Skip to main content

Authentication Bypass

31161 CVEs technique

Monthly

CVE-2026-61952 MEDIUM This Month

Missing authorization in WooCommerce Bulk Edit Products - WP Sheet Editor (versions up to and including 1.8.21) permits authenticated high-privilege users to exploit incorrectly configured access control security levels, resulting in unauthorized bulk modification of WooCommerce product data. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper capability checks before executing privileged bulk-edit operations via the network. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis, though the integrity-only impact and high-privilege requirement constrain the realistic attack surface.

Authentication Bypass WordPress Woocommerce Bulk Edit Products Wp Sheet Editor
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-57812 MEDIUM This Month

Unauthenticated broken access control in the Simply Schedule Appointments WordPress plugin (versions through 1.6.12.4) allows remote attackers to perform unauthorized actions against appointment data, resulting in low-integrity and low-availability impacts. The plugin by NSquared fails to enforce proper authorization checks on one or more endpoints, enabling exploitation without any credentials against default installations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and zero privilege requirement lower the barrier for opportunistic abuse.

Authentication Bypass Simply Schedule Appointments
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57797 MEDIUM This Month

Broken access control in ThemeMove's EduMall WordPress theme (versions through 4.5.1) permits authenticated low-privileged users to invoke restricted functionality without proper authorization checks. An attacker with any valid WordPress account can bypass the intended access control tiers and trigger actions that degrade site availability. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 4.3 reflects a contained, low-severity impact limited to availability.

Authentication Bypass Edumall
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-57786 HIGH This Week

Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.

Authentication Bypass CSRF Workscout Core
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-57782 MEDIUM This Month

Universal Clocks WordPress plugin (≤1.2.0) by PressTigers exposes unauthorized action endpoints due to missing authorization checks, enabling unauthenticated remote attackers to perform integrity-impacting operations without valid credentials. Reported by Patchstack under CWE-862, the flaw stems from incorrectly configured access control security levels that fail to validate caller permissions before executing plugin functionality. No public exploit code or active exploitation (CISA KEV listing) has been identified at time of analysis.

Authentication Bypass Universal Clocks
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57781 MEDIUM This Month

Missing authorization in the MeetingHub WordPress plugin (versions through 1.25.10) allows unauthenticated remote attackers to exploit incorrectly configured access control and perform unauthorized integrity-affecting actions. The CVSS vector (PR:N/AV:N/AC:L/UI:N) confirms no authentication or user interaction is required, making any WordPress installation running an affected version directly exposed from the network. No active exploitation has been confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis.

Authentication Bypass Meetinghub
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57779 MEDIUM This Month

Unauthenticated broken access control in the Fascinate WordPress theme by themebeez (versions through 1.1.5) permits remote attackers to exploit incorrectly configured capability checks, resulting in unauthorized write-level actions on affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, with impact limited to integrity (I:L). No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass Fascinate
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57778 MEDIUM This Month

Missing authorization in the wpdevart Booking Calendar, Appointment Booking System WordPress plugin (versions through 3.2.36) permits unauthenticated remote attackers to bypass access controls and perform restricted booking-related actions, resulting in unauthorized data modification. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is trivially reachable over the network with no authentication, though impact is limited to integrity (I:L) with no confidentiality or availability consequence. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Booking Calendar Appointment Booking System
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57776 MEDIUM This Month

Broken access control in the VW Wedding WordPress theme (vowelweb) allows unauthenticated remote attackers to exploit incorrectly configured authorization checks, resulting in limited availability impact against affected WordPress installations. All versions through 1.3.7 are affected per the CPE string cpe:2.3:a:vowelweb:vw_wedding. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in the lower-urgency tier despite network-level reachability.

Authentication Bypass Vw Wedding
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-57774 MEDIUM This Month

Missing authorization controls in the VW Food Corner WordPress theme (versions through 1.1.0) permit unauthenticated remote attackers to invoke restricted theme functionality without valid access credentials, resulting in availability impact. Reported by Patchstack and classified under CWE-862, the flaw stems from incorrectly configured access control levels that fail to verify caller identity or capability before executing protected actions. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass Vw Food Corner
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-57740 HIGH This Week

Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets an authenticated low-privileged user reach functionality that should be restricted, impacting integrity and, most notably, availability of the plugin's newsletter/mailing operations. The flaw is a missing authorization check (CWE-862) reported by Patchstack; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note an inconsistency in the source data: the CVE description states affected 'through <= 10.11.1' while the linked Patchstack advisory slug references 10.10.2 - the exact patched version is not confirmed from the input.

Authentication Bypass Acymailing Smtp Newsletter
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57729 HIGH This Week

Broken access control in the UX-Themes Flatsome WordPress theme (versions up to and including 3.20.5) allows remote unauthenticated attackers to reach functionality or data that should be authorization-gated, resulting in confidentiality-only impact per the CVSS vector. The flaw stems from a missing authorization check (CWE-862) and was catalogued by Patchstack, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Flatsome is one of the most widely sold commercial WooCommerce themes, so the affected footprint is substantial even though only information disclosure (not integrity or availability) is implicated.

Authentication Bypass Flatsome
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57727 HIGH This Week

Broken access control in the Themeum Kirki WordPress customizer framework (versions up to and including 6.0.13) allows remote unauthenticated attackers to reach functionality protected by incorrectly configured access-control levels, resulting in disclosure of sensitive information. The flaw was reported by Patchstack and stems from a missing authorization check (CWE-862); no public exploit has been identified at time of analysis. With a CVSS of 7.5 driven purely by confidentiality impact, the practical risk is unauthorized data exposure rather than site takeover.

Authentication Bypass Kirki
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57705 HIGH This Week

Broken access control in the Event Tickets WordPress plugin (versions up to and including 5.28.5) lets remote unauthenticated attackers modify data they should not be able to reach because an authorization check is missing on a privileged action. The flaw carries a 7.5 CVSS with an integrity-only impact (I:H) and no confidentiality or availability effect, and there is no public exploit identified at time of analysis. It was disclosed by Patchstack and affects default installations of the plugin.

Authentication Bypass Event Tickets
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-57698 MEDIUM This Month

Authentication bypass in VillaTheme's Abandoned Cart Recovery for WooCommerce (versions through 1.1.12) allows unauthenticated remote attackers to access protected functionality via an alternate authentication path or channel (CWE-288). The CVSS vector confirms network-reachable, zero-complexity exploitation requiring no privileges or user interaction, yielding partial confidentiality and integrity compromise. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and unauthenticated nature elevate practical risk for any WooCommerce store running this plugin.

Authentication Bypass WordPress Abandoned Cart Recovery For Woocommerce
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-57697 HIGH This Week

Authentication bypass in the Metagauss ProfileGrid WordPress plugin (versions up to and including 5.9.9.6) lets remote unauthenticated attackers abuse the password recovery flow as an alternate channel to hijack arbitrary user accounts, including administrators. Because the flaw is exploitable over the network with no privileges and no user interaction (CVSS 7.5, I:H), it enables full account takeover on affected WordPress sites. No public exploit is identified at time of analysis and it is not in CISA KEV, but the low attack complexity makes it an attractive target once details circulate.

Authentication Bypass Profilegrid
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57694 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Tutor LMS WordPress plugin allows authenticated low-privilege users to bypass authorization controls by manipulating user-controlled keys, resulting in unauthorized modification of LMS objects such as courses, lessons, or student records. Affected versions span all releases through 3.9.13 by Themeum. No confirmed active exploitation (KEV) or public exploit code has been identified at time of analysis, but the low attack complexity and wide WordPress deployment surface make this a credible integrity risk for any site running an unpatched version.

Authentication Bypass Tutor Lms
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57424 MEDIUM This Month

Missing authorization in Razorpay Payment Links for WooCommerce (versions through 2.1.4) allows unauthenticated network attackers to invoke privileged plugin actions without any authentication check. The flaw stems from CWE-862, where one or more AJAX endpoints or REST routes in the plugin fail to verify the caller's identity or capability before executing sensitive operations, resulting in low-severity integrity and availability impacts against WooCommerce payment link workflows. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass WordPress Razorpay Payment Links For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57418 MEDIUM This Month

Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) allow low-privileged authenticated users to access confidential invoice data without proper permission checks. The flaw (CWE-862) enables a logged-in WordPress user with minimal privileges to bypass intended access control restrictions and retrieve sensitive financial or client information managed by the plugin. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible attack vector and high confidentiality impact make this a meaningful exposure for sites hosting sensitive invoicing workflows.

Authentication Bypass Client Invoicing By Sprout Invoices
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57419 MEDIUM This Month

Stock Locations for WooCommerce plugin (versions through 3.1.8) exposes one or more privileged operations without performing authorization checks, allowing authenticated low-privileged WordPress users to manipulate stock location data they should have no rights to modify. Rooted in CWE-862 (Missing Authorization), the flaw means the plugin accepts and executes sensitive requests based solely on authentication rather than verifying the requester's WordPress capability level. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-privilege access requirement and straightforward network exploitation path make it a realistic risk for any multi-location WooCommerce store running the affected plugin.

Authentication Bypass WordPress Stock Locations For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57412 MEDIUM This Month

Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthenticated remote attackers to perform unauthorized actions against voucher-related functionality, resulting in low-severity integrity and availability impact. The flaw stems from CWE-862 (Missing Authorization), meaning the plugin fails to verify whether a requesting user has rights to access specific functionality - effectively treating restricted endpoints as publicly accessible. No public exploit or CISA KEV listing is identified at time of analysis, but the unauthenticated attack vector (PR:N, AV:N) lowers the bar for opportunistic exploitation significantly.

Authentication Bypass Gift Vouchers
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57408 MEDIUM This Month

Broken access control in the Peach Payments Gateway WordPress plugin (all versions through 4.0.2) permits remote unauthenticated attackers to invoke plugin functionality without valid authorization, bypassing intended access control security levels. Rooted in CWE-862 (Missing Authorization) and reported by Patchstack, the flaw enables limited integrity and availability impact against WooCommerce-powered sites using this plugin. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector warrants prompt remediation for any site processing payments through this gateway.

Authentication Bypass Peach Payments Gateway
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57406 MEDIUM This Month

Missing authorization in the FundEngine WordPress fundraising plugin (versions through 1.7.6) permits unauthenticated remote attackers to exploit incorrectly configured access control, resulting in partial data integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, unauthenticated network exploitation with no user interaction required. No active exploitation is confirmed in the CISA KEV catalog, and no public exploit code has been identified at the time of this analysis.

