CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-9172 (GCVE-0-2026-9172)
Vulnerability from cvelistv5 – Published: 2026-06-24 05:33 – Updated: 2026-06-24 12:36- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| ajitdas | Devs Accounting – Simple Accounting and Invoicing Solution |
Affected:
0 , ≤ 1.2.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9172",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T12:36:51.150212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T12:36:58.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Devs Accounting \u2013 Simple Accounting and Invoicing Solution",
"vendor": "ajitdas",
"versions": [
{
"lessThanOrEqual": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "jamaal"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Devs Accounting \u2013 Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account() function in versions up to, and including, 1.2.0. The REST route \u0027devs-accounting/v1/delete-account/(?P\u003cid\u003e\\d+)\u0027 is registered without any permission_callback, which causes WordPress to expose the endpoint to public, unauthenticated access. This makes it possible for unauthenticated attackers to soft-delete arbitrary accounting account records (wp_dac_accounts) by issuing a simple GET request to the endpoint with any account ID."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T05:33:29.128Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbe99411-ba74-4e97-8d14-659897942906?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/devs-accounting/tags/1.2.0/classes/class-devs-accounting-accounts.php#L199"
},
{
"url": "https://plugins.trac.wordpress.org/browser/devs-accounting/tags/1.2.0/classes/class-devs-accounting-accounts.php#L36"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T16:39:47.000Z",
"value": "Disclosed"
}
],
"title": "Devs Accounting \u003c= 1.2.0 - Missing Authorization to Unauthenticated Account Deletion via /delete-account/ REST Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9172",
"datePublished": "2026-06-24T05:33:29.128Z",
"dateReserved": "2026-05-21T14:37:49.953Z",
"dateUpdated": "2026-06-24T12:36:58.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9175 (GCVE-0-2026-9175)
Vulnerability from cvelistv5 – Published: 2026-06-24 05:33 – Updated: 2026-06-24 19:35- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| ajitdas | Devs Accounting – Simple Accounting and Invoicing Solution |
Affected:
0 , ≤ 1.2.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9175",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T19:35:01.286884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T19:35:10.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Devs Accounting \u2013 Simple Accounting and Invoicing Solution",
"vendor": "ajitdas",
"versions": [
{
"lessThanOrEqual": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "jamaal"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Devs Accounting \u2013 Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_account() REST API callback being registered with a permission_callback that unconditionally returns true, providing no authentication or authorization checks on the /devs-accounting/v1/get-account/\u003cid\u003e endpoint. This makes it possible for unauthenticated attackers to read arbitrary private financial account records (including account name, bank name, and opening balance) by enumerating the numeric account ID, resulting in sensitive information disclosure."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T05:33:22.725Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2212585b-1437-40a8-a5da-5b5c9f88c365?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/devs-accounting/tags/1.2.0/classes/class-devs-accounting-accounts.php#L157"
},
{
"url": "https://plugins.trac.wordpress.org/browser/devs-accounting/tags/1.2.0/classes/class-devs-accounting-accounts.php#L31"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T16:39:37.000Z",
"value": "Disclosed"
}
],
"title": "Devs Accounting \u003c= 1.2.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure via \u0027id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9175",
"datePublished": "2026-06-24T05:33:22.725Z",
"dateReserved": "2026-05-21T14:38:42.910Z",
"dateUpdated": "2026-06-24T19:35:10.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9178 (GCVE-0-2026-9178)
Vulnerability from cvelistv5 – Published: 2026-06-24 05:33 – Updated: 2026-06-24 12:13- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| hancock11 | WP Forms Connector |
Affected:
0 , ≤ 1.8
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T12:12:27.782825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T12:13:00.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Forms Connector",
"vendor": "hancock11",
"versions": [
{
"lessThanOrEqual": "1.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "jamaal"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/\u003cid\u003e (callback userDetail()) with permission_callback set to \u0027__return_true\u0027, and the function\u0027s home-grown authentication only verifies that the supplied \u0027Username\u0027 HTTP header maps to an administrator account and that a \u0027Password\u0027 HTTP header is non-empty. It never validates the password with wp_check_password() (unlike the sibling delete_wc_user() function which does). This makes it possible for unauthenticated attackers to retrieve sensitive information for any registered user ID \u2014 including the WordPress password hash (user_pass) and email address \u2014 by sending a request with a valid administrator login name (commonly the default \u0027admin\u0027) and any arbitrary password value."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T05:33:33.451Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5dfafee-9b6c-4e57-b263-39ff15cd3b51?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-forms-connector/tags/1.8/WP-Forms-Connector.php#L1490"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-forms-connector/tags/1.8/WP-Forms-Connector.php#L1477"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-forms-connector/tags/1.8/WP-Forms-Connector.php#L1464"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-forms-connector/tags/1.8/WP-Forms-Connector.php#L739"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T16:39:27.000Z",
