CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14566 vulnerabilities reference this CWE, most recent first.
CVE-2026-4024 (GCVE-0-2026-4024)
Vulnerability from cvelistv5 – Published: 2026-05-02 08:27 – Updated: 2026-05-04 14:49- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| wproyal | Royal Addons for Elementor – Addons and Templates Kit for Elementor |
Affected:
0 , ≤ 1.7.1056
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4024",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T14:47:25.593109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T14:49:17.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
"vendor": "wproyal",
"versions": [
{
"lessThanOrEqual": "1.7.1056",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen C"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T08:27:04.649Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ecec7d7-d1b2-4ccf-ade6-1f78224968c6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L21"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L592"
},
{
"url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/plugin.php#L592"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-11T20:46:34.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-01T20:11:49.000Z",
"value": "Disclosed"
}
],
"title": "Royal Addons for Elementor \u003c= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4024",
"datePublished": "2026-05-02T08:27:04.649Z",
"dateReserved": "2026-03-11T20:30:55.411Z",
"dateUpdated": "2026-05-04T14:49:17.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4019 (GCVE-0-2026-4019)
Vulnerability from cvelistv5 – Published: 2026-04-29 08:27 – Updated: 2026-04-29 13:52- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| complianz | Complianz – GDPR/CCPA Cookie Consent |
Affected:
0 , ≤ 7.4.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T13:51:10.434133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T13:52:26.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Complianz \u2013 GDPR/CCPA Cookie Consent",
"vendor": "complianz",
"versions": [
{
"lessThanOrEqual": "7.4.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wesley van de Kamp"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Complianz \u2013 GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5 This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T08:27:43.231Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3892489e-6ff7-4664-bb06-b8edff6dd659?source=cve"
},
{
"url": "https://github.com/complianz/complianz-gdpr/blob/64c09657bd028f62d7b50a54d83ca19b87df2cef/rest-api/rest-api.php#L61"
},
{
"url": "https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L54"
},
{
"url": "https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L61"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3508713/complianz-gdpr/trunk/rest-api/rest-api.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fcomplianz-gdpr/tags/7.4.5\u0026new_path=%2Fcomplianz-gdpr/tags/7.4.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-11T20:05:04.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-28T19:52:18.000Z",
"value": "Disclosed"
}
],
"title": "Complianz \u2013 GDPR/CCPA Cookie Consent \u003c= 7.4.5 - Missing Authorization to Unauthenticated Private Post Content Disclosure via Consent Area REST Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4019",
"datePublished": "2026-04-29T08:27:43.231Z",
"dateReserved": "2026-03-11T19:49:54.038Z",
"dateUpdated": "2026-04-29T13:52:26.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4003 (GCVE-0-2026-4003)
Vulnerability from cvelistv5 – Published: 2026-04-08 03:36 – Updated: 2026-04-08 16:42- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| felixmartinez | Users manager – PN |
Affected:
0 , ≤ 1.1.15
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T14:48:48.869485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:14:10.743Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Users manager \u2013 PN",
"vendor": "felixmartinez",
"versions": [
{
"lessThanOrEqual": "1.1.15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HA GIA BAO"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Users manager \u2013 PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the \u0027userspn_form_save\u0027 case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint (\u0027userspn-nonce\u0027) is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hook, rendering the nonce check ineffective as a security control. This makes it possible for unauthenticated attackers to update arbitrary user metadata for any user account, including the userspn_secret_token field."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:42:58.430Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27bb60c1-43fa-4a18-b9ca-059535b0d5b6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L233"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L233"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L186"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L186"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-ajax-nopriv.php#L190"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-ajax-nopriv.php#L190"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-common.php#L168"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-common.php#L168"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userspn/trunk/includes/class-userspn-functions-user.php#L235"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userspn/tags/1.0.31/includes/class-userspn-functions-user.php#L235"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3491109%40userspn\u0026new=3491109%40userspn\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-12T22:34:37.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-07T15:32:12.000Z",
"value": "Disclosed"
}
],
"title": "Users manager \u2013 PN \u003c= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via \u0027userspn_form_save\u0027 AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4003",
"datePublished": "2026-04-08T03:36:08.200Z",
"dateReserved": "2026-03-11T18:52:48.888Z",
