CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14539 vulnerabilities reference this CWE, most recent first.
CVE-2024-11816 (GCVE-0-2024-11816)
Vulnerability from cvelistv5 – Published: 2025-01-08 03:18 – Updated: 2026-04-08 17:16- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| wpextended | The Ultimate WordPress Toolkit – WP Extended |
Affected:
0 , ≤ 3.0.11
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T15:21:58.335263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T15:22:05.707Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "The Ultimate WordPress Toolkit \u2013 WP Extended",
"vendor": "wpextended",
"versions": [
{
"lessThanOrEqual": "3.0.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
},
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ultimate WordPress Toolkit \u2013 WP Extended plugin for WordPress is vulnerable to Remote Code Execution in version 3.0.11. This is due to a missing capability check on the \u0027wpext_handle_snippet_update\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server providing an admin has created at least one code snippet."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:16:47.610Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3ce53e5-8666-4227-83d3-58f35db0ce68?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpextended/trunk/includes/modules/core_extensions/wpext_snippets/wpext_snippets.php#L705"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3213331%40wpextended\u0026new=3213331%40wpextended\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-07T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "The Ultimate WordPress Toolkit \u2013 WP Extended \u003c= 3.0.11 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11816",
"datePublished": "2025-01-08T03:18:11.444Z",
"dateReserved": "2024-11-26T16:46:04.633Z",
"dateUpdated": "2026-04-08T17:16:47.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11743 (GCVE-0-2024-11743)
Vulnerability from cvelistv5 – Published: 2024-11-26 20:00 – Updated: 2024-11-28 06:47| URL | Tags |
|---|---|
| https://vuldb.com/?id.286140 | vdb-entry |
| https://vuldb.com/?ctiid.286140 | signaturepermissions-required |
| https://vuldb.com/?submit.449697 | third-party-advisory |
| https://github.com/YasserREED/YasserREED-CVEs/blo… | exploit |
| https://www.sourcecodester.com/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Best House Rental Management System |
Affected:
1.0
|
|
| sourcecodester | best_house_rental_management_system |
Affected:
1.0
cpe:2.3:a:sourcecodester:best_house_rental_management_system:1.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:best_house_rental_management_system:1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "best_house_rental_management_system",
"vendor": "sourcecodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11743",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T20:52:15.695115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T20:52:42.319Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"POST Request Handler"
],
"product": "Best House Rental Management System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yasser Alshammari"
},
{
"lang": "en",
"type": "reporter",
"value": "YasserREED (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, was found in SourceCodester Best House Rental Management System 1.0. Affected is an unknown function of the file /rental/ajax.php?action=delete_user of the component POST Request Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in SourceCodester Best House Rental Management System 1.0 gefunden. Sie wurde als problematisch eingestuft. Es betrifft eine unbekannte Funktion der Datei /rental/ajax.php?action=delete_user der Komponente POST Request Handler. Durch Manipulieren mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-28T06:47:43.135Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-286140 | SourceCodester Best House Rental Management System POST Request ajax.php cross-site request forgery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.286140"
},
{
"name": "VDB-286140 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.286140"
},
{
"name": "Submit #449697 | sourcecodester Best Courier Management System Project in PHP v1.0 Cross-Site Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.449697"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/YasserREED/YasserREED-CVEs/blob/main/Best%20house%20rental%20management%20system%20project%20in%20php/Cross-Site%20Request%20Forgery%20(CSRF).md"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-11-26T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-11-28T07:52:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Best House Rental Management System POST Request ajax.php cross-site request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-11743",
"datePublished": "2024-11-26T20:00:16.395Z",
"dateReserved": "2024-11-26T13:28:42.687Z",
"dateUpdated": "2024-11-28T06:47:43.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11725 (GCVE-0-2024-11725)
Vulnerability from cvelistv5 – Published: 2025-01-07 06:40 – Updated: 2026-04-08 16:45- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| cozyvision1 | SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery |
Affected:
0 , ≤ 3.7.6
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11725",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T17:15:54.313339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T17:16:03.368Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SMS Alert \u2013 SMS \u0026 OTP for WooCommerce, Order Notifications \u0026 Abandoned Cart Recovery",
"vendor": "cozyvision1",
"versions": [
{
"lessThanOrEqual": "3.7.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "AmrAwad"
}
],
"descriptions": [
{
"lang": "en",
"value": "The SMS Alert Order Notifications \u2013 WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the updateWcWarrantySettings() function in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Please note this requires the woocommerce-warranty plugin to be installed in order to be exploited."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:45:27.952Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33517dba-78ac-4391-a55e-d1f13801b212?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sms-alert/trunk/helper/return-warranty.php#L74"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3199795%40sms-alert\u0026new=3199795%40sms-alert\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3198056/sms-alert/trunk/helper/return-warranty.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3197777%40sms-alert\u0026new=3197777%40sms-alert\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3207391%40sms-alert\u0026new=3207391%40sms-alert\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-06T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "SMS Alert Order Notifications \u2013 WooCommerce \u003c= 3.7.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11725",