Authentication Bypass Fundengine
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57404 MEDIUM This Month

Missing authorization in the Booking and Rental Manager WordPress plugin (≤ 2.6.9) exposes unauthenticated remote attackers to broken access control, enabling unauthorized modification of booking data and partial disruption of plugin availability. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication or user interaction against any internet-facing WordPress/WooCommerce site running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes this straightforwardly exploitable once a target is identified.

Authentication Bypass WordPress Booking And Rental Manager
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57405 HIGH This Week

Broken access control in the ThemeHunk Open Shop WordPress theme (versions up to and including 1.7.1) lets an authenticated low-privileged user reach functionality that should be restricted, tampering with data and degrading site availability. Reported by Patchstack and rated CVSS 7.1, the flaw stems from missing authorization checks on a privileged action. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Open Shop
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57400 MEDIUM This Month

Missing Authorization (CWE-862) in the Event Tickets Manager for WooCommerce WordPress plugin versions through 1.5.5 allows unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited but unauthorized modification of data and disruption of availability. The CVSS vector (PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, lowering the barrier for abuse against any WordPress site with the plugin installed and active. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Event Tickets Manager For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57395 MEDIUM This Month

Missing Authorization (CWE-862) in the Tourfic WordPress plugin through version 2.22.5 permits authenticated low-privilege users to exploit incorrectly configured access control levels, resulting in unauthorized high-confidentiality data exposure. The CVSS vector (PR:L, C:H, I:N) confirms that any logged-in WordPress user - such as a customer or subscriber - can read sensitive data reserved for higher-privileged roles without modifying or disrupting it. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes exploitation straightforward once the unprotected endpoint is located.

Authentication Bypass Tourfic
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57392 MEDIUM This Month

Tourfic, a WordPress travel booking plugin by Themefic, exposes unauthenticated access control bypass through missing authorization checks on one or more plugin endpoints, affecting all versions through 2.22.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote, unauthenticated exploitation with limited integrity and availability impact. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes opportunistic exploitation straightforward against any WordPress site with the plugin installed.

Authentication Bypass Tourfic
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57390 MEDIUM This Month

Missing authorization in the Extra Product Options Builder for WooCommerce plugin (versions through 1.2.167) permits remote unauthenticated attackers to perform restricted actions without valid credentials, impacting both data integrity and service availability on affected WordPress storefronts. The flaw stems from CWE-862 - the plugin exposes endpoints or AJAX actions that fail to verify whether the caller holds the necessary capability or role before executing sensitive operations. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.

Authentication Bypass WordPress Extra Product Options Builder For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57378 HIGH This Week

Broken access control in the Phil Kurth "Advanced Forms" WordPress plugin (all versions up to and including 1.9.3.7) lets remote unauthenticated attackers reach a form-handling function that fails to verify authorization, enabling unauthorized modification of form data or settings. The CVSS 3.1 score is 7.5 with integrity-only impact and no confidentiality or availability loss. Reported by Patchstack; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Advanced Forms
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-57375 MEDIUM This Month

Broken access control in FluxBuilder's MStore API WordPress plugin (versions through 4.18.4) allows unauthenticated remote attackers to bypass authorization checks on restricted API endpoints. Rooted in CWE-862 (Missing Authorization), the flaw enables callers to interact with functionality gated behind access control levels that are incorrectly enforced - resulting in limited unauthorized data read and write operations against affected WooCommerce-backed mobile API deployments. No public exploit code or CISA KEV listing has been identified at time of analysis, but the PR:N/AC:L CVSS vector confirms the attack requires no authentication or special conditions.

Authentication Bypass Mstore Api
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57377 MEDIUM This Month

Missing authorization in WPXPO WowAddons WordPress plugin (versions through 1.6.8) enables unauthenticated remote attackers to invoke privileged plugin actions without proper access control checks. Exploitation produces limited integrity and availability impact - unauthorized modification or disruption of plugin-managed content - with no confidentiality exposure confirmed by the CVSS vector. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the zero-privileges-required network vector makes this class of flaw attractive for opportunistic automated scanning once a proof-of-concept surfaces.

Authentication Bypass Wowaddons
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-10106 MEDIUM This Month

Incorrect authorization in Mattermost's interactive post action handler allows authenticated users to trigger post actions in private channels they are not members of. The flaw stems from action cookies failing to bind to the specific channel of the target post - a cookie obtained from any accessible channel can be reused against posts in restricted private channels. Affected are Mattermost versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19; no public exploit has been identified and the vulnerability is not listed in CISA KEV.

Authentication Bypass Mattermost
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-10085 MEDIUM This Month

Mattermost's channel patch API fails to enforce authorization on the group_constrained flag, permitting any authenticated low-privilege member of a group message or direct message channel to remove all participants from the conversation. All three supported release lines are affected: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code has been identified at time of analysis; however, the low attack complexity and minimal privilege requirement make this straightforward to abuse on any reachable Mattermost deployment.

Authentication Bypass Mattermost
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-9708 MEDIUM This Month

Incoming webhook impersonation in Mattermost allows a requester holding webhook management permissions to post content attributed to arbitrary users in teams or channels those users do not belong to. Affected deployments span three active release branches: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code exists and the vulnerability is not listed in CISA KEV; the CVSS score of 4.9 correctly reflects that exploitation is constrained by the High privilege requirement, limiting realistic risk to insider threats or compromised privileged accounts.

Authentication Bypass Mattermost
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-10103 MEDIUM This Month

Post ownership verification is absent in Mattermost's shared channel inbound sync handler, allowing an authenticated remote cluster to forge sync messages that modify or delete posts authored by local users or other federated remotes. Affected versions span the 10.11.x, 11.6.x, and 11.7.x release trains up to and including 10.11.19, 11.6.4, and 11.7.2 respectively. No public exploit has been identified and CISA KEV confirmation is absent, but the integrity impact is direct and the attack complexity is low once federation trust is established.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57830 HIGH This Week

Arbitrary file deletion in JoomShaper's Helix Ultimate template framework for Joomla allows unauthenticated remote attackers to delete files on the server due to a missing authorization check (CWE-862). Any anonymous user can reach the vulnerable functionality without credentials (PR:N/UI:N), enabling deletion of critical Joomla files to corrupt or take down the site. No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Helix Ultimate Extension For Joomla
NVD
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-14165 HIGH This Week

Insecure direct object reference (IDOR) in Dassault Systèmes Tuleap Enterprise Edition 17.0 through 17.5 lets attackers read other users' data by manipulating a user-controlled key/identifier, breaking horizontal authorization boundaries. The CVSS 3.1 vector (AV:N/PR:N) scores it as remotely reachable with high confidentiality impact but no integrity or availability effect. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Tuleap Enterprise Edition
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-15542 MEDIUM PATCH This Month

Improper WebSocket authentication in will-moss Isaiah up to version 1.36.9 permits unauthenticated remote attackers to establish authenticated WebSocket sessions against the Docker management interface. The flaw resides in app/main.go within the WebSocket Connection Authentication component, where authentication controls can be bypassed, granting access to Docker management functionality without valid credentials. No public exploit has been identified at time of analysis, and an upstream fix exists as a pending pull request (PR #36) that has not yet been merged into a released version.

Authentication Bypass Isaiah
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-15541 MEDIUM PATCH This Month

Missing authorization in Isaiah's Master WebSocket Handler allows remote unauthenticated attackers to manipulate the Agent argument in the Server.Handle function, bypassing access controls over Docker management operations. All versions of the will-moss/isaiah project up to and including 1.36.9 are affected. No public exploit or active exploitation has been identified at time of analysis; a fix pull request (#35) exists upstream but awaits acceptance.

Authentication Bypass Isaiah
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-12273 MEDIUM POC PATCH This Month

Tutor LMS WordPress plugin (all versions before 3.9.13) allows authenticated users with subscriber-level access to post auto-approved comments containing arbitrary HTML and external links on any site content, bypassing the comment moderation queue entirely. The vulnerable comment handler performs no authorization check and no post-target validation before creating comments, making this exploitable by any registered user on sites with open registration - a common LMS deployment pattern. A publicly available POC from WPScan exists; no CISA KEV listing indicates confirmed mass exploitation, but the low privilege bar and POC availability make this a realistic content-integrity threat.

Authentication Bypass WordPress Tutor Lms
NVD WPScan
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-15516 LOW POC PATCH Monitor

Authorization bypass in MacCMS Pro's installation module allows remote attackers to circumvent access controls via the `step5` function in the installation controller, affecting all versions through 2022.1000.3005. Exploitation is rated high-complexity (AC:H), limiting opportunistic mass exploitation, though a public proof-of-concept is available on GitHub. No CISA KEV listing at time of analysis; EPSS data was not included in the available intelligence, but POC availability elevates the practical risk above the raw CVSS score alone might suggest.

Authentication Bypass PHP Maccms Pro
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.3%
CVE-2026-51538 CRITICAL Act Now

Access-control bypass in EIPStackGroup OpENer 2.3.0 (commit 76b95cf) lets any unauthenticated network attacker hijack another client's EtherNet/IP encapsulation session by replaying a valid session_handle, because the stack validates the handle against a global session list but never binds it to the originating TCP socket. Affected industrial devices running this open-source stack can have their EtherNet/IP command channel abused for read/write operations under another client's authority. No CISA KEV listing exists, but a researcher gist referenced in the advisory appears to publish exploit details, and the CVSS 9.1 rating reflects high confidentiality and integrity impact.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-15510 LOW POC Monitor

Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to invoke the Setting::saveSetting function and modify application settings beyond their authorization level. The flaw is classified under CWE-285 (Improper Authorization) and is tagged as an authentication bypass and broken access control issue, meaning the application fails to enforce permission boundaries after login. A publicly available proof-of-concept exploit exists per VulDB and bytium.com; no CISA KEV listing was identified at time of analysis, and the vendor has not responded to disclosure.

Authentication Bypass Leantime
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15509 LOW POC Monitor

Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by manipulating the role argument in JSON-RPC requests to the editUser/addUser endpoint. The server fails to verify whether the calling user is authorized to assign elevated roles, a CWE-285 Improper Authorization flaw. A public proof-of-concept exploit has been disclosed, and the vendor did not respond to coordinated disclosure, meaning no patch is confirmed available.

