CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14602 vulnerabilities reference this CWE, most recent first.
CVE-2023-6700 (GCVE-0-2023-6700)
Vulnerability from cvelistv5 – Published: 2024-02-05 21:21 – Updated: 2026-04-08 16:48- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| cookieinformation | Cookie Information | Free GDPR Consent Solution |
Affected:
0 , ≤ 2.0.22
(semver)
|
|
| cookieinformation | free_gdpr_consent_solution |
Affected:
0 , ≤ 2.0.22
(custom)
cpe:2.3:a:cookieinformation:free_gdpr_consent_solution:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.877Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42a4ef37-c842-4925-b06a-3e6423337567?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3028096/wp-gdpr-compliance/trunk?contextall=1\u0026old=2865555\u0026old_path=%2Fwp-gdpr-compliance%2Ftrunk"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cookieinformation:free_gdpr_consent_solution:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "free_gdpr_consent_solution",
"vendor": "cookieinformation",
"versions": [
{
"lessThanOrEqual": "2.0.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6700",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-06T17:51:45.864083Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T18:10:16.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cookie Information | Free GDPR Consent Solution",
"vendor": "cookieinformation",
"versions": [
{
"lessThanOrEqual": "2.0.22",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with subscriber-level access or higher, to edit arbitrary site options which can be used to create administrator accounts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:48:57.429Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42a4ef37-c842-4925-b06a-3e6423337567?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3028096/wp-gdpr-compliance/trunk?contextall=1\u0026old=2865555\u0026old_path=%2Fwp-gdpr-compliance%2Ftrunk"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-29T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Cookie Information | Free GDPR Consent Solution \u003c= 2.0.22 - Authenticated (Subscriber+) Arbitrary Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6700",
"datePublished": "2024-02-05T21:21:41.583Z",
"dateReserved": "2023-12-11T21:19:06.551Z",
"dateUpdated": "2026-04-08T16:48:57.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-6696 (GCVE-0-2023-6696)
Vulnerability from cvelistv5 – Published: 2024-06-15 02:02 – Updated: 2026-04-08 17:11- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. |
Affected:
0 , ≤ 4.3.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6696",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T13:59:51.368858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T13:59:57.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f86ec30-7a9d-4c36-8559-bde331c8b958?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.2.3/com/classes/Ajax.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3096000/popup-builder/trunk/com/classes/Ajax.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.",
"vendor": "popupbuilder",
"versions": [
{
"lessThanOrEqual": "4.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a nonce check, the nonce can be obtained from the profile page of a logged-in user. This allows subscribers to perform several actions including deleting subscribers and perform blind Server-Side Request Forgery."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:11:59.399Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f86ec30-7a9d-4c36-8559-bde331c8b958?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.2.3/com/classes/Ajax.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3096000/popup-builder/trunk/com/classes/Ajax.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups \u003c= 4.3.1 - Missing Authorization and Nonce Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6696",
"datePublished": "2024-06-15T02:02:00.502Z",
"dateReserved": "2023-12-11T18:28:25.914Z",
"dateUpdated": "2026-04-08T17:11:59.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-6638 (GCVE-0-2023-6638)
Vulnerability from cvelistv5 – Published: 2024-01-11 08:33 – Updated: 2026-04-08 17:24- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| wpopal | GG Woo Feed for WooCommerce Shopping Feed on Google and Other Channels |
Affected:
0 , ≤ 1.2.4
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.859Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce6b9b0a-e82e-459a-bddf-1c9354bcec00?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/gg-woo-feed/trunk/inc/Admin/Admin.php?rev=2933599#L199"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:43:24.859049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:08:44.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GG Woo Feed for WooCommerce Shopping Feed on Google and Other Channels",
"vendor": "wpopal",
"versions": [
{
"lessThanOrEqual": "1.2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The GTG Product Feed for Shopping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027update_settings\u0027 function in versions up to, and including, 1.2.4. This makes it possible for unauthenticated attackers to update plugin settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:24.891Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce6b9b0a-e82e-459a-bddf-1c9354bcec00?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gg-woo-feed/trunk/inc/Admin/Admin.php?rev=2933599#L199"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3026053"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-08T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-12-15T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "GTG Product Feed for Shopping \u003c= 1.2.4 - Missing Authorization to Unauthenticated Plugin Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6638",