"value": "Disclosed"
}
],
"title": "WP Forms Connector \u003c= 1.8 - Missing Authorization to Unauthenticated Information Exposure via \u0027user/list\u0027 REST Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9178",
"datePublished": "2026-06-24T05:33:33.451Z",
"dateReserved": "2026-05-21T14:44:27.753Z",
"dateUpdated": "2026-06-24T12:13:00.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9184 (GCVE-0-2026-9184)
Vulnerability from cvelistv5 – Published: 2026-06-24 05:33 – Updated: 2026-06-24 14:51- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| 24liveblog | 24liveblog – live blog tool |
Affected:
0 , ≤ 2.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T14:51:41.367266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T14:51:55.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "24liveblog \u2013 live blog tool",
"vendor": "24liveblog",
"versions": [
{
"lessThanOrEqual": "2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joy Gilbert"
}
],
"descriptions": [
{
"lang": "en",
"value": "The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token() AJAX function in versions up to, and including, 2.2. The handler only verifies the \u0027lb24\u0027 nonce (which is generated and localized to any user with block editor access via lb24_block_enqueue_scripts()) and does not verify the user\u0027s capabilities or that the supplied user_id belongs to the current user. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname user meta values of any user (including administrators) as well as the corresponding site-wide options, effectively hijacking the plugin\u0027s integration with the 24liveblog service."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T05:33:27.676Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7f22854-049a-4b4f-a448-13c416e0a6b7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/24liveblog/trunk/plugin.php#L93"
},
{
"url": "https://plugins.trac.wordpress.org/browser/24liveblog/trunk/plugin.php#L94"
},
{
"url": "https://plugins.trac.wordpress.org/browser/24liveblog/trunk/src/init.php#L127"
},
{
"url": "https://plugins.trac.wordpress.org/browser/24liveblog/trunk/plugin.php#L100"
},
{
"url": "https://plugins.trac.wordpress.org/browser/24liveblog/trunk/plugin.php#L104"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-23T16:39:07.000Z",
"value": "Disclosed"
}
],
"title": "24liveblog \u003c= 2.2 - Missing Authorization to Authenticated (Author+) Settings Modification via update_lb24_token AJAX action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9184",
"datePublished": "2026-06-24T05:33:27.676Z",
"dateReserved": "2026-05-21T14:55:58.925Z",
"dateUpdated": "2026-06-24T14:51:55.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9187 (GCVE-0-2026-9187)
Vulnerability from cvelistv5 – Published: 2026-06-16 04:30 – Updated: 2026-06-16 12:37- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| zealopensource | Abandoned Contact Form 7 |
Affected:
0 , ≤ 2.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9187",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T12:37:23.714180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T12:37:54.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Abandoned Contact Form 7",
"vendor": "zealopensource",
"versions": [
{
"lessThanOrEqual": "2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joy Gilbert"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin\u0027s own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T04:30:15.996Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a38ebdeb-6ab8-4f1d-9c13-39211a9e97b6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/abandoned-contact-form-7/tags/2.2/inc/class.cf7af.php#L68"
},
{
"url": "https://plugins.trac.wordpress.org/browser/abandoned-contact-form-7/tags/2.2/inc/class.cf7af.php#L65"
},
{
"url": "https://plugins.trac.wordpress.org/browser/abandoned-contact-form-7/tags/2.2/inc/class.cf7af.php#L49"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-15T16:26:44.000Z",
"value": "Disclosed"
}
],
"title": "Abandoned Contact Form 7 \u003c= 2.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion via \u0027recover_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9187",
"datePublished": "2026-06-16T04:30:15.996Z",
"dateReserved": "2026-05-21T15:01:06.791Z",
"dateUpdated": "2026-06-16T12:37:54.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9199 (GCVE-0-2026-9199)
Vulnerability from cvelistv5 – Published: 2026-06-18 04:31 – Updated: 2026-06-18 12:49- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| equalizedigital | Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance |
Affected:
0 , ≤ 1.42.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9199",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:48:57.570590Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:49:05.539Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Equalize Digital Accessibility Checker \u2013 WCAG, ADA, EAA and Section 508 compliance",