"datePublished": "2025-01-07T06:40:56.260Z",
"dateReserved": "2024-11-25T20:41:23.678Z",
"dateUpdated": "2026-04-08T16:45:27.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11724 (GCVE-0-2024-11724)
Vulnerability from cvelistv5 – Published: 2024-12-12 06:46 – Updated: 2026-04-08 17:30- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| wplegalpages | Cookie Banner for GDPR / CCPA – WPLP Cookie Consent |
Affected:
0 , ≤ 3.6.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T14:45:40.896917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T14:45:52.572Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cookie Banner for GDPR / CCPA \u2013 WPLP Cookie Consent",
"vendor": "wplegalpages",
"versions": [
{
"lessThanOrEqual": "3.6.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tieu Pham Trong Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cookie Consent for WP \u2013 Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA \u0026 ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpl_script_save AJAX action in all versions up to, and including, 3.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to whitelist scripts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:30:50.216Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9a1de53-330f-49ab-a8f8-22753c62bd36?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3203552/gdpr-cookie-consent/tags/3.6.6/public/modules/script-blocker/class-wpl-cookie-consent-script-blocker.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-11T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Cookie Consent for WP \u2013 Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA \u0026 ePrivacy) \u003c= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Whitelist Script"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11724",
"datePublished": "2024-12-12T06:46:34.875Z",
"dateReserved": "2024-11-25T20:30:10.076Z",
"dateUpdated": "2026-04-08T17:30:50.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11715 (GCVE-0-2024-11715)
Vulnerability from cvelistv5 – Published: 2024-12-14 06:45 – Updated: 2026-04-08 16:48- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| wpjobportal | WP Job Portal – AI-Powered Recruitment System for Company or Job Board website |
Affected:
0 , ≤ 2.2.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T16:49:59.834101Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:48:03.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 AI-Powered Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the assignUserRole() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an employer."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:48:32.398Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4107199d-e3c7-4379-b39d-1868de7d777b?source=cve"
},
{
"url": "https://gist.github.com/tvnnn/9b706643c5f88989c98815be8b101e11"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3202327/wp-job-portal/tags/2.2.3/modules/user/controller.php?old=3187129\u0026old_path=wp-job-portal%2Ftags%2F2.2.2%2Fmodules%2Fuser%2Fcontroller.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.2 - Missing Authorization to Limited Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11715",
"datePublished": "2024-12-14T06:45:14.790Z",
"dateReserved": "2024-11-25T17:32:12.284Z",
"dateUpdated": "2026-04-08T16:48:32.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11709 (GCVE-0-2024-11709)
Vulnerability from cvelistv5 – Published: 2024-12-12 04:23 – Updated: 2026-04-08 17:32- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| kekotron | AI Post Generator | AutoWriter |
Affected:
0 , ≤ 3.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11709",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T15:21:45.658908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T15:46:40.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AI Post Generator | AutoWriter",
"vendor": "kekotron",
"versions": [
{
"lessThanOrEqual": "3.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Brian Sans-Souci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AI Post Generator | AutoWriter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ai_post_generator_delete_Post AJAX action in all versions up to, and including, 3.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary pages and posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:32:09.417Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f00ac468-870a-4c43-af25-9febea5e4d67?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ai-post-generator/trunk/inc/insert-head.php#L430"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ai-post-generator/trunk/inc/insert-head.php#L512"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-11T15:25:24.000Z",
"value": "Disclosed"
}
],
"title": "AI Post Generator | AutoWriter \u003c= 3.5 - Missing Authorization to Authenticated (Contributor+) Post/Page Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11709",
"datePublished": "2024-12-12T04:23:15.579Z",
"dateReserved": "2024-11-25T16:33:45.833Z",
"dateUpdated": "2026-04-08T17:32:09.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11673 (GCVE-0-2024-11673)
Vulnerability from cvelistv5 – Published: 2024-11-25 23:00 – Updated: 2024-11-26 15:21| URL | Tags |
|---|---|
| https://vuldb.com/?id.286013 | vdb-entry |
| https://vuldb.com/?ctiid.286013 | signaturepermissions-required |
| https://vuldb.com/?submit.448470 | third-party-advisory |
| https://github.com/Hacker0xone/CVE/issues/16 | exploitissue-tracking |
| https://1000projects.org/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| 1000 Projects | Bookstore Management System |
Affected:
1.0
|
|
| 1000projects | bookstore_management_system |
Affected:
1.0
cpe:2.3:a:1000projects:bookstore_management_system:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:1000projects:bookstore_management_system:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bookstore_management_system",
"vendor": "1000projects",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11673",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T15:21:07.345953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T15:21:45.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bookstore Management System",
