CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14599 vulnerabilities reference this CWE, most recent first.
CVE-2024-4259 (GCVE-0-2024-4259)
Vulnerability from cvelistv5 – Published: 2024-09-03 13:15 – Updated: 2026-06-03 14:08- CWE-862 - Missing Authorization
| URL | Tags |
|---|---|
| https://www.usom.gov.tr/bildirim/tr-24-1377 | government-resourcebroken-link |
| https://siberguvenlik.gov.tr/guvenlik-bildirimler… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| SAMPAŞ Holding | AKOS (AkosCepVatandasService) |
Affected:
0 , < V2.0
(custom)
|
|
| SAMPAŞ Holding | AKOS (TahsilatService) |
Affected:
0 , < V1.0.7
(custom)
|
|
| sampas_holding | akos |
Affected:
0 , ≤ 20240902
(custom)
cpe:2.3:a:sampas_holding:akos:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sampas_holding:akos:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "akos",
"vendor": "sampas_holding",
"versions": [
{
"lessThanOrEqual": "20240902",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T13:35:12.532689Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T13:36:30.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AKOS (AkosCepVatandasService)",
"vendor": "SAMPA\u015e Holding",
"versions": [
{
"lessThan": "V2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "AKOS (TahsilatService)",
"vendor": "SAMPA\u015e Holding",
"versions": [
{
"lessThan": "V1.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mustafa An\u0131l YILDIRIM"
},
{
"lang": "en",
"type": "finder",
"value": "Yasin TEK\u0130N"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in SAMPA\u015e Holding AKOS (AkosCepVatandasService), SAMPA\u015e Holding AKOS (TahsilatService) allows Collect Data as Provided by Users.\u003cp\u003e\nThis issue affects AKOS (AkosCepVatandasService): before V2.0; AKOS (TahsilatService): before V1.0.7.\n\n\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in SAMPA\u015e Holding AKOS (AkosCepVatandasService), SAMPA\u015e Holding AKOS (TahsilatService) allows Collect Data as Provided by Users.\n\n\nThis issue affects AKOS (AkosCepVatandasService): before V2.0; AKOS (TahsilatService): before V1.0.7."
}
],
"impacts": [
{
"capecId": "CAPEC-569",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-569 Collect Data as Provided by Users"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:08:38.159Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"tags": [
"government-resource",
"broken-link"
],
"url": "https://www.usom.gov.tr/bildirim/tr-24-1377"
},
{
"tags": [
"government-resource"
],
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1377"
}
],
"source": {
"advisory": "TR-24-1377",
"defect": [
"TR-24-1377"
],
"discovery": "UNKNOWN"
},
"title": "Sensetive Data Exposure in SAMPAS\u0027s AKOS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2024-4259",
"datePublished": "2024-09-03T13:15:31.501Z",
"dateReserved": "2024-04-26T14:40:25.762Z",
"dateUpdated": "2026-06-03T14:08:38.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4233 (GCVE-0-2024-4233)
Vulnerability from cvelistv5 – Published: 2024-05-08 13:19 – Updated: 2026-04-28 16:10- CWE-862 - Missing Authorization
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/woo… | vdb-entry |
| https://patchstack.com/database/vulnerability/arc… | vdb-entry |
| https://patchstack.com/database/vulnerability/arc… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| Tyche Softwares | Print Invoice & Delivery Notes for WooCommerce |
Affected:
n/a , ≤ 4.8.1
(custom)
|
|
| Tyche Softwares | Arconix Shortcodes |
Affected:
n/a , ≤ 2.1.10
(custom)
|
|
| Tyche Softwares | Arconix FAQ |
Affected:
n/a , ≤ 1.9.3
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4233",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-08T17:04:53.220579Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:54:03.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.986Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/woocommerce-delivery-notes/wordpress-print-invoice-delivery-notes-for-woocommerce-plugin-4-8-1-broken-access-control-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/arconix-faq/wordpress-arconix-faq-plugin-1-9-3-broken-access-control-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/arconix-shortcodes/wordpress-arconix-shortcodes-plugin-2-1-10-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woocommerce-delivery-notes",
"product": "Print Invoice \u0026 Delivery Notes for WooCommerce",
"vendor": "Tyche Softwares",
"versions": [
{
"changes": [
{
"at": "4.9.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.8.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "arconix-shortcodes",
"product": "Arconix Shortcodes",
"vendor": "Tyche Softwares",
"versions": [
{
"changes": [
{
"at": "2.1.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.1.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "arconix-faq",
"product": "Arconix FAQ",
"vendor": "Tyche Softwares",
"versions": [
{
"changes": [
{
