Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2024-32525 (GCVE-0-2024-32525)
Vulnerability from cvelistv5 – Published: 2024-04-17 07:17 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress Theme My Login plugin <= 7.1.6 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Theme My Login.This issue affects Theme My Login: from n/a through 7.1.6.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/the… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Theme My Login | Theme My Login |
Affected:
n/a , ≤ 7.1.6
(custom)
|
|
| thememylogin | thememylogin |
Affected:
n/a , ≤ 7.1.6
(custom)
cpe:2.3:a:thememylogin:thememylogin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:thememylogin:thememylogin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "thememylogin",
"vendor": "thememylogin",
"versions": [
{
"lessThanOrEqual": "7.1.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32525",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T19:52:56.086046Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:50:51.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.117Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/theme-my-login/wordpress-theme-my-login-plugin-7-1-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "theme-my-login",
"product": "Theme My Login",
"vendor": "Theme My Login",
"versions": [
{
"changes": [
{
"at": "7.1.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "7.1.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abdi Pranata (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Theme My Login.\u003cp\u003eThis issue affects Theme My Login: from n/a through 7.1.6.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Theme My Login.This issue affects Theme My Login: from n/a through 7.1.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:36.474Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/theme-my-login/wordpress-theme-my-login-plugin-7-1-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 7.1.7 or a higher version."
}
],
"value": "Update to 7.1.7 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Theme My Login plugin \u003c= 7.1.6 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-32525",
"datePublished": "2024-04-17T07:17:23.473Z",
"dateReserved": "2024-04-15T09:13:32.833Z",
"dateUpdated": "2026-04-28T16:09:36.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32532 (GCVE-0-2024-32532)
Vulnerability from cvelistv5 – Published: 2024-04-17 07:13 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress Speed Optimizer plugin <= 7.4.6 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in SiteGround Speed Optimizer.This issue affects Speed Optimizer: from n/a through 7.4.6.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/sg-… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SiteGround | Speed Optimizer |
Affected:
n/a , ≤ 7.4.6
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-19T19:20:25.313870Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:50:37.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:39.769Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/sg-cachepress/wordpress-speed-optimizer-plugin-7-4-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "sg-cachepress",
"product": "Speed Optimizer",
"vendor": "SiteGround",
"versions": [
{
"changes": [
{
"at": "7.5.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "7.4.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in SiteGround Speed Optimizer.\u003cp\u003eThis issue affects Speed Optimizer: from n/a through 7.4.6.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in SiteGround Speed Optimizer.This issue affects Speed Optimizer: from n/a through 7.4.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:36.565Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/sg-cachepress/wordpress-speed-optimizer-plugin-7-4-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 7.5.0 or a higher version."
}
],
"value": "Update to 7.5.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Speed Optimizer plugin \u003c= 7.4.6 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-32532",
"datePublished": "2024-04-17T07:13:52.400Z",
"dateReserved": "2024-04-15T09:13:32.835Z",
"dateUpdated": "2026-04-28T16:09:36.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32589 (GCVE-0-2024-32589)
Vulnerability from cvelistv5 – Published: 2025-08-31 03:46 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress Barcode Scanner and Inventory manager plugin <= 1.5.3 - Broken Access Control to XSS vulnerability
Summary
Missing Authorization vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through <= 1.5.3.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dmitry V. (CEO of "UKR Solution") | Barcode Scanner with Inventory & Order Manager |
Affected:
0 , ≤ 1.5.3
(custom)
|
Date Public
2026-04-01 16:25
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32589",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T20:36:24.957467Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T20:36:40.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "barcode-scanner-lite-pos-to-manage-products-inventory-and-orders",
"product": "Barcode Scanner with Inventory \u0026 Order Manager",
"vendor": "Dmitry V. (CEO of \"UKR Solution\")",
"versions": [
{
"changes": [
{
"at": "1.5.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Maksim Kosenko | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:25:03.552Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Dmitry V. (CEO of \"UKR Solution\") Barcode Scanner with Inventory \u0026 Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders.\u003cp\u003eThis issue affects Barcode Scanner with Inventory \u0026 Order Manager: from n/a through \u003c= 1.5.3.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Dmitry V. (CEO of \"UKR Solution\") Barcode Scanner with Inventory \u0026 Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders.This issue affects Barcode Scanner with Inventory \u0026 Order Manager: from n/a through \u003c= 1.5.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:37.965Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/vulnerability/wordpress-barcode-scanner-and-inventory-manager-plugin-1-5-3-broken-access-control-to-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Barcode Scanner and Inventory manager plugin \u003c= 1.5.3 - Broken Access Control to XSS vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-32589",
