering it ineffective as an access control. No public exploit code and no CISA KEV listing identified at time of analysis.
Authorization bypass in the WP Easy Pay WordPress plugin (versions ≤4.5.0) allows any authenticated WordPress user at subscriber level or above to set arbitrary posts and pages to 'draft', silently unpublishing site content without editorial authorization. The flaw stems from missing capability checks in the plugin's action handlers (wpep-setup.php), confirmed by Wordfence with direct source code references. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the low barrier to exploitation - any registered user qualifies - makes this a meaningful risk on sites with open user registration.
Unauthorized cache deletion in the ThriveDesk WordPress plugin (all versions through 2.1.7) is possible by any authenticated user holding a Subscriber-level role or above, due to a missing capability check on the `thrivedesk_clear_cache` AJAX action. The root cause is a CWE-862 Missing Authorization flaw in `includes/helper.php` - any logged-in user can invoke the privileged cache-clearing function without role validation. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is bounded to cache disruption and potential performance degradation rather than data loss or code execution.
Privilege escalation in the Simple JWT Login WordPress plugin (all versions through 3.6.6) lets an authenticated subscriber-level user forge an Administrator session by injecting arbitrary identity claims into the JWT payload. Because AuthenticateService::generatePayload() only overwrites payload keys that appear in the admin-configured jwt_payload allowlist, attacker-supplied claims such as email, id, or username survive and are signed with the site's HS256 secret; the token is then redeemed at /autologin to log in as any administrator. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.
Authorization bypass in the AI Copilot - Content Generator WordPress plugin (by wupsales/AIWU) allows unauthenticated remote attackers to manipulate WordPress post publication states across all versions through 1.4.12. By supplying arbitrary scenario IDs to the plugin's workspace controller endpoint - which lacks any authorization verification - attackers can expose unpublished draft content or take live published posts offline, causing content disclosure and service disruption. No public exploit or CISA KEV listing has been identified at time of analysis, though the trivial exploitation complexity (AV:N/AC:L/PR:N/UI:N) makes independent rediscovery straightforward.
Permanent, irreversible deletion of all Starter Template-imported site content in the Solace Extra WordPress plugin (all versions through 1.5.3) is achievable by fully unauthenticated network attackers due to the complete absence of authorization checks on the responsible AJAX handler. The handler is registered via wp_ajax_nopriv_, removing WordPress's authentication gate entirely, while the required nonce is leaked to any Subscriber-level user visiting any wp-admin page - eliminating both authentication and authorization barriers simultaneously. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the Wordfence disclosure includes exact file and line references enabling straightforward reproduction; the official CVSS score of 5.3 significantly understates the destructive impact.
Unauthorized affiliate management actions in the Affilia plugin for WordPress (all versions through 3.3.3) allow any subscriber-level authenticated user to approve or reject referrals, credit commissions to affiliate wallets, delete referral records, and modify banner options - enabling direct financial fraud against WooCommerce stores. The root cause is that the sole authentication gate relies on a WordPress nonce that is publicly embedded in every frontend page load via the JavaScript global `rtwalwm_global_params.rtwalwm_nonce`, making role-based access enforcement trivially bypassable. No public exploit code or CISA KEV listing is identified at time of analysis, but the low exploitation complexity and direct financial fraud impact make this a meaningful operational risk for any site running an affiliate program on this plugin.
Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. No public exploit code or active exploitation has been identified at time of analysis.
Unauthorized data modification in SurfLink - Link Manager & Backup Restore (all versions up to 2.6.0) allows authenticated attackers with Subscriber-level access to inject arbitrary URLs into the plugin's 410 Gone database table, causing those site paths to return HTTP 410 Gone responses to all visitors. The root cause is a missing capability check (current_user_can()) and absent nonce verification (check_ajax_referer()) in the ajax_import_410() AJAX handler - a conspicuous gap given that every other AJAX handler in the same PHP class correctly implements both controls. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low authentication barrier and clear impact on site availability and SEO ranking make this a meaningful risk for affected WordPress deployments.
Unauthenticated mass data deletion in the AI Copilot - Content Generator WordPress plugin (all versions through 1.4.12) exposes sites to complete wipeout of plugin-managed database records by any remote visitor. The vulnerability stems from a permanently open authorization gate: the base controller's getPermissions() returns an empty array causing the auth check to unconditionally pass, while the removeGroup and clear AJAX actions are excluded from getNoncedMethods(), bypassing nonce verification entirely. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis, though the attack requires no credentials and minimal technical skill given the straightforward AJAX endpoint targeting.
Authorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated subscribers to manipulate WordPress cron scheduling logic. Authenticated attackers with subscriber-level access or above can create, modify, or reschedule the nftb_cron_hook cron event due to missing authorization checks in nftncron.php, disrupting the plugin's background task scheduling for Telegram notifications. No public exploit or active exploitation has been identified at time of analysis; CVSS rates this Medium (4.3) with integrity-only impact.
Authorization bypass in Points and Rewards for WooCommerce (all versions through 2.10.0) allows authenticated subscribers to drain any user's reward points into a wallet balance, exfiltrate all user emails and point balances to an attacker-controlled Klaviyo account, and overwrite the site's Klaviyo API key - compounding financial fraud with third-party data exfiltration. Critically, the plugin exposes its authentication nonce (wps-wpr-verify-nonce) on every public-facing page via wp_localize_script(), and the wallet-draining handler is registered on the wp_ajax_nopriv_ hook, meaning the most financially damaging action - converting points to wallet balance - is exploitable by unauthenticated visitors. No public exploit code or CISA KEV listing identified at time of analysis.