"at": "1.9.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.9.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dhabaleshwar Das (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Tyche Softwares Print Invoice \u0026 Delivery Notes for WooCommerce, Tyche Softwares Arconix Shortcodes, Tyche Softwares Arconix FAQ.\u003cp\u003eThis issue affects Print Invoice \u0026 Delivery Notes for WooCommerce: from n/a through 4.8.1; Arconix Shortcodes: from n/a through 2.1.10; Arconix FAQ: from n/a through 1.9.3.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Tyche Softwares Print Invoice \u0026 Delivery Notes for WooCommerce, Tyche Softwares Arconix Shortcodes, Tyche Softwares Arconix FAQ.This issue affects Print Invoice \u0026 Delivery Notes for WooCommerce: from n/a through 4.8.1; Arconix Shortcodes: from n/a through 2.1.10; Arconix FAQ: from n/a through 1.9.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:08.359Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/woocommerce-delivery-notes/wordpress-print-invoice-delivery-notes-for-woocommerce-plugin-4-8-1-broken-access-control-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/arconix-faq/wordpress-arconix-faq-plugin-1-9-3-broken-access-control-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/arconix-shortcodes/wordpress-arconix-shortcodes-plugin-2-1-10-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update\u00a0Print Invoice \u0026 Delivery Notes for WooCommerce to\u00a04.9.0 or a higher version."
}
],
"value": "Update\u00a0Print Invoice \u0026 Delivery Notes for WooCommerce to\u00a04.9.0 or a higher version."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Arconix Shortcodes to\u00a02.1.11 or a higher version.\u003cbr\u003e"
}
],
"value": "Update Arconix Shortcodes to\u00a02.1.11 or a higher version."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update\u00a0Arconix FAQ to\u00a01.9.4 or a higher version."
}
],
"value": "Update\u00a0Arconix FAQ to\u00a01.9.4 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Broken Access Control vulnerability in multiple WordPress plugins by Tyche Softwares",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-4233",
"datePublished": "2024-05-08T13:19:59.655Z",
"dateReserved": "2024-04-26T10:17:15.928Z",
"dateUpdated": "2026-04-28T16:10:08.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4223 (GCVE-0-2024-4223)
Vulnerability from cvelistv5 – Published: 2024-05-16 08:32 – Updated: 2026-04-08 17:24- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 2.7.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4223",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T18:38:07.086210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:53:27.397Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.989Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce4c4395-6d1a-4d5f-885f-383e5c44c0f8?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3086489/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "2.7.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Villu Orav"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:23.811Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce4c4395-6d1a-4d5f-885f-383e5c44c0f8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3086489/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-15T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 2.7.0 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4223",
"datePublished": "2024-05-16T08:32:50.538Z",
"dateReserved": "2024-04-26T00:21:41.464Z",
"dateUpdated": "2026-04-08T17:24:23.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4222 (GCVE-0-2024-4222)
Vulnerability from cvelistv5 – Published: 2024-05-16 09:32 – Updated: 2026-04-08 17:09- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS Pro |
Affected:
0 , ≤ 2.7.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T15:16:59.311251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:53:29.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:53.068Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/942fffb6-2719-4b70-9759-21b2d50002c5?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.themeum.com/product/tutor-lms/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS Pro",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "2.7.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Villu Orav"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:09:50.010Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/942fffb6-2719-4b70-9759-21b2d50002c5?source=cve"
},
{
"url": "https://www.themeum.com/product/tutor-lms/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-15T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS Pro \u003c= 2.7.0 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4222",
"datePublished": "2024-05-16T09:32:11.833Z",
"dateReserved": "2024-04-26T00:00:13.727Z",
"dateUpdated": "2026-04-08T17:09:50.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4205 (GCVE-0-2024-4205)
Vulnerability from cvelistv5 – Published: 2024-05-31 05:31 – Updated: 2026-04-08 16:37- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| leap13 | Premium Addons for Elementor – Powerful Elementor Templates & Widgets |
Affected:
0 , ≤ 4.10.31
(semver)
|
|
| leap13 | premium_addons_for_elementor |
Affected:
0 , ≤ 4.10.31
(semver)
cpe:2.3:a:leap13:premium_addons_for_elementor:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:leap13:premium_addons_for_elementor:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "premium_addons_for_elementor",
