CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14556 vulnerabilities reference this CWE, most recent first.
CVE-2024-7888 (GCVE-0-2024-7888)
Vulnerability from cvelistv5 – Published: 2024-09-13 06:47 – Updated: 2026-04-08 16:50- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| techlabpro1 | Classified Listing – AI-Powered Classified ads & Business Directory Plugin |
Affected:
0 , ≤ 3.1.7
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T13:39:35.703881Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T13:39:49.847Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
"vendor": "techlabpro1",
"versions": [
{
"lessThanOrEqual": "3.1.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:50:27.216Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/494d2e69-0759-419a-a603-e8870c157e49?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.1.6/app/Controllers/Ajax/FormBuilderAdminAjax.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3150743/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAdminAjax.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-12T18:35:01.000Z",
"value": "Disclosed"
}
],
"title": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin \u003c= 3.1.7 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7888",
"datePublished": "2024-09-13T06:47:26.961Z",
"dateReserved": "2024-08-16T16:01:37.031Z",
"dateUpdated": "2026-04-08T16:50:27.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7858 (GCVE-0-2024-7858)
Vulnerability from cvelistv5 – Published: 2024-08-30 09:29 – Updated: 2026-04-08 17:34- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| maxfoundry | Media Library Folders |
Affected:
0 , ≤ 8.2.3
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T14:47:55.577125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T14:48:04.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Media Library Folders",
"vendor": "maxfoundry",
"versions": [
{
"lessThanOrEqual": "8.2.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Media Library Folders plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several AJAX functions in the media-library-plus.php file in all versions up to, and including, 8.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions related to managing media files and folder along with controlling settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:34:51.480Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fcc0fc00-b7d6-429c-9ab3-f08971c48777?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/media-library-plus/trunk/media-library-plus.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3143036%40media-library-plus\u0026new=3143036%40media-library-plus\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-29T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Media Library Folders \u003c= 8.2.3 - Missing Authorization on Various Functions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7858",
"datePublished": "2024-08-30T09:29:49.791Z",
"dateReserved": "2024-08-15T17:32:52.998Z",
"dateUpdated": "2026-04-08T17:34:51.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7856 (GCVE-0-2024-7856)
Vulnerability from cvelistv5 – Published: 2024-08-29 03:52 – Updated: 2026-04-08 16:49- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| sonaar | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar |
Affected:
0 , ≤ 5.7.0.1
(semver)
|
|
| sonaar | mp3_audio_player_for_music\,_radio_\&_podcast |
Affected:
0 , ≤ 5.7.0.1
(custom)
cpe:2.3:a:sonaar:mp3_audio_player_for_music\,_radio_\&_podcast:-:*:*:*:*:wordpress:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sonaar:mp3_audio_player_for_music\\,_radio_\\\u0026_podcast:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "mp3_audio_player_for_music\\,_radio_\\\u0026_podcast",
"vendor": "sonaar",
"versions": [
{
"lessThanOrEqual": "5.7.0.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T14:04:58.469120Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T14:07:23.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar",
"vendor": "sonaar",
"versions": [
{
"lessThanOrEqual": "5.7.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the \u0027file\u0027 parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files which can make remote code execution possible when wp-config.php is deleted."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:49:09.935Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43adc9dd-1780-440f-90c2-ff05a22eb084?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.7.0.1/includes/class-sonaar-music.php#L755"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3142445/mp3-music-player-by-sonaar/trunk/includes/class-sonaar-music.php"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.7.0.1/includes/class-sonaar-music.php#L739"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-28T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar \u003c= 5.7.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7856",
"datePublished": "2024-08-29T03:52:57.401Z",
"dateReserved": "2024-08-15T17:01:22.836Z",
"dateUpdated": "2026-04-08T16:49:09.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7767 (GCVE-0-2024-7767)
Vulnerability from cvelistv5 – Published: 2025-03-20 10:11 – Updated: 2025-10-15 12:49- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| danswer-ai | danswer-ai/danswer |
Affected:
unspecified , ≤ latest
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7767",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T13:09:24.590978Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T13:09:28.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "danswer-ai/danswer",