"datePublished": "2025-08-31T03:46:56.764Z",
"dateReserved": "2024-04-15T10:18:19.798Z",
"dateUpdated": "2026-04-28T16:09:37.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32601 (GCVE-0-2024-32601)
Vulnerability from cvelistv5 – Published: 2024-04-18 08:19 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress Popup Anything plugin <= 2.8 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Popup Anything.This issue affects Popup Anything: from n/a through 2.8.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/pop… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WP OnlineSupport, Essential Plugin | Popup Anything |
Affected:
n/a , ≤ 2.8
(custom)
|
|
| wordpress | popup_anything |
Affected:
0 , ≤ 2.8
(custom)
cpe:2.3:a:wordpress:popup_anything:2.8:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wordpress:popup_anything:2.8:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "popup_anything",
"vendor": "wordpress",
"versions": [
{
"lessThanOrEqual": "2.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T15:36:32.548265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:50:25.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.352Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/popup-anything-on-click/wordpress-popup-anything-plugin-2-8-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "popup-anything-on-click",
"product": "Popup Anything",
"vendor": "WP OnlineSupport, Essential Plugin",
"versions": [
{
"changes": [
{
"at": "2.8.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.8",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Steven Julian (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Popup Anything.\u003cp\u003eThis issue affects Popup Anything: from n/a through 2.8.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Popup Anything.This issue affects Popup Anything: from n/a through 2.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:38.398Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/popup-anything-on-click/wordpress-popup-anything-plugin-2-8-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 2.8.1 or a higher version."
}
],
"value": "Update to 2.8.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Popup Anything plugin \u003c= 2.8 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-32601",
"datePublished": "2024-04-18T08:19:59.086Z",
"dateReserved": "2024-04-15T10:26:32.016Z",
"dateUpdated": "2026-04-28T16:09:38.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32656 (GCVE-0-2024-32656)
Vulnerability from cvelistv5 – Published: 2024-04-22 22:16 – Updated: 2024-08-02 02:13
VLAI
Title
Ant Media Server vulnerable to local privilege escalation
Summary
Ant Media Server is live streaming engine software. A local privilege escalation vulnerability in present in versions 2.6.0 through 2.8.2 allows any unprivileged operating system user account to escalate privileges to the root user account on the system. This vulnerability arises from Ant Media Server running with Java Management Extensions (JMX) enabled and authentication disabled on localhost on port 5599/TCP. This vulnerability is nearly identical to the local privilege escalation vulnerability CVE-2023-26269 identified in Apache James. Any unprivileged operating system user can connect to the JMX service running on port 5599/TCP on localhost and leverage the MLet Bean within JMX to load a remote MBean from an attacker-controlled server. This allows an attacker to execute arbitrary code within the Java process run by Ant Media Server and execute code within the context of the `antmedia` service account on the system. Version 2.9.0 contains a patch for the issue. As a workaround, one may remove certain parameters from the `antmedia.service` file.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ant-media/Ant-Media-Server/sec… | x_refsource_CONFIRM |
| https://github.com/ant-media/Ant-Media-Server/com… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ant-media | Ant-Media-Server |
Affected:
>= 2.6.0, < 2.9.0
|
|
| ant-media | Ant-Media-Server |
Affected:
2.6.0
cpe:2.3:a:ant-media:Ant-Media-Server:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ant-media:Ant-Media-Server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "Ant-Media-Server",
"vendor": "ant-media",
"versions": [
{
"status": "affected",
"version": "2.6.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-24T20:57:26.041661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:50:22.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.308Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ant-media/Ant-Media-Server/security/advisories/GHSA-qwhw-hh9j-54f5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ant-media/Ant-Media-Server/security/advisories/GHSA-qwhw-hh9j-54f5"
},
{
"name": "https://github.com/ant-media/Ant-Media-Server/commit/9cb38500729e0ff302da0290b9cfe1ec4dd6c764",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ant-media/Ant-Media-Server/commit/9cb38500729e0ff302da0290b9cfe1ec4dd6c764"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Ant-Media-Server",