Authorization bypass in the MyParcel (woocommerce-myparcel) WordPress plugin allows any authenticated subscriber-level user to view and modify shipment options - including carrier, delivery type, package type, label count, weight, signature requirement, and insurance - on arbitrary WooCommerce orders they do not own. All plugin versions up to and including 4.25.1 are affected, with the flaw rooted in missing capability checks on administrative AJAX handlers. No public exploit or active exploitation has been identified at time of analysis, though the low privilege bar (any registered WordPress user) expands the realistic attacker pool significantly for e-commerce stores.
Authentication bypass in the Hydro-Québec Le Circuit Électrique EV charging station backend lets remote unauthenticated attackers open connections directly to the charging-station WebSocket endpoint, which lacks proper access control (CWE-284), and leverage that access for privilege escalation. All backend versions prior to the June 2026 fix are affected, and the CVSS 4.0 base score of 9.3 (critical) reflects full compromise of confidentiality, integrity, and availability over the network with no privileges or user interaction. Reported through CISA ICS-CERT (ICSA-26-188-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.
vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.
Authentication bypass in the Drupal Commerce Guest Registration contributed module allows remote unauthenticated attackers to circumvent identity verification during the guest checkout/registration flow, per Drupal advisory SA-CONTRIB-2026-079. The CVSS 9.1 scoring (C:H/I:H) indicates an attacker can gain unauthorized access to or hijack account/order data without credentials or user interaction. No public exploit has been identified at time of analysis, and the low EPSS score (0.24%, 15th percentile) suggests exploitation is not yet widespread.
Missing Authorization (CWE-862) in the Drupal FlowDrop contributed module allows authenticated low-privilege users to perform Forceful Browsing - directly accessing protected URLs without proper permission checks being enforced. All FlowDrop releases from 0.0.0 up to 1.6.0 are affected; a successful attacker can read or modify content and workflow data beyond their authorized scope. No public exploit has been identified and EPSS sits at 0.18% (8th percentile), indicating negligible observed exploitation probability at time of analysis; the vulnerability is not listed in CISA KEV.
Missing authorization in WooCommerce Bulk Edit Products - WP Sheet Editor (versions up to and including 1.8.21) permits authenticated high-privilege users to exploit incorrectly configured access control security levels, resulting in unauthorized bulk modification of WooCommerce product data. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper capability checks before executing privileged bulk-edit operations via the network. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis, though the integrity-only impact and high-privilege requirement constrain the realistic attack surface.
Unauthenticated broken access control in the Simply Schedule Appointments WordPress plugin (versions through 1.6.12.4) allows remote attackers to perform unauthorized actions against appointment data, resulting in low-integrity and low-availability impacts. The plugin by NSquared fails to enforce proper authorization checks on one or more endpoints, enabling exploitation without any credentials against default installations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and zero privilege requirement lower the barrier for opportunistic abuse.
Broken access control in ThemeMove's EduMall WordPress theme (versions through 4.5.1) permits authenticated low-privileged users to invoke restricted functionality without proper authorization checks. An attacker with any valid WordPress account can bypass the intended access control tiers and trigger actions that degrade site availability. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 4.3 reflects a contained, low-severity impact limited to availability.
Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.
Universal Clocks WordPress plugin (≤1.2.0) by PressTigers exposes unauthorized action endpoints due to missing authorization checks, enabling unauthenticated remote attackers to perform integrity-impacting operations without valid credentials. Reported by Patchstack under CWE-862, the flaw stems from incorrectly configured access control security levels that fail to validate caller permissions before executing plugin functionality. No public exploit code or active exploitation (CISA KEV listing) has been identified at time of analysis.
Missing authorization in the MeetingHub WordPress plugin (versions through 1.25.10) allows unauthenticated remote attackers to exploit incorrectly configured access control and perform unauthorized integrity-affecting actions. The CVSS vector (PR:N/AV:N/AC:L/UI:N) confirms no authentication or user interaction is required, making any WordPress installation running an affected version directly exposed from the network. No active exploitation has been confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis.
Unauthenticated broken access control in the Fascinate WordPress theme by themebeez (versions through 1.1.5) permits remote attackers to exploit incorrectly configured capability checks, resulting in unauthorized write-level actions on affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, with impact limited to integrity (I:L). No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.
Missing authorization in the wpdevart Booking Calendar, Appointment Booking System WordPress plugin (versions through 3.2.36) permits unauthenticated remote attackers to bypass access controls and perform restricted booking-related actions, resulting in unauthorized data modification. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is trivially reachable over the network with no authentication, though impact is limited to integrity (I:L) with no confidentiality or availability consequence. No public exploit code or CISA KEV listing has been identified at time of analysis.
Broken access control in the VW Wedding WordPress theme (vowelweb) allows unauthenticated remote attackers to exploit incorrectly configured authorization checks, resulting in limited availability impact against affected WordPress installations. All versions through 1.3.7 are affected per the CPE string cpe:2.3:a:vowelweb:vw_wedding. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in the lower-urgency tier despite network-level reachability.
Missing authorization controls in the VW Food Corner WordPress theme (versions through 1.1.0) permit unauthenticated remote attackers to invoke restricted theme functionality without valid access credentials, resulting in availability impact. Reported by Patchstack and classified under CWE-862, the flaw stems from incorrectly configured access control levels that fail to verify caller identity or capability before executing protected actions. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.
Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets an authenticated low-privileged user reach functionality that should be restricted, impacting integrity and, most notably, availability of the plugin's newsletter/mailing operations. The flaw is a missing authorization check (CWE-862) reported by Patchstack; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note an inconsistency in the source data: the CVE description states affected 'through <= 10.11.1' while the linked Patchstack advisory slug references 10.10.2 - the exact patched version is not confirmed from the input.
Broken access control in the UX-Themes Flatsome WordPress theme (versions up to and including 3.20.5) allows remote unauthenticated attackers to reach functionality or data that should be authorization-gated, resulting in confidentiality-only impact per the CVSS vector. The flaw stems from a missing authorization check (CWE-862) and was catalogued by Patchstack, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Flatsome is one of the most widely sold commercial WooCommerce themes, so the affected footprint is substantial even though only information disclosure (not integrity or availability) is implicated.
