Common Weakness Enumeration

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2026-4281 (GCVE-0-2026-4281)

Vulnerability from cvelistv5 – Published: 2026-03-26 03:37 – Updated: 2026-04-08 17:13
VLAI
Title
FormLift for Infusionsoft Web Forms <= 7.5.21 - Missing Authorization to Unauthenticated Infusionsoft Connection Hijack via OAuth Connection Flow
Summary
The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class, both of which are hooked to 'plugins_loaded' and execute on every page load. The connect() function generates an OAuth connection password and leaks it in the redirect Location header without verifying the requesting user is authenticated or authorized. The listen_for_tokens() function only validates the temporary password but performs no user authentication before calling update_option() to save attacker-controlled OAuth tokens and app domain. This makes it possible for unauthenticated attackers to hijack the site's Infusionsoft connection by first triggering the OAuth flow to obtain the temporary password, then using that password to set arbitrary OAuth tokens and app domain via update_option(), effectively redirecting the plugin's API communication to an attacker-controlled server.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
Nabil Irawan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4281",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T14:11:44.213872Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T15:02:13.589Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "FormLift for Infusionsoft Web Forms",
          "vendor": "trainingbusinesspros",
          "versions": [
            {
              "lessThanOrEqual": "7.5.21",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nabil Irawan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class, both of which are hooked to \u0027plugins_loaded\u0027 and execute on every page load. The connect() function generates an OAuth connection password and leaks it in the redirect Location header without verifying the requesting user is authenticated or authorized. The listen_for_tokens() function only validates the temporary password but performs no user authentication before calling update_option() to save attacker-controlled OAuth tokens and app domain. This makes it possible for unauthenticated attackers to hijack the site\u0027s Infusionsoft connection by first triggering the OAuth flow to obtain the temporary password, then using that password to set arbitrary OAuth tokens and app domain via update_option(), effectively redirecting the plugin\u0027s API communication to an attacker-controlled server."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:13:28.717Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a65cc674-a0ea-46b9-b609-b184e1f7ca8e?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/formlift/trunk/modules/api/infusionsoft-manager.php#L64"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/formlift/tags/7.5.21/modules/api/infusionsoft-manager.php#L64"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/formlift/trunk/modules/api/infusionsoft-manager.php#L62"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/formlift/tags/7.5.21/modules/api/infusionsoft-manager.php#L62"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/formlift/trunk/modules/api/infusionsoft-manager.php#L21"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/formlift/tags/7.5.21/modules/api/infusionsoft-manager.php#L21"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/formlift/trunk/modules/api/infusionsoft-manager.php#L46"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/formlift/tags/7.5.21/modules/api/infusionsoft-manager.php#L46"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3490212%40formlift\u0026new=3490212%40formlift\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-16T19:16:26.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-25T14:51:55.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "FormLift for Infusionsoft Web Forms \u003c= 7.5.21 - Missing Authorization to Unauthenticated Infusionsoft Connection Hijack via OAuth Connection Flow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4281",
    "datePublished": "2026-03-26T03:37:28.487Z",
    "dateReserved": "2026-03-16T15:52:40.406Z",
    "dateUpdated": "2026-04-08T17:13:28.717Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4283 (GCVE-0-2026-4283)

Vulnerability from cvelistv5 – Published: 2026-03-24 04:27 – Updated: 2026-04-08 16:41
VLAI
Title
WP DSGVO Tools (GDPR) <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users
Summary
The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
legalweb WP DSGVO Tools (GDPR) Affected: 0 , ≤ 3.1.38 (semver)
Create a notification for this product.
Credits
Angus Girvan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4283",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T13:18:37.216159Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T13:18:49.435Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP DSGVO Tools (GDPR)",
          "vendor": "legalweb",
          "versions": [
            {
              "lessThanOrEqual": "3.1.38",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Angus Girvan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim\u0027s email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:41:24.691Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21389122-cb39-45d1-a889-b830d3a55603?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php#L39"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/models/unsubscriber.php#L24"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/class-sp-dsgvo-data-collecter.php#L250"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/trunk/public/shortcodes/super-unsubscribe/unsubscribe-form-action.php#L39"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/class-sp-dsgvo-ajax-action.php#L69"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?old_path=/shapepress-dsgvo/tags/3.1.38\u0026new_path=/shapepress-dsgvo/tags/3.1.39"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-16T19:16:29.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-23T16:27:36.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP DSGVO Tools (GDPR) \u003c= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4283",
    "datePublished": "2026-03-24T04:27:50.054Z",
    "dateReserved": "2026-03-16T16:17:14.969Z",
    "dateUpdated": "2026-04-08T16:41:24.691Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42851 (GCVE-0-2026-42851)

