CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14566 vulnerabilities reference this CWE, most recent first.
CVE-2026-4162 (GCVE-0-2026-4162)
Vulnerability from cvelistv5 – Published: 2026-04-10 09:25 – Updated: 2026-04-13 15:15- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| RocketGenius | Gravity SMTP |
Affected:
0 , ≤ 2.1.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:08:52.295268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:15:09.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Gravity SMTP",
"vendor": "RocketGenius",
"versions": [
{
"lessThanOrEqual": "2.1.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Osvaldo Noe Gonzalez Del Rio"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T09:25:56.478Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9d18a4-262b-4011-91e9-b29a27a76470?source=cve"
},
{
"url": "https://www.gravityforms.com/brand-new-release-gravity-smtp-2-1-5/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-17T17:39:59.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-09T21:01:07.000Z",
"value": "Disclosed"
}
],
"title": "Gravity SMTP \u003c= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4162",
"datePublished": "2026-04-10T09:25:56.478Z",
"dateReserved": "2026-03-13T22:45:31.558Z",
"dateUpdated": "2026-04-13T15:15:09.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4128 (GCVE-0-2026-4128)
Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 12:11- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| tplugins | TP Restore Categories And Taxonomies |
Affected:
0 , ≤ 1.0.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4128",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T12:11:20.647147Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T12:11:34.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TP Restore Categories And Taxonomies",
"vendor": "tplugins",
"versions": [
{
"lessThanOrEqual": "1.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the \u0027tpmcattt_delete_term\u0027 AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin\u0027s trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T07:45:35.777Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53a0749f-86e9-4f62-9de2-a6759c78ba2f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/trunk/admin/class-tp-move-categories-and-taxonomies-to-trash-admin.php#L474"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/tags/1.0.1/admin/class-tp-move-categories-and-taxonomies-to-trash-admin.php#L474"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/trunk/includes/class-tp-move-categories-and-taxonomies-to-trash.php#L169"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/tags/1.0.1/includes/class-tp-move-categories-and-taxonomies-to-trash.php#L169"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-21T19:08:29.000Z",
"value": "Disclosed"
}
],
"title": "TP Restore Categories And Taxonomies \u003c= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via \u0027tpmcattt_delete_term\u0027 AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4128",
"datePublished": "2026-04-22T07:45:35.777Z",
"dateReserved": "2026-03-13T14:11:25.304Z",
"dateUpdated": "2026-04-22T12:11:34.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4127 (GCVE-0-2026-4127)
Vulnerability from cvelistv5 – Published: 2026-03-21 03:26 – Updated: 2026-04-16 12:51- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| charlycharm | Speedup Optimization |
Affected:
0 , ≤ 1.5.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T12:51:03.357443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T12:51:09.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Speedup Optimization",
"vendor": "charlycharm",
"versions": [
{
"lessThanOrEqual": "1.5.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_user_can()` and also lacks nonce verification. This is in contrast to other AJAX handlers in the same plugin (e.g., `speedup01_ajax_install_iox` and `speedup01_ajax_delete_cache_file`) which properly check for `install_plugins` and `manage_options` capabilities respectively. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable the site\u0027s optimization module by sending a POST request to admin-ajax."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:48:09.149Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f37c650-af0d-4474-9c1b-7f8d361b4d81?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/trunk/speedup-optimization.php#L172"
},
{
"url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/tags/1.5.9/speedup-optimization.php#L172"
},
{
"url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/trunk/speedup-optimization.php#L178"
},
{
"url": "https://plugins.trac.wordpress.org/browser/speedup-optimization/tags/1.5.9/speedup-optimization.php#L178"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-20T15:08:25.000Z",
"value": "Disclosed"
}
],
"title": "Speedup Optimization \u003c= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via \u0027speedup01_enabled\u0027 AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4127",
"datePublished": "2026-03-21T03:26:41.459Z",
"dateReserved": "2026-03-13T14:10:09.369Z",
"dateUpdated": "2026-04-16T12:51:09.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4124 (GCVE-0-2026-4124)
Vulnerability from cvelistv5 – Published: 2026-04-09 02:25 – Updated: 2026-04-13 15:15- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| oliverfriedmann | Ziggeo |
Affected:
0 , ≤ 3.1.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4124",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:07:50.969198Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:15:09.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ziggeo",
"vendor": "oliverfriedmann",
"versions": [
{
