CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14591 vulnerabilities reference this CWE, most recent first.
GHSA-6WP4-CPXH-5846
Vulnerability from github – Published: 2024-12-21 12:30 – Updated: 2024-12-21 12:30The WP BASE Booking of Appointments, Services and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive information from the database, such as the hashed administrator password.
{
"affected": [],
"aliases": [
"CVE-2024-12558"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-21T10:15:08Z",
"severity": "MODERATE"
},
"details": "The WP BASE Booking of Appointments, Services and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive information from the database, such as the hashed administrator password.",
"id": "GHSA-6wp4-cpxh-5846",
"modified": "2024-12-21T12:30:40Z",
"published": "2024-12-21T12:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12558"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-base-booking-of-appointments-services-and-events/tags/4.9.2/includes/freeons/export-import.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3210164/wp-base-booking-of-appointments-services-and-events/tags/5.0.0/includes/freeons/export-import.php?old=3207827\u0026old_path=wp-base-booking-of-appointments-services-and-events%2Ftags%2F4.9.2%2Fincludes%2Ffreeons%2Fexport-import.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09831b2f-8f79-4833-8fc6-f1af56c6abc8?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6WQ8-PG78-64GW
Vulnerability from github – Published: 2024-03-23 15:30 – Updated: 2024-03-23 15:30Missing Authorization vulnerability in BdThemes Element Pack Elementor Addons.This issue affects Element Pack Elementor Addons: from n/a through 5.4.11.
{
"affected": [],
"aliases": [
"CVE-2024-24840"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-23T15:15:07Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in BdThemes Element Pack Elementor Addons.This issue affects Element Pack Elementor Addons: from n/a through 5.4.11.\n\n",
"id": "GHSA-6wq8-pg78-64gw",
"modified": "2024-03-23T15:30:33Z",
"published": "2024-03-23T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24840"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/bdthemes-element-pack-lite/wordpress-element-pack-elementor-addons-plugin-5-4-11-broken-access-control-on-duplicate-post-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6X25-X9R9-9HCF
Vulnerability from github – Published: 2025-07-04 03:30 – Updated: 2025-07-04 03:30The Booking X plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_now() function in versions 1.0 to 1.1.2. This makes it possible for unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request.
{
"affected": [],
"aliases": [
"CVE-2025-6814"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-04T03:15:23Z",
"severity": "HIGH"
},
"details": "The Booking X plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_now() function in versions 1.0 to 1.1.2. This makes it possible for unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request.",
"id": "GHSA-6x25-x9r9-9hcf",
"modified": "2025-07-04T03:30:32Z",
"published": "2025-07-04T03:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6814"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/booking-x/tags/1.1.2/admin/class-bookingx-admin.php#L784"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/booking-x/tags/1.1.2/includes/class-bookingx.php#L322"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/booking-x/#developers"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a30d572-e086-4b83-8cb7-4cef9a3253bd?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6X2M-XM68-855H
Vulnerability from github – Published: 2024-07-10 00:30 – Updated: 2024-07-10 00:30Windows Text Services Framework Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-21417"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-10T00:15:03Z",
"severity": "HIGH"
},
"details": "Windows Text Services Framework Elevation of Privilege Vulnerability",
"id": "GHSA-6x2m-xm68-855h",
"modified": "2024-07-10T00:30:43Z",
"published": "2024-07-10T00:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21417"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21417"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6X3H-JQ42-QQ24
Vulnerability from github – Published: 2024-12-09 15:31 – Updated: 2026-04-01 18:32Missing Authorization vulnerability in Astoundify Jobify - Job Board WordPress Theme.This issue affects Jobify - Job Board WordPress Theme: from n/a through 4.2.3.
{
"affected": [],
"aliases": [
"CVE-2024-52480"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-09T14:15:11Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Astoundify Jobify - Job Board WordPress Theme.This issue affects Jobify - Job Board WordPress Theme: from n/a through 4.2.3.",
"id": "GHSA-6x3h-jq42-qq24",
"modified": "2026-04-01T18:32:42Z",
"published": "2024-12-09T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52480"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/jobify/vulnerability/wordpress-jobify-plugin-4-2-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6X4J-8954-5HXM
Vulnerability from github – Published: 2026-06-23 23:03 – Updated: 2026-06-23 23:03Impact
A user who can edit other users could reset a superadmin's 2FA.
