CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14537 vulnerabilities reference this CWE, most recent first.
CVE-2026-8688 (GCVE-0-2026-8688)
Vulnerability from cvelistv5 – Published: 2026-06-24 05:33 – Updated: 2026-06-24 12:34- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| krishaweb | Advance Nav Menu Manager |
Affected:
0 , ≤ 1.3
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8688",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T12:34:18.167729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T12:34:31.003Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Advance Nav Menu Manager",
"vendor": "krishaweb",
"versions": [
{
"lessThanOrEqual": "1.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hardik Patel"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to duplicate, copy, move, or publish nav_menu_item posts via wp_insert_post(), modifying the site\u0027s navigation menus without authorization."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T05:33:31.957Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e234a79d-5d46-44db-833c-51e202dc49bf?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/advance-nav-menu-manager/tags/1.3/include/class-advancenavmenumanager.php#L236"
},
{
"url": "https://plugins.trac.wordpress.org/browser/advance-nav-menu-manager/tags/1.3/include/class-advancenavmenumanager.php#L231"
},
{
"url": "https://plugins.trac.wordpress.org/browser/advance-nav-menu-manager/tags/1.3/include/option.php#L107"
},
{
"url": "https://plugins.trac.wordpress.org/browser/advance-nav-menu-manager/tags/1.1/include/class-advancenavmenumanager.php#L236"
},
{
"url": "https://plugins.trac.wordpress.org/browser/advance-nav-menu-manager/tags/1.1/include/class-advancenavmenumanager.php#L231"
},
{
"url": "https://plugins.trac.wordpress.org/browser/advance-nav-menu-manager/tags/1.1/include/option.php#L107"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T16:38:27.000Z",
"value": "Disclosed"
}
],
"title": "Advance Nav Menu Manager \u003c= 1.3 - Missing Authorization to Authenticated (Subscriber+) Nav Menu Item Modification via anmm_save_menu_data AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8688",
"datePublished": "2026-06-24T05:33:31.957Z",
"dateReserved": "2026-05-15T14:37:32.505Z",
"dateUpdated": "2026-06-24T12:34:31.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8684 (GCVE-0-2026-8684)
Vulnerability from cvelistv5 – Published: 2026-05-22 07:50 – Updated: 2026-05-22 12:18- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| jetmonsters | MotoPress Hotel Booking |
Affected:
0 , ≤ 6.0.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8684",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T12:18:13.716596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T12:18:21.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MotoPress Hotel Booking",
"vendor": "jetmonsters",
"versions": [
{
"lessThanOrEqual": "6.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "MD. TAREQ AHAMED JONY"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T07:50:26.756Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6567e63c-3129-47b2-a734-733eb599821a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/update-booking-notes.php#L83"
},
{
"url": "https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php#L34"
},
{
"url": "https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-api-handler.php#L43"
},
{
"url": "https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/update-booking-notes.php#L83"
},
{
"url": "https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php#L34"
},
{
"url": "https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-api-handler.php#L43"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3537354/motopress-hotel-booking-lite/trunk/includes/ajax-api/ajax-actions/update-booking-notes.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-15T14:31:20.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-21T19:21:36.000Z",
"value": "Disclosed"
}
],
"title": "MotoPress Hotel Booking \u003c= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary Booking Notes Modification via mphb_update_booking_notes AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8684",
"datePublished": "2026-05-22T07:50:26.756Z",
"dateReserved": "2026-05-15T14:16:10.958Z",
"dateUpdated": "2026-05-22T12:18:21.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8682 (GCVE-0-2026-8682)
Vulnerability from cvelistv5 – Published: 2026-05-28 06:45 – Updated: 2026-05-28 10:33- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| hasanazizul | 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On |
Affected:
0 , ≤ 2.0.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8682",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:25:17.834878Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:33:38.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "3D Viewer \u2013 3D Model Viewer \u2013 Augmented Reality \u2013 Virtual Try On",
"vendor": "hasanazizul",
"versions": [
{