"vendor": "leap13",
"versions": [
{
"lessThanOrEqual": "4.10.31",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T17:43:16.794030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:54:10.392Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.902Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/175cb977-dcba-429f-814c-6de078e23472?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.10.28/includes/addons-integration.php#L1408"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3090037/premium-addons-for-elementor/trunk/includes/addons-integration.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Premium Addons for Elementor \u2013 Powerful Elementor Templates \u0026 Widgets",
"vendor": "leap13",
"versions": [
{
"lessThanOrEqual": "4.10.31",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thura Moe Myint"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content() function in all versions up to, and including, 4.10.31. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve Elementor template data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:37:22.658Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/175cb977-dcba-429f-814c-6de078e23472?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.10.28/includes/addons-integration.php#L1408"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3090037/premium-addons-for-elementor/trunk/includes/addons-integration.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-30T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Premium Addons for Elementor \u003c= 4.10.31 - Missing Authorization to Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4205",
"datePublished": "2024-05-31T05:31:57.359Z",
"dateReserved": "2024-04-25T17:17:33.188Z",
"dateUpdated": "2026-04-08T16:37:22.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4199 (GCVE-0-2024-4199)
Vulnerability from cvelistv5 – Published: 2024-05-15 01:56 – Updated: 2026-04-08 16:58- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| ithemelandco | WPBULKiT – Bulk Edit WordPress Posts & Pages |
Affected:
0 , ≤ 4.2.3
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4199",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T16:03:45.526732Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:54:48.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.605Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/683131a0-eec3-4251-b322-5c2088855687?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3085134%40ithemeland-bulk-posts-editing-lite%2Ftrunk\u0026old=2946926%40ithemeland-bulk-posts-editing-lite%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPBULKiT \u2013 Bulk Edit WordPress Posts \u0026 Pages",
"vendor": "ithemelandco",
"versions": [
{
"lessThanOrEqual": "4.2.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Benedictus Jovan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bulk Posts Editing For WordPress plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on the plugin\u0027s AJAX actions in all versions up to, and including, 4.2.3. This makes it possible for authenticated attackers, with subscriber access and higher, to invoke their corresponding functions. This may lead to post creation and duplication, post content retrieval, post taxonomy manipulation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:58:24.783Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/683131a0-eec3-4251-b322-5c2088855687?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3085134%40ithemeland-bulk-posts-editing-lite%2Ftrunk\u0026old=2946926%40ithemeland-bulk-posts-editing-lite%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-14T12:16:49.000Z",
"value": "Disclosed"
}
],
"title": "Bulk Posts Editing For WordPress \u003c= 4.2.3 - Authenticated (Subscriber+) Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4199",
"datePublished": "2024-05-15T01:56:54.769Z",
"dateReserved": "2024-04-25T16:45:47.251Z",
"dateUpdated": "2026-04-08T16:58:24.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4139 (GCVE-0-2024-4139)
Vulnerability from cvelistv5 – Published: 2024-05-14 03:51 – Updated: 2024-08-01 20:33- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP S/4 HANA (Manage Bank Statement Reprocessing Rules) |
Affected:
SAPSCORE 131
Affected: S4CORE 105 Affected: S4CORE 106 Affected: S4CORE 107 Affected: S4CORE 108 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4139",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T18:38:26.004595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:55:21.514Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.507Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3434666"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP S/4 HANA (Manage Bank Statement Reprocessing Rules)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAPSCORE 131"
},
{
"status": "affected",
"version": "S4CORE 105"
},
{
"status": "affected",
"version": "S4CORE 106"
},
{
"status": "affected",
"version": "S4CORE 107"
},
{
"status": "affected",
"version": "S4CORE 108"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can delete rules of other users affecting the integrity of the application. Confidentiality and Availability are not affected."