Patches
Patched in 8.5.0
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "snipe/snipe-it"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50550"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T23:03:20Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nA user who can edit other users could reset a superadmin\u0027s 2FA.\n\n### Patches\nPatched in 8.5.0",
"id": "GHSA-6x4j-8954-5hxm",
"modified": "2026-06-23T23:03:20Z",
"published": "2026-06-23T23:03:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-6x4j-8954-5hxm"
},
{
"type": "PACKAGE",
"url": "https://github.com/grokability/snipe-it"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Snipe-IT has a 2FA reset privilege bypass"
}
GHSA-6X5J-5M95-64XW
Vulnerability from github – Published: 2022-12-21 15:30 – Updated: 2022-12-21 15:30In getNearbyNotificationStreamingPolicy of DevicePolicyManagerService.java, there is a possible way to learn about the notification streaming policy of other users due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-235822336
{
"affected": [],
"aliases": [
"CVE-2022-20510"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "MODERATE"
},
"details": "In getNearbyNotificationStreamingPolicy of DevicePolicyManagerService.java, there is a possible way to learn about the notification streaming policy of other users due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-235822336",
"id": "GHSA-6x5j-5m95-64xw",
"modified": "2022-12-21T15:30:19Z",
"published": "2022-12-21T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20510"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6X67-5CP9-C6CQ
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-04-04 01:38SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77, allows a user to execute ?Go to statement? without possessing the authorization S_DEVELOP DEBUG 02, resulting in Missing Authorization Check
{
"affected": [],
"aliases": [
"CVE-2019-0349"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-14T15:15:00Z",
"severity": "HIGH"
},
"details": "SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77, allows a user to execute ?Go to statement? without possessing the authorization S_DEVELOP DEBUG 02, resulting in Missing Authorization Check",
"id": "GHSA-6x67-5cp9-c6cq",
"modified": "2024-04-04T01:38:54Z",
"published": "2022-05-24T16:53:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0349"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2798743"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6X7X-GCMF-7R8X
Vulnerability from github – Published: 2026-07-09 20:57 – Updated: 2026-07-09 20:57Summary
The {{erasespamedcomments}} wiki action (actions/EraseSpamedCommentsAction.php) accepts a suppr[] array from POST and deletes every wiki page whose tag appears in that array, with no authorization check anywhere in the action body or in the page-deletion path it invokes. Combined with YesWiki's allow-by-default action ACL model, any user who has page write access, which is the default for everyone (default_write_acl='*') on a fresh install can permanently delete arbitrary wiki pages, including the front page, admin pages, and pages owned by other users.
The action's delete() callee is PageManager::deleteOrphaned(), which despite its name does not check whether the target page is orphaned: it issues an unconditional DELETE against pages, links, acls, triples, referrers, and tags tables.
Details
Three issues compose the vulnerability.
actions/EraseSpamedCommentsAction.phpperforms no authorization check before processing$_POST['clean']/$_POST['suppr'][]inactions/EraseSpamedCommentsAction.php:
```php
public function run()
{
$wiki = &$this->wiki;
ob_start();
// ...
elseif (isset($_POST['clean'])) {
$deletedPages = '';
if (!empty($_POST['suppr'])) {
foreach ($_POST['suppr'] as $page) {
echo 'Effacement de : ' . $page . "
\n";
if ($wiki->services->get(PageController::class)->delete($page)) {
$deletedPages .= $page . ', ';
}
}
}
}
} ```
No UserIsAdmin(), no UserIsOwner(), no HasAccess('write', $page) per-target check, no CSRF token check.
- The default action ACL grants access to everyone in
includes/YesWiki.php:
php
$acl = empty($this->config['permissions'][$moduleType][$module])
? '*'
: $this->config['permissions'][$moduleType][$module];
php
if ($acl === null) { return true; }
return $this->CheckACL($acl, $user);
No shipped permissions map gates erasespamedcomments to admins, so Performer::CheckModuleACL('erasespamedcomments', 'action') returns true for anonymous users.