"vendor": "equalizedigital",
"versions": [
{
"lessThanOrEqual": "1.42.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joy Gilbert"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Equalize Digital Accessibility Checker \u2013 WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to dismiss, ignore, or restore accessibility audit issue records belonging to posts they are not permitted to edit by supplying an issue from their own post as an authorization token to affect matching issues across the entire site. An Author-level user can exploit this by passing largeBatch=true on a dismiss-issue request referencing one of their own post\u0027s issues, causing the handler to bulk-modify all site-wide accessibility issues sharing the same \u0027object\u0027 value \u2014 including those belonging to administrator-owned posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T04:31:07.632Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e5cc0ce-3785-4240-863e-d1396db6e8ef?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.42.0/includes/classes/class-rest-api.php#L1247"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.42.0/includes/classes/class-rest-api.php#L1232"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.42.0/includes/classes/class-rest-api.php#L349"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.39.0/includes/classes/class-rest-api.php#L1247"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.39.0/includes/classes/class-rest-api.php#L1232"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.39.0/includes/classes/class-rest-api.php#L349"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3553926%40accessibility-checker\u0026new=3553926%40accessibility-checker\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-21T15:55:53.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-17T16:07:31.000Z",
"value": "Disclosed"
}
],
"title": "Equalize Digital Accessibility Checker \u003c= 1.42.1 - Missing Authorization to Authenticated (Author+) Arbitrary Accessibility Issue Modification via \u0027largeBatch\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9199",
"datePublished": "2026-06-18T04:31:07.632Z",
"dateReserved": "2026-05-21T15:40:33.877Z",
"dateUpdated": "2026-06-18T12:49:05.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9224 (GCVE-0-2026-9224)
Vulnerability from cvelistv5 – Published: 2026-05-22 15:25 – Updated: 2026-05-22 16:53- CWE-862 - Missing authorization
| Vendor | Product | Version | |
|---|---|---|---|
| Devolutions | Server |
Affected:
2026.1.6.0 , ≤ 2026.1.16.0
(custom)
Affected: 0 , ≤ 2025.3.20.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9224",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T16:53:29.042423Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T16:53:32.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2026.1.16.0",
"status": "affected",
"version": "2026.1.6.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2025.3.20.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request.\u003cp\u003eThis issue affects :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2026.1.6.0 through 2026.1.16.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.3.20.0 and earlier\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request.\n\nThis issue affects :\n\n * Devolutions Server 2026.1.6.0 through 2026.1.16.0\n * Devolutions Server 2025.3.20.0 and earlier"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:25:33.660Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2026-0013/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2026-9224",
"datePublished": "2026-05-22T15:25:33.660Z",
"dateReserved": "2026-05-21T17:54:29.652Z",
"dateUpdated": "2026-05-22T16:53:32.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9230 (GCVE-0-2026-9230)
Vulnerability from cvelistv5 – Published: 2026-07-03 06:50 – Updated: 2026-07-06 14:45- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| expresstech | Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker |
Affected:
0 , ≤ 11.1.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9230",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T14:45:11.708715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T14:45:18.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz and Survey Master (QSM) \u2013 Easy Quiz and Survey Maker",
"vendor": "expresstech",
"versions": [
{
"lessThanOrEqual": "11.1.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kirasec"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz and Survey Master (QSM) \u2013 Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify quizzes they do not own, overwrite quiz results pages, and reroute quiz-result notification emails to attacker-controlled addresses. An attacker first calls the /quiz/structure endpoint with an arbitrary victim quiz ID to obtain a valid nonce bound to that quiz ID and their own user ID, then presents that nonce to the /quizzes/{id}/emails save endpoint, which accepts it without verifying quiz ownership."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T06:50:11.170Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49c66f9e-e58c-435b-9bb0-d6b66261e789?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/rest-api.php#L460"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/rest-api.php#L513"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/blocks/block.php#L424"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/blocks/block.php#L257"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/rest-api.php#L862"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/mlw_quizmaster2.php#L890"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/rest-api.php#L460"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/rest-api.php#L513"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/blocks/block.php#L424"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/blocks/block.php#L257"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/rest-api.php#L862"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/mlw_quizmaster2.php#L890"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3570062%40quiz-master-next\u0026new=3570062%40quiz-master-next\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-02T18:30:42.000Z",