"datePublished": "2024-01-11T08:33:00.702Z",
"dateReserved": "2023-12-08T19:41:10.808Z",
"dateUpdated": "2026-04-08T17:24:24.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-6637 (GCVE-0-2023-6637)
Vulnerability from cvelistv5 – Published: 2024-01-11 08:32 – Updated: 2026-04-08 16:56- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| daanvandenbergh | CAOS | Host Google Analytics Locally |
Affected:
0 , ≤ 4.7.14
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.866Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5ec1fd03-f865-4f58-b63b-e70c0c7e701d?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/host-analyticsjs-local/tags/4.7.12/includes/class-caos.php#L414"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3008878/host-analyticsjs-local#file8"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3009011/host-analyticsjs-local#file5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6637",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T20:10:25.848375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:09:21.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CAOS | Host Google Analytics Locally",
"vendor": "daanvandenbergh",
"versions": [
{
"lessThanOrEqual": "4.7.14",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CAOS | Host Google Analytics Locally plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027update_settings\u0027 function in versions up to, and including, 4.7.14. This makes it possible for unauthenticated attackers to update plugin settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:56:13.981Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5ec1fd03-f865-4f58-b63b-e70c0c7e701d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/host-analyticsjs-local/tags/4.7.12/includes/class-caos.php#L414"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3008878/host-analyticsjs-local#file8"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3009011/host-analyticsjs-local#file5"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-08T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-12-08T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-12-12T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "CAOS | Host Google Analytics Locally \u003c= 4.7.14 - Missing Authorization to Unauthenticated Plugin Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6637",
"datePublished": "2024-01-11T08:32:35.681Z",
"dateReserved": "2023-12-08T19:40:32.987Z",
"dateUpdated": "2026-04-08T16:56:13.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-6600 (GCVE-0-2023-6600)
Vulnerability from cvelistv5 – Published: 2024-01-03 05:31 – Updated: 2026-04-08 16:51| Vendor | Product | Version | |
|---|---|---|---|
| daanvandenbergh | OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. |
Affected:
0 , ≤ 5.7.9
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e835b97-c066-4e8f-b99f-1a930105af0c?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3008876%40host-webfonts-local\u0026new=3008876%40host-webfonts-local\u0026sfp_email=\u0026sfph_mail="
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3009010%40host-webfonts-local\u0026new=3009010%40host-webfonts-local\u0026sfp_email=\u0026sfph_mail="
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3009453%40host-webfonts-local\u0026new=3009453%40host-webfonts-local\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:43:56.391336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:44:18.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.",
"vendor": "daanvandenbergh",
"versions": [
{
"lessThanOrEqual": "5.7.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9. This makes it possible for unauthenticated attackers to update the plugin\u0027s settings which can be used to inject Cross-Site Scripting payloads and delete entire directories. PLease note there were several attempted patched, and we consider 5.7.10 to be the most sufficiently patched."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:51:46.382Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e835b97-c066-4e8f-b99f-1a930105af0c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3008876%40host-webfonts-local\u0026new=3008876%40host-webfonts-local\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3009010%40host-webfonts-local\u0026new=3009010%40host-webfonts-local\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3009453%40host-webfonts-local\u0026new=3009453%40host-webfonts-local\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-02T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. \u003c= 5.7.9 - Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6600",
"datePublished": "2024-01-03T05:31:18.483Z",
"dateReserved": "2023-12-08T00:04:00.899Z",
"dateUpdated": "2026-04-08T16:51:46.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-6598 (GCVE-0-2023-6598)
Vulnerability from cvelistv5 – Published: 2024-01-11 08:33 – Updated: 2026-04-08 17:27- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| softaculous | SpeedyCache – Cache, Optimization, Performance |
Affected:
0 , ≤ 1.1.3
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.578Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/db8cfdba-f3b2-45dc-9be7-6f6374fd5f39?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3010577/speedycache"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6598",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T15:48:51.188407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T15:48:59.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SpeedyCache \u2013 Cache, Optimization, Performance",
