CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2025-1483 (GCVE-0-2025-1483)
Vulnerability from cvelistv5 – Published: 2025-02-20 09:21 – Updated: 2026-04-08 16:34- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| enituretechnology | LTL Freight Quotes – GlobalTranz Edition |
Affected:
0 , ≤ 2.3.12
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1483",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T14:29:11.041280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T14:29:19.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LTL Freight Quotes \u2013 GlobalTranz Edition",
"vendor": "enituretechnology",
"versions": [
{
"lessThanOrEqual": "2.3.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Colin Xu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LTL Freight Quotes \u2013 GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to update the drop shipping settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:34:23.629Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0906e9b0-5093-4ddd-8868-8fcaad8e3a5b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3243002/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-19T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "LTL Freight Quotes \u2013 GlobalTranz Edition \u003c= 2.3.12 - Missing Authorization to Unauthenticated Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1483",
"datePublished": "2025-02-20T09:21:35.504Z",
"dateReserved": "2025-02-19T21:13:44.386Z",
"dateUpdated": "2026-04-08T16:34:23.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14843 (GCVE-0-2025-14843)
Vulnerability from cvelistv5 – Published: 2026-01-24 07:26 – Updated: 2026-04-08 17:17- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| wizit | Wizit Gateway for WooCommerce |
Affected:
0 , ≤ 1.2.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-26T15:34:01.390359Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T15:44:44.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wizit Gateway for WooCommerce",
"vendor": "wizit",
"versions": [
{
"lessThanOrEqual": "1.2.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "MD. TAREQ AHAMED JONY"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the \u0027handle_checkout_redirecturl_response\u0027 function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:17:28.159Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6926c2c-79d4-477c-a2eb-ba62545f2e2b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wizit-gateway-for-woocommerce/tags/1.2.9/class-wizit-gateway.php?marks=1249,1341-1349#L1249"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-15T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-23T19:23:49.000Z",
"value": "Disclosed"
}
],
"title": "Wizit Gateway for WooCommerce \u003c= 1.2.9 - Missing Authentication to Unauthenticated Arbitrary Order Cancellation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14843",
"datePublished": "2026-01-24T07:26:46.217Z",
"dateReserved": "2025-12-17T18:02:47.010Z",
"dateUpdated": "2026-04-08T17:17:28.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14854 (GCVE-0-2025-14854)
Vulnerability from cvelistv5 – Published: 2026-01-14 05:28 – Updated: 2026-04-08 17:27- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| nofearinc | WP-CRM System – Manage Clients and Projects |
Affected:
0 , ≤ 3.4.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T17:26:11.009304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T17:26:26.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP-CRM System \u2013 Manage Clients and Projects",
"vendor": "nofearinc",
"versions": [
{
"lessThanOrEqual": "3.4.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Teerachai Somprasong"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses. \tCVE-2025-62106 is likely a duplicate of this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:27:19.435Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/da607df4-1dbb-4b1e-ace6-b339cf9e8512?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-functions.php?marks=942-975#L942"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-dashboard-task-list.php?marks=177-190#L177"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.6/includes/wcs-functions.php?marks=942-975#L942"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-16T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-13T16:44:00.000Z",
"value": "Disclosed"
}
],
"title": "WP-CRM System \u2013 Manage Clients and Projects \u003c= 3.4.5 - Missing Authorization to Authenticated (Subscriber+) CRM Data Exposure and Task Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14854",
"datePublished": "2026-01-14T05:28:12.974Z",
"dateReserved": "2025-12-17T20:47:41.920Z",
"dateUpdated": "2026-04-08T17:27:19.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14864 (GCVE-0-2025-14864)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-04-08 17:06- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| virusdie | Virusdie – One-click website security |
Affected:
0 , ≤ 1.1.7
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:09:07.048518Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:09:20.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Virusdie \u2013 One-click website security",
"vendor": "virusdie",
"versions": [
{