Broken access control in the Themeum Kirki WordPress customizer framework (versions up to and including 6.0.13) allows remote unauthenticated attackers to reach functionality protected by incorrectly configured access-control levels, resulting in disclosure of sensitive information. The flaw was reported by Patchstack and stems from a missing authorization check (CWE-862); no public exploit has been identified at time of analysis. With a CVSS of 7.5 driven purely by confidentiality impact, the practical risk is unauthorized data exposure rather than site takeover.
Broken access control in the Event Tickets WordPress plugin (versions up to and including 5.28.5) lets remote unauthenticated attackers modify data they should not be able to reach because an authorization check is missing on a privileged action. The flaw carries a 7.5 CVSS with an integrity-only impact (I:H) and no confidentiality or availability effect, and there is no public exploit identified at time of analysis. It was disclosed by Patchstack and affects default installations of the plugin.
Authentication bypass in VillaTheme's Abandoned Cart Recovery for WooCommerce (versions through 1.1.12) allows unauthenticated remote attackers to access protected functionality via an alternate authentication path or channel (CWE-288). The CVSS vector confirms network-reachable, zero-complexity exploitation requiring no privileges or user interaction, yielding partial confidentiality and integrity compromise. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and unauthenticated nature elevate practical risk for any WooCommerce store running this plugin.
Authentication bypass in the Metagauss ProfileGrid WordPress plugin (versions up to and including 5.9.9.6) lets remote unauthenticated attackers abuse the password recovery flow as an alternate channel to hijack arbitrary user accounts, including administrators. Because the flaw is exploitable over the network with no privileges and no user interaction (CVSS 7.5, I:H), it enables full account takeover on affected WordPress sites. No public exploit is identified at time of analysis and it is not in CISA KEV, but the low attack complexity makes it an attractive target once details circulate.
Insecure Direct Object Reference (IDOR) in Tutor LMS WordPress plugin allows authenticated low-privilege users to bypass authorization controls by manipulating user-controlled keys, resulting in unauthorized modification of LMS objects such as courses, lessons, or student records. Affected versions span all releases through 3.9.13 by Themeum. No confirmed active exploitation (KEV) or public exploit code has been identified at time of analysis, but the low attack complexity and wide WordPress deployment surface make this a credible integrity risk for any site running an unpatched version.
Missing authorization in Razorpay Payment Links for WooCommerce (versions through 2.1.4) allows unauthenticated network attackers to invoke privileged plugin actions without any authentication check. The flaw stems from CWE-862, where one or more AJAX endpoints or REST routes in the plugin fail to verify the caller's identity or capability before executing sensitive operations, resulting in low-severity integrity and availability impacts against WooCommerce payment link workflows. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.
Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) allow low-privileged authenticated users to access confidential invoice data without proper permission checks. The flaw (CWE-862) enables a logged-in WordPress user with minimal privileges to bypass intended access control restrictions and retrieve sensitive financial or client information managed by the plugin. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible attack vector and high confidentiality impact make this a meaningful exposure for sites hosting sensitive invoicing workflows.
Stock Locations for WooCommerce plugin (versions through 3.1.8) exposes one or more privileged operations without performing authorization checks, allowing authenticated low-privileged WordPress users to manipulate stock location data they should have no rights to modify. Rooted in CWE-862 (Missing Authorization), the flaw means the plugin accepts and executes sensitive requests based solely on authentication rather than verifying the requester's WordPress capability level. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-privilege access requirement and straightforward network exploitation path make it a realistic risk for any multi-location WooCommerce store running the affected plugin.
Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthenticated remote attackers to perform unauthorized actions against voucher-related functionality, resulting in low-severity integrity and availability impact. The flaw stems from CWE-862 (Missing Authorization), meaning the plugin fails to verify whether a requesting user has rights to access specific functionality - effectively treating restricted endpoints as publicly accessible. No public exploit or CISA KEV listing is identified at time of analysis, but the unauthenticated attack vector (PR:N, AV:N) lowers the bar for opportunistic exploitation significantly.
Broken access control in the Peach Payments Gateway WordPress plugin (all versions through 4.0.2) permits remote unauthenticated attackers to invoke plugin functionality without valid authorization, bypassing intended access control security levels. Rooted in CWE-862 (Missing Authorization) and reported by Patchstack, the flaw enables limited integrity and availability impact against WooCommerce-powered sites using this plugin. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector warrants prompt remediation for any site processing payments through this gateway.
Missing authorization in the FundEngine WordPress fundraising plugin (versions through 1.7.6) permits unauthenticated remote attackers to exploit incorrectly configured access control, resulting in partial data integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, unauthenticated network exploitation with no user interaction required. No active exploitation is confirmed in the CISA KEV catalog, and no public exploit code has been identified at the time of this analysis.
Missing authorization in the Booking and Rental Manager WordPress plugin (≤ 2.6.9) exposes unauthenticated remote attackers to broken access control, enabling unauthorized modification of booking data and partial disruption of plugin availability. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication or user interaction against any internet-facing WordPress/WooCommerce site running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes this straightforwardly exploitable once a target is identified.