"vendor": "ant-media",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 2.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ant Media Server is live streaming engine software. A local privilege escalation vulnerability in present in versions 2.6.0 through 2.8.2 allows any unprivileged operating system user account to escalate privileges to the root user account on the system. This vulnerability arises from Ant Media Server running with Java Management Extensions (JMX) enabled and authentication disabled on localhost on port 5599/TCP. This vulnerability is nearly identical to the local privilege escalation vulnerability CVE-2023-26269 identified in Apache James. Any unprivileged operating system user can connect to the JMX service running on port 5599/TCP on localhost and leverage the MLet Bean within JMX to load a remote MBean from an attacker-controlled server. This allows an attacker to execute arbitrary code within the Java process run by Ant Media Server and execute code within the context of the `antmedia` service account on the system. Version 2.9.0 contains a patch for the issue. As a workaround, one may remove certain parameters from the `antmedia.service` file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-22T22:16:52.424Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ant-media/Ant-Media-Server/security/advisories/GHSA-qwhw-hh9j-54f5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ant-media/Ant-Media-Server/security/advisories/GHSA-qwhw-hh9j-54f5"
},
{
"name": "https://github.com/ant-media/Ant-Media-Server/commit/9cb38500729e0ff302da0290b9cfe1ec4dd6c764",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ant-media/Ant-Media-Server/commit/9cb38500729e0ff302da0290b9cfe1ec4dd6c764"
}
],
"source": {
"advisory": "GHSA-qwhw-hh9j-54f5",
"discovery": "UNKNOWN"
},
"title": "Ant Media Server vulnerable to local privilege escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32656",
"datePublished": "2024-04-22T22:16:52.424Z",
"dateReserved": "2024-04-16T14:15:26.877Z",
"dateUpdated": "2024-08-02T02:13:40.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32675 (GCVE-0-2024-32675)
Vulnerability from cvelistv5 – Published: 2024-04-24 15:26 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress Order Limit for WooCommerce plugin <= 2.0.0 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Xfinity Soft Order Limit for WooCommerce.This issue affects Order Limit for WooCommerce: from n/a through 2.0.0.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wc-… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Xfinity Soft | Order Limit for WooCommerce |
Affected:
n/a , ≤ 2.0.0
(custom)
|
|
| xfinity_soft | order_limit_for_woocommerce |
Affected:
*
cpe:2.3:a:xfinity_soft:order_limit_for_woocommerce:-:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xfinity_soft:order_limit_for_woocommerce:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "order_limit_for_woocommerce",
"vendor": "xfinity_soft",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32675",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-25T18:59:58.237280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:51:30.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wc-order-limit-lite/wordpress-order-limit-for-woocommerce-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wc-order-limit-lite",
"product": "Order Limit for WooCommerce",
"vendor": "Xfinity Soft",
"versions": [
{
"changes": [
{
"at": "2.0.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abdi Pranata (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Xfinity Soft Order Limit for WooCommerce.\u003cp\u003eThis issue affects Order Limit for WooCommerce: from n/a through 2.0.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Xfinity Soft Order Limit for WooCommerce.This issue affects Order Limit for WooCommerce: from n/a through 2.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:38.469Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wc-order-limit-lite/wordpress-order-limit-for-woocommerce-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 2.0.1 or a higher version."
}
],
"value": "Update to 2.0.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Order Limit for WooCommerce plugin \u003c= 2.0.0 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-32675",
"datePublished": "2024-04-24T15:26:55.624Z",
"dateReserved": "2024-04-17T08:55:34.509Z",
"dateUpdated": "2026-04-28T16:09:38.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32677 (GCVE-0-2024-32677)
Vulnerability from cvelistv5 – Published: 2024-04-24 15:24 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress LoginPress Pro plugin < 3.0.0 - Unauth. License Activation/Deactivation vulnerability
Summary
Missing Authorization vulnerability in LoginPress LoginPress Pro.This issue affects LoginPress Pro: from n/a before 3.0.0.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/log… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LoginPress | LoginPress Pro |
Affected:
n/a , < 3.0.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32677",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-26T20:02:33.397779Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:50:46.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.391Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/loginpress-pro/wordpress-loginpress-pro-plugin-2-5-3-unauth-license-activation-deactivation-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LoginPress Pro",
"vendor": "LoginPress",
"versions": [
{
"changes": [
{
"at": "3.0.0",
"status": "unaffected"
}
],
"lessThan": "3.0.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dave Jong (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in LoginPress LoginPress Pro.\u003cp\u003eThis issue affects LoginPress Pro: from n/a before 3.0.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in LoginPress LoginPress Pro.This issue affects LoginPress Pro: from n/a before 3.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:38.850Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/loginpress-pro/wordpress-loginpress-pro-plugin-2-5-3-unauth-license-activation-deactivation-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u00a03.0.0 or a higher version."