Vulnerability from cvelistv5 – Published: 2026-06-12 20:00 – Updated: 2026-06-16 13:12
VLAI
Title
@kitty-edit DCS + --color=geninclude vulnerable to Unauthenticated in-process RCE
Summary
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
  • CWE-862 - Missing Authorization
Assigner
References
Impacted products
Vendor Product Version
kovidgoyal kitty Affected: < 0.47.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42851",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T03:56:02.774347Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T13:12:55.145Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kitty",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.47.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal \u2014 a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. \u2014 can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user\u0027s full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T20:00:23.386Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/kitty/security/advisories/GHSA-w98g-hpvr-r332",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/kitty/security/advisories/GHSA-w98g-hpvr-r332"
        }
      ],
      "source": {
        "advisory": "GHSA-w98g-hpvr-r332",
        "discovery": "UNKNOWN"
      },
      "title": "@kitty-edit DCS + --color=geninclude vulnerable to Unauthenticated in-process RCE"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42851",
    "datePublished": "2026-06-12T20:00:23.386Z",
    "dateReserved": "2026-04-30T16:44:48.378Z",
    "dateUpdated": "2026-06-16T13:12:55.145Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4290 (GCVE-0-2026-4290)

Vulnerability from cvelistv5 – Published: 2026-05-29 14:29 – Updated: 2026-05-29 15:03
VLAI
Title
WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators
Summary
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
WPTravel WP Travel Pro Affected: 0 , ≤ 10.6.0 (semver)
Create a notification for this product.
Credits
Ren Voza
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4290",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T15:03:49.351480Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T15:03:55.782Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP Travel Pro",
          "vendor": "WPTravel",
          "versions": [
            {
              "lessThanOrEqual": "10.6.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ren Voza"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-29T14:29:08.134Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/885dd550-4c80-4e36-8dae-cb47c1500ea5?source=cve"
        },
        {
          "url": "https://wptravel.io/wp-travel-pro/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-28T14:22:39.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP Travel Pro \u003c= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4290",
    "datePublished": "2026-05-29T14:29:08.134Z",
    "dateReserved": "2026-03-16T16:54:44.082Z",
    "dateUpdated": "2026-05-29T15:03:55.782Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4292 (GCVE-0-2026-4292)

Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-04-07 15:12
VLAI
Title
Privilege abuse in ModelAdmin.list_editable
Summary
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
DSF
Impacted products
Vendor Product Version
djangoproject Django Affected: 6.0 , < 6.0.4 (semver)
Unaffected: 6.0.4 (semver)
Affected: 5.2 , < 5.2.13 (semver)
Unaffected: 5.2.13 (semver)
Affected: 4.2 , < 4.2.30 (semver)
Unaffected: 4.2.30 (semver)
Create a notification for this product.
Date Public
2026-04-07 09:00
Credits
Cantina Jacob Walls Jacob Walls
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 2.7,
              "baseSeverity": "LOW",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4292",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T15:12:50.786633Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T15:12:56.065Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.4",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.4",
              "versionType": "semver"
            },
            {
              "lessThan": "5.2.13",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "5.2.13",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.30",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.2.30",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Cantina"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jacob Walls"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jacob Walls"
        }
      ],
      "datePublic": "2026-04-07T09:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\u003c/p\u003e\u003cp\u003eAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\u003c/p\u003e\u003cp\u003einstances to be created via forged `POST` data.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Cantina for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.\nAdmin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new\r\ninstances to be created via forged `POST` data.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Cantina for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122: Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T14:22:38.254Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.4, 5.2.13, and 4.2.30",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/apr/07/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-11T12:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-03-16T12:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-04-07T09:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Privilege abuse in ModelAdmin.list_editable",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-4292",
    "datePublished": "2026-04-07T14:22:38.254Z",
    "dateReserved": "2026-03-16T16:58:02.592Z",
    "dateUpdated": "2026-04-07T15:12:56.065Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4297 (GCVE-0-2026-4297)