Broken access control in the ThemeHunk Open Shop WordPress theme (versions up to and including 1.7.1) lets an authenticated low-privileged user reach functionality that should be restricted, tampering with data and degrading site availability. Reported by Patchstack and rated CVSS 7.1, the flaw stems from missing authorization checks on a privileged action. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Missing Authorization (CWE-862) in the Event Tickets Manager for WooCommerce WordPress plugin versions through 1.5.5 allows unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited but unauthorized modification of data and disruption of availability. The CVSS vector (PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, lowering the barrier for abuse against any WordPress site with the plugin installed and active. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Missing Authorization (CWE-862) in the Tourfic WordPress plugin through version 2.22.5 permits authenticated low-privilege users to exploit incorrectly configured access control levels, resulting in unauthorized high-confidentiality data exposure. The CVSS vector (PR:L, C:H, I:N) confirms that any logged-in WordPress user - such as a customer or subscriber - can read sensitive data reserved for higher-privileged roles without modifying or disrupting it. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes exploitation straightforward once the unprotected endpoint is located.
Tourfic, a WordPress travel booking plugin by Themefic, exposes unauthenticated access control bypass through missing authorization checks on one or more plugin endpoints, affecting all versions through 2.22.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote, unauthenticated exploitation with limited integrity and availability impact. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes opportunistic exploitation straightforward against any WordPress site with the plugin installed.
Missing authorization in the Extra Product Options Builder for WooCommerce plugin (versions through 1.2.167) permits remote unauthenticated attackers to perform restricted actions without valid credentials, impacting both data integrity and service availability on affected WordPress storefronts. The flaw stems from CWE-862 - the plugin exposes endpoints or AJAX actions that fail to verify whether the caller holds the necessary capability or role before executing sensitive operations. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.
Broken access control in the Phil Kurth "Advanced Forms" WordPress plugin (all versions up to and including 1.9.3.7) lets remote unauthenticated attackers reach a form-handling function that fails to verify authorization, enabling unauthorized modification of form data or settings. The CVSS 3.1 score is 7.5 with integrity-only impact and no confidentiality or availability loss. Reported by Patchstack; no public exploit identified at time of analysis and not listed in CISA KEV.
Broken access control in FluxBuilder's MStore API WordPress plugin (versions through 4.18.4) allows unauthenticated remote attackers to bypass authorization checks on restricted API endpoints. Rooted in CWE-862 (Missing Authorization), the flaw enables callers to interact with functionality gated behind access control levels that are incorrectly enforced - resulting in limited unauthorized data read and write operations against affected WooCommerce-backed mobile API deployments. No public exploit code or CISA KEV listing has been identified at time of analysis, but the PR:N/AC:L CVSS vector confirms the attack requires no authentication or special conditions.
Missing authorization in WPXPO WowAddons WordPress plugin (versions through 1.6.8) enables unauthenticated remote attackers to invoke privileged plugin actions without proper access control checks. Exploitation produces limited integrity and availability impact - unauthorized modification or disruption of plugin-managed content - with no confidentiality exposure confirmed by the CVSS vector. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the zero-privileges-required network vector makes this class of flaw attractive for opportunistic automated scanning once a proof-of-concept surfaces.
Incorrect authorization in Mattermost's interactive post action handler allows authenticated users to trigger post actions in private channels they are not members of. The flaw stems from action cookies failing to bind to the specific channel of the target post - a cookie obtained from any accessible channel can be reused against posts in restricted private channels. Affected are Mattermost versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19; no public exploit has been identified and the vulnerability is not listed in CISA KEV.
Mattermost's channel patch API fails to enforce authorization on the group_constrained flag, permitting any authenticated low-privilege member of a group message or direct message channel to remove all participants from the conversation. All three supported release lines are affected: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code has been identified at time of analysis; however, the low attack complexity and minimal privilege requirement make this straightforward to abuse on any reachable Mattermost deployment.
Incoming webhook impersonation in Mattermost allows a requester holding webhook management permissions to post content attributed to arbitrary users in teams or channels those users do not belong to. Affected deployments span three active release branches: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code exists and the vulnerability is not listed in CISA KEV; the CVSS score of 4.9 correctly reflects that exploitation is constrained by the High privilege requirement, limiting realistic risk to insider threats or compromised privileged accounts.
Post ownership verification is absent in Mattermost's shared channel inbound sync handler, allowing an authenticated remote cluster to forge sync messages that modify or delete posts authored by local users or other federated remotes. Affected versions span the 10.11.x, 11.6.x, and 11.7.x release trains up to and including 10.11.19, 11.6.4, and 11.7.2 respectively. No public exploit has been identified and CISA KEV confirmation is absent, but the integrity impact is direct and the attack complexity is low once federation trust is established.
Arbitrary file deletion in JoomShaper's Helix Ultimate template framework for Joomla allows unauthenticated remote attackers to delete files on the server due to a missing authorization check (CWE-862). Any anonymous user can reach the vulnerable functionality without credentials (PR:N/UI:N), enabling deletion of critical Joomla files to corrupt or take down the site. No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV.
Insecure direct object reference (IDOR) in Dassault Systèmes Tuleap Enterprise Edition 17.0 through 17.5 lets attackers read other users' data by manipulating a user-controlled key/identifier, breaking horizontal authorization boundaries. The CVSS 3.1 vector (AV:N/PR:N) scores it as remotely reachable with high confidentiality impact but no integrity or availability effect. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Improper WebSocket authentication in will-moss Isaiah up to version 1.36.9 permits unauthenticated remote attackers to establish authenticated WebSocket sessions against the Docker management interface. The flaw resides in app/main.go within the WebSocket Connection Authentication component, where authentication controls can be bypassed, granting access to Docker management functionality without valid credentials. No public exploit has been identified at time of analysis, and an upstream fix exists as a pending pull request (PR #36) that has not yet been merged into a released version.
Missing authorization in Isaiah's Master WebSocket Handler allows remote unauthenticated attackers to manipulate the Agent argument in the Server.Handle function, bypassing access controls over Docker management operations. All versions of the will-moss/isaiah project up to and including 1.36.9 are affected. No public exploit or active exploitation has been identified at time of analysis; a fix pull request (#35) exists upstream but awaits acceptance.