}
],
"value": "Update to\u00a03.0.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress LoginPress Pro plugin \u003c 3.0.0 - Unauth. License Activation/Deactivation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-32677",
"datePublished": "2024-04-24T15:24:52.047Z",
"dateReserved": "2024-04-17T08:55:34.509Z",
"dateUpdated": "2026-04-28T16:09:38.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32678 (GCVE-0-2024-32678)
Vulnerability from cvelistv5 – Published: 2024-04-24 15:21 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress TrackShip for WooCommerce plugin <= 1.7.5 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in TrackShip TrackShip for WooCommerce.This issue affects TrackShip for WooCommerce: from n/a through 1.7.5.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/tra… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TrackShip | TrackShip for WooCommerce |
Affected:
n/a , ≤ 1.7.5
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32678",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-25T18:34:54.270807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:51:06.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.470Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/trackship-for-woocommerce/wordpress-trackship-for-woocommerce-plugin-1-7-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "trackship-for-woocommerce",
"product": "TrackShip for WooCommerce",
"vendor": "TrackShip",
"versions": [
{
"changes": [
{
"at": "1.7.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.5",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dhabaleshwar Das (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in TrackShip TrackShip for WooCommerce.\u003cp\u003eThis issue affects TrackShip for WooCommerce: from n/a through 1.7.5.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in TrackShip TrackShip for WooCommerce.This issue affects TrackShip for WooCommerce: from n/a through 1.7.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:38.950Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/trackship-for-woocommerce/wordpress-trackship-for-woocommerce-plugin-1-7-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.7.6 or a higher version."
}
],
"value": "Update to 1.7.6 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress TrackShip for WooCommerce plugin \u003c= 1.7.5 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-32678",
"datePublished": "2024-04-24T15:21:56.375Z",
"dateReserved": "2024-04-17T08:55:34.510Z",
"dateUpdated": "2026-04-28T16:09:38.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32679 (GCVE-0-2024-32679)
Vulnerability from cvelistv5 – Published: 2024-04-23 14:12 – Updated: 2026-04-28 16:09
VLAI
Title
WordPress Shared Files plugin <= 1.7.16 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.This issue affects Shared Files: from n/a through <= 1.7.16.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
| https://patchstack.com/database/vulnerability/sha… | vdb-entryx_transferred |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Anssi Laitila | Shared Files |
Affected:
0 , ≤ 1.7.16
(custom)
|
|
| tammersoft | shared_files |
Affected:
0 , ≤ 1.7.16
(semver)
cpe:2.3:a:tammersoft:shared_files:*:*:*:*:*:*:*:* |
Date Public
2026-04-01 16:25
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tammersoft:shared_files:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "shared_files",
"vendor": "tammersoft",
"versions": [
{
"lessThanOrEqual": "1.7.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32679",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T15:44:33.541573Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T17:33:14.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.473Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/shared-files/wordpress-shared-files-plugin-1-7-16-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "shared-files",
"product": "Shared Files",
"vendor": "Anssi Laitila",
"versions": [
{
"changes": [
{
"at": "1.7.17",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dhabaleshwar Das | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:25:07.634Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.\u003cp\u003eThis issue affects Shared Files: from n/a through \u003c= 1.7.16.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.This issue affects Shared Files: from n/a through \u003c= 1.7.16."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:38.868Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/shared-files/vulnerability/wordpress-shared-files-plugin-1-7-16-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Shared Files plugin \u003c= 1.7.16 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-32679",
"datePublished": "2024-04-23T14:12:12.927Z",
"dateReserved": "2024-04-17T08:55:34.510Z",
"dateUpdated": "2026-04-28T16:09:38.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3268 (GCVE-0-2024-3268)
Vulnerability from cvelistv5 – Published: 2024-05-21 11:33 – Updated: 2026-04-08 16:35
VLAI
Title
YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress <= 3.3.6 - Missing Authorization to Arbitrary Post/Page Creation
Summary
The YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the emd_form_builder_lite_submit_form function in all versions up to, and including, 3.3.6. This makes it possible for unauthenticated attackers to create arbitrary posts or pages.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| emarket-design | Video Gallery – YouTube Gallery & Responsive Video Playlist |
Affected:
0 , ≤ 3.3.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3268",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T14:38:56.840450Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:32:54.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:08.218Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e9d5382-d37d-4a40-8f22-e32b8ee98859?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3088363/youtube-showcase"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Video Gallery \u2013 YouTube Gallery \u0026 Responsive Video Playlist",
"vendor": "emarket-design",
"versions": [
{
"lessThanOrEqual": "3.3.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The YouTube Video Gallery by YouTube Showcase \u2013 Video Gallery Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the emd_form_builder_lite_submit_form function in all versions up to, and including, 3.3.6. This makes it possible for unauthenticated attackers to create arbitrary posts or pages."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:35:31.722Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e9d5382-d37d-4a40-8f22-e32b8ee98859?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3088363/youtube-showcase"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-08T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-05-20T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "YouTube Video Gallery by YouTube Showcase \u2013 Video Gallery Plugin for WordPress \u003c= 3.3.6 - Missing Authorization to Arbitrary Post/Page Creation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3268",
"datePublished": "2024-05-21T11:33:17.396Z",
"dateReserved": "2024-04-03T17:19:50.376Z",
"dateUpdated": "2026-04-08T16:35:31.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.