"lessThanOrEqual": "1.1.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sushi Com Abacate"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site\u0027s Virusdie API key, which could be used to access the site owner\u0027s Virusdie account and potentially compromise site security."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:29.314Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8ef2e0b1-52ef-4f70-9e95-d010a586d060?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/virusdie/trunk/inc/class-virusdie.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/browser/virusdie/trunk/inc/tools/class-virusdie-behavior.php#L240"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3450727%40virusdie\u0026new=3450727%40virusdie\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Virusdie \u003c= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) API Key Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14864",
"datePublished": "2026-02-19T04:36:18.706Z",
"dateReserved": "2025-12-18T01:15:36.057Z",
"dateUpdated": "2026-04-08T17:06:29.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14880 (GCVE-0-2025-14880)
Vulnerability from cvelistv5 – Published: 2026-01-14 05:28 – Updated: 2026-04-08 16:59- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| netcashpaynow | Netcash WooCommerce Payment Gateway |
Affected:
0 , ≤ 4.1.3
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14880",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T15:44:34.559599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:16:52.390Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Netcash WooCommerce Payment Gateway",
"vendor": "netcashpaynow",
"versions": [
{
"lessThanOrEqual": "4.1.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:59:13.217Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ca11df6-83e3-48b5-84b8-3f3e4f75ac4a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/netcash-pay-now-payment-gateway-for-woocommerce/tags/4.1.3/includes/class-wc-gateway-paynow.php#L1127"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3438674/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-13T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-13T17:16:35.000Z",
"value": "Disclosed"
}
],
"title": "Netcash WooCommerce Payment Gateway \u003c= 4.1.3 - Missing Authorization to Unauthenticated Order Status Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14880",
"datePublished": "2026-01-14T05:28:09.641Z",
"dateReserved": "2025-12-18T11:31:02.534Z",
"dateUpdated": "2026-04-08T16:59:13.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14886 (GCVE-0-2025-14886)
Vulnerability from cvelistv5 – Published: 2026-01-09 04:31 – Updated: 2026-04-08 16:51- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| shoheitanaka | Japanized for WooCommerce |
Affected:
0 , ≤ 2.7.17
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14886",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T18:17:25.306119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:17:33.884Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Japanized for WooCommerce",
"vendor": "shoheitanaka",
"versions": [
{
"lessThanOrEqual": "2.7.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processed/completed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:51:07.402Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bf3248a-f235-472c-b751-96ac9838b27f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.7.17/includes/gateways/paidy/class-wc-paidy-endpoint.php#L51"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-13T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-18T17:14:50.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T16:20:49.000Z",
"value": "Disclosed"
}
],
"title": "Japanized for WooCommerce \u003c= 2.7.17 - Missing Authorization to Unauthenticated Order Status Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14886",
"datePublished": "2026-01-09T04:31:05.133Z",
"dateReserved": "2025-12-18T12:39:35.788Z",
"dateUpdated": "2026-04-08T16:51:07.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14895 (GCVE-0-2025-14895)
Vulnerability from cvelistv5 – Published: 2026-02-10 09:26 – Updated: 2026-04-08 17:19- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| roxnor | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers |
Affected:
0 , ≤ 2.2.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T16:08:34.765978Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T16:10:07.358Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers",
"vendor": "roxnor",
"versions": [
{
"lessThanOrEqual": "2.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:19:50.834Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c13bb699-f065-4065-9ea5-bb86d24e09ab?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php#L145"
},
{
"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php#L32"
},
{
"url": "https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Popup.php#L85"
},
{
"url": "https://research.cleantalk.org/cve-2025-14895"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3421671/popup-builder-block/trunk/includes/Routes/Popup.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-03T22:04:16.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-09T20:31:47.000Z",
"value": "Disclosed"
}
],
"title": "PopupKit \u003c= 2.2.0 - Missing Authorization to Sensitive Information Disclosure and Data Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14895",
"datePublished": "2026-02-10T09:26:06.042Z",
"dateReserved": "2025-12-18T16:04:05.446Z",
"dateUpdated": "2026-04-08T17:19:50.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14901 (GCVE-0-2025-14901)