"dateUpdated": "2026-04-08T16:42:58.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3977 (GCVE-0-2026-3977)
Vulnerability from cvelistv5 – Published: 2026-03-12 03:02 – Updated: 2026-03-12 16:17 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/?id.350412 | vdb-entry |
| https://vuldb.com/?ctiid.350412 | signaturepermissions-required |
| https://github.com/projectsend/projectsend/issues/1525 | issue-tracking |
| https://github.com/projectsend/projectsend/issues… | issue-tracking |
| https://github.com/projectsend/projectsend/commit… | patch |
| https://github.com/projectsend/projectsend/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | projectsend |
Affected:
r1945
cpe:2.3:a:projectsend:projectsend:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3977",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T13:55:16.667473Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T16:17:36.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:projectsend:projectsend:*:*:*:*:*:*:*:*"
],
"modules": [
"AJAX Endpoints"
],
"product": "projectsend",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "r1945"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB GitHub Commit Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. The manipulation leads to missing authorization. The attack can be initiated remotely. The identifier of the patch is 35dfd6f08f7d517709c77ee73e57367141107e6b. To fix this issue, it is recommended to deploy a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T03:02:08.383Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-350412 | projectsend AJAX Endpoints authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.350412"
},
{
"name": "VDB-350412 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.350412"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/projectsend/projectsend/issues/1525"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/projectsend/projectsend/issues/1525#issuecomment-3957109914"
},
{
"tags": [
"patch"
],
"url": "https://github.com/projectsend/projectsend/commit/35dfd6f08f7d517709c77ee73e57367141107e6b"
},
{
"tags": [
"product"
],
"url": "https://github.com/projectsend/projectsend/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-11T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-11T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-11T15:25:43.000Z",
"value": "VulDB entry last update"
}
],
"title": "projectsend AJAX Endpoints authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-3977",
"datePublished": "2026-03-12T03:02:08.383Z",
"dateReserved": "2026-03-11T14:20:26.569Z",
"dateUpdated": "2026-03-12T16:17:36.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3906 (GCVE-0-2026-3906)
Vulnerability from cvelistv5 – Published: 2026-03-11 09:25 – Updated: 2026-03-11 13:18- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| WordPress Foundation | WordPress |
Affected:
6.9 , ≤ 6.9.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3906",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T13:18:15.777023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T13:18:53.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress",
"vendor": "WordPress Foundation",
"versions": [
{
"lessThanOrEqual": "6.9.1",
"status": "affected",
"version": "6.9",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "kaminuma"
}
],
"descriptions": [
{
"lang": "en",
"value": "WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T09:25:44.130Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a69782f0-aa61-4049-8339-7f27f4b6c36b?source=cve"
},
{
"url": "https://core.trac.wordpress.org/changeset/61888"
},
{
"url": "https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php#L562"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-10T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3906",
"datePublished": "2026-03-11T09:25:44.130Z",
"dateReserved": "2026-03-10T19:52:58.673Z",
"dateUpdated": "2026-03-11T13:18:53.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3897 (GCVE-0-2026-3897)
Vulnerability from cvelistv5 – Published: 2026-05-27 06:46 – Updated: 2026-05-27 10:30- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| livemesh | Livemesh Addons for Beaver Builder |
Affected:
0 , ≤ 3.9.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T10:20:14.869980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T10:30:09.616Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Livemesh Addons for Beaver Builder",
"vendor": "livemesh",
"versions": [
{
"lessThanOrEqual": "3.9.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `labb_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T06:46:16.655Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8bc41c61-1d8a-445f-bd70-3b14a40c89d4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addons-for-beaver-builder/tags/3.9.2/admin/admin-ajax.php#L64"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addons-for-beaver-builder/tags/3.9.2/includes/helper-functions.php#L248"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addons-for-beaver-builder/tags/3.9.2/admin/views/settings.php#L137"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T17:34:25.000Z",
"value": "Disclosed"
}
],
"title": "Livemesh Addons for Beaver Builder \u003c= 3.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3897",
"datePublished": "2026-05-27T06:46:16.655Z",
"dateReserved": "2026-03-10T17:35:10.486Z",
"dateUpdated": "2026-05-27T10:30:09.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3896 (GCVE-0-2026-3896)
Vulnerability from cvelistv5 – Published: 2026-05-27 06:46 – Updated: 2026-05-27 10:29- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| livemesh | Livemesh SiteOrigin Widgets |
Affected:
0 , ≤ 3.9.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3896",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T10:19:52.527479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T10:29:55.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Livemesh SiteOrigin Widgets",
"vendor": "livemesh",
"versions": [
{