Authentication Bypass Leantime
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15507 LOW Monitor

Missing authorization in Coolify's Policy Handler allows authenticated remote attackers to bypass resource-level access controls in versions up to 4.1.1. The flaw resides in the /app/Policies/ component, where policy enforcement checks are absent or incomplete, enabling low-privileged users to access or manipulate resources beyond their intended authorization scope. A public proof-of-concept exploit is available, raising the urgency for operators running self-hosted Coolify instances.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-58596 HIGH PATCH Exploit Likely This Week

Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim into loading crafted web content that triggers an untrusted pointer dereference (CWE-822). Microsoft rates it CVSS 8.3, driven by a scope change (sandbox/boundary crossing) and full confidentiality, integrity, and availability impact, but exploitation requires user interaction and is of high attack complexity. No public exploit identified at time of analysis (E:U), it is not on CISA KEV, and an official vendor fix is available.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.5%
CVE-2026-61874 LOW PATCH Monitor

Path normalization failure in filebrowser's DeleteWithPathPrefix function allows authenticated users on versions before 2.63.17 to leave stale public share records intact by deleting directories with trailing-slash paths. After deletion, an attacker can recreate the same directory path and cause its new contents to be silently exposed through the previously dormant, still-valid public share URL. No public exploit code has been identified at time of analysis, and the vendor-confirmed CVSS 4.0 score of 2.3 reflects the high complexity and limited confidentiality impact.

Authentication Bypass Filebrowser
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-56313 HIGH PATCH This Week

Cross-organization account disruption in Capgo before 12.128.2 lets an enterprise administrator in one organization destroy the email/password login of users belonging to different organizations. By abusing the SSO prelink-users endpoint, an attacker holding the org.update_settings permission with an active SSO provider can permanently remove password identities for any user whose email matches the provider's domain, locking victims out of native authentication and forcing them onto the attacker's SSO or a password-reset recovery flow. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported by VulnCheck.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-56308 HIGH PATCH This Week

Account takeover in Capgo before 12.128.2 arises because the email-change endpoint performs no current-password re-authentication and no verification of the existing email address, letting an attacker who already holds a valid session cookie or an authenticated browser silently repoint the account email. By seizing the recovery address, the attacker captures password-reset flows and sidesteps multi-factor authentication, converting a hijacked session into durable full account control. There is no public exploit identified at time of analysis, but the flaw is vendor-confirmed via GitHub Security Advisory GHSA-9px4-w25f-mvm4 and reported by VulnCheck.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.2%
CVE-2026-56271 npm CRITICAL PATCH Act Now

Authentication bypass in Flowise 3.0.13 and earlier lets remote unauthenticated attackers forge valid JWTs and impersonate any user, including administrators, because the enterprise passport authentication middleware silently falls back to publicly known hardcoded secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER') whenever the JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables are unset. Reported by VulnCheck and rated CVSS 4.0 9.3 (Critical), it grants full account takeover, though there is no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-56259 PyPI HIGH PATCH This Week

Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attackers steal secrets from the host. By abusing the exposed /md, /llm, and /llm/job endpoints, an attacker supplies a malicious base_url to redirect outbound LLM API calls and sets api_token to the special form env:VARIABLE_NAME, causing the server to resolve and leak arbitrary environment variables - including provider API keys and the JWT SECRET_KEY, which in turn enables full authentication bypass. No public exploit identified at time of analysis, but the flaw is trivially exploitable and reported by VulnCheck with an assigned CVSS 4.0 score of 8.8.

Authentication Bypass Docker Information Disclosure Crawl4ai
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-56252 MEDIUM PATCH This Month

Scope isolation failure in Capgo's POST /webhooks/test endpoint allows authenticated app-scoped API keys to invoke org-scoped webhook operations, bypassing the intended limited_to_apps authorization boundary. All Capgo instances prior to version 12.128.2 are affected, enabling credential holders with narrow, app-level access to trigger signed outbound webhook deliveries targeting arbitrary organization webhooks they should not control. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 vector (PR:L, AV:N) confirms low-privilege network exploitation is straightforward once credentials are in hand.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56241 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 lets demoted super_admin users retain organization-wide bundle management rights because the org_users.user_right column is not cleared when their role binding is deleted. A user who once held super_admin can continue invoking the delete_non_compliant_bundles and count_non_compliant_bundles RPCs to enumerate and bulk-delete non-compliant bundles across the entire organization indefinitely, well after their privileges were supposedly revoked. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Privilege Escalation Capgo
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-15499 LOW POC Monitor

Improper authorization in AstrBot's Scheduled Task Handler allows a remote low-privileged user to bypass authorization controls by manipulating the payload["note"] argument in FutureTaskTool.call (astrbot/core/tools/cron_tools.py), affecting all versions up to and including 4.25.2. A publicly available proof-of-concept exploit (GitHub gist) demonstrates exploitation. No patch has been released and the vendor did not respond to disclosure; EPSS and CVSS 4.0 score this at 5.3, indicating moderate-to-low real-world severity, but the active POC elevates practical risk for deployed instances. Not currently listed in CISA KEV.

Authentication Bypass Astrbot
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15491 MEDIUM This Month

Missing authentication in RafyMrX TOKO-ONLINE-ROTI, an Indonesian online bakery shop management application, allows remote unauthenticated attackers to access restricted application functionality with low-level impact across confidentiality, integrity, and availability. All code through commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is affected, and no patch exists because the vendor did not respond to coordinated disclosure. No public exploit code and no CISA KEV listing exist at time of analysis.

Authentication Bypass Toko Online Roti
NVD VulDB
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-15488 MEDIUM This Month

Unrestricted file upload in shiroiAdmin versions 1.1 and 1.3 (PHP admin panel by hcr707305003) exposes the `FileController::upload` function to unauthenticated remote exploitation, enabling attackers to upload arbitrary files - including PHP webshells - to the server without authentication. A public exploit has been disclosed (CVSS 4.0 E:P), and the vendor did not respond to coordinated disclosure. Exploitation conditions are severe: the CVSS 4.0 vector confirms network-accessible, zero-authentication, low-complexity exploitation with no user interaction required.

Authentication Bypass File Upload PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15476 LOW POC PATCH Monitor

Improper access control in the diskbckp.sys kernel driver of QILING Disk Master 6.0.0.0 allows local low-privileged users to bypass authorization checks and interact with privileged kernel driver functionality. Tagged as an authentication bypass, the flaw resides in an unknown function within the kernel driver component, enabling manipulation of access control logic without elevated credentials. A public proof-of-concept exploit has been disclosed (no CISA KEV listing); the vendor has released a patch via beta download.

Authentication Bypass Disk Master
NVD VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15475 LOW POC PATCH Monitor

Improper access controls in MiniTool Partition Wizard's signed kernel driver pwdrvio.sys (versions up to 13.6) allow a local low-privileged user to interact with privileged driver functionality without authorization. The vulnerability is tagged as an authentication bypass against a kernel-mode component, meaning a standard user account can invoke driver operations that should be restricted to administrative or system-level callers. A publicly available proof-of-concept exploit lowers the practical exploitation bar, though no active exploitation is confirmed via CISA KEV at time of analysis.

Authentication Bypass Partition Wizard
NVD VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15474 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 enables remote authenticated attackers to access call recordings they are not permitted to view by manipulating the `callId` parameter in the `/callrec/audio.jsp` endpoint. The flaw follows a classic Insecure Direct Object Reference (IDOR) pattern under CWE-285, where the application fails to enforce per-user ownership checks on recording identifiers. A public exploit has been released and no vendor patch exists - the vendor did not respond to responsible disclosure - making compensating controls the only available mitigation at this time.

Authentication Bypass Call Recording Software
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15473 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to perform unauthorized operations on the Recorded Calls Page via the `/callrec/restoreCallAction.do` endpoint, potentially accessing or restoring call recordings outside their permitted scope. The vulnerability stems from CWE-285 (Improper Authorization), meaning the application fails to enforce access controls on the restore call action, permitting privilege escalation within the recording management interface. A publicly available proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no patch has been confirmed by the vendor, who did not respond to disclosure attempts.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15472 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to bypass access controls on the /callrec/composeEmailAction.do endpoint, exposing limited confidential data. The flaw (CWE-285) means the application fails to enforce authorization decisions for at least one action reachable by low-privileged authenticated users. A publicly available proof-of-concept exploit has been disclosed via VulDB, and no vendor patch exists - the vendor did not respond to the coordinated disclosure. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), though exploit code exists.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15471 LOW POC Monitor

Improper authorization on the /callrec/pci_dss_status.jsp endpoint in Eleveo Call Recording Software 9.7.0 allows authenticated low-privilege users to access PCI DSS compliance status data they are not authorized to view. The exposed information reveals the payment card compliance posture of the organization, which could be leveraged to identify exploitable compliance gaps and inform targeted attacks against payment infrastructure. A public proof-of-concept exploit exists; the vendor did not respond to responsible disclosure, leaving no official patch or advisory available.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15470 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to access the /callrec/group.jsp endpoint without proper permission checks, resulting in unauthorized read access to call recording group data. A publicly available exploit has been disclosed via Google Drive; the vendor was notified but did not respond, meaning no official patch exists at time of analysis. No public exploit identified at time of analysis is superseded here - a public POC exists (E:P in the CVSS 4.0 vector), though this is not confirmed actively exploited (CISA KEV) and the CVSS 4.0 score of 2.1 reflects limited scope impact.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-61858 MEDIUM PATCH This Month

Policy bypass in ImageMagick before 7.1.2-26 allows low-privileged local users to write files to filesystem paths explicitly blocked by the application's security policy framework. The APNG encoder and external delegate mechanisms omit required validation against policy.xml restrictions, enabling circumvention of configured path-based access controls. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the impact is meaningful in multi-tenant or shared-processing environments that rely on ImageMagick's policy layer as a security boundary.

Authentication Bypass Imagemagick
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-61442 HIGH PATCH This Week

Broken authorization in PraisonAI Platform (praisonai-platform) before 0.1.9 lets any low-privileged workspace member modify owner- or admin-created projects, issues, and agents because the PATCH routes only check for workspace-member role instead of owner/admin. Because a member can reassign a project's lead_id to their own user id, they can then satisfy and bypass the delete route's owner/admin check to destroy owner-created projects. No public exploit identified at time of analysis, though the flaw is trivially reachable by any authenticated tenant member.

Authentication Bypass Praisonai
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-61439 HIGH PATCH This Week

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection defense ships with its blocking threshold defaulting to CRITICAL, so HIGH-severity injection attempts are detected and logged but never blocked. Any remote user interacting with a PraisonAI agent can submit single-vector prompt injection (instruction overrides, financial manipulation) that scores HIGH and passes through, leaking the system prompt and triggering agent tools without authorization. No public exploit identified at time of analysis, and the issue is not in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).

Authentication Bypass Praisonai
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-61428 MEDIUM PATCH This Month

Webhook signature verification is absent in PraisonAI AgentMail before version 4.6.78, permitting any unauthenticated network attacker to POST crafted message.received events directly to the webhook endpoint with spoofed sender identities. This bypasses configured sender allow/block lists, injecting arbitrary content into the AI agent's processing pipeline and causing the agent to dispatch replies to attacker-controlled addresses. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, though the low-complexity, unauthenticated attack vector makes exploitation straightforward for any attacker with network access to the webhook endpoint.

