CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2025-12809 (GCVE-0-2025-12809)
Vulnerability from cvelistv5 – Published: 2025-12-16 05:25 – Updated: 2026-04-08 16:53- CWE-862 - Missing Authorization
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12809",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T17:29:24.180260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T17:36:28.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dokan Pro",
"vendor": "wedevs",
"versions": [
{
"lessThanOrEqual": "4.1.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ahmed Rayen Ayari"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Dokan Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/dokan/v1/wholesale/register` REST API endpoint in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to enumerate users and retrieve their email addresses via the REST API by providing a user ID, along with other information such as usernames, display names, user roles, and registration dates."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:53:00.867Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/534557b0-16d2-4a77-a118-b66fc7474ecf?source=cve"
},
{
"url": "https://dokan.co/wordpress/changelog/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-29T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-06T16:27:25.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-15T16:39:50.000Z",
"value": "Disclosed"
}
],
"title": "dokan pro \u003c= 4.1.3 - Missing Authorization to Unauthenticated Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12809",
"datePublished": "2025-12-16T05:25:20.504Z",
"dateReserved": "2025-11-06T16:12:03.255Z",
"dateUpdated": "2026-04-08T16:53:00.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12817 (GCVE-0-2025-12817)
Vulnerability from cvelistv5 – Published: 2025-11-13 13:00 – Updated: 2025-11-13 13:59- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | PostgreSQL |
Affected:
18 , < 18.1
(rpm)
Affected: 17 , < 17.7 (rpm) Affected: 16 , < 16.11 (rpm) Affected: 15 , < 15.15 (rpm) Affected: 14 , < 14.20 (rpm) Affected: 0 , < 13.23 (rpm) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12817",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T13:59:49.176346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T13:59:54.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PostgreSQL",
"vendor": "n/a",
"versions": [
{
"lessThan": "18.1",
"status": "affected",
"version": "18",
"versionType": "rpm"
},
{
"lessThan": "17.7",
"status": "affected",
"version": "17",
"versionType": "rpm"
},
{
"lessThan": "16.11",
"status": "affected",
"version": "16",
"versionType": "rpm"
},
{
"lessThan": "15.15",
"status": "affected",
"version": "15",
"versionType": "rpm"
},
{
"lessThan": "14.20",
"status": "affected",
"version": "14",
"versionType": "rpm"
},
{
"lessThan": "13.23",
"status": "affected",
"version": "0",
"versionType": "rpm"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "attacker owns a table or has permission to create objects (temporary objects or non-temporary objects in at least one schema)"
}
],
"credits": [
{
"lang": "en",
"value": "The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem."
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T13:00:12.160Z",
"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"shortName": "PostgreSQL"
},
"references": [
{
"url": "https://www.postgresql.org/support/security/CVE-2025-12817/"
}
],
"title": "PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege"
}
},
"cveMetadata": {
"assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"assignerShortName": "PostgreSQL",
"cveId": "CVE-2025-12817",
"datePublished": "2025-11-13T13:00:12.160Z",
"dateReserved": "2025-11-06T17:22:31.286Z",
"dateUpdated": "2025-11-13T13:59:54.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12822 (GCVE-0-2025-12822)
Vulnerability from cvelistv5 – Published: 2025-11-19 05:45 – Updated: 2026-04-08 17:10- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| cyberlord92 | WP Login and Register using JWT |
Affected:
0 , ≤ 3.0.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12822",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T18:43:07.788647Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T18:43:17.593Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Login and Register using JWT",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "3.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027mo_jwt_generate_new_api_key\u0027 function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on site\u0027s that do not have an API key configured and subsequently use that to access restricted endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:10:14.150Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/966523a4-3d4b-444b-b9d0-63c72527a99f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3397900%40login-register-using-jwt\u0026new=3397900%40login-register-using-jwt\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-06T19:00:51.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T17:17:49.000Z",
"value": "Disclosed"
}
],
"title": "WP Login and Register using JWT \u003c= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12822",
"datePublished": "2025-11-19T05:45:15.251Z",
"dateReserved": "2025-11-06T18:44:15.837Z",
"dateUpdated": "2026-04-08T17:10:14.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12825 (GCVE-0-2025-12825)
Vulnerability from cvelistv5 – Published: 2026-01-17 04:34 – Updated: 2026-04-08 17:16- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| zealopensource | User Registration Using Contact Form 7 |