"lessThanOrEqual": "3.9.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lsow_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T06:46:17.045Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1510984-571b-49ce-9e10-129e2a1aca7b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/livemesh-siteorigin-widgets/tags/3.9.2/admin/admin-ajax.php#L65"
},
{
"url": "https://plugins.trac.wordpress.org/browser/livemesh-siteorigin-widgets/tags/3.9.2/includes/helper-functions.php#L235"
},
{
"url": "https://plugins.trac.wordpress.org/browser/livemesh-siteorigin-widgets/tags/3.9.2/admin/views/settings.php#L107"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T17:33:59.000Z",
"value": "Disclosed"
}
],
"title": "Livemesh SiteOrigin Widgets \u003c= 3.9.2 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3896",
"datePublished": "2026-05-27T06:46:17.045Z",
"dateReserved": "2026-03-10T17:28:29.405Z",
"dateUpdated": "2026-05-27T10:29:55.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3895 (GCVE-0-2026-3895)
Vulnerability from cvelistv5 – Published: 2026-05-27 06:46 – Updated: 2026-05-27 10:28- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| livemesh | WPBakery Page Builder Addons by Livemesh |
Affected:
0 , ≤ 3.9.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T10:15:35.483557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T10:28:46.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPBakery Page Builder Addons by Livemesh",
"vendor": "livemesh",
"versions": [
{
"lessThanOrEqual": "3.9.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T06:46:19.096Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff0d4000-020b-4e22-9362-a8f0f5df321e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addons-for-visual-composer/tags/3.9.4/admin/admin-ajax.php#L64"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addons-for-visual-composer/tags/3.9.4/includes/helper-functions.php#L256"
},
{
"url": "https://plugins.trac.wordpress.org/browser/addons-for-visual-composer/tags/3.9.4/admin/views/settings.php#L568"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T17:33:39.000Z",
"value": "Disclosed"
}
],
"title": "WPBakery Page Builder Addons by Livemesh \u003c= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3895",
"datePublished": "2026-05-27T06:46:19.096Z",
"dateReserved": "2026-03-10T17:22:10.258Z",
"dateUpdated": "2026-05-27T10:28:46.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3831 (GCVE-0-2026-3831)
Vulnerability from cvelistv5 – Published: 2026-04-01 01:24 – Updated: 2026-04-08 17:12- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| crmperks | Database for Contact Form 7, WPforms, Elementor forms |
Affected:
0 , ≤ 1.4.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:13:40.091778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:13:46.475Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Database for Contact Form 7, WPforms, Elementor forms",
"vendor": "crmperks",
"versions": [
{
"lessThanOrEqual": "1.4.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qu\u1ed1c Huy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract all form submissions - including names, emails, phone numbers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:12:10.218Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a033ea44-8084-44c1-8e24-bdb1b61c3566?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.4.8/contact-form-entries.php#L204"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-01T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-03-09T13:53:46.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-31T12:23:38.000Z",
"value": "Disclosed"
}
],
"title": "Database for Contact Form 7, WPforms, Elementor forms \u003c= 1.4.9 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3831",
"datePublished": "2026-04-01T01:24:20.558Z",
"dateReserved": "2026-03-09T13:37:57.000Z",
"dateUpdated": "2026-04-08T17:12:10.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3829 (GCVE-0-2026-3829)
Vulnerability from cvelistv5 – Published: 2026-05-14 05:30 – Updated: 2026-05-14 10:46- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| gowebsmarty | WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan |
Affected:
0 , ≤ 7.8.5.10
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T10:38:38.767071Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T10:46:18.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Encryption \u2013 One Click Free SSL Certificate \u0026 SSL / HTTPS Redirect, Security \u0026 SSL Scan",
"vendor": "gowebsmarty",
"versions": [
{
"lessThanOrEqual": "7.8.5.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kitch Global"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Encryption \u2013 One Click Free SSL Certificate \u0026 SSL / HTTPS Redirect, Security \u0026 SSL Scan plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the \u0027wple_basic_get_requests\u0027 function in all versions up to, and including, 7.8.5.10. This makes it possible for authenticated attackers, with subscriber level access and above, to reset the SSL setup state, force SSL to appear complete, and modify plan selection options."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T05:30:29.507Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a09ec65-32e4-4841-a365-f67c15b80bf9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=wp-letsencrypt-ssl/tags/7.8.5.10/admin/le_admin.php\u0026new_path=wp-letsencrypt-ssl/tags/7.8.5.11/admin/le_admin.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=wp-letsencrypt-ssl/tags/7.8.5.10/admin/le_handlers.php\u0026new_path=wp-letsencrypt-ssl/tags/7.8.5.11/admin/le_handlers.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-25T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-05-13T17:14:25.000Z",
"value": "Disclosed"
}
],
"title": "WP Encryption - One Click SSL \u0026 Force HTTPS \u003c= 7.8.5.10 - Missing Authorization to Authenticated (Subscriber+) SSL Setup Tampering"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3829",
"datePublished": "2026-05-14T05:30:29.507Z",
"dateReserved": "2026-03-09T11:24:21.753Z",
"dateUpdated": "2026-05-14T10:46:18.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.