Tutor LMS WordPress plugin (all versions before 3.9.13) allows authenticated users with subscriber-level access to post auto-approved comments containing arbitrary HTML and external links on any site content, bypassing the comment moderation queue entirely. The vulnerable comment handler performs no authorization check and no post-target validation before creating comments, making this exploitable by any registered user on sites with open registration - a common LMS deployment pattern. A publicly available POC from WPScan exists; no CISA KEV listing indicates confirmed mass exploitation, but the low privilege bar and POC availability make this a realistic content-integrity threat.
Authorization bypass in MacCMS Pro's installation module allows remote attackers to circumvent access controls via the `step5` function in the installation controller, affecting all versions through 2022.1000.3005. Exploitation is rated high-complexity (AC:H), limiting opportunistic mass exploitation, though a public proof-of-concept is available on GitHub. No CISA KEV listing at time of analysis; EPSS data was not included in the available intelligence, but POC availability elevates the practical risk above the raw CVSS score alone might suggest.
Access-control bypass in EIPStackGroup OpENer 2.3.0 (commit 76b95cf) lets any unauthenticated network attacker hijack another client's EtherNet/IP encapsulation session by replaying a valid session_handle, because the stack validates the handle against a global session list but never binds it to the originating TCP socket. Affected industrial devices running this open-source stack can have their EtherNet/IP command channel abused for read/write operations under another client's authority. No CISA KEV listing exists, but a researcher gist referenced in the advisory appears to publish exploit details, and the CVSS 9.1 rating reflects high confidentiality and integrity impact.
Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to invoke the Setting::saveSetting function and modify application settings beyond their authorization level. The flaw is classified under CWE-285 (Improper Authorization) and is tagged as an authentication bypass and broken access control issue, meaning the application fails to enforce permission boundaries after login. A publicly available proof-of-concept exploit exists per VulDB and bytium.com; no CISA KEV listing was identified at time of analysis, and the vendor has not responded to disclosure.
Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by manipulating the role argument in JSON-RPC requests to the editUser/addUser endpoint. The server fails to verify whether the calling user is authorized to assign elevated roles, a CWE-285 Improper Authorization flaw. A public proof-of-concept exploit has been disclosed, and the vendor did not respond to coordinated disclosure, meaning no patch is confirmed available.
Missing authorization in Coolify's Policy Handler allows authenticated remote attackers to bypass resource-level access controls in versions up to 4.1.1. The flaw resides in the /app/Policies/ component, where policy enforcement checks are absent or incomplete, enabling low-privileged users to access or manipulate resources beyond their intended authorization scope. A public proof-of-concept exploit is available, raising the urgency for operators running self-hosted Coolify instances.
Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim into loading crafted web content that triggers an untrusted pointer dereference (CWE-822). Microsoft rates it CVSS 8.3, driven by a scope change (sandbox/boundary crossing) and full confidentiality, integrity, and availability impact, but exploitation requires user interaction and is of high attack complexity. No public exploit identified at time of analysis (E:U), it is not on CISA KEV, and an official vendor fix is available.
Path normalization failure in filebrowser's DeleteWithPathPrefix function allows authenticated users on versions before 2.63.17 to leave stale public share records intact by deleting directories with trailing-slash paths. After deletion, an attacker can recreate the same directory path and cause its new contents to be silently exposed through the previously dormant, still-valid public share URL. No public exploit code has been identified at time of analysis, and the vendor-confirmed CVSS 4.0 score of 2.3 reflects the high complexity and limited confidentiality impact.
Cross-organization account disruption in Capgo before 12.128.2 lets an enterprise administrator in one organization destroy the email/password login of users belonging to different organizations. By abusing the SSO prelink-users endpoint, an attacker holding the org.update_settings permission with an active SSO provider can permanently remove password identities for any user whose email matches the provider's domain, locking victims out of native authentication and forcing them onto the attacker's SSO or a password-reset recovery flow. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported by VulnCheck.
Account takeover in Capgo before 12.128.2 arises because the email-change endpoint performs no current-password re-authentication and no verification of the existing email address, letting an attacker who already holds a valid session cookie or an authenticated browser silently repoint the account email. By seizing the recovery address, the attacker captures password-reset flows and sidesteps multi-factor authentication, converting a hijacked session into durable full account control. There is no public exploit identified at time of analysis, but the flaw is vendor-confirmed via GitHub Security Advisory GHSA-9px4-w25f-mvm4 and reported by VulnCheck.
Authentication bypass in Flowise 3.0.13 and earlier lets remote unauthenticated attackers forge valid JWTs and impersonate any user, including administrators, because the enterprise passport authentication middleware silently falls back to publicly known hardcoded secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER') whenever the JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables are unset. Reported by VulnCheck and rated CVSS 4.0 9.3 (Critical), it grants full account takeover, though there is no public exploit identified at time of analysis and no CISA KEV listing.
Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attackers steal secrets from the host. By abusing the exposed /md, /llm, and /llm/job endpoints, an attacker supplies a malicious base_url to redirect outbound LLM API calls and sets api_token to the special form env:VARIABLE_NAME, causing the server to resolve and leak arbitrary environment variables - including provider API keys and the JWT SECRET_KEY, which in turn enables full authentication bypass. No public exploit identified at time of analysis, but the flaw is trivially exploitable and reported by VulnCheck with an assigned CVSS 4.0 score of 8.8.
Scope isolation failure in Capgo's POST /webhooks/test endpoint allows authenticated app-scoped API keys to invoke org-scoped webhook operations, bypassing the intended limited_to_apps authorization boundary. All Capgo instances prior to version 12.128.2 are affected, enabling credential holders with narrow, app-level access to trigger signed outbound webhook deliveries targeting arbitrary organization webhooks they should not control. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 vector (PR:L, AV:N) confirms low-privilege network exploitation is straightforward once credentials are in hand.