"lessThanOrEqual": "3.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but performs no capability checks via current_user_can(). Furthermore, the nonce (\u0027ziggeo_ajax_nonce\u0027) is exposed to all logged-in users on every page via the wp_head and admin_head hooks . This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke multiple administrative operations including: saving arbitrary translation strings (translations_panel_save_strings via update_option(\u0027ziggeo_translations\u0027)), creating/updating/deleting event templates (event_editor_save_template/update_template/remove_template via update_option(\u0027ziggeo_events\u0027)), modifying SDK application settings (sdk_applications operations), and managing notifications (notification_handler via update_option(\u0027ziggeo_notifications\u0027))."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T02:25:04.372Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15477c00-0764-4850-8bce-d65b6b1cbe4c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/ajax.php#L31"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/ajax.php#L31"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_translations_ajax.php#L13"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_translations_ajax.php#L13"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_editor_events_ajax.php#L13"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_editor_events_ajax.php#L13"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_sdk_ajax.php#L8"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_sdk_ajax.php#L8"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/header.php#L67"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/header.php#L67"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3494290%40ziggeo\u0026new=3494290%40ziggeo\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-08T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Ziggeo \u003c= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via \u0027ziggeo_ajax\u0027 AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4124",
"datePublished": "2026-04-09T02:25:04.372Z",
"dateReserved": "2026-03-13T13:43:23.239Z",
"dateUpdated": "2026-04-13T15:15:09.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4119 (GCVE-0-2026-4119)
Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 18:32- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| jppreus | Create DB Tables |
Affected:
0 , ≤ 1.2.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T18:31:57.438067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T18:32:06.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Create DB Tables",
"vendor": "jppreus",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST[\u0027db_table\u0027] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T07:45:41.323Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1a3bc4b-cc17-4728-b242-13841b5f7660?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L376"
},
{
"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L376"
},
{
"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L69"
},
{
"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L69"
},
{
"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L370"
},
{
"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L370"
},
{
"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L14"
},
{
"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L14"
},
{
"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L405"
},
{
"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L405"
},
{
"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L408"
},
{
"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L408"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-21T19:08:50.000Z",
"value": "Disclosed"
}
],
"title": "Create DB Tables \u003c= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4119",
"datePublished": "2026-04-22T07:45:41.323Z",
"dateReserved": "2026-03-13T13:27:41.833Z",
"dateUpdated": "2026-04-22T18:32:06.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4117 (GCVE-0-2026-4117)
Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 12:10- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| calj | CalJ Shabbat Times |
Affected:
0 , ≤ 1.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4117",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T12:09:58.174649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T12:10:09.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CalJ Shabbat Times",
"vendor": "calj",
"versions": [
{
"lessThanOrEqual": "1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the \u0027save-obtained-key\u0027 operation directly from POST data without verifying that the requesting user has the \u0027manage_options\u0027 capability, and without any nonce verification. The plugin bootstrap file (calj.php) instantiates CalJSettingsPage whenever is_admin() returns true, which is the case for any authenticated user making requests to wp-admin URLs (including admin-ajax.php). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin\u0027s API key setting and clear the Shabbat cache, effectively taking control of the plugin\u0027s API integration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T07:45:41.691Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1c7df8e-2f82-4474-88ef-8c8ddaeb4656?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/calj/trunk/CalJSettingsPage.php#L30"
},
{
"url": "https://plugins.trac.wordpress.org/browser/calj/tags/1.5/CalJSettingsPage.php#L30"
},
{
"url": "https://plugins.trac.wordpress.org/browser/calj/trunk/CalJSettingsPage.php#L25"
},
{
"url": "https://plugins.trac.wordpress.org/browser/calj/tags/1.5/CalJSettingsPage.php#L25"
},
{
"url": "https://plugins.trac.wordpress.org/browser/calj/trunk/calj.php#L17"
},
{
"url": "https://plugins.trac.wordpress.org/browser/calj/tags/1.5/calj.php#L17"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-21T19:08:40.000Z",
"value": "Disclosed"
}
],
"title": "CalJ \u003c= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via \u0027save-obtained-key\u0027 Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4117",
"datePublished": "2026-04-22T07:45:41.691Z",
"dateReserved": "2026-03-13T13:19:56.963Z",
"dateUpdated": "2026-04-22T12:10:09.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4109 (GCVE-0-2026-4109)
Vulnerability from cvelistv5 – Published: 2026-04-14 07:43 – Updated: 2026-04-14 13:00- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| arraytics | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) |
Affected:
0 , ≤ 4.1.8