Vulnerability from cvelistv5 – Published: 2026-06-24 05:33 – Updated: 2026-06-24 14:50
VLAI
Title
Welcome Software Publishing <= 0.0.31 - Authenticated (Subscriber+) Arbitrary Options Update to Privilege Escalation via 'nc.setOption' XML-RPC Method
Summary
The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the nc_setOption() function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the user via $wp_xmlrpc_server->login() (verifying credentials are valid) but does not perform any authorization check such as current_user_can('manage_options'). This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary WordPress options via XML-RPC requests. This can be leveraged to change the default_role option to 'administrator' and then register a new administrator account, achieving full privilege escalation and site takeover.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
newscred Welcome Software Publishing Affected: 0 , ≤ 0.0.31 (semver)
Create a notification for this product.
Credits
Nabil Irawan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4297",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T14:49:59.958116Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T14:50:13.376Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Welcome Software Publishing",
          "vendor": "newscred",
          "versions": [
            {
              "lessThanOrEqual": "0.0.31",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nabil Irawan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the nc_setOption() function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the user via $wp_xmlrpc_server-\u003elogin() (verifying credentials are valid) but does not perform any authorization check such as current_user_can(\u0027manage_options\u0027). This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary WordPress options via XML-RPC requests. This can be leveraged to change the default_role option to \u0027administrator\u0027 and then register a new administrator account, achieving full privilege escalation and site takeover."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T05:33:24.530Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/47e53fd3-4e3f-433a-8e70-3a58c864184a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/newscred-publishing/trunk/newscred.php#L272"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/newscred-publishing/tags/0.0.31/newscred.php#L272"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/newscred-publishing/trunk/newscred.php#L264"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/newscred-publishing/tags/0.0.31/newscred.php#L264"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/newscred-publishing/trunk/newscred.php#L265"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/newscred-publishing/tags/0.0.31/newscred.php#L265"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/newscred-publishing/trunk/newscred.php#L44"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/newscred-publishing/tags/0.0.31/newscred.php#L44"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-23T16:42:18.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Welcome Software Publishing \u003c= 0.0.31 - Authenticated (Subscriber+) Arbitrary Options Update to Privilege Escalation via \u0027nc.setOption\u0027 XML-RPC Method"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4297",
    "datePublished": "2026-06-24T05:33:24.530Z",
    "dateReserved": "2026-03-16T18:58:52.144Z",
    "dateUpdated": "2026-06-24T14:50:13.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4298 (GCVE-0-2026-4298)

Vulnerability from cvelistv5 – Published: 2026-07-09 09:31 – Updated: 2026-07-09 14:39
VLAI
Title
DSGVO All in one for WP <= 4.9 - Missing Authorization to Authenticated (Subscriber+) Settings Reset
Summary
The DSGVO All in one for WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 4.9. This is due to the dsgvo_reset_policy_service_func() function lacking both capability checks and nonce verification while processing user-supplied parameters to reset plugin options. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset all customized privacy policy content including cookie notices, Google Analytics policies, Facebook policies, and YouTube policies to their default values.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
mlfactory DSGVO All in one for WP Affected: 0 , ≤ 4.9 (semver)
Create a notification for this product.
Credits
nudien udin nudien
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4298",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T14:39:32.001412Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T14:39:42.090Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DSGVO All in one for WP",
          "vendor": "mlfactory",
          "versions": [
            {
              "lessThanOrEqual": "4.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "nudien udin"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "nudien"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The DSGVO All in one for WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 4.9. This is due to the dsgvo_reset_policy_service_func() function lacking both capability checks and nonce verification while processing user-supplied parameters to reset plugin options. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset all customized privacy policy content including cookie notices, Google Analytics policies, Facebook policies, and YouTube policies to their default values."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T09:31:21.285Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d8a5268-03a2-48c6-9c59-840a11e7a34f?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dsgvo-all-in-one-for-wp/trunk/dsgvo_all_in_one_wp.php#L1123"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dsgvo-all-in-one-for-wp/tags/4.9/dsgvo_all_in_one_wp.php#L1123"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dsgvo-all-in-one-for-wp/trunk/dsgvo_all_in_one_wp.php#L56"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dsgvo-all-in-one-for-wp/tags/4.9/dsgvo_all_in_one_wp.php#L56"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3503821%40dsgvo-all-in-one-for-wp\u0026new=3503821%40dsgvo-all-in-one-for-wp"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-08T20:46:28.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "DSGVO All in one for WP \u003c= 4.9 - Missing Authorization to Authenticated (Subscriber+) Settings Reset"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4298",
    "datePublished": "2026-07-09T09:31:21.285Z",
    "dateReserved": "2026-03-16T19:14:02.711Z",
    "dateUpdated": "2026-07-09T14:39:42.090Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4299 (GCVE-0-2026-4299)

