Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Rather than cracking passwords by brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically happens through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can let an attacker complete only some of the verification steps and still be granted full access.

More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.
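To make the parameter-tampering and broken-session pathways concrete, here is an added example in Python (not code from the original page): a handler that trusts a client-supplied `role` field beside one that resolves identity and role from a server-side session store, plus a router that refuses to expose any endpoint lacking an authentication guard. The `Request`, `USERS` and `SESSIONS` names and the two user accounts are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: path, query/body params, cookies."""
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


# Constructed user directory (username -> role). Credential checking is out of
# scope; login() is assumed to run only after a password/MFA check succeeded.
USERS: Dict[str, str] = {"alice": "user", "root": "admin"}

# Server-side session store: opaque token -> username. Only login() writes to
# it, so the identity bound to a token is never something the client chooses.
SESSIONS: Dict[str, str] = {}


def login(username: str) -> str:
    """Issue a cryptographically random, unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


# --- Vulnerable pattern: authorization decided by a client-controlled field ---
def admin_panel_vulnerable(req: Request) -> str:
    """Grants admin access whenever the request claims role=admin. Nothing ties
    that claim to an authenticated identity, so editing role=user to role=admin
    in the request is enough to get in."""
    if req.params.get("role") == "admin":
        return "200 admin panel"
    return "403 forbidden"


# --- Hardened pattern: identity and role resolved from server-side state ------
def current_user(req: Request) -> Optional[str]:
    """Look the session cookie up server-side; missing or unknown tokens -> None."""
    token = req.cookies.get("session")
    return SESSIONS.get(token) if token else None


Handler = Callable[[Request], str]


def require_role(role: str) -> Callable[[Handler], Handler]:
    """Decorator: 401 without a valid session, 403 unless the stored role matches.
    Request parameters are never consulted for the decision."""
    def wrap(handler: Handler) -> Handler:
        def guarded(req: Request) -> str:
            user = current_user(req)
            if user is None:
                return "401 unauthorized"
            if USERS.get(user) != role:
                return "403 forbidden"
            return handler(req)
        guarded.auth_guarded = True  # marker checked by Router.add()
        return guarded
    return wrap


@require_role("admin")
def admin_panel_hardened(req: Request) -> str:
    return "200 admin panel"


class Router:
    """Route table that refuses unguarded handlers, so no 'hidden' path can
    skip authentication just because someone forgot the decorator."""
    def __init__(self) -> None:
        self.routes: Dict[str, Handler] = {}

    def add(self, path: str, handler: Handler) -> None:
        if not getattr(handler, "auth_guarded", False):
            raise ValueError(f"refusing to expose unguarded endpoint {path}")
        self.routes[path] = handler

    def dispatch(self, req: Request) -> str:
        handler = self.routes.get(req.path)
        return handler(req) if handler else "404 not found"


def rejects_unguarded() -> bool:
    """True if the router refuses to register a handler lacking the auth guard."""
    try:
        Router().add("/backup", admin_panel_vulnerable)
    except ValueError:
        return True
    return False


def demo() -> Dict[str, str]:
    """Send the same tampered request to both handlers; return each outcome."""
    tampered = Request("/admin", params={"role": "admin"})
    alice, root = login("alice"), login("root")
    router = Router()
    router.add("/admin", admin_panel_hardened)
    return {
        "vulnerable_tampered": admin_panel_vulnerable(tampered),
        "hardened_tampered": admin_panel_hardened(tampered),
        "hardened_user_session": admin_panel_hardened(
            Request("/admin", params={"role": "admin"}, cookies={"session": alice})),
        "hardened_admin_session": router.dispatch(
            Request("/admin", cookies={"session": root})),
        "hardened_forged_token": router.dispatch(
            Request("/admin", cookies={"session": "not-a-real-token"})),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```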

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
  • Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows

Recent CVEs (7650)

EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated users can modify email configurations in YayMail for WooCommerce through version 4.3.2 due to missing authorization checks on access control settings. An attacker with low-level WordPress user privileges could alter email templates or settings without proper permissions. No patch is currently available for this vulnerability.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Function name collision in Rs Soroban SDK versions prior to 22.0.10, 23.5.2, and 25.1.1 causes the #[contractimpl] macro to invoke incorrect functions when both trait and inherent implementations share identical function names, allowing attackers to exploit logic flaws through public exploit code. Smart contract developers using affected versions risk silent execution of unintended code paths that could compromise contract integrity and security guarantees. Patches are available for all vulnerable versions.

Authentication Bypass Rs Soroban Sdk
NVD GitHub
EPSS 0%
PATCH This Week

opa-envoy-plugin is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the `input.parsed_path` field is constructed. HTTP request paths are treated as full URIs when parsed, so leading path segments prefixed with double slashes (`//`) are interpreted as authority components and therefore dropped from the parsed path. This creates a path in...

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Hardcoded PostgreSQL credentials in Ruckus Network Director OVA < 4.5.0.54.

PostgreSQL Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can bypass access controls in Alfresco Content Services to retrieve sensitive files from protected directories such as WEB-INF through the /share/page/resource/ endpoint. This vulnerability exposes critical configuration data and credentials without requiring authentication or user interaction. No patch is currently available for this remotely exploitable issue affecting Alfresco deployments.

Authentication Bypass Information Disclosure Alfresco Content Services
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. [CVSS 6.5 MEDIUM]

Authentication Bypass Spip
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Execution After Redirect + missing auth in BiEticaret CMS.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here. [CVSS 5.3 MEDIUM]

Authentication Bypass Worktime
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Dell PowerProtect Data Manager versions prior to 19.22 contain improper verification of communication channels in the REST API, allowing high-privileged remote attackers to bypass security protections. The vulnerability requires administrative credentials, but no patch is available, leaving affected deployments at ongoing risk.

Authentication Bypass Dell Powerprotect Data Manager
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Inadequate access control in WPAdverts through version 2.2.11 permits authenticated users to access sensitive information they should not be authorized to view. An attacker with valid login credentials could exploit misconfigured permission checks to read confidential data within the plugin. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper access control in StellarWP iThemes Sync through version 3.2.8 allows authenticated attackers to modify data they should not have permission to access. An attacker with valid login credentials could exploit misconfigured authorization checks to perform unauthorized modifications within the plugin. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Penci AI SmartContent Creator version 2.0 and earlier contains an authorization bypass vulnerability that allows authenticated users to perform unauthorized actions due to improperly configured access controls. An attacker with valid credentials could exploit this to modify data or functionality they should not have access to. No patch is currently available for this issue.

Authentication Bypass AI / ML
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthorized modification of content is possible in WPDeveloper NotificationX through version 3.2.1 due to improper access control checks that allow unauthenticated attackers to manipulate notification data. This vulnerability affects all installations of the plugin without authentication requirements, enabling attackers to alter or inject malicious content. No security patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Dell Unisphere for PowerMax 10.2 lacks proper authorization checks, allowing authenticated remote attackers to bypass access controls and gain unauthorized administrative capabilities. This missing authorization vulnerability (CWE-862) affects users who have any valid account credentials on affected systems. No patch is currently available, making this a critical risk for organizations operating vulnerable PowerMax installations.

Authentication Bypass Dell Unisphere For Powermax
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

AA-Team WZone through version 14.0.31 contains a missing authorization vulnerability that allows authenticated users to bypass access control restrictions. An attacker with valid credentials could exploit this misconfiguration to modify data or cause service unavailability. No patch is currently available for this issue.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper access control in uixthemes Sober through version 3.5.12 enables authenticated attackers to modify data or resources they should not have permission to access. An attacker with valid login credentials can bypass authorization checks to perform unauthorized actions. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

LeadConnector versions 3.0.21 and earlier contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data due to improperly configured access controls. An attacker can exploit this vulnerability without authentication or user interaction to tamper with application data, though confidentiality and availability are not affected. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 3.8
LOW Monitor

creativeinteractivemedia Real 3D FlipBook real3d-flipbook-lite is affected by missing authorization (CVSS 3.8).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

MailerLite MailerLite official-mailerlite-sign-up-forms is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

UpsellWP versions 2.2.3 and earlier contain an authorization bypass vulnerability that allows authenticated users to access checkout upsell features they should not have permission to modify. An attacker with low-privilege account access could exploit improper access control to manipulate order bump and upsell configurations, potentially affecting store operations and revenue.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

blazethemes News Kit Elementor Addons news-kit-elementor-addons is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Inadequate access control in WPBookit Pro through version 1.6.18 permits unauthenticated attackers to modify data by bypassing authorization checks. The vulnerability allows remote attackers without credentials to perform unauthorized actions on the plugin, affecting all installations running the vulnerable versions. No patch is currently available to remediate this issue.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Broken Link Notifier plugin versions 1.3.5 and earlier contain an authorization bypass vulnerability that allows unauthenticated attackers to modify data through improperly configured access controls. An attacker can exploit this flaw to alter link notifications without proper authentication, potentially disrupting the plugin's functionality or manipulating stored information. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cookiebot versions 4.6.4 and earlier contain an access control bypass that allows authenticated attackers to exploit misconfigured security levels and gain unauthorized access to sensitive information. An attacker with low-level user credentials can leverage this vulnerability to read restricted data without proper authorization. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The echo-knowledge-base plugin through version 16.011.0 fails to properly enforce access controls, enabling authenticated users to modify content they should not have permission to change. An attacker with valid login credentials could exploit misconfigured authorization rules to alter documentation or FAQ entries within the knowledge base system.

Authentication Bypass AI / ML
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

CryoutCreations Serious Slider cryout-serious-slider is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insufficient access control in ikreatethemes Business Roy versions up to 1.1.4 enables authenticated users to modify data they should not have permission to access. An attacker with valid credentials could exploit misconfigured security levels to perform unauthorized changes within the application. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Sparklewpthemes Fitness FSE plugin versions up to 1.0.6 contain a missing authorization check that allows authenticated users to modify content they should not have access to. An attacker with low-level user privileges can exploit this access control misconfiguration to alter website data without proper permission.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized data modification in Hello FSE WordPress theme version 1.0.6 and earlier results from improper access control enforcement. Authenticated users can exploit this vulnerability to make unauthorized changes to website content or settings without proper permission checks.

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

WP Wand AI Content Generation plugin for WordPress versions up to 1.3.07 contain an authorization bypass that allows authenticated users to modify or disable plugin functionality through improper access control enforcement. An attacker with user-level credentials can exploit this vulnerability to cause service disruption or data integrity issues. No patch is currently available.

Authentication Bypass WordPress AI / ML
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Inadequate access control in scripteo Ads Pro plugin version 5.0 and earlier enables authenticated attackers to modify data and cause service disruptions through misconfigured security levels. An attacker with valid credentials can exploit this vulnerability to bypass authorization checks and alter plugin functionality without administrative privileges. No patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Elementor Image Optimizer by Elementor image-optimization is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Elementor Ally versions up to 4.0.2 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify content through improperly configured access controls. The vulnerability has a network attack vector with low complexity and no user interaction required, potentially enabling unauthorized alterations to website content. No patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite is affected by missing authorization (CVSS 4.3).

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Inadequate access control in raratheme Spa and Salon plugin versions 1.3.2 and earlier permits unauthorized users to modify sensitive data through improperly configured security levels. An unauthenticated remote attacker can exploit this vulnerability to perform unauthorized actions without authentication. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Kodezen Academy LMS versions up to 3.5.3 contain an access control misconfiguration that allows authenticated users to modify data they should not have permission to access. An attacker with valid credentials can exploit this missing authorization check to perform unauthorized changes, though no public exploit code or active exploitation has been reported. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

codepeople Calculated Fields Form calculated-fields-form is affected by missing authorization (CVSS 6.5).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

NooTheme CitiLights versions below 3.7.2 contain an authorization bypass that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability enables unauthorized state changes without requiring user interaction or elevated privileges. A patch is not currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

BoldGrid Client Invoicing by Sprout Invoices sprout-invoices is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

FooGallery through version 3.1.11 contains a missing authorization check that allows authenticated users to modify gallery content they should not have access to. An attacker with valid login credentials can exploit improperly configured access controls to alter galleries, potentially defacing or corrupting gallery data. No patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper access control in Alt Text AI versions up to 1.10.15 enables unauthenticated remote attackers to cause denial of service through misconfigured authorization checks. The vulnerability allows an attacker to disrupt service availability without requiring authentication or user interaction. No patch is currently available for this issue.

Authentication Bypass AI / ML
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant is affected by missing authorization (CVSS 5.3).

Authentication Bypass AI / ML
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Coachify plugin versions 1.1.5 and earlier contain an authorization bypass that allows unauthenticated remote attackers to exploit misconfigured access controls. This vulnerability enables denial of service attacks without requiring user interaction or authentication.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Ays Pro Secure Copy Content Protection and Content Locking secure-copy-content-protection is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Shopwell theme for Shopify versions 1.0.11 and earlier contains improper access control that allows unauthenticated remote attackers to view sensitive information through incorrectly configured authorization checks. This vulnerability exposes confidential data without requiring authentication or user interaction. No patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Fahad Mahmood Endless Posts Navigation endless-posts-navigation is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

PublishPress PublishPress Authors publishpress-authors is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

ExpressTech Systems Quiz And Survey Master quiz-master-next is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

ExpressTech Systems Quiz And Survey Master quiz-master-next is affected by authorization bypass through user-controlled key (CVSS 5.3).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper access control in MiKa OSM through version 6.1.12 allows authenticated users to modify data or settings they should not have permission to access. An attacker with valid credentials could exploit misconfigured security levels to escalate privileges or alter system configuration. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Insufficient access control in SupportCandy plugin versions 3.4.4 and earlier allows unauthenticated remote attackers to modify data through improperly configured security permissions. This vulnerability affects WordPress installations using the vulnerable plugin, enabling attackers to perform unauthorized actions without requiring authentication. No patch is currently available for this issue.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Cool Plugins Elementor Contact Form DB sb-elementor-contact-form-db is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

hcaptcha hCaptcha for WP hcaptcha-for-forms-and-more is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

WP Messiah TOP Table Of Contents top-table-of-contents is affected by missing authorization (CVSS 4.3).

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

FluentForm versions 6.1.14 and earlier contain an access control bypass that allows authenticated users to perform unauthorized modifications. An attacker with valid credentials can exploit improperly configured security levels to alter data they should not have access to. No patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Improper access control in 10up Autoshare for Twitter through version 2.3.1 enables authenticated users to modify or disable sharing functionality without proper authorization checks. An attacker with limited privileges could exploit this vulnerability to disrupt social media publishing workflows or cause service unavailability for legitimate users. No patch is currently available for this medium-severity vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper access control in wp.insider Simple Membership plugin versions 4.6.9 and earlier allows authenticated users to bypass security level restrictions and modify content they should not have access to. An attacker with valid credentials can exploit misconfigured access controls to escalate privileges within the plugin. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

N-Media Frontend File Manager nmedia-user-file-uploader is affected by authorization bypass through user-controlled key (CVSS 5.3).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper access control in madalin.ungureanu Client Portal versions up to 1.2.1 allows authenticated users to modify data they should not have access to due to incorrectly configured security levels. An attacker with valid credentials can exploit this missing authorization check to perform unauthorized modifications, though no patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Kraft Plugins Wheel of Life version 1.2.0 and earlier contains a missing authorization vulnerability that allows unauthenticated remote attackers to modify data through incorrectly configured access controls. The vulnerability enables integrity attacks against affected installations without requiring user interaction. No patch is currently available.

Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

BBR Plugins Better Business Reviews better-business-reviews is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

DirectoryPress through version 3.6.25 contains an access control bypass that allows unauthenticated attackers to modify data due to improperly configured authorization checks. An attacker can exploit this vulnerability over the network without authentication or user interaction to alter information in affected installations. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
EPSS 0% CVSS 7.1
HIGH This Week

cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by missing authorization (CVSS 7.1).

Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Aruba.it Dev Aruba HiSpeed Cache aruba-hispeed-cache is affected by missing authorization (CVSS 6.5).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
EPSS 0%
This Week

Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Mail Mint: from n/a through <= 1.19.4.

Authentication Bypass
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Dell PowerProtect Data Manager versions prior to 19.22 contain improper verification of REST API communication channels that allows high-privileged remote attackers to bypass security protections. The vulnerability requires administrative credentials and network access, enabling authenticated attackers to circumvent established security controls. No patch is currently available.

Authentication Bypass Dell Powerprotect Data Manager
NVD
EPSS 0%
This Week

An authentication bypass vulnerability has been found in Thesamur's AutoGPT. This vulnerability allows an attacker to bypass authentication mechanisms.

Authentication Bypass
NVD
EPSS 0% CVSS 3.1
LOW Monitor

A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did ...

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Dealia - Request a quote WordPress plugin fails to properly validate user permissions on AJAX endpoints, allowing authenticated users with Contributor-level access or higher to reset plugin configuration by exploiting an exposed admin nonce. An attacker with basic edit_posts capability can bypass the capability check and modify critical plugin settings without administrative privileges. The vulnerability affects all versions up to 1.0.6 and currently has no available patch.

WordPress PHP Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSecret` is not configured, allowing attackers with network access to the webhook endpoint to forge Telegram messages and trigger unintended bot actions. Public exploit code exists for this vulnerability. Affected deployments must upgrade to version 2026.2.1 or later, or ensure the webhook endpoint is not reachable by untrusted networks.

Authentication Bypass AI / ML Openclaw
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Gogs versions 0.13.4 and earlier contain an access control bypass in the label management function that allows authenticated users to modify labels across repositories they don't own. The vulnerability stems from insufficient validation in the label update endpoint, enabling cross-repository label tampering attacks. Public exploit code exists for this issue, though a patch is available in version 0.14.1.

Authentication Bypass Gogs Suse
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC PATCH Monitor

Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. [CVSS 2.7 LOW]

Authentication Bypass
NVD GitHub
EPSS 0%
This Week

OGP-Website installations prior to git commit 52f865a4fba763594453068acf8fa9e3fc38d663 are affected by a type juggling flaw which, if exploited, can result in authentication bypass without knowledge of the victim account's password.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass PHP
NVD
EPSS 0% CVSS 7.3
HIGH POC This Week

Electronic Archives System versions up to 3.2.210802 are affected by improper access control (CVSS 7.3).

File Upload Authentication Bypass Electronic Archives System
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

Unauthenticated module deletion in Majordomo's market module allows remote attackers to completely disable installations through a series of GET requests. The vulnerability stems from improper authentication checks that expose the uninstall functionality without requiring credentials, enabling attackers to iteratively remove all modules and associated files. Public exploit code exists for this high-severity flaw, and no patch is currently available.

Authentication Bypass Majordomo
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Centova Cast 3.2.11 contains a file download vulnerability that allows authenticated attackers to retrieve arbitrary system files through the server.copyfile API endpoint. [CVSS 8.8 HIGH]

Authentication Bypass
NVD Exploit-DB
EPSS 0% CVSS 4.7
MEDIUM POC This Month

Unrestricted file upload in mingSoft MCMS 6.1.1's template archive handler allows authenticated attackers with high privileges to upload arbitrary files via manipulation of the File parameter in /ms/file/uploadTemplate.do. Public exploit code exists for this vulnerability and no patch is currently available. The attack requires network access and high-level authentication but could lead to remote code execution or system compromise.

File Upload Authentication Bypass Mcms
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Hospital Management System versions up to 4.0 are affected by authorization bypass through user-controlled key (CVSS 6.5).

Authentication Bypass Hospital Management System
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

BSV Blockchain SDK is a unified TypeScript SDK for developing scalable apps on the BSV Blockchain. Versions up to 2.0.0 contain a security vulnerability (CVSS 5.4).

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

Missing authentication on multiple admin action scripts in ProjectWorlds Online Time Table Generator allows unauthenticated users to perform administrative operations. PoC available.

Authentication Bypass Online Time Table Generator
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Graylog 2.2.3 contains an insecure direct object reference (IDOR) vulnerability in its user API endpoint that allows authenticated users to enumerate and access other users' profiles by manipulating user IDs in requests. An attacker with valid credentials can extract sensitive information including usernames, email addresses, internal identifiers, and last activity timestamps from arbitrary user accounts. No patch is currently available for this vulnerability.

Authentication Bypass Graylog
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Improper session invalidation in Graylog Web Interface 2.2.3 allows attackers to maintain access through expired sessions, potentially enabling persistent unauthorized access to log management systems.

Authentication Bypass Graylog
NVD
EPSS 0% CVSS 3.7
LOW Monitor

The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pa...

WordPress PHP Authentication Bypass +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Doruk Communication and Automation Industry and Trade Inc. Wispotter is affected by improper authentication (CVSS 5.3).

Authentication Bypass
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Unauthorized data modification in YayMail WooCommerce Email Customizer WordPress plugin allows unauthenticated attackers to modify email templates, potentially enabling phishing attacks against customers.

WordPress Privilege Escalation Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated API exposure in industrial control products allows remote attackers to access critical functions without authentication.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

HPE Aruba Networking 5G Core API error handling exposes sensitive information including user accounts, roles, and system configuration to unauthenticated remote attackers. Successful exploitation enables attackers to gather intelligence on internal services and workflows, creating a foundation for further attacks targeting unauthorized access and privilege escalation. A patch is available.

Information Disclosure Authentication Bypass Aruba Networking Private 5g Core
NVD

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
7650