"vendor": "1000 Projects",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "polaris0x1 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, has been found in 1000 Projects Bookstore Management System 1.0. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in 1000 Projects Bookstore Management System 1.0 entdeckt. Sie wurde als problematisch eingestuft. Betroffen davon ist ein unbekannter Prozess. Mit der Manipulation mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T23:00:14.123Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-286013 | 1000 Projects Bookstore Management System cross-site request forgery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.286013"
},
{
"name": "VDB-286013 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.286013"
},
{
"name": "Submit #448470 | 1000 Projects Bookstore Management System PHP MySQL Project V1.0 Cross-Site Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.448470"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Hacker0xone/CVE/issues/16"
},
{
"tags": [
"product"
],
"url": "https://1000projects.org/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-11-25T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-11-25T15:41:23.000Z",
"value": "VulDB entry last update"
}
],
"title": "1000 Projects Bookstore Management System cross-site request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-11673",
"datePublished": "2024-11-25T23:00:14.123Z",
"dateReserved": "2024-11-25T14:36:07.680Z",
"dateUpdated": "2024-11-26T15:21:45.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11643 (GCVE-0-2024-11643)
Vulnerability from cvelistv5 – Published: 2024-12-04 15:22 – Updated: 2026-04-08 17:18- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| allaccessible | Accessibility by AllAccessible |
Affected:
0 , ≤ 1.3.4
(semver)
|
|
| allaccessible | accessibility |
Affected:
0 , ≤ 1.3.4
(custom)
cpe:2.3:a:allaccessible:accessibility:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:allaccessible:accessibility:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "accessibility",
"vendor": "allaccessible",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11643",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-04T16:43:46.907482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-04T16:45:07.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Accessibility by AllAccessible",
"vendor": "allaccessible",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "AmrAwad"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Accessibility by AllAccessible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the \u0027AllAccessible_save_settings\u0027 function in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:18:29.327Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb65d916-7d9e-4562-ab9b-c7ba012a08fb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/allaccessible/trunk/allaccessible.php#L249"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3202017/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-03T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Accessibility by AllAccessible \u003c= 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11643",
"datePublished": "2024-12-04T15:22:21.468Z",
"dateReserved": "2024-11-23T00:45:36.261Z",
"dateUpdated": "2026-04-08T17:18:29.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11601 (GCVE-0-2024-11601)
Vulnerability from cvelistv5 – Published: 2024-11-22 05:33 – Updated: 2026-04-08 16:55- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| wowdevs | Sky Addons – Elementor Addons with Widgets & Templates |
Affected:
0 , ≤ 2.6.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-22T11:28:58.256152Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T11:34:08.875Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sky Addons \u2013 Elementor Addons with Widgets \u0026 Templates",
"vendor": "wowdevs",
"versions": [
{
"lessThanOrEqual": "2.6.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "vgo0"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the save_options() function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Please note this is limited to option values that can be saved as arrays."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:55:24.054Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b951fd9-0fbf-4576-80a9-dbb053c3da92?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/2.6.1/includes/admin.php#L1267"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/2.6.1/includes/admin.php#L1290"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3189030%40sky-elementor-addons\u0026new=3189030%40sky-elementor-addons\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-21T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs) \u003c= 2.6.1 - Cross-Site Request Forgery to Limited Arbitrary Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11601",
"datePublished": "2024-11-22T05:33:41.092Z",
"dateReserved": "2024-11-21T17:01:52.298Z",
"dateUpdated": "2026-04-08T16:55:24.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11583 (GCVE-0-2024-11583)
Vulnerability from cvelistv5 – Published: 2025-01-30 13:41 – Updated: 2026-04-08 16:34- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| visualmodo | Borderless – Addons and Templates for Elementor |
Affected:
0 , ≤ 1.5.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11583",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T14:54:33.091656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T14:54:40.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Borderless \u2013 Addons and Templates for Elementor",
"vendor": "visualmodo",
"versions": [
{
"lessThanOrEqual": "1.5.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Borderless \u2013 Widgets, Elements, Templates and Toolkit for Elementor \u0026 Gutenberg plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the \u0027remove_zipped_font\u0027 function in all versions up to, and including, 1.5.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete icon fonts that were previously uploaded."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:34:29.111Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0968fe3b-2256-41e8-8cc9-e800dd7f8c27?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/borderless/tags/1.5.7/includes/icon-manager/icon-manager.php#L270"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3230461%40borderless%2Ftrunk\u0026old=3209805%40borderless%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-30T00:56:47.000Z",
"value": "Disclosed"
}
],
"title": "Borderless \u2013 Widgets, Elements, Templates and Toolkit for Elementor \u0026 Gutenberg \u003c= 1.5.9 - Missing Authorization to Icon Font Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11583",
"datePublished": "2025-01-30T13:41:55.042Z",
"dateReserved": "2024-11-20T22:34:27.814Z",
"dateUpdated": "2026-04-08T16:34:29.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.