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4109",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T13:00:31.579916Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:00:42.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "4.1.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Eventin \u2013 Events Calendar, Event Booking, Ticket \u0026 Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T07:43:03.588Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87f82d5d-d89a-440d-8c23-ace5160a0739?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3501510/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-24T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-03-13T10:55:54.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-13T18:46:40.000Z",
"value": "Disclosed"
}
],
"title": "Eventin \u2013 Events Calendar, Event Booking, Ticket \u0026 Registration (AI Powered) \u003c= 4.1.8 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4109",
"datePublished": "2026-04-14T07:43:03.588Z",
"dateReserved": "2026-03-13T10:40:12.586Z",
"dateUpdated": "2026-04-14T13:00:42.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4100 (GCVE-0-2026-4100)
Vulnerability from cvelistv5 – Published: 2026-05-02 11:16 – Updated: 2026-05-04 14:24- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| strangerstudios | Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions |
Affected:
0 , ≤ 3.6.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4100",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T14:22:35.812863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T14:24:32.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Memberships Pro \u2013 Content Restriction, User Registration, \u0026 Paid Subscriptions",
"vendor": "strangerstudios",
"versions": [
{
"lessThanOrEqual": "3.6.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jared Reyes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_webhook`, and `wp_ajax_pmpro_stripe_rebuild_webhook` AJAX handlers. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete, create, or rebuild the site\u0027s Stripe webhook, disrupting all payment processing, subscription renewal synchronization, cancellation handling, and failed payment management."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T11:16:09.788Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b333a3d-e416-42aa-9722-5406df0a64b3?source=cve"
},
{
"url": "https://github.com/strangerstudios/paid-memberships-pro/pull/3615"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-13T00:41:05.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Paid Memberships Pro \u003c= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4100",
"datePublished": "2026-05-02T11:16:09.788Z",
"dateReserved": "2026-03-13T00:23:37.614Z",
"dateUpdated": "2026-05-04T14:24:32.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4094 (GCVE-0-2026-4094)
Vulnerability from cvelistv5 – Published: 2026-05-15 06:45 – Updated: 2026-05-15 11:25- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| realmag777 | FOX – Currency Switcher Professional for WooCommerce |
Affected:
0 , ≤ 1.4.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T11:25:48.127326Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T11:25:58.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
"vendor": "realmag777",
"versions": [
{
"lessThanOrEqual": "1.4.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ren Voza"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FOX \u2013 Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the \u0027admin_head\u0027 function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete the entire multi-currency configuration by visiting any wp-admin page with the `woocs_reset` parameter appended. Additionally, because no nonce is verified, this is also exploitable via Cross-Site Request Forgery against any administrator. The vulnerability may also be exploited by Subscriber-level users if the site is configured to allow Subscriber access to \u0027wp-admin\u0027 pages."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T06:45:58.221Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb9d68c-c081-484e-ad5d-5eabcfa6d6f0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L1167"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L1168"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3483839/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-12T23:02:13.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Configuration Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4094",
"datePublished": "2026-05-15T06:45:58.221Z",
"dateReserved": "2026-03-12T22:46:10.355Z",
"dateUpdated": "2026-05-15T11:25:58.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4066 (GCVE-0-2026-4066)
Vulnerability from cvelistv5 – Published: 2026-03-23 22:25 – Updated: 2026-04-08 17:05- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| inc2734 | Smart Custom Fields |
Affected:
0 , ≤ 5.0.6
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4066",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T13:58:26.021876Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T13:59:08.877Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Smart Custom Fields",
"vendor": "inc2734",
"versions": [
{
"lessThanOrEqual": "5.0.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "darkestmode"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:05:11.962Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87f52e3a-e414-4f47-b46c-e3811e76744b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L101"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L78"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L143"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3485210%40smart-custom-fields%2Ftrunk\u0026old=3416964%40smart-custom-fields%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file2"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-12T18:59:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-23T09:49:02.000Z",
"value": "Disclosed"
}
],
"title": "Smart Custom Fields \u003c= 5.0.6 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Relational Post Search"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4066",
"datePublished": "2026-03-23T22:25:39.149Z",
"dateReserved": "2026-03-12T18:43:28.699Z",
"dateUpdated": "2026-04-08T17:05:11.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.