"vendor": "softaculous",
"versions": [
{
"lessThanOrEqual": "1.1.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The SpeedyCache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the speedycache_save_varniship, speedycache_img_update_settings, speedycache_preloading_add_settings, and speedycache_preloading_delete_resource functions in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update plugin options."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:27:37.164Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/db8cfdba-f3b2-45dc-9be7-6f6374fd5f39?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3010577/speedycache"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "SpeedyCache \u003c= 1.1.3 - Missing Authorization to Plugin Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6598",
"datePublished": "2024-01-11T08:33:02.864Z",
"dateReserved": "2023-12-07T21:32:43.325Z",
"dateUpdated": "2026-04-08T17:27:37.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-6557 (GCVE-0-2023-6557)
Vulnerability from cvelistv5 – Published: 2024-02-05 21:22 – Updated: 2026-04-08 17:34- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| stellarwp | The Events Calendar |
Affected:
0 , ≤ 6.2.8.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6557",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-07T15:34:35.300763Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:37.457Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.035Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc40196e-c0f3-4bc6-ac4b-b866902def61?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3010104%40the-events-calendar%2Ftags%2F6.2.9\u0026old=3010096%40the-events-calendar%2Ftags%2F6.2.9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "The Events Calendar",
"vendor": "stellarwp",
"versions": [
{
"lessThanOrEqual": "6.2.8.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicolas Decayeux"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2 via the route function hooked into wp_ajax_nopriv_tribe_dropdown. This makes it possible for unauthenticated attackers to extract potentially sensitive data including post titles and IDs of pending, private and draft posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:34:41.990Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc40196e-c0f3-4bc6-ac4b-b866902def61?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3010104%40the-events-calendar%2Ftags%2F6.2.9\u0026old=3010096%40the-events-calendar%2Ftags%2F6.2.9"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-06T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-01-12T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "The Events Calendar \u003c= 6.2.8.2 - Unauthenticated Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6557",
"datePublished": "2024-02-05T21:22:06.072Z",
"dateReserved": "2023-12-06T14:41:25.107Z",
"dateUpdated": "2026-04-08T17:34:41.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-6554 (GCVE-0-2023-6554)
Vulnerability from cvelistv5 – Published: 2024-01-11 15:17 – Updated: 2025-06-20 16:34- CWE-862 - Missing Authorization
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/01/CVE-2023-6554/ | third-party-advisory |
| https://cert.pl/posts/2024/01/CVE-2023-6554/ | third-party-advisory |
| https://tcexam.org/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| Tecnick.com | TCExam |
Affected:
0 , < 15.1.0
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.736Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2024/01/CVE-2023-6554/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2024/01/CVE-2023-6554/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://tcexam.org/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-6554",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-11T17:22:59.733530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-20T16:34:34.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TCExam",
"repo": "https://github.com/tecnickcom/tcexam",
"vendor": "Tecnick.com",
"versions": [
{
"lessThan": "15.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Krzysztof Zaj\u0105c (CERT.PL)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eWhen access to the \"admin\" folder is not protected by some external authorization mechanisms e.g. Apache Basic Auth, it is possible for any user to download protected information like exam answers.\u003cbr\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "When access to the \"admin\" folder is not protected by some external authorization mechanisms e.g. Apache Basic Auth, it is possible for any user to download protected information like exam answers.\n\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T15:17:23.523Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/01/CVE-2023-6554/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/01/CVE-2023-6554/"
},
{
"tags": [
"product"
],
"url": "https://tcexam.org/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing authorisation in TCExam",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-6554",
"datePublished": "2024-01-11T15:17:23.523Z",
"dateReserved": "2023-12-06T13:46:33.216Z",
"dateUpdated": "2025-06-20T16:34:34.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6394 (GCVE-0-2023-6394)
Vulnerability from cvelistv5 – Published: 2023-12-09 01:26 – Updated: 2026-03-24 11:28- CWE-862 - Missing Authorization