Affected:
0 , ≤ 2.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T18:34:21.355448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T18:34:56.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "User Registration Using Contact Form 7",
"vendor": "zealopensource",
"versions": [
{
"lessThanOrEqual": "2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027get_cf7_form_data\u0027 function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:16:59.140Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b49978c1-9254-4229-8d32-e12896301f3d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3433276%40user-registration-using-contact-form-7\u0026new=3433276%40user-registration-using-contact-form-7\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "User Registration Using Contact Form 7 \u003c= 2.5 - Authenticated (Subscriber+) Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12825",
"datePublished": "2026-01-17T04:34:02.212Z",
"dateReserved": "2025-11-06T19:06:39.317Z",
"dateUpdated": "2026-04-08T17:16:59.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12826 (GCVE-0-2025-12826)
Vulnerability from cvelistv5 – Published: 2025-12-04 06:48 – Updated: 2026-04-08 17:06- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| webdevstudios | Custom Post Type UI |
Affected:
0 , ≤ 1.18.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12826",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T17:21:52.610540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T17:22:05.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Custom Post Type UI",
"vendor": "webdevstudios",
"versions": [
{
"lessThanOrEqual": "1.18.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "mahdi salhi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the \"cptui_process_post_type\" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:50.072Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90d203b1-9426-4eff-b566-02c8a1c6adfa?source=cve"
},
{
"url": "https://github.com/WebDevStudios/custom-post-type-ui/commit/215779a5ac0c624f0dcf875e87305b4898d5bcf9"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-29T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-19T16:47:37.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-03T18:13:21.000Z",
"value": "Disclosed"
}
],
"title": "Custom Post Type UI \u003c= 1.18.0 - Missing Authorization to Unauthenticated (Previously Administrator+) Custom Post Type Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12826",
"datePublished": "2025-12-04T06:48:40.592Z",
"dateReserved": "2025-11-06T19:14:37.111Z",
"dateUpdated": "2026-04-08T17:06:50.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12845 (GCVE-0-2025-12845)
Vulnerability from cvelistv5 – Published: 2026-02-19 03:25 – Updated: 2026-02-19 17:41- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| essekia | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent |
Affected:
0.5.4 , ≤ 1.2.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12845",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T17:07:25.532402Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T17:41:17.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tablesome Table \u2013 Contact Form DB \u2013 WPForms, CF7, Gravity, Forminator, Fluent",
"vendor": "essekia",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "0.5.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tablesome Table \u2013 Contact Form DB \u2013 WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve plugin table data that can expose email log information. Attackers can leverage this on sites where the table log is enabled in order to trigger a password reset and obtain the reset key."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T03:25:17.846Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a22b2724-2541-4345-bd42-e8a5844f3f0a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3447966"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Tablesome Table \u2013 Contact Form DB \u2013 WPForms, CF7, Gravity, Forminator, Fluent 0.5.4 - 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12845",
"datePublished": "2026-02-19T03:25:17.846Z",
"dateReserved": "2025-11-06T20:32:56.357Z",
"dateUpdated": "2026-02-19T17:41:17.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12847 (GCVE-0-2025-12847)
Vulnerability from cvelistv5 – Published: 2025-11-15 05:45 – Updated: 2026-04-08 16:33- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| smub | All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic |
Affected:
0 , ≤ 4.8.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12847",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-17T18:42:37.154492Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T18:42:46.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings \u0026 Increase Traffic",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "4.8.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings \u0026 Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:33:27.132Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05abc09f-903b-45a9-8cde-1bf8fd5d7d44?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Api.php#L192"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Ai.php#L542"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Ai/Image.php#L192"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Utils/Access.php#L184"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3393820%40all-in-one-seo-pack\u0026old=3384131%40all-in-one-seo-pack\u0026sfp_email=\u0026sfph_mail=#file1387"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-06T21:20:07.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-14T16:58:45.000Z",