Privilege escalation in Capgo before 12.128.2 lets demoted super_admin users retain organization-wide bundle management rights because the org_users.user_right column is not cleared when their role binding is deleted. A user who once held super_admin can continue invoking the delete_non_compliant_bundles and count_non_compliant_bundles RPCs to enumerate and bulk-delete non-compliant bundles across the entire organization indefinitely, well after their privileges were supposedly revoked. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.
Improper authorization in AstrBot's Scheduled Task Handler allows a remote low-privileged user to bypass authorization controls by manipulating the payload["note"] argument in FutureTaskTool.call (astrbot/core/tools/cron_tools.py), affecting all versions up to and including 4.25.2. A publicly available proof-of-concept exploit (GitHub gist) demonstrates exploitation. No patch has been released and the vendor did not respond to disclosure; EPSS and CVSS 4.0 score this at 5.3, indicating moderate-to-low real-world severity, but the active POC elevates practical risk for deployed instances. Not currently listed in CISA KEV.
Missing authentication in RafyMrX TOKO-ONLINE-ROTI, an Indonesian online bakery shop management application, allows remote unauthenticated attackers to access restricted application functionality with low-level impact across confidentiality, integrity, and availability. All code through commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is affected, and no patch exists because the vendor did not respond to coordinated disclosure. No public exploit code and no CISA KEV listing exist at time of analysis.
Unrestricted file upload in shiroiAdmin versions 1.1 and 1.3 (PHP admin panel by hcr707305003) exposes the `FileController::upload` function to unauthenticated remote exploitation, enabling attackers to upload arbitrary files - including PHP webshells - to the server without authentication. A public exploit has been disclosed (CVSS 4.0 E:P), and the vendor did not respond to coordinated disclosure. Exploitation conditions are severe: the CVSS 4.0 vector confirms network-accessible, zero-authentication, low-complexity exploitation with no user interaction required.
Improper access control in the diskbckp.sys kernel driver of QILING Disk Master 6.0.0.0 allows local low-privileged users to bypass authorization checks and interact with privileged kernel driver functionality. Tagged as an authentication bypass, the flaw resides in an unknown function within the kernel driver component, enabling manipulation of access control logic without elevated credentials. A public proof-of-concept exploit has been disclosed (no CISA KEV listing); the vendor has released a patch via beta download.
Improper access controls in MiniTool Partition Wizard's signed kernel driver pwdrvio.sys (versions up to 13.6) allow a local low-privileged user to interact with privileged driver functionality without authorization. The vulnerability is tagged as an authentication bypass against a kernel-mode component, meaning a standard user account can invoke driver operations that should be restricted to administrative or system-level callers. A publicly available proof-of-concept exploit lowers the practical exploitation bar, though no active exploitation is confirmed via CISA KEV at time of analysis.
Improper authorization in Eleveo Call Recording Software 9.7.0 enables remote authenticated attackers to access call recordings they are not permitted to view by manipulating the `callId` parameter in the `/callrec/audio.jsp` endpoint. The flaw follows a classic Insecure Direct Object Reference (IDOR) pattern under CWE-285, where the application fails to enforce per-user ownership checks on recording identifiers. A public exploit has been released and no vendor patch exists - the vendor did not respond to responsible disclosure - making compensating controls the only available mitigation at this time.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to perform unauthorized operations on the Recorded Calls Page via the `/callrec/restoreCallAction.do` endpoint, potentially accessing or restoring call recordings outside their permitted scope. The vulnerability stems from CWE-285 (Improper Authorization), meaning the application fails to enforce access controls on the restore call action, permitting privilege escalation within the recording management interface. A publicly available proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no patch has been confirmed by the vendor, who did not respond to disclosure attempts.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to bypass access controls on the /callrec/composeEmailAction.do endpoint, exposing limited confidential data. The flaw (CWE-285) means the application fails to enforce authorization decisions for at least one action reachable by low-privileged authenticated users. A publicly available proof-of-concept exploit has been disclosed via VulDB, and no vendor patch exists - the vendor did not respond to the coordinated disclosure. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), though exploit code exists.
Improper authorization on the /callrec/pci_dss_status.jsp endpoint in Eleveo Call Recording Software 9.7.0 allows authenticated low-privilege users to access PCI DSS compliance status data they are not authorized to view. The exposed information reveals the payment card compliance posture of the organization, which could be leveraged to identify exploitable compliance gaps and inform targeted attacks against payment infrastructure. A public proof-of-concept exploit exists; the vendor did not respond to responsible disclosure, leaving no official patch or advisory available.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to access the /callrec/group.jsp endpoint without proper permission checks, resulting in unauthorized read access to call recording group data. A publicly available exploit has been disclosed via Google Drive; the vendor was notified but did not respond, meaning no official patch exists at time of analysis. No public exploit identified at time of analysis is superseded here - a public POC exists (E:P in the CVSS 4.0 vector), though this is not confirmed actively exploited (CISA KEV) and the CVSS 4.0 score of 2.1 reflects limited scope impact.
Policy bypass in ImageMagick before 7.1.2-26 allows low-privileged local users to write files to filesystem paths explicitly blocked by the application's security policy framework. The APNG encoder and external delegate mechanisms omit required validation against policy.xml restrictions, enabling circumvention of configured path-based access controls. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the impact is meaningful in multi-tenant or shared-processing environments that rely on ImageMagick's policy layer as a security boundary.
Broken authorization in PraisonAI Platform (praisonai-platform) before 0.1.9 lets any low-privileged workspace member modify owner- or admin-created projects, issues, and agents because the PATCH routes only check for workspace-member role instead of owner/admin. Because a member can reassign a project's lead_id to their own user id, they can then satisfy and bypass the delete route's owner/admin check to destroy owner-created projects. No public exploit identified at time of analysis, though the flaw is trivially reachable by any authenticated tenant member.