}
],
"value": "Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can delete rules of other users affecting the integrity of the application. Confidentiality and Availability are not affected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T04:01:51.145Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3434666"
},
{
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Authorization Checks in SAP S/4 HANA (Manage Bank Statement Reprocessing Rules)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-4139",
"datePublished": "2024-05-14T03:51:31.364Z",
"dateReserved": "2024-04-24T16:59:14.740Z",
"dateUpdated": "2024-08-01T20:33:52.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4138 (GCVE-0-2024-4138)
Vulnerability from cvelistv5 – Published: 2024-05-14 03:53 – Updated: 2024-08-01 20:33- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP S/4 HANA (Manage Bank Statement Reprocessing Rules) |
Affected:
SAPSCORE 131
Affected: S4CORE 105 Affected: S4CORE 106 Affected: S4CORE107 Affected: S4CORE 108 |
|
| sap | s\/4hana |
Affected:
105
cpe:2.3:a:sap:s\/4hana:105:*:*:*:*:*:*:* |
|
| sap | s\/4hana |
Affected:
106
cpe:2.3:a:sap:s\/4hana:106:*:*:*:*:*:*:* |
|
| sap | s\/4hana |
Affected:
107
cpe:2.3:a:sap:s\/4hana:107:*:*:*:*:*:*:* |
|
| sap | s\/4hana |
Affected:
108
cpe:2.3:a:sap:s\/4hana:108:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sap:s\\/4hana:105:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "s\\/4hana",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "105"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap:s\\/4hana:106:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "s\\/4hana",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "106"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap:s\\/4hana:107:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "s\\/4hana",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "107"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap:s\\/4hana:108:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "s\\/4hana",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "108"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4138",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-14T19:40:07.920544Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:55:13.334Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.538Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3434666"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP S/4 HANA (Manage Bank Statement Reprocessing Rules)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAPSCORE 131"
},
{
"status": "affected",
"version": "S4CORE 105"
},
{
"status": "affected",
"version": "S4CORE 106"
},
{
"status": "affected",
"version": "S4CORE107"
},
{
"status": "affected",
"version": "S4CORE 108"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can enable/disable the sharing rule of other users affecting the integrity of the application. Confidentiality and Availability are not affected."
}
],
"value": "Manage Bank Statement ReProcessing Rules does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can enable/disable the sharing rule of other users affecting the integrity of the application. Confidentiality and Availability are not affected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T04:01:25.521Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3434666"
},
{
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Authorization Checks in SAP S/4 HANA (Manage Bank Statement Reprocessing Rules)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-4138",
"datePublished": "2024-05-14T03:53:10.737Z",
"dateReserved": "2024-04-24T16:59:01.812Z",
"dateUpdated": "2024-08-01T20:33:52.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4102 (GCVE-0-2024-4102)
Vulnerability from cvelistv5 – Published: 2024-07-09 08:33 – Updated: 2026-04-08 17:14- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| elfsight | Pricing Table |
Affected:
0 , ≤ 2.0.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4102",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T13:56:56.292393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T16:46:16.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.272Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa769d51-8718-42e9-9070-0b878442dbc7?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/elfsight-pricing-table/trunk/core/includes/widgets-api.php#L71"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pricing Table",
"vendor": "elfsight",
"versions": [
{
"lessThanOrEqual": "2.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Benedictus Jovan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Pricing Table plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions like editing pricing tables."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:14:24.829Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa769d51-8718-42e9-9070-0b878442dbc7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/elfsight-pricing-table/trunk/core/includes/widgets-api.php#L71"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-08T20:06:55.000Z",
"value": "Disclosed"
}
],
"title": "Pricing Table \u003c= 2.0.1 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4102",
"datePublished": "2024-07-09T08:33:10.563Z",
"dateReserved": "2024-04-23T21:02:44.705Z",
"dateUpdated": "2026-04-08T17:14:24.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4088 (GCVE-0-2024-4088)
Vulnerability from cvelistv5 – Published: 2024-06-05 06:50 – Updated: 2026-04-08 17:31- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| shafayat-alam | Gutenberg Blocks and Page Layouts – Attire Blocks |
Affected:
0 , ≤ 1.9.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-05T12:57:51.533719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-05T12:58:03.457Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:51.675Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef47feb7-76fd-470d-ba48-55ba3c323c6d?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3085600/attire-blocks/trunk/admin/AttireBlocksSettings.php?old=2996841\u0026old_path=attire-blocks%2Ftrunk%2Fadmin%2FAttireBlocksSettings.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Gutenberg Blocks and Page Layouts \u2013 Attire Blocks",
"vendor": "shafayat-alam",
"versions": [
{
"lessThanOrEqual": "1.9.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Benedictus Jovan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Gutenberg Blocks and Page Layouts \u2013 Attire Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disable_fe_assets function in all versions up to, and including, 1.9.2. This makes it possible for authenticated attackers, with subscriber access or above, to change the plugin\u0027s settings. Additionally, no nonce check is performed resulting in a CSRF vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:31:56.298Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef47feb7-76fd-470d-ba48-55ba3c323c6d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3085600/attire-blocks/trunk/admin/AttireBlocksSettings.php?old=2996841\u0026old_path=attire-blocks%2Ftrunk%2Fadmin%2FAttireBlocksSettings.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-04T18:36:28.000Z",
"value": "Disclosed"
}
],
"title": "Gutenberg Blocks and Page Layouts \u2013 Attire Blocks \u003c= 1.9.2 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4088",
"datePublished": "2024-06-05T06:50:29.799Z",
"dateReserved": "2024-04-23T16:54:43.164Z",
"dateUpdated": "2026-04-08T17:31:56.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.