"value": "Disclosed"
}
],
"title": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings \u0026 Increase Traffic \u003c= 4.8.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Media Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12847",
"datePublished": "2025-11-15T05:45:32.963Z",
"dateReserved": "2025-11-06T21:04:39.818Z",
"dateUpdated": "2026-04-08T16:33:27.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12849 (GCVE-0-2025-12849)
Vulnerability from cvelistv5 – Published: 2025-11-15 06:41 – Updated: 2026-04-08 17:28- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| contest-gallery | Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe |
Affected:
0 , ≤ 28.0.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12849",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-17T19:01:28.652320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T19:01:33.905Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Contest Gallery \u2013 Upload \u0026 Vote Photos, Media, Sell with PayPal \u0026 Stripe",
"vendor": "contest-gallery",
"versions": [
{
"lessThanOrEqual": "28.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks or nonce verification. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments into galleries and manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:28:36.066Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e000c4ad-43ec-4ad0-89f9-74e9e6d8b917?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/include-functions-v10.php#L42"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/include-functions-v10.php#L47"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/include-functions-v10.php#L64"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/v10-admin/gallery/wp-uploader.php#L15"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contest-gallery/tags/28.0.2/v10/v10-admin/gallery/wp-uploader.php#L173"
},
{
"url": "https://wordpress.org/plugins/contest-gallery/#developers"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-06T21:54:06.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-14T18:27:20.000Z",
"value": "Disclosed"
}
],
"title": "Contest Gallery \u003c= 28.0.2 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12849",
"datePublished": "2025-11-15T06:41:31.470Z",
"dateReserved": "2025-11-06T21:38:51.157Z",
"dateUpdated": "2026-04-08T17:28:36.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1285 (GCVE-0-2025-1285)
Vulnerability from cvelistv5 – Published: 2025-03-14 04:22 – Updated: 2026-04-08 16:45- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| SmartDataSoft | Resido - Real Estate WordPress Theme |
Affected:
0 , ≤ 3.6
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1285",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-14T15:12:44.709788Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T15:13:58.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Resido - Real Estate WordPress Theme",
"vendor": "SmartDataSoft",
"versions": [
{
"lessThanOrEqual": "3.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to internal services and update API key details."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:45:53.732Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3512ce8f-b7a6-4a6f-a141-bca08c183882?source=cve"
},
{
"url": "https://themeforest.net/item/resido-real-estate-wordpress-theme/31804443"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Resido - Real Estate WordPress Theme \u003c= 3.6 - Missing Authorization to Unauthenticated Server-Side Request Forgery and API Key Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1285",
"datePublished": "2025-03-14T04:22:32.126Z",
"dateReserved": "2025-02-13T17:58:40.682Z",
"dateUpdated": "2026-04-08T16:45:53.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12876 (GCVE-0-2025-12876)
Vulnerability from cvelistv5 – Published: 2025-12-05 09:27 – Updated: 2026-04-08 17:09- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| projectopia | Projectopia – Project Management Tool |
Affected:
0 , ≤ 5.1.19
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T12:48:22.781630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T12:48:35.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Projectopia \u2013 Project Management Tool",
"vendor": "projectopia",
"versions": [
{
"lessThanOrEqual": "5.1.19",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Projectopia \u2013 WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete arbitrary attachments."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:09:48.324Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/940c6a27-05a2-4eca-89ee-b483f88b9524?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/projectopia-core/trunk/includes/functions/general/general_functions.php#L389"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3417635/projectopia-core/trunk/includes/functions/general/general_functions.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-04T20:37:48.000Z",
"value": "Disclosed"
}
],
"title": "Projectopia \u2013 WordPress Project Management \u003c= 5.1.19 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12876",
"datePublished": "2025-12-05T09:27:02.882Z",
"dateReserved": "2025-11-07T15:34:35.396Z",
"dateUpdated": "2026-04-08T17:09:48.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.