Authentication Bypass Praisonai
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56240 MEDIUM PATCH This Month

Billing authorization bypass in Capgo (prior to 12.128.12) enables authenticated organizations with exhausted or expired usage credit grants to continue consuming paid API endpoints without valid entitlement. The divergence between the plugin's hot-path plan_valid expression and the authoritative billing gate creates a logic gap exploitable by any organization that reaches credit depletion, granting continued access to /updates, /stats, /channel_self, and attachment upload endpoints. No public exploit or CISA KEV listing exists at time of analysis, but the low attack complexity and network accessibility make this straightforward for any affected account holder to abuse.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-1359 HIGH This Week

Privilege escalation in the Genolve AI image and video generation plugin for WordPress (all versions through 5.0.5) lets authenticated users with Contributor-level access or above update arbitrary WordPress options because the genolve_setOpt() function performs no capability check. By enabling the users_can_register option and setting default_role to administrator, a low-privileged user can register a new administrator account and fully take over the site. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Privilege Escalation Genolve Genolve Ai Business Graphics Ai Images
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-9017 MEDIUM This Month

Authorization bypass in the NEX-Forms WordPress plugin (all versions through 9.2.2) allows unauthenticated remote attackers to overwrite email metadata fields on arbitrary form entries and weaponize the victim WordPress site as an outbound email relay. The CVSS vector (PR:N/AC:L/AV:N) confirms zero authentication and zero configuration prerequisites beyond plugin activation. No public exploit has been identified at time of analysis, but the trivially low exploitation complexity makes mass scanning and abuse for phishing or spam distribution operationally realistic at scale.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-10041 MEDIUM This Month

Unauthorized cross-vendor manipulation in WCFM - Frontend Manager for WooCommerce (all versions ≤ 6.7.27) allows authenticated subscriber-level users to archive competitor vendors' product listings, toggle featured status on arbitrary listings, mark WooCommerce orders as completed, and permanently delete enquiries and bulk messages belonging to other vendors within the same marketplace. Multiple AJAX handlers in class-wcfm-ajax.php, class-wcfm-enquiry.php, and class-wcfm-notification.php accept user-controlled object IDs without verifying ownership - a textbook CWE-639 IDOR pattern enabling horizontal privilege escalation across vendor accounts. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Wcfm Frontend Manager For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12103 MEDIUM This Month

User enumeration via authorization bypass in the Wallet for WooCommerce WordPress plugin (versions up to and including 1.6.4) allows any authenticated subscriber-level user to extract login names, email addresses, and user IDs for every WordPress account on the site, including administrators. The flaw exists because the plugin exposes a 'search-user' nonce - required to call its AJAX search handler - directly in the wallet_param JavaScript object rendered on the publicly accessible WooCommerce My Account page, making it trivially obtainable by any logged-in user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and wide subscriber-level accessibility make exploitation straightforward on sites with open user registration.

Authentication Bypass WordPress Wallet For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-12994 MEDIUM This Month

Authorization bypass in WCFM - Frontend Manager for WooCommerce (all versions through 6.7.27) allows unauthenticated network attackers to inject arbitrary content into store inquiry replies, overwrite inquiry records in the wp_wcfm_enquiries database table, and trigger unsolicited notification emails to customers and vendors. The root cause is a missing authentication gate in the wcfm-my-account-enquiry-manage controller branch - unlike its sibling branches, it performs neither is_user_logged_in() nor current_user_can() checks. The nonce that serves as the sole barrier is embedded into every public page load without any login requirement, rendering it ineffective as an access control. No public exploit code and no CISA KEV listing identified at time of analysis.

Authentication Bypass WordPress Wcfm Frontend Manager For Woocommerce
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12738 MEDIUM This Month

Authorization bypass in the WP Easy Pay WordPress plugin (versions ≤4.5.0) allows any authenticated WordPress user at subscriber level or above to set arbitrary posts and pages to 'draft', silently unpublishing site content without editorial authorization. The flaw stems from missing capability checks in the plugin's action handlers (wpep-setup.php), confirmed by Wordfence with direct source code references. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the low barrier to exploitation - any registered user qualifies - makes this a meaningful risk on sites with open user registration.

Authentication Bypass WordPress Wp Easy Pay Payment And Donation Form Builder For Square
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-1832 MEDIUM This Month

Unauthorized cache deletion in the ThriveDesk WordPress plugin (all versions through 2.1.7) is possible by any authenticated user holding a Subscriber-level role or above, due to a missing capability check on the `thrivedesk_clear_cache` AJAX action. The root cause is a CWE-862 Missing Authorization flaw in `includes/helper.php` - any logged-in user can invoke the privileged cache-clearing function without role validation. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is bounded to cache disruption and potential performance degradation rather than data loss or code execution.

Authentication Bypass WordPress Agentic Help Desk Plugin For Wordpress Live Chat Ai Chatbot Ticketing Thrivedesk
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14262 HIGH This Week

Privilege escalation in the Simple JWT Login WordPress plugin (all versions through 3.6.6) lets an authenticated subscriber-level user forge an Administrator session by injecting arbitrary identity claims into the JWT payload. Because AuthenticateService::generatePayload() only overwrites payload keys that appear in the admin-configured jwt_payload allowlist, attacker-supplied claims such as email, id, or username survive and are signed with the site's HS256 secret; the token is then redeemed at /autologin to log in as any administrator. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

Privilege Escalation WordPress Authentication Bypass Simple Jwt Login Allows You To Use Jwt On Rest Endpoints
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-6804 MEDIUM This Month

Authorization bypass in the AI Copilot - Content Generator WordPress plugin (by wupsales/AIWU) allows unauthenticated remote attackers to manipulate WordPress post publication states across all versions through 1.4.12. By supplying arbitrary scenario IDs to the plugin's workspace controller endpoint - which lacks any authorization verification - attackers can expose unpublished draft content or take live published posts offline, causing content disclosure and service disruption. No public exploit or CISA KEV listing has been identified at time of analysis, though the trivial exploitation complexity (AV:N/AC:L/PR:N/UI:N) makes independent rediscovery straightforward.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-13250 MEDIUM This Month

Permanent, irreversible deletion of all Starter Template-imported site content in the Solace Extra WordPress plugin (all versions through 1.5.3) is achievable by fully unauthenticated network attackers due to the complete absence of authorization checks on the responsible AJAX handler. The handler is registered via wp_ajax_nopriv_, removing WordPress's authentication gate entirely, while the required nonce is leaked to any Subscriber-level user visiting any wp-admin page - eliminating both authentication and authorization barriers simultaneously. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the Wordfence disclosure includes exact file and line references enabling straightforward reproduction; the official CVSS score of 5.3 significantly understates the destructive impact.

Authentication Bypass WordPress PHP Solace Extra
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-7559 MEDIUM This Month

Unauthorized affiliate management actions in the Affilia plugin for WordPress (all versions through 3.3.3) allow any subscriber-level authenticated user to approve or reject referrals, credit commissions to affiliate wallets, delete referral records, and modify banner options - enabling direct financial fraud against WooCommerce stores. The root cause is that the sole authentication gate relies on a WordPress nonce that is publicly embedded in every frontend page load via the JavaScript global `rtwalwm_global_params.rtwalwm_nonce`, making role-based access enforcement trivially bypassable. No public exploit code or CISA KEV listing is identified at time of analysis, but the low exploitation complexity and direct financial fraud impact make this a meaningful operational risk for any site running an affiliate program on this plugin.

Authentication Bypass WordPress Affiliate Program Referral Tracking For Woocommerce Wordpress Affilia
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13116 MEDIUM This Month

Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress Pdf Invoices Packing Slips For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-3552 MEDIUM PATCH This Month

Unauthorized data modification in SurfLink - Link Manager & Backup Restore (all versions up to 2.6.0) allows authenticated attackers with Subscriber-level access to inject arbitrary URLs into the plugin's 410 Gone database table, causing those site paths to return HTTP 410 Gone responses to all visitors. The root cause is a missing capability check (current_user_can()) and absent nonce verification (check_ajax_referer()) in the ajax_import_410() AJAX handler - a conspicuous gap given that every other AJAX handler in the same PHP class correctly implements both controls. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low authentication barrier and clear impact on site availability and SEO ranking make this a meaningful risk for affected WordPress deployments.

Authentication Bypass WordPress Denial Of Service Surflink Link Manager Backup Restore
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-6803 MEDIUM This Month

Unauthenticated mass data deletion in the AI Copilot - Content Generator WordPress plugin (all versions through 1.4.12) exposes sites to complete wipeout of plugin-managed database records by any remote visitor. The vulnerability stems from a permanently open authorization gate: the base controller's getPermissions() returns an empty array causing the auth check to unconditionally pass, while the removeGroup and clear AJAX actions are excluded from getNoncedMethods(), bypassing nonce verification entirely. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis, though the attack requires no credentials and minimal technical skill given the straightforward AJAX endpoint targeting.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-7620 MEDIUM This Month

Authorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated subscribers to manipulate WordPress cron scheduling logic. Authenticated attackers with subscriber-level access or above can create, modify, or reschedule the nftb_cron_hook cron event due to missing authorization checks in nftncron.php, disrupting the plugin's background task scheduling for Telegram notifications. No public exploit or active exploitation has been identified at time of analysis; CVSS rates this Medium (4.3) with integrity-only impact.

Authentication Bypass WordPress Notification For Telegram
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-10628 MEDIUM This Month

Authorization bypass in Points and Rewards for WooCommerce (all versions through 2.10.0) allows authenticated subscribers to drain any user's reward points into a wallet balance, exfiltrate all user emails and point balances to an attacker-controlled Klaviyo account, and overwrite the site's Klaviyo API key - compounding financial fraud with third-party data exfiltration. Critically, the plugin exposes its authentication nonce (wps-wpr-verify-nonce) on every public-facing page via wp_localize_script(), and the wallet-draining handler is registered on the wp_ajax_nopriv_ hook, meaning the most financially damaging action - converting points to wallet balance - is exploitable by unauthenticated visitors. No public exploit code or CISA KEV listing identified at time of analysis.

Authentication Bypass WordPress Points And Rewards For Woocommerce
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-8678 MEDIUM This Month

Authorization bypass in the MyParcel (woocommerce-myparcel) WordPress plugin allows any authenticated subscriber-level user to view and modify shipment options - including carrier, delivery type, package type, label count, weight, signature requirement, and insurance - on arbitrary WooCommerce orders they do not own. All plugin versions up to and including 4.25.1 are affected, with the flaw rooted in missing capability checks on administrative AJAX handlers. No public exploit or active exploitation has been identified at time of analysis, though the low privilege bar (any registered WordPress user) expands the realistic attacker pool significantly for e-commerce stores.