"vendor": "danswer-ai",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and potential compliance violations."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T12:49:51.871Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/1425dada-72d8-4bd9-a3e7-2863bb3e1a6c"
}
],
"source": {
"advisory": "1425dada-72d8-4bd9-a3e7-2863bb3e1a6c",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control in danswer-ai/danswer"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-7767",
"datePublished": "2025-03-20T10:11:20.256Z",
"dateReserved": "2024-08-13T18:40:30.797Z",
"dateUpdated": "2025-10-15T12:49:51.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7727 (GCVE-0-2024-7727)
Vulnerability from cvelistv5 – Published: 2024-09-11 04:31 – Updated: 2026-04-08 17:06- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| bplugins | HTML5 Video Player – Embed and Play Videos in Custom Player |
Affected:
0 , ≤ 2.5.32
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:12:10.083777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T18:12:22.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HTML5 Video Player \u2013 Embed and Play Videos in Custom Player",
"vendor": "bplugins",
"versions": [
{
"lessThanOrEqual": "2.5.32",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HTML5 Video Player \u2013 mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the \u0027h5vp_ajax_handler\u0027 ajax action in all versions up to, and including, 2.5.32. This makes it possible for unauthenticated attackers to call these functions to manipulate data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:47.090Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/908df18e-7178-4d40-becb-86e1a714a7da?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/html5-video-player/trunk/inc/Model/ImportData.php#L4"
},
{
"url": "https://plugins.trac.wordpress.org/browser/html5-video-player/trunk/inc/Model/Ajax.php#L5"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3139559/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-10T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "HTML5 Video Player \u2013 mp4 Video Player Plugin and Block \u003c= 2.5.32 - Missing Authorization in multiple functions via h5vp_ajax_handler"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7727",
"datePublished": "2024-09-11T04:31:20.937Z",
"dateReserved": "2024-08-12T22:09:56.793Z",
"dateUpdated": "2026-04-08T17:06:47.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7721 (GCVE-0-2024-7721)
Vulnerability from cvelistv5 – Published: 2024-09-11 04:31 – Updated: 2026-04-08 16:59- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| bplugins | HTML5 Video Player – Embed and Play Videos in Custom Player |
Affected:
0 , ≤ 2.5.34
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T13:09:37.951198Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T13:16:50.214Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HTML5 Video Player \u2013 Embed and Play Videos in Custom Player",
"vendor": "bplugins",
"versions": [
{
"lessThanOrEqual": "2.5.34",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HTML5 Video Player \u2013 mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027save_password\u0027 function in all versions up to, and including, 2.5.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set any options that are not explicitly checked as false to an array, including enabling user registration if it has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:59:31.364Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc3f308-d1e1-430b-bccd-168c0972fe7c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/html5-video-player/trunk/inc/Model/Ajax.php#L79"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3148088/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-10T15:52:47.000Z",
"value": "Disclosed"
}
],
"title": "HTML5 Video Player \u2013 mp4 Video Player Plugin and Block \u003c= 2.5.34 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7721",
"datePublished": "2024-09-11T04:31:20.309Z",
"dateReserved": "2024-08-12T21:19:24.582Z",
"dateUpdated": "2026-04-08T16:59:31.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7648 (GCVE-0-2024-7648)
Vulnerability from cvelistv5 – Published: 2024-08-10 03:23 – Updated: 2026-04-08 17:25- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| wpopal | Opal Membership |
Affected:
0 , ≤ 1.2.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7648",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T14:31:36.769190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T14:31:45.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Opal Membership",
"vendor": "wpopal",
"versions": [
{
"lessThanOrEqual": "1.2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Karolina Jankowska"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Opal Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.4 via the private notes functionality on payments which utilizes WordPress comments. This makes it possible for authenticated attackers, with subscriber-level access and above, to view private notes via recent comments that should be restricted to just administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:25:28.129Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d3098565-d037-4a31-af3c-00e8b93b922e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/opal-membership/trunk/inc/class-opalmembership-ajax.php#L128"
},
{