"lessThanOrEqual": "2.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abhirup Konwar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The 3D Viewer \u2013 3D Model Viewer \u2013 Augmented Reality \u2013 Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T06:45:42.465Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bfcd914c-3c12-4e6a-bb05-38d42ce411d4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/2.0.1/api/AR_TRY_ON_Api_Routes.php#L102"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/2.0.1/api/AR_TRY_ON_Api_Routes.php#L358"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/2.0.1/api/AR_TRY_ON_Api_Routes.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/1.9.0/api/AR_TRY_ON_Api_Routes.php#L102"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/1.9.0/api/AR_TRY_ON_Api_Routes.php#L358"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/1.9.0/api/AR_TRY_ON_Api_Routes.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3536110%40ar-vr-3d-model-try-on\u0026new=3536110%40ar-vr-3d-model-try-on\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-15T14:41:20.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "3D Viewer \u003c= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8682",
"datePublished": "2026-05-28T06:45:42.465Z",
"dateReserved": "2026-05-15T13:40:00.628Z",
"dateUpdated": "2026-05-28T10:33:38.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8681 (GCVE-0-2026-8681)
Vulnerability from cvelistv5 – Published: 2026-05-16 02:26 – Updated: 2026-05-18 17:40- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| essentialplugin | Essential Chat Support |
Affected:
0 , ≤ 1.0.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T17:39:33.065247Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T17:40:28.240Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Essential Chat Support",
"vendor": "essentialplugin",
"versions": [
{
"lessThanOrEqual": "1.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abhirup Konwar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to reset all plugin configuration settings \u2014 including general settings, display rules, custom CSS, and WooCommerce tab settings \u2014 to their defaults by sending a POST request with ecs_reset_settings=1."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T02:26:50.140Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b98ea22-4c82-45c6-8e29-75cc9a9185be?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-chat-support/trunk/includes/admin/settings/register-settings.php#L47"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-chat-support/trunk/includes/ecs-functions.php#L33"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-15T13:35:51.000Z",
"value": "Disclosed"
}
],
"title": "Essential Chat Support \u003c= 1.0.1 - Missing Authorization to Unauthenticated Settings Reset via \u0027ecs_reset_settings\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8681",
"datePublished": "2026-05-16T02:26:50.140Z",
"dateReserved": "2026-05-15T13:35:04.229Z",
"dateUpdated": "2026-05-18T17:40:28.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8678 (GCVE-0-2026-8678)
Vulnerability from cvelistv5 – Published: 2026-07-11 02:31 – Updated: 2026-07-13 16:14- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| richardperdaan | MyParcel |
Affected:
0 , ≤ 4.25.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8678",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T16:14:30.963775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T16:14:36.270Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MyParcel",
"vendor": "richardperdaan",
"versions": [
{
"lessThanOrEqual": "4.25.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "nudien udin"
},
{
"lang": "en",
"type": "finder",
"value": "nudien"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MyParcel plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.25.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view and modify shipment options \u2014 including carrier, delivery type, package type, number of labels, weight, signature requirement, and insurance \u2014 on any arbitrary order."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-11T02:31:15.950Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a7bdae1-b28a-4fc6-9538-944ffeb32796?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-myparcel/tags/4.25.1/includes/admin/class-wcmypa-admin.php#L872"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-myparcel/tags/4.25.1/includes/admin/class-wcmypa-admin.php#L653"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-myparcel/tags/4.25.1/includes/admin/class-wcmypa-admin.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-myparcel/tags/4.24.3/includes/admin/class-wcmypa-admin.php#L872"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-myparcel/tags/4.24.3/includes/admin/class-wcmypa-admin.php#L653"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-myparcel/tags/4.24.3/includes/admin/class-wcmypa-admin.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3585914%40woocommerce-myparcel\u0026new=3585914%40woocommerce-myparcel"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T14:19:37.000Z",
"value": "Disclosed"
}
],