PageController::delete()andPageManager::deleteOrphaned()perform no authorization check and do not validate that the page is actually orphaned inincludes/controllers/PageController.php:38–48:
php
public function delete(string $tag): bool
{
if ($this->entryManager->isEntry($tag)) {
return $this->entryController->delete($tag);
} else {
$this->pageManager->deleteOrphaned($tag);
$this->wiki->LogAdministrativeAction(
$this->authController->getLoggedUserName(),
'Suppression de la page ->""' . $tag . '""'
);
return true;
}
}
in includes/services/PageManager.php:289–310:
php
public function deleteOrphaned($tag)
{
if ($this->securityController->isWikiHibernated()) { throw new \Exception(_t('WIKI_IN_HIBERNATION')); }
unset($this->ownersCache[$tag]);
if (in_array($tag, $this->pageCache)) { unset($this->pageCache[$tag]); }
$this->dbService->query("DELETE FROM ... WHERE tag='{$this->dbService->escape($tag)}' OR comment_on='{$this->dbService->escape($tag)}'");
$this->dbService->query("DELETE FROM ...links... WHERE from_tag='{$this->dbService->escape($tag)}' ");
$this->dbService->query("DELETE FROM ...acls... WHERE page_tag='{$this->dbService->escape($tag)}' ");
// ...further unconditional DELETEs across triples, referrers, tags
}
The companion isOrphaned() method (line 284) exists but is never called from deleteOrphaned(). The function name is misleading as it deletes any page, not just orphans.
PoC
Default fresh install where default_write_acl='*' (per includes/YesWikiInit.php:219), anonymous browsing.
- create a trigger page (anonymous)
POST /?wiki=SpamCleanup/edit HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded
body=%7B%7Berasespamedcomments%7D%7D&submit=1
This succeeds because the new page passes aclService->hasAccess('write', 'SpamCleanup') against default_write_acl='*'.
- trigger arbitrary page deletion (anonymous)
POST /?wiki=SpamCleanup HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded
clean=yes&suppr%5B0%5D=PagePrincipale&suppr%5B1%5D=AnotherTargetPage
Server response includes Effacement de : PagePrincipale and Effacement de : AnotherTargetPage. pages, links, acls, triples, referrers, and tags rows for those tags are deleted from the database.
Impact
Arbitrary page deletion, including the front page (PagePrincipale).
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "yeswiki/yeswiki"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52766"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T20:57:25Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\n\nThe `{{erasespamedcomments}}` wiki action (`actions/EraseSpamedCommentsAction.php`) accepts a `suppr[]` array from `POST` and deletes every wiki page whose tag appears in that array, with no authorization check anywhere in the action body or in the page-deletion path it invokes. Combined with YesWiki\u0027s allow-by-default action ACL model, any user who has page write access, which is the default for everyone (`default_write_acl=\u0027*\u0027`) on a fresh install can permanently delete arbitrary wiki pages, including the front page, admin pages, and pages owned by other users.\n\nThe action\u0027s `delete()` callee is `PageManager::deleteOrphaned()`, which despite its name does not check whether the target page is orphaned: it issues an unconditional `DELETE` against `pages`, `links`, `acls`, `triples`, `referrers`, and `tags` tables.\n\n### Details\n\nThree issues compose the vulnerability.\n\n1. `actions/EraseSpamedCommentsAction.php` performs no authorization check before processing `$_POST[\u0027clean\u0027]` / `$_POST[\u0027suppr\u0027][]` in `actions/EraseSpamedCommentsAction.php`:\n\n ```php\n public function run()\n {\n $wiki = \u0026$this-\u003ewiki;\n ob_start();\n // ...\n elseif (isset($_POST[\u0027clean\u0027])) { \n $deletedPages = \u0027\u0027;\n if (!empty($_POST[\u0027suppr\u0027])) { \n foreach ($_POST[\u0027suppr\u0027] as $page) {\n echo \u0027Effacement de : \u0027 . $page . \"\u003cbr /\u003e\\n\";\n if ($wiki-\u003eservices-\u003eget(PageController::class)-\u003edelete($page)) { \n $deletedPages .= $page . \u0027, \u0027;\n }\n }\n }\n \n }\n }\n ```\n\n No `UserIsAdmin()`, no `UserIsOwner()`, no `HasAccess(\u0027write\u0027, $page)` per-target check, no CSRF token check.