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2023:7612 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2023:7700 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2023-6394 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2252197 | issue-trackingx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat build of Quarkus 2.13.9.Final |
Unaffected:
2.13.9.Final-redhat-00002 , < *
(rpm)
cpe:/a:redhat:quarkus:2.13 |
|
| Red Hat | Red Hat build of Quarkus 3.2.9.Final |
Unaffected:
3.2.9.Final-redhat-00002 , < *
(rpm)
cpe:/a:redhat:quarkus:3.2::el8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:28:21.766Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2023:7612",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7612"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-6394"
},
{
"name": "RHBZ#2252197",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252197"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6394",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T14:24:22.279522Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T14:25:33.171Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:2.13"
],
"defaultStatus": "affected",
"packageName": "io.quarkus/quarkus-smallrye-graphql",
"product": "Red Hat build of Quarkus 2.13.9.Final",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.13.9.Final-redhat-00002",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:quarkus:3.2::el8"
],
"defaultStatus": "affected",
"packageName": "io.quarkus/quarkus-smallrye-graphql",
"product": "Red Hat build of Quarkus 3.2.9.Final",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "3.2.9.Final-redhat-00002",
"versionType": "rpm"
}
]
}
],
"datePublic": "2023-12-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T11:28:00.390Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2023:7612",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7612"
},
{
"name": "RHSA-2023:7700",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7700"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-6394"
},
{
"name": "RHBZ#2252197",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252197"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-11-30T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-12-08T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Quarkus: graphql operations over websockets bypass",
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-862: Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-6394",
"datePublished": "2023-12-09T01:26:52.908Z",
"dateReserved": "2023-11-30T04:05:52.129Z",
"dateUpdated": "2026-03-24T11:28:00.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-6369 (GCVE-0-2023-6369)
Vulnerability from cvelistv5 – Published: 2024-01-11 08:32 – Updated: 2026-04-08 16:50- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| recorp | Export WordPress Pages to Static HTML & PDF — Static Site Export |
Affected:
0 , ≤ 2.1.9
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:28:21.780Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/47cb48aa-b556-4f25-ac68-ff0a812972c1?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/cancelRcExportProcess.php#L23"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/deleteExportedZipFile.php#L24"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/exportLogPercentage.php#L23"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/requestForWpPageToStaticHtml.php#L24"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/saveAdvancedSettings.php#L22"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/searchPosts.php#L24"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/seeLogsInDetails.php#L22"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3002740/export-wp-page-to-static-html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6369",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:55:49.907493Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:09:37.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Export WordPress Pages to Static HTML \u0026 PDF \u2014 Static Site Export",
"vendor": "recorp",
"versions": [
{
"lessThanOrEqual": "2.1.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 2.1.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to disclose sensitive information or perform unauthorized actions, such as saving advanced plugin settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:50:07.036Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/47cb48aa-b556-4f25-ac68-ff0a812972c1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/cancelRcExportProcess.php#L23"
},
{
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/deleteExportedZipFile.php#L24"
},
{
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/exportLogPercentage.php#L23"
},
{
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/requestForWpPageToStaticHtml.php#L24"
},
{
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/saveAdvancedSettings.php#L22"
},
{
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/searchPosts.php#L24"
},
{
"url": "https://plugins.trac.wordpress.org/browser/export-wp-page-to-static-html/trunk/admin/includes/AjaxRequests/seeLogsInDetails.php#L22"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3002740/export-wp-page-to-static-html"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-10-30T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-10-31T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-11-28T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Export WP Page to Static HTML/CSS \u003c= 2.1.9 - Missing Authorization via Multiple AJAX Actions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6369",
"datePublished": "2024-01-11T08:32:33.836Z",
"dateReserved": "2023-11-28T16:49:15.827Z",
"dateUpdated": "2026-04-08T16:50:07.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.