Vulnerability from cvelistv5 – Published: 2026-01-07 06:35 – Updated: 2026-04-08 16:33- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| bitpressadmin | Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder |
Affected:
0 , ≤ 2.21.6
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-07T14:52:47.173907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T16:14:30.203Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Bit Form \u2013 Custom Contact Form, Multi Step, Conversational Form \u0026 Payment Form builder",
"vendor": "bitpressadmin",
"versions": [
{
"lessThanOrEqual": "2.21.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "andrea bocchetti"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bit Form \u2013 Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only blocks requests when both the nonce verification fails and the user is logged in. This makes it possible for unauthenticated attackers to replay form workflow executions and trigger all configured integrations including webhooks, email notifications, CRM integrations, and automation platforms via the bitforms_trigger_workflow AJAX action granted they can obtain the entry ID and log IDs from a legitimate form submission response."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:33:04.061Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0402e4a6-73ba-49e6-bf80-997ac83b4cfe?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bit-form/tags/2.21.6/includes/Frontend/Ajax/FrontendAjax.php#L146"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bit-form/tags/2.21.6/includes/Frontend/Ajax/FrontendAjax.php#L30"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3429172%40bit-form%2Ftrunk\u0026old=3420966%40bit-form%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file827"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-18T16:48:55.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-06T17:34:11.000Z",
"value": "Disclosed"
}
],
"title": "Bit Form \u2013 Contact Form Plugin \u003c= 2.21.6 - Missing Authorization to Unauthenticated Workflow Replay"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14901",
"datePublished": "2026-01-07T06:35:57.705Z",
"dateReserved": "2025-12-18T16:33:20.699Z",
"dateUpdated": "2026-04-08T16:33:04.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14913 (GCVE-0-2025-14913)
Vulnerability from cvelistv5 – Published: 2025-12-25 23:20 – Updated: 2026-04-08 16:37- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| wpshuffle | Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin |
Affected:
0 , ≤ 1.2.6
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14913",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-26T14:49:18.855238Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-26T14:51:18.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Frontend Post Submission Manager Lite \u2013 Frontend Posting WordPress Plugin",
"vendor": "wpshuffle",
"versions": [
{
"lessThanOrEqual": "1.2.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Frontend Post Submission Manager Lite \u2013 Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the \u0027media_delete_action\u0027 function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:37:55.266Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19a6b19c-244d-4b30-8db2-b4d06a5f5509?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.6/includes/classes/class-fpsml-ajax.php#L91"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3427082/frontend-post-submission-manager-lite"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-18T19:44:42.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-25T11:05:20.000Z",
"value": "Disclosed"
}
],
"title": "Frontend Post Submission Manager Lite \u003c= 1.2.6 - Incorrect Authorization to Unauthenticated Arbitrary Attachment Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14913",
"datePublished": "2025-12-25T23:20:02.743Z",
"dateReserved": "2025-12-18T19:29:05.828Z",
"dateUpdated": "2026-04-08T16:37:55.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14944 (GCVE-0-2025-14944)
Vulnerability from cvelistv5 – Published: 2026-04-07 16:26 – Updated: 2026-04-08 17:12- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| inisev | BackupBliss – Backup & Migration with Free Cloud Storage |
Affected:
0 , ≤ 2.0.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14944",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T18:28:36.678542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T18:28:56.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BackupBliss \u2013 Backup \u0026 Migration with Free Cloud Storage",
"vendor": "inisev",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafa\u0142"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the \u0027initializeOfflineAjax\u0027 function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin\u0027s JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:12:41.782Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29"
},
{
"url": "https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old=3386897\u0026old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php\u0026new=3449635\u0026new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-06T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Backup Migration \u003c= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14944",
"datePublished": "2026-04-07T16:26:24.676Z",
"dateReserved": "2025-12-19T00:55:56.950Z",
"dateUpdated": "2026-04-08T17:12:41.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.