Authentication Bypass WordPress Myparcel
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-20744 CRITICAL CISA Emergency

Authentication bypass in the Hydro-Québec Le Circuit Électrique EV charging station backend lets remote unauthenticated attackers open connections directly to the charging-station WebSocket endpoint, which lacks proper access control (CWE-284), and leverage that access for privilege escalation. All backend versions prior to the June 2026 fix are affected, and the CVSS 4.0 base score of 9.3 (critical) reflects full compromise of confidentiality, integrity, and availability over the network with no privileges or user interaction. Reported through CISA ICS-CERT (ICSA-26-188-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-15087 PHP MEDIUM This Month

vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.

Clean Restful Authentication Bypass
NVD VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-15089 PHP CRITICAL Act Now

Authentication bypass in the Drupal Commerce Guest Registration contributed module allows remote unauthenticated attackers to circumvent identity verification during the guest checkout/registration flow, per Drupal advisory SA-CONTRIB-2026-079. The CVSS 9.1 scoring (C:H/I:H) indicates an attacker can gain unauthorized access to or hijack account/order data without credentials or user interaction. No public exploit has been identified at time of analysis, and the low EPSS score (0.24%, 15th percentile) suggests exploitation is not yet widespread.

Authentication Bypass Commerce Guest Registration
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-58590 PHP MEDIUM PATCH This Month

Missing Authorization (CWE-862) in the Drupal FlowDrop contributed module allows authenticated low-privilege users to perform Forceful Browsing - directly accessing protected URLs without proper permission checks being enforced. All FlowDrop releases from 0.0.0 up to 1.6.0 are affected; a successful attacker can read or modify content and workflow data beyond their authorized scope. No public exploit has been identified and EPSS sits at 0.18% (8th percentile), indicating negligible observed exploitation probability at time of analysis; the vulnerability is not listed in CISA KEV.

Authentication Bypass Flowdrop
NVD
CVSS 3.1
5.4
EPSS
0.2%
EPSS 0% CVSS 4.9
MEDIUM This Month

Missing authorization in WooCommerce Bulk Edit Products - WP Sheet Editor (versions up to and including 1.8.21) permits authenticated high-privilege users to exploit incorrectly configured access control security levels, resulting in unauthorized bulk modification of WooCommerce product data. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper capability checks before executing privileged bulk-edit operations via the network. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis, though the integrity-only impact and high-privilege requirement constrain the realistic attack surface.

Authentication Bypass WordPress Woocommerce Bulk Edit Products Wp Sheet Editor
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated broken access control in the Simply Schedule Appointments WordPress plugin (versions through 1.6.12.4) allows remote attackers to perform unauthorized actions against appointment data, resulting in low-integrity and low-availability impacts. The plugin by NSquared fails to enforce proper authorization checks on one or more endpoints, enabling exploitation without any credentials against default installations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and zero privilege requirement lower the barrier for opportunistic abuse.

Authentication Bypass Simply Schedule Appointments
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in ThemeMove's EduMall WordPress theme (versions through 4.5.1) permits authenticated low-privileged users to invoke restricted functionality without proper authorization checks. An attacker with any valid WordPress account can bypass the intended access control tiers and trigger actions that degrade site availability. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 4.3 reflects a contained, low-severity impact limited to availability.

Authentication Bypass Edumall
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.

Authentication Bypass CSRF Workscout Core
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Universal Clocks WordPress plugin (≤1.2.0) by PressTigers exposes unauthorized action endpoints due to missing authorization checks, enabling unauthenticated remote attackers to perform integrity-impacting operations without valid credentials. Reported by Patchstack under CWE-862, the flaw stems from incorrectly configured access control security levels that fail to validate caller permissions before executing plugin functionality. No public exploit code or active exploitation (CISA KEV listing) has been identified at time of analysis.

Authentication Bypass Universal Clocks
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in the MeetingHub WordPress plugin (versions through 1.25.10) allows unauthenticated remote attackers to exploit incorrectly configured access control and perform unauthorized integrity-affecting actions. The CVSS vector (PR:N/AV:N/AC:L/UI:N) confirms no authentication or user interaction is required, making any WordPress installation running an affected version directly exposed from the network. No active exploitation has been confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis.

Authentication Bypass Meetinghub
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated broken access control in the Fascinate WordPress theme by themebeez (versions through 1.1.5) permits remote attackers to exploit incorrectly configured capability checks, resulting in unauthorized write-level actions on affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, with impact limited to integrity (I:L). No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass Fascinate
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in the wpdevart Booking Calendar, Appointment Booking System WordPress plugin (versions through 3.2.36) permits unauthenticated remote attackers to bypass access controls and perform restricted booking-related actions, resulting in unauthorized data modification. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is trivially reachable over the network with no authentication, though impact is limited to integrity (I:L) with no confidentiality or availability consequence. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Booking Calendar Appointment Booking System
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Broken access control in the VW Wedding WordPress theme (vowelweb) allows unauthenticated remote attackers to exploit incorrectly configured authorization checks, resulting in limited availability impact against affected WordPress installations. All versions through 1.3.7 are affected per the CPE string cpe:2.3:a:vowelweb:vw_wedding. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in the lower-urgency tier despite network-level reachability.

Authentication Bypass Vw Wedding
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization controls in the VW Food Corner WordPress theme (versions through 1.1.0) permit unauthenticated remote attackers to invoke restricted theme functionality without valid access credentials, resulting in availability impact. Reported by Patchstack and classified under CWE-862, the flaw stems from incorrectly configured access control levels that fail to verify caller identity or capability before executing protected actions. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass Vw Food Corner
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets an authenticated low-privileged user reach functionality that should be restricted, impacting integrity and, most notably, availability of the plugin's newsletter/mailing operations. The flaw is a missing authorization check (CWE-862) reported by Patchstack; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note an inconsistency in the source data: the CVE description states affected 'through <= 10.11.1' while the linked Patchstack advisory slug references 10.10.2 - the exact patched version is not confirmed from the input.

Authentication Bypass Acymailing Smtp Newsletter
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the UX-Themes Flatsome WordPress theme (versions up to and including 3.20.5) allows remote unauthenticated attackers to reach functionality or data that should be authorization-gated, resulting in confidentiality-only impact per the CVSS vector. The flaw stems from a missing authorization check (CWE-862) and was catalogued by Patchstack, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Flatsome is one of the most widely sold commercial WooCommerce themes, so the affected footprint is substantial even though only information disclosure (not integrity or availability) is implicated.

Authentication Bypass Flatsome
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Themeum Kirki WordPress customizer framework (versions up to and including 6.0.13) allows remote unauthenticated attackers to reach functionality protected by incorrectly configured access-control levels, resulting in disclosure of sensitive information. The flaw was reported by Patchstack and stems from a missing authorization check (CWE-862); no public exploit has been identified at time of analysis. With a CVSS of 7.5 driven purely by confidentiality impact, the practical risk is unauthorized data exposure rather than site takeover.

Authentication Bypass Kirki
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Event Tickets WordPress plugin (versions up to and including 5.28.5) lets remote unauthenticated attackers modify data they should not be able to reach because an authorization check is missing on a privileged action. The flaw carries a 7.5 CVSS with an integrity-only impact (I:H) and no confidentiality or availability effect, and there is no public exploit identified at time of analysis. It was disclosed by Patchstack and affects default installations of the plugin.

Authentication Bypass Event Tickets
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Authentication bypass in VillaTheme's Abandoned Cart Recovery for WooCommerce (versions through 1.1.12) allows unauthenticated remote attackers to access protected functionality via an alternate authentication path or channel (CWE-288). The CVSS vector confirms network-reachable, zero-complexity exploitation requiring no privileges or user interaction, yielding partial confidentiality and integrity compromise. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and unauthenticated nature elevate practical risk for any WooCommerce store running this plugin.

Authentication Bypass WordPress Abandoned Cart Recovery For Woocommerce
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Authentication bypass in the Metagauss ProfileGrid WordPress plugin (versions up to and including 5.9.9.6) lets remote unauthenticated attackers abuse the password recovery flow as an alternate channel to hijack arbitrary user accounts, including administrators. Because the flaw is exploitable over the network with no privileges and no user interaction (CVSS 7.5, I:H), it enables full account takeover on affected WordPress sites. No public exploit is identified at time of analysis and it is not in CISA KEV, but the low attack complexity makes it an attractive target once details circulate.

Authentication Bypass Profilegrid
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Tutor LMS WordPress plugin allows authenticated low-privilege users to bypass authorization controls by manipulating user-controlled keys, resulting in unauthorized modification of LMS objects such as courses, lessons, or student records. Affected versions span all releases through 3.9.13 by Themeum. No confirmed active exploitation (KEV) or public exploit code has been identified at time of analysis, but the low attack complexity and wide WordPress deployment surface make this a credible integrity risk for any site running an unpatched version.

Authentication Bypass Tutor Lms
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in Razorpay Payment Links for WooCommerce (versions through 2.1.4) allows unauthenticated network attackers to invoke privileged plugin actions without any authentication check. The flaw stems from CWE-862, where one or more AJAX endpoints or REST routes in the plugin fail to verify the caller's identity or capability before executing sensitive operations, resulting in low-severity integrity and availability impacts against WooCommerce payment link workflows. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass WordPress Razorpay Payment Links For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) allow low-privileged authenticated users to access confidential invoice data without proper permission checks. The flaw (CWE-862) enables a logged-in WordPress user with minimal privileges to bypass intended access control restrictions and retrieve sensitive financial or client information managed by the plugin. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible attack vector and high confidentiality impact make this a meaningful exposure for sites hosting sensitive invoicing workflows.

Authentication Bypass Client Invoicing By Sprout Invoices
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stock Locations for WooCommerce plugin (versions through 3.1.8) exposes one or more privileged operations without performing authorization checks, allowing authenticated low-privileged WordPress users to manipulate stock location data they should have no rights to modify. Rooted in CWE-862 (Missing Authorization), the flaw means the plugin accepts and executes sensitive requests based solely on authentication rather than verifying the requester's WordPress capability level. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-privilege access requirement and straightforward network exploitation path make it a realistic risk for any multi-location WooCommerce store running the affected plugin.

Authentication Bypass WordPress Stock Locations For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthenticated remote attackers to perform unauthorized actions against voucher-related functionality, resulting in low-severity integrity and availability impact. The flaw stems from CWE-862 (Missing Authorization), meaning the plugin fails to verify whether a requesting user has rights to access specific functionality - effectively treating restricted endpoints as publicly accessible. No public exploit or CISA KEV listing is identified at time of analysis, but the unauthenticated attack vector (PR:N, AV:N) lowers the bar for opportunistic exploitation significantly.