\n\n2. The default action ACL grants access to everyone in `includes/YesWiki.php`:\n\n ```php\n $acl = empty($this-\u003econfig[\u0027permissions\u0027][$moduleType][$module])\n ? \u0027*\u0027\n : $this-\u003econfig[\u0027permissions\u0027][$moduleType][$module];\n ```\n\n ```php\n if ($acl === null) { return true; }\n return $this-\u003eCheckACL($acl, $user);\n ```\n\n No shipped `permissions` map gates `erasespamedcomments` to admins, so `Performer::CheckModuleACL(\u0027erasespamedcomments\u0027, \u0027action\u0027)` returns `true` for anonymous users.\n\n3. `PageController::delete()` and `PageManager::deleteOrphaned()` perform no authorization check and do not validate that the page is actually orphaned in `includes/controllers/PageController.php:38\u201348`:\n\n ```php\n public function delete(string $tag): bool\n {\n if ($this-\u003eentryManager-\u003eisEntry($tag)) {\n return $this-\u003eentryController-\u003edelete($tag);\n } else {\n $this-\u003epageManager-\u003edeleteOrphaned($tag);\n $this-\u003ewiki-\u003eLogAdministrativeAction(\n $this-\u003eauthController-\u003egetLoggedUserName(),\n \u0027Suppression de la page -\u003e\"\"\u0027 . $tag . \u0027\"\"\u0027\n );\n return true;\n }\n }\n ```\nin `includes/services/PageManager.php:289\u2013310`:\n ```php\n public function deleteOrphaned($tag)\n {\n if ($this-\u003esecurityController-\u003eisWikiHibernated()) { throw new \\Exception(_t(\u0027WIKI_IN_HIBERNATION\u0027)); }\n unset($this-\u003eownersCache[$tag]);\n if (in_array($tag, $this-\u003epageCache)) { unset($this-\u003epageCache[$tag]); }\n $this-\u003edbService-\u003equery(\"DELETE FROM ... WHERE tag=\u0027{$this-\u003edbService-\u003eescape($tag)}\u0027 OR comment_on=\u0027{$this-\u003edbService-\u003eescape($tag)}\u0027\");\n $this-\u003edbService-\u003equery(\"DELETE FROM ...links... WHERE from_tag=\u0027{$this-\u003edbService-\u003eescape($tag)}\u0027 \");\n $this-\u003edbService-\u003equery(\"DELETE FROM ...acls... WHERE page_tag=\u0027{$this-\u003edbService-\u003eescape($tag)}\u0027 \");\n // ...further unconditional DELETEs across triples, referrers, tags\n }\n ```\n\n The companion `isOrphaned()` method (line 284) exists but is never called from `deleteOrphaned()`. The function name is misleading as it deletes any page, not just orphans.\n\n### PoC\n\nDefault fresh install where `default_write_acl=\u0027*\u0027` (per `includes/YesWikiInit.php:219`), anonymous browsing.\n\n1. create a trigger page (anonymous)\n\n```http\nPOST /?wiki=SpamCleanup/edit HTTP/1.1\nHost: target.example\nContent-Type: application/x-www-form-urlencoded\n\nbody=%7B%7Berasespamedcomments%7D%7D\u0026submit=1\n```\n\nThis succeeds because the new page passes `aclService-\u003ehasAccess(\u0027write\u0027, \u0027SpamCleanup\u0027)` against `default_write_acl=\u0027*\u0027`.\n\n2. trigger arbitrary page deletion (anonymous)\n\n```http\nPOST /?wiki=SpamCleanup HTTP/1.1\nHost: target.example\nContent-Type: application/x-www-form-urlencoded\n\nclean=yes\u0026suppr%5B0%5D=PagePrincipale\u0026suppr%5B1%5D=AnotherTargetPage\n```\n\nServer response includes `Effacement de : PagePrincipale` and `Effacement de : AnotherTargetPage`. `pages`, `links`, `acls`, `triples`, `referrers`, and `tags` rows for those tags are deleted from the database.\n\n### Impact\n\n Arbitrary page deletion, including the front page (`PagePrincipale`).",
"id": "GHSA-6x7x-gcmf-7r8x",
"modified": "2026-07-09T20:57:25Z",
"published": "2026-07-09T20:57:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-6x7x-gcmf-7r8x"
},
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/commit/ed5b548a705c8091ba0282aaaba73ddda976abef"
},
{
"type": "PACKAGE",
"url": "https://github.com/YesWiki/yeswiki"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action"
}
GHSA-6X83-FCF5-R65G
Vulnerability from github – Published: 2026-03-11 12:31 – Updated: 2026-03-11 12:31WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API create_item_permissions_check() method in the comments controller did not verify that the authenticated user has edit_post permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.
{
"affected": [],
"aliases": [
"CVE-2026-3906"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T10:16:14Z",
"severity": "MODERATE"
},
"details": "WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.",
"id": "GHSA-6x83-fcf5-r65g",
"modified": "2026-03-11T12:31:22Z",
"published": "2026-03-11T12:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3906"
},
{
"type": "WEB",
"url": "https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php#L562"
},
{
"type": "WEB",
"url": "https://core.trac.wordpress.org/changeset/61888"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a69782f0-aa61-4049-8339-7f27f4b6c36b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.