System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection defense ships with its blocking threshold defaulting to CRITICAL, so HIGH-severity injection attempts are detected and logged but never blocked. Any remote user interacting with a PraisonAI agent can submit single-vector prompt injection (instruction overrides, financial manipulation) that scores HIGH and passes through, leaking the system prompt and triggering agent tools without authorization. No public exploit identified at time of analysis, and the issue is not in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).
Webhook signature verification is absent in PraisonAI AgentMail before version 4.6.78, permitting any unauthenticated network attacker to POST crafted message.received events directly to the webhook endpoint with spoofed sender identities. This bypasses configured sender allow/block lists, injecting arbitrary content into the AI agent's processing pipeline and causing the agent to dispatch replies to attacker-controlled addresses. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, though the low-complexity, unauthenticated attack vector makes exploitation straightforward for any attacker with network access to the webhook endpoint.
Billing authorization bypass in Capgo (prior to 12.128.12) enables authenticated organizations with exhausted or expired usage credit grants to continue consuming paid API endpoints without valid entitlement. The divergence between the plugin's hot-path plan_valid expression and the authoritative billing gate creates a logic gap exploitable by any organization that reaches credit depletion, granting continued access to /updates, /stats, /channel_self, and attachment upload endpoints. No public exploit or CISA KEV listing exists at time of analysis, but the low attack complexity and network accessibility make this straightforward for any affected account holder to abuse.
Privilege escalation in the Genolve AI image and video generation plugin for WordPress (all versions through 5.0.5) lets authenticated users with Contributor-level access or above update arbitrary WordPress options because the genolve_setOpt() function performs no capability check. By enabling the users_can_register option and setting default_role to administrator, a low-privileged user can register a new administrator account and fully take over the site. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authorization bypass in the NEX-Forms WordPress plugin (all versions through 9.2.2) allows unauthenticated remote attackers to overwrite email metadata fields on arbitrary form entries and weaponize the victim WordPress site as an outbound email relay. The CVSS vector (PR:N/AC:L/AV:N) confirms zero authentication and zero configuration prerequisites beyond plugin activation. No public exploit has been identified at time of analysis, but the trivially low exploitation complexity makes mass scanning and abuse for phishing or spam distribution operationally realistic at scale.
Unauthorized cross-vendor manipulation in WCFM - Frontend Manager for WooCommerce (all versions ≤ 6.7.27) allows authenticated subscriber-level users to archive competitor vendors' product listings, toggle featured status on arbitrary listings, mark WooCommerce orders as completed, and permanently delete enquiries and bulk messages belonging to other vendors within the same marketplace. Multiple AJAX handlers in class-wcfm-ajax.php, class-wcfm-enquiry.php, and class-wcfm-notification.php accept user-controlled object IDs without verifying ownership - a textbook CWE-639 IDOR pattern enabling horizontal privilege escalation across vendor accounts. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
User enumeration via authorization bypass in the Wallet for WooCommerce WordPress plugin (versions up to and including 1.6.4) allows any authenticated subscriber-level user to extract login names, email addresses, and user IDs for every WordPress account on the site, including administrators. The flaw exists because the plugin exposes a 'search-user' nonce - required to call its AJAX search handler - directly in the wallet_param JavaScript object rendered on the publicly accessible WooCommerce My Account page, making it trivially obtainable by any logged-in user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and wide subscriber-level accessibility make exploitation straightforward on sites with open user registration.
Authorization bypass in WCFM - Frontend Manager for WooCommerce (all versions through 6.7.27) allows unauthenticated network attackers to inject arbitrary content into store inquiry replies, overwrite inquiry records in the wp_wcfm_enquiries database table, and trigger unsolicited notification emails to customers and vendors. The root cause is a missing authentication gate in the wcfm-my-account-enquiry-manage controller branch - unlike its sibling branches, it performs neither is_user_logged_in() nor current_user_can() checks. The nonce that serves as the sole barrier is embedded into every public page load without any login requirement, rendering it ineffective as an access control. No public exploit code and no CISA KEV listing identified at time of analysis.
Authorization bypass in the WP Easy Pay WordPress plugin (versions ≤4.5.0) allows any authenticated WordPress user at subscriber level or above to set arbitrary posts and pages to 'draft', silently unpublishing site content without editorial authorization. The flaw stems from missing capability checks in the plugin's action handlers (wpep-setup.php), confirmed by Wordfence with direct source code references. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the low barrier to exploitation - any registered user qualifies - makes this a meaningful risk on sites with open user registration.
Unauthorized cache deletion in the ThriveDesk WordPress plugin (all versions through 2.1.7) is possible by any authenticated user holding a Subscriber-level role or above, due to a missing capability check on the `thrivedesk_clear_cache` AJAX action. The root cause is a CWE-862 Missing Authorization flaw in `includes/helper.php` - any logged-in user can invoke the privileged cache-clearing function without role validation. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is bounded to cache disruption and potential performance degradation rather than data loss or code execution.
Privilege escalation in the Simple JWT Login WordPress plugin (all versions through 3.6.6) lets an authenticated subscriber-level user forge an Administrator session by injecting arbitrary identity claims into the JWT payload. Because AuthenticateService::generatePayload() only overwrites payload keys that appear in the admin-configured jwt_payload allowlist, attacker-supplied claims such as email, id, or username survive and are signed with the site's HS256 secret; the token is then redeemed at /autologin to log in as any administrator. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.
Authorization bypass in the AI Copilot - Content Generator WordPress plugin (by wupsales/AIWU) allows unauthenticated remote attackers to manipulate WordPress post publication states across all versions through 1.4.12. By supplying arbitrary scenario IDs to the plugin's workspace controller endpoint - which lacks any authorization verification - attackers can expose unpublished draft content or take live published posts offline, causing content disclosure and service disruption. No public exploit or CISA KEV listing has been identified at time of analysis, though the trivial exploitation complexity (AV:N/AC:L/PR:N/UI:N) makes independent rediscovery straightforward.