Authentication Bypass Gift Vouchers
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Peach Payments Gateway WordPress plugin (all versions through 4.0.2) permits remote unauthenticated attackers to invoke plugin functionality without valid authorization, bypassing intended access control security levels. Rooted in CWE-862 (Missing Authorization) and reported by Patchstack, the flaw enables limited integrity and availability impact against WooCommerce-powered sites using this plugin. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector warrants prompt remediation for any site processing payments through this gateway.

Authentication Bypass Peach Payments Gateway
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in the FundEngine WordPress fundraising plugin (versions through 1.7.6) permits unauthenticated remote attackers to exploit incorrectly configured access control, resulting in partial data integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, unauthenticated network exploitation with no user interaction required. No active exploitation is confirmed in the CISA KEV catalog, and no public exploit code has been identified at the time of this analysis.

Authentication Bypass Fundengine
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in the Booking and Rental Manager WordPress plugin (≤ 2.6.9) exposes unauthenticated remote attackers to broken access control, enabling unauthorized modification of booking data and partial disruption of plugin availability. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication or user interaction against any internet-facing WordPress/WooCommerce site running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes this straightforwardly exploitable once a target is identified.

Authentication Bypass WordPress Booking And Rental Manager
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Broken access control in the ThemeHunk Open Shop WordPress theme (versions up to and including 1.7.1) lets an authenticated low-privileged user reach functionality that should be restricted, tampering with data and degrading site availability. Reported by Patchstack and rated CVSS 7.1, the flaw stems from missing authorization checks on a privileged action. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Open Shop
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization (CWE-862) in the Event Tickets Manager for WooCommerce WordPress plugin versions through 1.5.5 allows unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited but unauthorized modification of data and disruption of availability. The CVSS vector (PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, lowering the barrier for abuse against any WordPress site with the plugin installed and active. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Event Tickets Manager For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization (CWE-862) in the Tourfic WordPress plugin through version 2.22.5 permits authenticated low-privilege users to exploit incorrectly configured access control levels, resulting in unauthorized high-confidentiality data exposure. The CVSS vector (PR:L, C:H, I:N) confirms that any logged-in WordPress user - such as a customer or subscriber - can read sensitive data reserved for higher-privileged roles without modifying or disrupting it. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes exploitation straightforward once the unprotected endpoint is located.

Authentication Bypass Tourfic
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Tourfic, a WordPress travel booking plugin by Themefic, exposes unauthenticated access control bypass through missing authorization checks on one or more plugin endpoints, affecting all versions through 2.22.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote, unauthenticated exploitation with limited integrity and availability impact. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes opportunistic exploitation straightforward against any WordPress site with the plugin installed.

Authentication Bypass Tourfic
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in the Extra Product Options Builder for WooCommerce plugin (versions through 1.2.167) permits remote unauthenticated attackers to perform restricted actions without valid credentials, impacting both data integrity and service availability on affected WordPress storefronts. The flaw stems from CWE-862 - the plugin exposes endpoints or AJAX actions that fail to verify whether the caller holds the necessary capability or role before executing sensitive operations. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.

Authentication Bypass WordPress Extra Product Options Builder For Woocommerce
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Phil Kurth "Advanced Forms" WordPress plugin (all versions up to and including 1.9.3.7) lets remote unauthenticated attackers reach a form-handling function that fails to verify authorization, enabling unauthorized modification of form data or settings. The CVSS 3.1 score is 7.5 with integrity-only impact and no confidentiality or availability loss. Reported by Patchstack; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Advanced Forms
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in FluxBuilder's MStore API WordPress plugin (versions through 4.18.4) allows unauthenticated remote attackers to bypass authorization checks on restricted API endpoints. Rooted in CWE-862 (Missing Authorization), the flaw enables callers to interact with functionality gated behind access control levels that are incorrectly enforced - resulting in limited unauthorized data read and write operations against affected WooCommerce-backed mobile API deployments. No public exploit code or CISA KEV listing has been identified at time of analysis, but the PR:N/AC:L CVSS vector confirms the attack requires no authentication or special conditions.

Authentication Bypass Mstore Api
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in WPXPO WowAddons WordPress plugin (versions through 1.6.8) enables unauthenticated remote attackers to invoke privileged plugin actions without proper access control checks. Exploitation produces limited integrity and availability impact - unauthorized modification or disruption of plugin-managed content - with no confidentiality exposure confirmed by the CVSS vector. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the zero-privileges-required network vector makes this class of flaw attractive for opportunistic automated scanning once a proof-of-concept surfaces.

Authentication Bypass Wowaddons
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Incorrect authorization in Mattermost's interactive post action handler allows authenticated users to trigger post actions in private channels they are not members of. The flaw stems from action cookies failing to bind to the specific channel of the target post - a cookie obtained from any accessible channel can be reused against posts in restricted private channels. Affected are Mattermost versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19; no public exploit has been identified and the vulnerability is not listed in CISA KEV.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Mattermost's channel patch API fails to enforce authorization on the group_constrained flag, permitting any authenticated low-privilege member of a group message or direct message channel to remove all participants from the conversation. All three supported release lines are affected: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code has been identified at time of analysis; however, the low attack complexity and minimal privilege requirement make this straightforward to abuse on any reachable Mattermost deployment.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Incoming webhook impersonation in Mattermost allows a requester holding webhook management permissions to post content attributed to arbitrary users in teams or channels those users do not belong to. Affected deployments span three active release branches: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code exists and the vulnerability is not listed in CISA KEV; the CVSS score of 4.9 correctly reflects that exploitation is constrained by the High privilege requirement, limiting realistic risk to insider threats or compromised privileged accounts.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Post ownership verification is absent in Mattermost's shared channel inbound sync handler, allowing an authenticated remote cluster to forge sync messages that modify or delete posts authored by local users or other federated remotes. Affected versions span the 10.11.x, 11.6.x, and 11.7.x release trains up to and including 10.11.19, 11.6.4, and 11.7.2 respectively. No public exploit has been identified and CISA KEV confirmation is absent, but the integrity impact is direct and the attack complexity is low once federation trust is established.

Authentication Bypass Mattermost
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary file deletion in JoomShaper's Helix Ultimate template framework for Joomla allows unauthenticated remote attackers to delete files on the server due to a missing authorization check (CWE-862). Any anonymous user can reach the vulnerable functionality without credentials (PR:N/UI:N), enabling deletion of critical Joomla files to corrupt or take down the site. No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Helix Ultimate Extension For Joomla
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Insecure direct object reference (IDOR) in Dassault Systèmes Tuleap Enterprise Edition 17.0 through 17.5 lets attackers read other users' data by manipulating a user-controlled key/identifier, breaking horizontal authorization boundaries. The CVSS 3.1 vector (AV:N/PR:N) scores it as remotely reachable with high confidentiality impact but no integrity or availability effect. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Tuleap Enterprise Edition
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Improper WebSocket authentication in will-moss Isaiah up to version 1.36.9 permits unauthenticated remote attackers to establish authenticated WebSocket sessions against the Docker management interface. The flaw resides in app/main.go within the WebSocket Connection Authentication component, where authentication controls can be bypassed, granting access to Docker management functionality without valid credentials. No public exploit has been identified at time of analysis, and an upstream fix exists as a pending pull request (PR #36) that has not yet been merged into a released version.

Authentication Bypass Isaiah
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Missing authorization in Isaiah's Master WebSocket Handler allows remote unauthenticated attackers to manipulate the Agent argument in the Server.Handle function, bypassing access controls over Docker management operations. All versions of the will-moss/isaiah project up to and including 1.36.9 are affected. No public exploit or active exploitation has been identified at time of analysis; a fix pull request (#35) exists upstream but awaits acceptance.

Authentication Bypass Isaiah
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Tutor LMS WordPress plugin (all versions before 3.9.13) allows authenticated users with subscriber-level access to post auto-approved comments containing arbitrary HTML and external links on any site content, bypassing the comment moderation queue entirely. The vulnerable comment handler performs no authorization check and no post-target validation before creating comments, making this exploitable by any registered user on sites with open registration - a common LMS deployment pattern. A publicly available POC from WPScan exists; no CISA KEV listing indicates confirmed mass exploitation, but the low privilege bar and POC availability make this a realistic content-integrity threat.

Authentication Bypass WordPress Tutor Lms
NVD WPScan
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

Authorization bypass in MacCMS Pro's installation module allows remote attackers to circumvent access controls via the `step5` function in the installation controller, affecting all versions through 2022.1000.3005. Exploitation is rated high-complexity (AC:H), limiting opportunistic mass exploitation, though a public proof-of-concept is available on GitHub. No CISA KEV listing at time of analysis; EPSS data was not included in the available intelligence, but POC availability elevates the practical risk above the raw CVSS score alone might suggest.

Authentication Bypass PHP Maccms Pro
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Access-control bypass in EIPStackGroup OpENer 2.3.0 (commit 76b95cf) lets any unauthenticated network attacker hijack another client's EtherNet/IP encapsulation session by replaying a valid session_handle, because the stack validates the handle against a global session list but never binds it to the originating TCP socket. Affected industrial devices running this open-source stack can have their EtherNet/IP command channel abused for read/write operations under another client's authority. No CISA KEV listing exists, but a researcher gist referenced in the advisory appears to publish exploit details, and the CVSS 9.1 rating reflects high confidentiality and integrity impact.

Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to invoke the Setting::saveSetting function and modify application settings beyond their authorization level. The flaw is classified under CWE-285 (Improper Authorization) and is tagged as an authentication bypass and broken access control issue, meaning the application fails to enforce permission boundaries after login. A publicly available proof-of-concept exploit exists per VulDB and bytium.com; no CISA KEV listing was identified at time of analysis, and the vendor has not responded to disclosure.

Authentication Bypass Leantime
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by manipulating the role argument in JSON-RPC requests to the editUser/addUser endpoint. The server fails to verify whether the calling user is authorized to assign elevated roles, a CWE-285 Improper Authorization flaw. A public proof-of-concept exploit has been disclosed, and the vendor did not respond to coordinated disclosure, meaning no patch is confirmed available.