"url": "https://plugins.trac.wordpress.org/browser/opal-membership/trunk/inc/mixes-functions.php#L154"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-09T15:03:14.000Z",
"value": "Disclosed"
}
],
"title": "Opal Membership \u003c= 1.2.4 - Authenticated (Subscriber+) Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7648",
"datePublished": "2024-08-10T03:23:26.394Z",
"dateReserved": "2024-08-09T14:57:49.314Z",
"dateUpdated": "2026-04-08T17:25:28.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7622 (GCVE-0-2024-7622)
Vulnerability from cvelistv5 – Published: 2024-09-06 13:55 – Updated: 2026-04-08 16:43- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| themastercut | Revision Manager TMC |
Affected:
0 , ≤ 2.8.19
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-06T14:12:28.963357Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T14:12:41.701Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Revision Manager TMC",
"vendor": "themastercut",
"versions": [
{
"lessThanOrEqual": "2.8.19",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Revision Manager TMC plugin for WordPress is vulnerable to unauthorized arbitrary email sending due to a missing capability check on the _a_ajaxQuickEmailTestCallback() function in all versions up to, and including, 2.8.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to send emails with arbitrary content to any individual through the vulnerable web server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:43:55.443Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c8a6ff9-6aa8-4e0f-b058-759561a55508?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/revision-manager-tmc/trunk/src/Components/Notifications.php#L357"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3147298/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-06T01:25:17.000Z",
"value": "Disclosed"
}
],
"title": "Revision Manager TMC \u003c= 2.8.19 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7622",
"datePublished": "2024-09-06T13:55:14.025Z",
"dateReserved": "2024-08-08T17:42:09.428Z",
"dateUpdated": "2026-04-08T16:43:55.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7621 (GCVE-0-2024-7621)
Vulnerability from cvelistv5 – Published: 2024-08-10 02:01 – Updated: 2026-04-08 17:03- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| wpfeedback | Atarim – Visual Feedback, Review & AI Collaboration |
Affected:
0 , ≤ 4.0.2
(semver)
|
|
| wpfeedback | visual_website_collaboration |
Affected:
0 , ≤ 4.0.2
(semver)
cpe:2.3:a:wpfeedback:visual_website_collaboration:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpfeedback:visual_website_collaboration:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "visual_website_collaboration",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "4.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T16:38:21.568028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T16:40:37.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Atarim \u2013 Visual Feedback, Review \u0026 AI Collaboration",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "4.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the process_wpfeedback_misc_options() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins settings which can also be leveraged to gain access to the plugin\u0027s settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:03:17.912Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f17e055-ad49-4115-89c5-dd76b6c531f7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_function.php?rev=3116009#L235"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3133163/atarim-visual-collaboration/trunk/inc/wpf_function.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-09T13:41:33.000Z",
"value": "Disclosed"
}
],
"title": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim \u003c= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7621",
"datePublished": "2024-08-10T02:01:21.796Z",
"dateReserved": "2024-08-08T17:27:46.997Z",
"dateUpdated": "2026-04-08T17:03:17.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7605 (GCVE-0-2024-7605)
Vulnerability from cvelistv5 – Published: 2024-09-05 11:00 – Updated: 2026-04-08 16:37- CWE-862 - Missing Authorization
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7605",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T18:28:25.748425Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T18:28:40.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HelloAsso",
"vendor": "helloasso",
"versions": [
{
"lessThanOrEqual": "1.1.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HelloAsso plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027ha_ajax\u0027 function in all versions up to, and including, 1.1.10. This makes it possible for authenticated attackers, with Contributor-level access and above, to update plugin options, potentially disrupting the service."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:37:13.059Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1690631b-0e5d-45d1-9db6-6ac426874762?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/helloasso/trunk/admin/class-hello-asso-admin.php#L457"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3145151/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-04T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "HelloAsso \u003c= 1.1.10 - Missing Authorization to Authenticated (Contributor+) Limited Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7605",
"datePublished": "2024-09-05T11:00:13.521Z",
"dateReserved": "2024-08-08T00:54:52.129Z",
"dateUpdated": "2026-04-08T16:37:13.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.