Permanent, irreversible deletion of all Starter Template-imported site content in the Solace Extra WordPress plugin (all versions through 1.5.3) is achievable by fully unauthenticated network attackers due to the complete absence of authorization checks on the responsible AJAX handler. The handler is registered via wp_ajax_nopriv_, removing WordPress's authentication gate entirely, while the required nonce is leaked to any Subscriber-level user visiting any wp-admin page - eliminating both authentication and authorization barriers simultaneously. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the Wordfence disclosure includes exact file and line references enabling straightforward reproduction; the official CVSS score of 5.3 significantly understates the destructive impact.
Unauthorized affiliate management actions in the Affilia plugin for WordPress (all versions through 3.3.3) allow any subscriber-level authenticated user to approve or reject referrals, credit commissions to affiliate wallets, delete referral records, and modify banner options - enabling direct financial fraud against WooCommerce stores. The root cause is that the sole authentication gate relies on a WordPress nonce that is publicly embedded in every frontend page load via the JavaScript global `rtwalwm_global_params.rtwalwm_nonce`, making role-based access enforcement trivially bypassable. No public exploit code or CISA KEV listing is identified at time of analysis, but the low exploitation complexity and direct financial fraud impact make this a meaningful operational risk for any site running an affiliate program on this plugin.
Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. No public exploit code or active exploitation has been identified at time of analysis.
Unauthorized data modification in SurfLink - Link Manager & Backup Restore (all versions up to 2.6.0) allows authenticated attackers with Subscriber-level access to inject arbitrary URLs into the plugin's 410 Gone database table, causing those site paths to return HTTP 410 Gone responses to all visitors. The root cause is a missing capability check (current_user_can()) and absent nonce verification (check_ajax_referer()) in the ajax_import_410() AJAX handler - a conspicuous gap given that every other AJAX handler in the same PHP class correctly implements both controls. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low authentication barrier and clear impact on site availability and SEO ranking make this a meaningful risk for affected WordPress deployments.
Unauthenticated mass data deletion in the AI Copilot - Content Generator WordPress plugin (all versions through 1.4.12) exposes sites to complete wipeout of plugin-managed database records by any remote visitor. The vulnerability stems from a permanently open authorization gate: the base controller's getPermissions() returns an empty array causing the auth check to unconditionally pass, while the removeGroup and clear AJAX actions are excluded from getNoncedMethods(), bypassing nonce verification entirely. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis, though the attack requires no credentials and minimal technical skill given the straightforward AJAX endpoint targeting.
Authorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated subscribers to manipulate WordPress cron scheduling logic. Authenticated attackers with subscriber-level access or above can create, modify, or reschedule the nftb_cron_hook cron event due to missing authorization checks in nftncron.php, disrupting the plugin's background task scheduling for Telegram notifications. No public exploit or active exploitation has been identified at time of analysis; CVSS rates this Medium (4.3) with integrity-only impact.
Authorization bypass in Points and Rewards for WooCommerce (all versions through 2.10.0) allows authenticated subscribers to drain any user's reward points into a wallet balance, exfiltrate all user emails and point balances to an attacker-controlled Klaviyo account, and overwrite the site's Klaviyo API key - compounding financial fraud with third-party data exfiltration. Critically, the plugin exposes its authentication nonce (wps-wpr-verify-nonce) on every public-facing page via wp_localize_script(), and the wallet-draining handler is registered on the wp_ajax_nopriv_ hook, meaning the most financially damaging action - converting points to wallet balance - is exploitable by unauthenticated visitors. No public exploit code or CISA KEV listing identified at time of analysis.
Authorization bypass in the MyParcel (woocommerce-myparcel) WordPress plugin allows any authenticated subscriber-level user to view and modify shipment options - including carrier, delivery type, package type, label count, weight, signature requirement, and insurance - on arbitrary WooCommerce orders they do not own. All plugin versions up to and including 4.25.1 are affected, with the flaw rooted in missing capability checks on administrative AJAX handlers. No public exploit or active exploitation has been identified at time of analysis, though the low privilege bar (any registered WordPress user) expands the realistic attacker pool significantly for e-commerce stores.
Authentication bypass in the Hydro-Québec Le Circuit Électrique EV charging station backend lets remote unauthenticated attackers open connections directly to the charging-station WebSocket endpoint, which lacks proper access control (CWE-284), and leverage that access for privilege escalation. All backend versions prior to the June 2026 fix are affected, and the CVSS 4.0 base score of 9.3 (critical) reflects full compromise of confidentiality, integrity, and availability over the network with no privileges or user interaction. Reported through CISA ICS-CERT (ICSA-26-188-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.
vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.
Authentication bypass in the Drupal Commerce Guest Registration contributed module allows remote unauthenticated attackers to circumvent identity verification during the guest checkout/registration flow, per Drupal advisory SA-CONTRIB-2026-079. The CVSS 9.1 scoring (C:H/I:H) indicates an attacker can gain unauthorized access to or hijack account/order data without credentials or user interaction. No public exploit has been identified at time of analysis, and the low EPSS score (0.24%, 15th percentile) suggests exploitation is not yet widespread.
Missing Authorization (CWE-862) in the Drupal FlowDrop contributed module allows authenticated low-privilege users to perform Forceful Browsing - directly accessing protected URLs without proper permission checks being enforced. All FlowDrop releases from 0.0.0 up to 1.6.0 are affected; a successful attacker can read or modify content and workflow data beyond their authorized scope. No public exploit has been identified and EPSS sits at 0.18% (8th percentile), indicating negligible observed exploitation probability at time of analysis; the vulnerability is not listed in CISA KEV.