Vulnerability from cvelistv5 – Published: 2026-04-08 03:36 – Updated: 2026-04-13 15:15
VLAI
Title
MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API
Summary
The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
mainwp MainWP Child Reports Affected: 0 , ≤ 2.2.6 (semver)
Create a notification for this product.
Credits
Hunter Jensen
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4299",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T15:06:40.658600Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T15:15:10.520Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MainWP Child Reports",
          "vendor": "mainwp",
          "versions": [
            {
              "lessThanOrEqual": "2.2.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hunter Jensen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the \u0027wp-mainwp-stream-heartbeat\u0027 data key."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:02:53.164Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4141bd-cd3f-44e9-b423-be03377a342d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mainwp-child-reports/trunk/classes/class-live-update.php#L182"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mainwp-child-reports/tags/2.2.6/classes/class-live-update.php#L182"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mainwp-child-reports/trunk/classes/class-live-update.php#L44"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mainwp-child-reports/tags/2.2.6/classes/class-live-update.php#L44"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3490157%40mainwp-child-reports\u0026new=3490157%40mainwp-child-reports\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-16T20:41:23.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-04-07T15:21:54.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "MainWP Child Reports \u003c= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4299",
    "datePublished": "2026-04-08T03:36:09.655Z",
    "dateReserved": "2026-03-16T19:23:21.908Z",
    "dateUpdated": "2026-04-13T15:15:10.520Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4301 (GCVE-0-2026-4301)

Vulnerability from cvelistv5 – Published: 2026-05-12 07:48 – Updated: 2026-05-12 12:56
VLAI
Title
Rate Star Review Vote <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification via 'rating_id' Parameter
Summary
The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsr_review() AJAX handler lacks both capability checks and nonce verification. The only access control is an is_user_logged_in() check. When the 'form' parameter is set to 'update', the function takes an arbitrary post ID from the user-supplied 'rating_id' GET parameter, sets it as the post ID in the update array, and passes it directly to wp_update_post(). This overwrites the target post's title, content, author (changed to the attacker's user ID), post_type (changed to the plugin's custom post type, default 'review'), and status. Additionally, update_post_meta() is called on the arbitrary post ID at lines 758-763, modifying its metadata. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title, content, author, post type, and metadata of arbitrary posts and pages on the site via the 'rating_id' parameter, effectively allowing full post content takeover.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
Cipher Forensic
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4301",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T12:56:10.766366Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:56:54.390Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Rate Star Review Vote \u2013 AJAX Reviews, Votes, Star Ratings",
          "vendor": "videowhisper",
          "versions": [
            {
              "lessThanOrEqual": "1.6.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Cipher Forensic"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsr_review() AJAX handler lacks both capability checks and nonce verification. The only access control is an is_user_logged_in() check. When the \u0027form\u0027 parameter is set to \u0027update\u0027, the function takes an arbitrary post ID from the user-supplied \u0027rating_id\u0027 GET parameter, sets it as the post ID in the update array, and passes it directly to wp_update_post(). This overwrites the target post\u0027s title, content, author (changed to the attacker\u0027s user ID), post_type (changed to the plugin\u0027s custom post type, default \u0027review\u0027), and status. Additionally, update_post_meta() is called on the arbitrary post ID at lines 758-763, modifying its metadata. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title, content, author, post type, and metadata of arbitrary posts and pages on the site via the \u0027rating_id\u0027 parameter, effectively allowing full post content takeover."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T07:48:17.336Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/107cb15f-4b2e-4ed4-8e8a-4f716f4873db?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/rate-star-review/trunk/rate-star-review.php#L754"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/rate-star-review/tags/1.6.4/rate-star-review.php#L754"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/rate-star-review/trunk/rate-star-review.php#L730"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/rate-star-review/tags/1.6.4/rate-star-review.php#L730"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/rate-star-review/trunk/rate-star-review.php#L758"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/rate-star-review/tags/1.6.4/rate-star-review.php#L758"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-11T19:07:44.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Rate Star Review Vote \u003c= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification via \u0027rating_id\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4301",
    "datePublished": "2026-05-12T07:48:17.336Z",
    "dateReserved": "2026-03-16T20:01:00.547Z",
    "dateUpdated": "2026-05-12T12:56:54.390Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4309 (GCVE-0-2026-4309)