"title": "MyParcel \u003c= 4.25.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Shipment Data Disclosure and Modification via wcmp_get_shipment_options and wcmp_save_shipment_options AJAX Actions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8678",
"datePublished": "2026-07-11T02:31:15.950Z",
"dateReserved": "2026-05-15T13:30:01.361Z",
"dateUpdated": "2026-07-13T16:14:36.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8617 (GCVE-0-2026-8617)
Vulnerability from cvelistv5 – Published: 2026-06-24 05:33 – Updated: 2026-06-25 13:32- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| ailchev | SearchPlus |
Affected:
0 , ≤ 1.7.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8617",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T13:31:39.266052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T13:32:13.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SearchPlus",
"vendor": "ailchev",
"versions": [
{
"lessThanOrEqual": "1.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abhirup Konwar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() functions, both of which are exposed to unauthenticated users through the wp_ajax_nopriv_ hooks. This makes it possible for unauthenticated attackers to overwrite or delete the plugin\u0027s stored account token and account name options (dym_token, dym_name, searchplus_token, searchplus_name, sp_token, sp_name)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T05:33:28.047Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b1800f37-f9ab-454b-84f7-4d5eb5ed3acf?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/searchplus/tags/1.7.1/includes/functions.php#L24"
},
{
"url": "https://plugins.trac.wordpress.org/browser/searchplus/tags/1.7.1/includes/functions.php#L45"
},
{
"url": "https://plugins.trac.wordpress.org/browser/searchplus/tags/1.7.1/includes/functions.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/searchplus/tags/1.7.1/includes/functions.php#L57"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T16:38:17.000Z",
"value": "Disclosed"
}
],
"title": "SearchPlus \u003c= 1.7.1 - Missing Authorization to Unauthenticated Settings Modification and Deletion via searchplus_save_token \u0026 searchplus_reset_token AJAX Actions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8617",
"datePublished": "2026-06-24T05:33:28.047Z",
"dateReserved": "2026-05-14T17:38:56.751Z",
"dateUpdated": "2026-06-25T13:32:13.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8614 (GCVE-0-2026-8614)
Vulnerability from cvelistv5 – Published: 2026-06-24 05:33 – Updated: 2026-06-24 12:15- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| assistioai | Assistio |
Affected:
0 , ≤ 1.1.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8614",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T12:15:10.328653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T12:15:30.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Assistio",
"vendor": "assistioai",
"versions": [
{
"lessThanOrEqual": "1.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abhirup Konwar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistio_plugin_delete_assistio_settings() function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin\u0027s options including the critical \u0027assistiobot_oauth_settings\u0027 option, which disrupts the plugin\u0027s integration with the Assistio bot service."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T05:33:25.927Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/754f9598-3b41-4fe3-b290-8422031991a8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/assistio/tags/1.1.2/assistio.php#L350"
},
{
"url": "https://plugins.trac.wordpress.org/browser/assistio/tags/1.1.2/assistio.php#L346"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T16:38:07.000Z",
"value": "Disclosed"
}
],
"title": "Assistio \u003c= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Deletion via assistio_plugin_delete_assistio_settings AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8614",
"datePublished": "2026-06-24T05:33:25.927Z",
"dateReserved": "2026-05-14T17:34:56.542Z",
"dateUpdated": "2026-06-24T12:15:30.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8610 (GCVE-0-2026-8610)
Vulnerability from cvelistv5 – Published: 2026-05-20 01:25 – Updated: 2026-05-20 13:03- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| conoha | TypeSquare Webfonts for ConoHa |
Affected:
0 , ≤ 2.0.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8610",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:03:16.157076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:03:22.695Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TypeSquare Webfonts for ConoHa",
"vendor": "conoha",
"versions": [
{
"lessThanOrEqual": "2.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Van Tho Huynh"
},
{
"lang": "en",
"type": "finder",