Authentication Bypass Leantime
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Missing authorization in Coolify's Policy Handler allows authenticated remote attackers to bypass resource-level access controls in versions up to 4.1.1. The flaw resides in the /app/Policies/ component, where policy enforcement checks are absent or incomplete, enabling low-privileged users to access or manipulate resources beyond their intended authorization scope. A public proof-of-concept exploit is available, raising the urgency for operators running self-hosted Coolify instances.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH PATCH Exploit Likely This Week

Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim into loading crafted web content that triggers an untrusted pointer dereference (CWE-822). Microsoft rates it CVSS 8.3, driven by a scope change (sandbox/boundary crossing) and full confidentiality, integrity, and availability impact, but exploitation requires user interaction and is of high attack complexity. No public exploit identified at time of analysis (E:U), it is not on CISA KEV, and an official vendor fix is available.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Path normalization failure in filebrowser's DeleteWithPathPrefix function allows authenticated users on versions before 2.63.17 to leave stale public share records intact by deleting directories with trailing-slash paths. After deletion, an attacker can recreate the same directory path and cause its new contents to be silently exposed through the previously dormant, still-valid public share URL. No public exploit code has been identified at time of analysis, and the vendor-confirmed CVSS 4.0 score of 2.3 reflects the high complexity and limited confidentiality impact.

Authentication Bypass Filebrowser
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Cross-organization account disruption in Capgo before 12.128.2 lets an enterprise administrator in one organization destroy the email/password login of users belonging to different organizations. By abusing the SSO prelink-users endpoint, an attacker holding the org.update_settings permission with an active SSO provider can permanently remove password identities for any user whose email matches the provider's domain, locking victims out of native authentication and forcing them onto the attacker's SSO or a password-reset recovery flow. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported by VulnCheck.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Account takeover in Capgo before 12.128.2 arises because the email-change endpoint performs no current-password re-authentication and no verification of the existing email address, letting an attacker who already holds a valid session cookie or an authenticated browser silently repoint the account email. By seizing the recovery address, the attacker captures password-reset flows and sidesteps multi-factor authentication, converting a hijacked session into durable full account control. There is no public exploit identified at time of analysis, but the flaw is vendor-confirmed via GitHub Security Advisory GHSA-9px4-w25f-mvm4 and reported by VulnCheck.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Flowise 3.0.13 and earlier lets remote unauthenticated attackers forge valid JWTs and impersonate any user, including administrators, because the enterprise passport authentication middleware silently falls back to publicly known hardcoded secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER') whenever the JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables are unset. Reported by VulnCheck and rated CVSS 4.0 9.3 (Critical), it grants full account takeover, though there is no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass Flowise
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attackers steal secrets from the host. By abusing the exposed /md, /llm, and /llm/job endpoints, an attacker supplies a malicious base_url to redirect outbound LLM API calls and sets api_token to the special form env:VARIABLE_NAME, causing the server to resolve and leak arbitrary environment variables - including provider API keys and the JWT SECRET_KEY, which in turn enables full authentication bypass. No public exploit identified at time of analysis, but the flaw is trivially exploitable and reported by VulnCheck with an assigned CVSS 4.0 score of 8.8.

Authentication Bypass Docker Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Scope isolation failure in Capgo's POST /webhooks/test endpoint allows authenticated app-scoped API keys to invoke org-scoped webhook operations, bypassing the intended limited_to_apps authorization boundary. All Capgo instances prior to version 12.128.2 are affected, enabling credential holders with narrow, app-level access to trigger signed outbound webhook deliveries targeting arbitrary organization webhooks they should not control. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 vector (PR:L, AV:N) confirms low-privilege network exploitation is straightforward once credentials are in hand.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 lets demoted super_admin users retain organization-wide bundle management rights because the org_users.user_right column is not cleared when their role binding is deleted. A user who once held super_admin can continue invoking the delete_non_compliant_bundles and count_non_compliant_bundles RPCs to enumerate and bulk-delete non-compliant bundles across the entire organization indefinitely, well after their privileges were supposedly revoked. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Privilege Escalation Capgo
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in AstrBot's Scheduled Task Handler allows a remote low-privileged user to bypass authorization controls by manipulating the payload["note"] argument in FutureTaskTool.call (astrbot/core/tools/cron_tools.py), affecting all versions up to and including 4.25.2. A publicly available proof-of-concept exploit (GitHub gist) demonstrates exploitation. No patch has been released and the vendor did not respond to disclosure; EPSS and CVSS 4.0 score this at 5.3, indicating moderate-to-low real-world severity, but the active POC elevates practical risk for deployed instances. Not currently listed in CISA KEV.

Authentication Bypass Astrbot
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Missing authentication in RafyMrX TOKO-ONLINE-ROTI, an Indonesian online bakery shop management application, allows remote unauthenticated attackers to access restricted application functionality with low-level impact across confidentiality, integrity, and availability. All code through commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is affected, and no patch exists because the vendor did not respond to coordinated disclosure. No public exploit code and no CISA KEV listing exist at time of analysis.

Authentication Bypass Toko Online Roti
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Unrestricted file upload in shiroiAdmin versions 1.1 and 1.3 (PHP admin panel by hcr707305003) exposes the `FileController::upload` function to unauthenticated remote exploitation, enabling attackers to upload arbitrary files - including PHP webshells - to the server without authentication. A public exploit has been disclosed (CVSS 4.0 E:P), and the vendor did not respond to coordinated disclosure. Exploitation conditions are severe: the CVSS 4.0 vector confirms network-accessible, zero-authentication, low-complexity exploitation with no user interaction required.

Authentication Bypass File Upload PHP
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Improper access control in the diskbckp.sys kernel driver of QILING Disk Master 6.0.0.0 allows local low-privileged users to bypass authorization checks and interact with privileged kernel driver functionality. Tagged as an authentication bypass, the flaw resides in an unknown function within the kernel driver component, enabling manipulation of access control logic without elevated credentials. A public proof-of-concept exploit has been disclosed (no CISA KEV listing); the vendor has released a patch via beta download.

Authentication Bypass Disk Master
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Improper access controls in MiniTool Partition Wizard's signed kernel driver pwdrvio.sys (versions up to 13.6) allow a local low-privileged user to interact with privileged driver functionality without authorization. The vulnerability is tagged as an authentication bypass against a kernel-mode component, meaning a standard user account can invoke driver operations that should be restricted to administrative or system-level callers. A publicly available proof-of-concept exploit lowers the practical exploitation bar, though no active exploitation is confirmed via CISA KEV at time of analysis.

Authentication Bypass Partition Wizard
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 enables remote authenticated attackers to access call recordings they are not permitted to view by manipulating the `callId` parameter in the `/callrec/audio.jsp` endpoint. The flaw follows a classic Insecure Direct Object Reference (IDOR) pattern under CWE-285, where the application fails to enforce per-user ownership checks on recording identifiers. A public exploit has been released and no vendor patch exists - the vendor did not respond to responsible disclosure - making compensating controls the only available mitigation at this time.

Authentication Bypass Call Recording Software
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to perform unauthorized operations on the Recorded Calls Page via the `/callrec/restoreCallAction.do` endpoint, potentially accessing or restoring call recordings outside their permitted scope. The vulnerability stems from CWE-285 (Improper Authorization), meaning the application fails to enforce access controls on the restore call action, permitting privilege escalation within the recording management interface. A publicly available proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no patch has been confirmed by the vendor, who did not respond to disclosure attempts.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to bypass access controls on the /callrec/composeEmailAction.do endpoint, exposing limited confidential data. The flaw (CWE-285) means the application fails to enforce authorization decisions for at least one action reachable by low-privileged authenticated users. A publicly available proof-of-concept exploit has been disclosed via VulDB, and no vendor patch exists - the vendor did not respond to the coordinated disclosure. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), though exploit code exists.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization on the /callrec/pci_dss_status.jsp endpoint in Eleveo Call Recording Software 9.7.0 allows authenticated low-privilege users to access PCI DSS compliance status data they are not authorized to view. The exposed information reveals the payment card compliance posture of the organization, which could be leveraged to identify exploitable compliance gaps and inform targeted attacks against payment infrastructure. A public proof-of-concept exploit exists; the vendor did not respond to responsible disclosure, leaving no official patch or advisory available.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to access the /callrec/group.jsp endpoint without proper permission checks, resulting in unauthorized read access to call recording group data. A publicly available exploit has been disclosed via Google Drive; the vendor was notified but did not respond, meaning no official patch exists at time of analysis. No public exploit identified at time of analysis is superseded here - a public POC exists (E:P in the CVSS 4.0 vector), though this is not confirmed actively exploited (CISA KEV) and the CVSS 4.0 score of 2.1 reflects limited scope impact.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Policy bypass in ImageMagick before 7.1.2-26 allows low-privileged local users to write files to filesystem paths explicitly blocked by the application's security policy framework. The APNG encoder and external delegate mechanisms omit required validation against policy.xml restrictions, enabling circumvention of configured path-based access controls. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the impact is meaningful in multi-tenant or shared-processing environments that rely on ImageMagick's policy layer as a security boundary.

Authentication Bypass Imagemagick
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken authorization in PraisonAI Platform (praisonai-platform) before 0.1.9 lets any low-privileged workspace member modify owner- or admin-created projects, issues, and agents because the PATCH routes only check for workspace-member role instead of owner/admin. Because a member can reassign a project's lead_id to their own user id, they can then satisfy and bypass the delete route's owner/admin check to destroy owner-created projects. No public exploit identified at time of analysis, though the flaw is trivially reachable by any authenticated tenant member.

Authentication Bypass Praisonai
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection defense ships with its blocking threshold defaulting to CRITICAL, so HIGH-severity injection attempts are detected and logged but never blocked. Any remote user interacting with a PraisonAI agent can submit single-vector prompt injection (instruction overrides, financial manipulation) that scores HIGH and passes through, leaking the system prompt and triggering agent tools without authorization. No public exploit identified at time of analysis, and the issue is not in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).

Authentication Bypass Praisonai
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Webhook signature verification is absent in PraisonAI AgentMail before version 4.6.78, permitting any unauthenticated network attacker to POST crafted message.received events directly to the webhook endpoint with spoofed sender identities. This bypasses configured sender allow/block lists, injecting arbitrary content into the AI agent's processing pipeline and causing the agent to dispatch replies to attacker-controlled addresses. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, though the low-complexity, unauthenticated attack vector makes exploitation straightforward for any attacker with network access to the webhook endpoint.