Vulnerability from cvelistv5 – Published: 2026-03-27 11:46 – Updated: 2026-04-10 04:10
VLAI
Summary
Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
NEC
Impacted products
Vendor Product Version
NEC Platforms, Ltd. Aterm W1200EX(-MS) Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG1200HP2 Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG1900HP Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG1200HS2 Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG1800HP3 Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG1200HP3 Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG1900HP2 Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG1200HS3 Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG1800HP4 Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG1200HP4 Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG1200HS4 Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm WX1500HP Affected: Before Ver. 1.4.2
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG2600HS Affected: Before Ver. 1.7.2
Create a notification for this product.
NEC Platforms, Ltd. Aterm WF1200CR Affected: Before Ver. 1.6.0
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG1200CR Affected: Before Ver. 1.5.0
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG2600HP4 Affected: Before Ver. 1.4.2
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG2600HM4 Affected: Before Ver. 1.4.2
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG2600HS2 Affected: Before Ver. 1.3.2
Create a notification for this product.
NEC Platforms, Ltd. Aterm WX3000HP Affected: Before Ver. 2.5.0
Create a notification for this product.
NEC Platforms, Ltd. Aterm WX3600HP Affected: Before Ver. 1.5.3
Create a notification for this product.
NEC Platforms, Ltd. Aterm GX1200HP Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm GX1200HS4 Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm WG1200DM4 Affected: All versions
Create a notification for this product.
NEC Platforms, Ltd. Aterm GB1200PE Affected: Before Ver. 1.3.1
Create a notification for this product.
Credits
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4309",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T12:00:30.434329Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T12:15:32.249Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Aterm W1200EX(-MS)",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG1200HP2",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG1900HP",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG1200HS2",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG1800HP3",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG1200HP3",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG1900HP2",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG1200HS3",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG1800HP4",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG1200HP4",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG1200HS4",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WX1500HP",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Before Ver. 1.4.2"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG2600HS",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Before Ver. 1.7.2"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WF1200CR",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Before Ver. 1.6.0"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG1200CR",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Before Ver. 1.5.0"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG2600HP4",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Before Ver. 1.4.2"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG2600HM4",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Before Ver. 1.4.2"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG2600HS2",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Before Ver. 1.3.2"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WX3000HP",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Before Ver. 2.5.0"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WX3600HP",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Before Ver. 1.5.3"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm GX1200HP",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm GX1200HS4",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm WG1200DM4",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Aterm GB1200PE",
          "vendor": "NEC Platforms, Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Before Ver. 1.3.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network."
            }
          ],
          "value": "Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T04:10:43.726Z",
        "orgId": "f2760a35-e0d8-4637-ac4c-cc1a2de3e282",
        "shortName": "NEC"
      },
      "references": [
        {
          "url": "https://jpn.nec.com/security-info/secinfo/nv26-001_en.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f2760a35-e0d8-4637-ac4c-cc1a2de3e282",
    "assignerShortName": "NEC",
    "cveId": "CVE-2026-4309",
    "datePublished": "2026-03-27T11:46:26.310Z",
    "dateReserved": "2026-03-17T01:53:09.153Z",
    "dateUpdated": "2026-04-10T04:10:43.726Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phase: Architecture and Design

Description:

  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation

Phase: Architecture and Design

Description:

  • Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4

Phase: Architecture and Design

Strategy: Libraries or Frameworks

Description:

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation

Phase: Architecture and Design

Description:

  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation

Phases: System Configuration, Installation

Description:

  • Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.

Back to CWE stats page