"value": "Nguyen Minh Toan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin\u0027s site-wide font settings, including the typesquare_auth option (fontThemeUseType), show_post_form, and typesquare_fonttheme, by submitting a POST request to any wp-admin page. For fontThemeUseType values 1 and 3, no nonce verification is performed either, meaning those branches are additionally exploitable via cross-site request forgery."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T01:25:50.347Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/88002a25-6890-4f8b-8a11-239b59d56672?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ts-webfonts-for-conoha/tags/2.0.4/typesquare-admin.php#L93"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ts-webfonts-for-conoha/tags/2.0.4/inc/class/class.auth.php#L51"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ts-webfonts-for-conoha/tags/2.0.4/typesquare-admin.php#L25"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-19T12:13:19.000Z",
"value": "Disclosed"
}
],
"title": "TypeSquare Webfonts for ConoHa \u003c= 2.0.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via \u0027fontThemeUseType\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8610",
"datePublished": "2026-05-20T01:25:50.347Z",
"dateReserved": "2026-05-14T16:02:03.246Z",
"dateUpdated": "2026-05-20T13:03:22.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8502 (GCVE-0-2026-8502)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:47- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses |
Affected:
0 , ≤ 4.3.6
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:38:08.814834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:47:26.858Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses",
"vendor": "thimpress",
"versions": [
{
"lessThanOrEqual": "4.3.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jamshed Yergashvoyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the \u0027return_type\u0027 parameter. This makes it possible for unauthenticated attackers to extract sensitive data including the plaintext post_password of password-protected courses and the full post_content, post_author, and post_name of unpublished draft, private, and pending courses via the unrestricted SELECT * fallback query. Exploitation requires supplying both c_status=all (to bypass the publish-only post_status WHERE clause) and return_type=json (to prevent the safe DISTINCT(ID) AS ID field override) in a single unauthenticated request to the /wp-json/lp/v1/courses/archive-course endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:36.811Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a32a6ea3-4473-4075-b660-9bba083ae0bf?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/Models/Courses.php#L200"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/Models/Courses.php#L126"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php#L196"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php#L68"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/Databases/class-lp-course-db.php#L472"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/Databases/class-lp-db.php#L610"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/Models/Courses.php#L200"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/Models/Courses.php#L126"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php#L196"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php#L68"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/Databases/class-lp-course-db.php#L472"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/Databases/class-lp-db.php#L610"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3545523%40learnpress\u0026new=3545523%40learnpress\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-13T21:14:44.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:23:22.000Z",
"value": "Disclosed"
}
],
"title": "LearnPress \u003c= 4.3.6 - Unauthenticated Sensitive Information Exposure via \u0027c_status\u0027 and \u0027return_type\u0027 Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8502",
"datePublished": "2026-06-06T02:28:36.811Z",
"dateReserved": "2026-05-13T20:58:03.070Z",
"dateUpdated": "2026-06-06T11:47:26.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8495 (GCVE-0-2026-8495)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:29 – Updated: 2026-05-20 16:35- CWE-862 - Missing Authorization
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8495",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:52:33.388595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:35:44.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/date_ical",
"defaultStatus": "unaffected",
"product": "Date iCal",
"repo": "https://git.drupalcode.org/project/date_ical",
"vendor": "Drupal",
"versions": [
{
"lessThan": "4.0.15",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jo\u00c3\u00abl Pittet (joelpittet)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2026-05-13T17:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing.\u003cp\u003eThis issue affects Date iCal: from 0.0.0 before 4.0.15.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing.\n\nThis issue affects Date iCal: from 0.0.0 before 4.0.15."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:29:50.850Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-037"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-8495",
"datePublished": "2026-05-19T22:29:50.850Z",
"dateReserved": "2026-05-13T16:55:31.986Z",
"dateUpdated": "2026-05-20T16:35:44.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.