Authentication Bypass Praisonai
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Billing authorization bypass in Capgo (prior to 12.128.12) enables authenticated organizations with exhausted or expired usage credit grants to continue consuming paid API endpoints without valid entitlement. The divergence between the plugin's hot-path plan_valid expression and the authoritative billing gate creates a logic gap exploitable by any organization that reaches credit depletion, granting continued access to /updates, /stats, /channel_self, and attachment upload endpoints. No public exploit or CISA KEV listing exists at time of analysis, but the low attack complexity and network accessibility make this straightforward for any affected account holder to abuse.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Genolve AI image and video generation plugin for WordPress (all versions through 5.0.5) lets authenticated users with Contributor-level access or above update arbitrary WordPress options because the genolve_setOpt() function performs no capability check. By enabling the users_can_register option and setting default_role to administrator, a low-privileged user can register a new administrator account and fully take over the site. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the NEX-Forms WordPress plugin (all versions through 9.2.2) allows unauthenticated remote attackers to overwrite email metadata fields on arbitrary form entries and weaponize the victim WordPress site as an outbound email relay. The CVSS vector (PR:N/AC:L/AV:N) confirms zero authentication and zero configuration prerequisites beyond plugin activation. No public exploit has been identified at time of analysis, but the trivially low exploitation complexity makes mass scanning and abuse for phishing or spam distribution operationally realistic at scale.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized cross-vendor manipulation in WCFM - Frontend Manager for WooCommerce (all versions ≤ 6.7.27) allows authenticated subscriber-level users to archive competitor vendors' product listings, toggle featured status on arbitrary listings, mark WooCommerce orders as completed, and permanently delete enquiries and bulk messages belonging to other vendors within the same marketplace. Multiple AJAX handlers in class-wcfm-ajax.php, class-wcfm-enquiry.php, and class-wcfm-notification.php accept user-controlled object IDs without verifying ownership - a textbook CWE-639 IDOR pattern enabling horizontal privilege escalation across vendor accounts. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Wcfm Frontend Manager For Woocommerce
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

User enumeration via authorization bypass in the Wallet for WooCommerce WordPress plugin (versions up to and including 1.6.4) allows any authenticated subscriber-level user to extract login names, email addresses, and user IDs for every WordPress account on the site, including administrators. The flaw exists because the plugin exposes a 'search-user' nonce - required to call its AJAX search handler - directly in the wallet_param JavaScript object rendered on the publicly accessible WooCommerce My Account page, making it trivially obtainable by any logged-in user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and wide subscriber-level accessibility make exploitation straightforward on sites with open user registration.

Authentication Bypass WordPress Wallet For Woocommerce
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in WCFM - Frontend Manager for WooCommerce (all versions through 6.7.27) allows unauthenticated network attackers to inject arbitrary content into store inquiry replies, overwrite inquiry records in the wp_wcfm_enquiries database table, and trigger unsolicited notification emails to customers and vendors. The root cause is a missing authentication gate in the wcfm-my-account-enquiry-manage controller branch - unlike its sibling branches, it performs neither is_user_logged_in() nor current_user_can() checks. The nonce that serves as the sole barrier is embedded into every public page load without any login requirement, rendering it ineffective as an access control. No public exploit code and no CISA KEV listing identified at time of analysis.

Authentication Bypass WordPress Wcfm Frontend Manager For Woocommerce
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the WP Easy Pay WordPress plugin (versions ≤4.5.0) allows any authenticated WordPress user at subscriber level or above to set arbitrary posts and pages to 'draft', silently unpublishing site content without editorial authorization. The flaw stems from missing capability checks in the plugin's action handlers (wpep-setup.php), confirmed by Wordfence with direct source code references. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the low barrier to exploitation - any registered user qualifies - makes this a meaningful risk on sites with open user registration.

Authentication Bypass WordPress Wp Easy Pay Payment And Donation Form Builder For Square
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized cache deletion in the ThriveDesk WordPress plugin (all versions through 2.1.7) is possible by any authenticated user holding a Subscriber-level role or above, due to a missing capability check on the `thrivedesk_clear_cache` AJAX action. The root cause is a CWE-862 Missing Authorization flaw in `includes/helper.php` - any logged-in user can invoke the privileged cache-clearing function without role validation. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is bounded to cache disruption and potential performance degradation rather than data loss or code execution.

Authentication Bypass WordPress Agentic Help Desk Plugin For Wordpress Live Chat Ai Chatbot Ticketing Thrivedesk
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Simple JWT Login WordPress plugin (all versions through 3.6.6) lets an authenticated subscriber-level user forge an Administrator session by injecting arbitrary identity claims into the JWT payload. Because AuthenticateService::generatePayload() only overwrites payload keys that appear in the admin-configured jwt_payload allowlist, attacker-supplied claims such as email, id, or username survive and are signed with the site's HS256 secret; the token is then redeemed at /autologin to log in as any administrator. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

Privilege Escalation WordPress Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the AI Copilot - Content Generator WordPress plugin (by wupsales/AIWU) allows unauthenticated remote attackers to manipulate WordPress post publication states across all versions through 1.4.12. By supplying arbitrary scenario IDs to the plugin's workspace controller endpoint - which lacks any authorization verification - attackers can expose unpublished draft content or take live published posts offline, causing content disclosure and service disruption. No public exploit or CISA KEV listing has been identified at time of analysis, though the trivial exploitation complexity (AV:N/AC:L/PR:N/UI:N) makes independent rediscovery straightforward.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Permanent, irreversible deletion of all Starter Template-imported site content in the Solace Extra WordPress plugin (all versions through 1.5.3) is achievable by fully unauthenticated network attackers due to the complete absence of authorization checks on the responsible AJAX handler. The handler is registered via wp_ajax_nopriv_, removing WordPress's authentication gate entirely, while the required nonce is leaked to any Subscriber-level user visiting any wp-admin page - eliminating both authentication and authorization barriers simultaneously. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the Wordfence disclosure includes exact file and line references enabling straightforward reproduction; the official CVSS score of 5.3 significantly understates the destructive impact.

Authentication Bypass WordPress PHP +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized affiliate management actions in the Affilia plugin for WordPress (all versions through 3.3.3) allow any subscriber-level authenticated user to approve or reject referrals, credit commissions to affiliate wallets, delete referral records, and modify banner options - enabling direct financial fraud against WooCommerce stores. The root cause is that the sole authentication gate relies on a WordPress nonce that is publicly embedded in every frontend page load via the JavaScript global `rtwalwm_global_params.rtwalwm_nonce`, making role-based access enforcement trivially bypassable. No public exploit code or CISA KEV listing is identified at time of analysis, but the low exploitation complexity and direct financial fraud impact make this a meaningful operational risk for any site running an affiliate program on this plugin.

Authentication Bypass WordPress Affiliate Program Referral Tracking For Woocommerce Wordpress Affilia
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress Pdf Invoices Packing Slips For Woocommerce
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthorized data modification in SurfLink - Link Manager & Backup Restore (all versions up to 2.6.0) allows authenticated attackers with Subscriber-level access to inject arbitrary URLs into the plugin's 410 Gone database table, causing those site paths to return HTTP 410 Gone responses to all visitors. The root cause is a missing capability check (current_user_can()) and absent nonce verification (check_ajax_referer()) in the ajax_import_410() AJAX handler - a conspicuous gap given that every other AJAX handler in the same PHP class correctly implements both controls. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low authentication barrier and clear impact on site availability and SEO ranking make this a meaningful risk for affected WordPress deployments.

Authentication Bypass WordPress Denial Of Service +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated mass data deletion in the AI Copilot - Content Generator WordPress plugin (all versions through 1.4.12) exposes sites to complete wipeout of plugin-managed database records by any remote visitor. The vulnerability stems from a permanently open authorization gate: the base controller's getPermissions() returns an empty array causing the auth check to unconditionally pass, while the removeGroup and clear AJAX actions are excluded from getNoncedMethods(), bypassing nonce verification entirely. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis, though the attack requires no credentials and minimal technical skill given the straightforward AJAX endpoint targeting.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated subscribers to manipulate WordPress cron scheduling logic. Authenticated attackers with subscriber-level access or above can create, modify, or reschedule the nftb_cron_hook cron event due to missing authorization checks in nftncron.php, disrupting the plugin's background task scheduling for Telegram notifications. No public exploit or active exploitation has been identified at time of analysis; CVSS rates this Medium (4.3) with integrity-only impact.

Authentication Bypass WordPress Notification For Telegram
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in Points and Rewards for WooCommerce (all versions through 2.10.0) allows authenticated subscribers to drain any user's reward points into a wallet balance, exfiltrate all user emails and point balances to an attacker-controlled Klaviyo account, and overwrite the site's Klaviyo API key - compounding financial fraud with third-party data exfiltration. Critically, the plugin exposes its authentication nonce (wps-wpr-verify-nonce) on every public-facing page via wp_localize_script(), and the wallet-draining handler is registered on the wp_ajax_nopriv_ hook, meaning the most financially damaging action - converting points to wallet balance - is exploitable by unauthenticated visitors. No public exploit code or CISA KEV listing identified at time of analysis.

Authentication Bypass WordPress Points And Rewards For Woocommerce
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the MyParcel (woocommerce-myparcel) WordPress plugin allows any authenticated subscriber-level user to view and modify shipment options - including carrier, delivery type, package type, label count, weight, signature requirement, and insurance - on arbitrary WooCommerce orders they do not own. All plugin versions up to and including 4.25.1 are affected, with the flaw rooted in missing capability checks on administrative AJAX handlers. No public exploit or active exploitation has been identified at time of analysis, though the low privilege bar (any registered WordPress user) expands the realistic attacker pool significantly for e-commerce stores.

Authentication Bypass WordPress Myparcel
NVD
EPSS 1% CVSS 9.3
CRITICAL Emergency

Authentication bypass in the Hydro-Québec Le Circuit Électrique EV charging station backend lets remote unauthenticated attackers open connections directly to the charging-station WebSocket endpoint, which lacks proper access control (CWE-284), and leverage that access for privilege escalation. All backend versions prior to the June 2026 fix are affected, and the CVSS 4.0 base score of 9.3 (critical) reflects full compromise of confidentiality, integrity, and availability over the network with no privileges or user interaction. Reported through CISA ICS-CERT (ICSA-26-188-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation Le Circuit Electrique Charging Station Backend
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.

Clean Restful Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass in the Drupal Commerce Guest Registration contributed module allows remote unauthenticated attackers to circumvent identity verification during the guest checkout/registration flow, per Drupal advisory SA-CONTRIB-2026-079. The CVSS 9.1 scoring (C:H/I:H) indicates an attacker can gain unauthorized access to or hijack account/order data without credentials or user interaction. No public exploit has been identified at time of analysis, and the low EPSS score (0.24%, 15th percentile) suggests exploitation is not yet widespread.

Authentication Bypass Commerce Guest Registration
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Missing Authorization (CWE-862) in the Drupal FlowDrop contributed module allows authenticated low-privilege users to perform Forceful Browsing - directly accessing protected URLs without proper permission checks being enforced. All FlowDrop releases from 0.0.0 up to 1.6.0 are affected; a successful attacker can read or modify content and workflow data beyond their authorized scope. No public exploit has been identified and EPSS sits at 0.18% (8th percentile), indicating negligible observed exploitation probability at time of analysis; the vulnerability is not listed in CISA KEV.

Authentication Bypass Flowdrop
NVD
Prev Page 4 of 347 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy