| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated Broken Access Control in Five Star Restaurant Menu <= 2.5.2 versions. |
| Unauthenticated Broken Access Control in Intranet & Private Site – All-In-One Intranet <= 1.8.1 versions. |
| Unauthenticated Broken Access Control in Syncee Premium Dropshipping & Wholesale <= 1.0.27 versions. |
| Unauthenticated Broken Access Control in Paymob for WooCommerce <= 4.1.2 versions. |
| Contributor Privilege Escalation in Frisbii Pay <= 1.8.2 versions. |
| Unauthenticated Broken Access Control in MailChimp Block <= 1.1.15 versions. |
| Unauthenticated Broken Access Control in Flash & HTML5 Video <= 2.11.0 versions. |
| Contributor Broken Access Control in SEOPress PRO <= 9.1.1 versions. |
| The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the __invoke() methods of the AttributeGroupController and AttributeController classes, which are bound to the 'dwps_modify_groups' and 'dwps_modify_attributes' AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create, edit, and delete arbitrary product specification groups and attributes (taxonomy terms in the 'spec-group' and attribute taxonomies), corrupting business data and impacting the site's frontend display. |
| The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators. |
| The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of plugins. |
| The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values. |
| The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records. |
| Unauthenticated Broken Access Control in SiteGround Email Marketing <= 1.7.5 versions. |
| Unauthenticated Broken Access Control in Gutenverse Companion <= 2.5.0 versions. |
| Unauthenticated Broken Access Control in Newsletters <= 4.13 versions. |
| Subscriber Broken Access Control in Email Marketing for WooCommerce by Omnisend <= 1.19.0 versions. |
| Subscriber Broken Access Control in MasterStudy LMS <= 3.7.30 versions. |
| newsletters_subscribers Broken Access Control in Newsletters <= 4.13 versions. |
| Subscriber Broken Access Control in Shoppable Images Lite <= 1.3 versions. |