"value": "Disclosed"
}
],
"title": "Quiz and Survey Master (QSM) \u003c= 11.1.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Quiz Modification and Email Reroute via Leaked Nonce from /quiz/structure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9230",
"datePublished": "2026-07-03T06:50:11.170Z",
"dateReserved": "2026-05-21T18:35:49.663Z",
"dateUpdated": "2026-07-06T14:45:18.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9233 (GCVE-0-2026-9233)
Vulnerability from cvelistv5 – Published: 2026-06-27 06:50 – Updated: 2026-06-29 19:04- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| expresstech | Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker |
Affected:
0 , ≤ 11.1.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9233",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T19:04:11.317122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:04:24.909Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz and Survey Master (QSM) \u2013 Easy Quiz and Survey Maker",
"vendor": "expresstech",
"versions": [
{
"lessThanOrEqual": "11.1.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Weerawat Pawanawiwat (ErbaZZ)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz and Survey Master (QSM) \u2013 Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create, modify, and delete quiz output templates stored in the mlw_quiz_output_templates database table, including storing unsanitized HTML content such as arbitrary script tags."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T06:50:57.158Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38db911b-cad5-4c8c-b0a4-70dc543b4591?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/admin/functions.php#L1557"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/admin/functions.php#L1563"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/admin/functions.php#L1638"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/php/admin/options-page-email-tab.php#L52"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.1.2/mlw_quizmaster2.php#L931"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.0.0/php/admin/functions.php#L1557"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.0.0/php/admin/functions.php#L1563"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.0.0/php/admin/functions.php#L1638"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.0.0/php/admin/options-page-email-tab.php#L52"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/11.0.0/mlw_quizmaster2.php#L931"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3570062%40quiz-master-next\u0026new=3570062%40quiz-master-next\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-26T17:57:43.000Z",
"value": "Disclosed"
}
],
"title": "Quiz and Survey Master (QSM) \u003c= 11.1.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via qsm_insert_quiz_template AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9233",
"datePublished": "2026-06-27T06:50:57.158Z",
"dateReserved": "2026-05-21T18:39:37.842Z",
"dateUpdated": "2026-06-29T19:04:24.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9234 (GCVE-0-2026-9234)
Vulnerability from cvelistv5 – Published: 2026-06-02 07:48 – Updated: 2026-06-02 10:47- CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| ntbyk | JTL-Connector for WooCommerce |
Affected:
0 , ≤ 2.4.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9234",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T10:38:20.828085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T10:47:20.534Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "JTL-Connector for WooCommerce",
"vendor": "ntbyk",
"versions": [
{
"lessThanOrEqual": "2.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhan Luo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector action (handled by JtlConnectorAdmin::save()) and on the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX actions (handled by the global downloadJTLLogs() and clearJTLLogs() functions). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings, download a ZIP archive of the connector\u0027s developer log files, and delete those log files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T07:48:27.609Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1475f3c4-b1ff-422c-a832-f6261361c240?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-jtl-connector/tags/2.4.1/includes/JtlConnectorAdmin.php#L3007"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-jtl-connector/tags/2.4.1/woo-jtl-connector.php#L161"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-jtl-connector/tags/2.4.1/woo-jtl-connector.php#L221"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-jtl-connector/tags/2.4.1/includes/JtlConnectorAdmin.php#L574"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-jtl-connector/tags/2.4.1/woo-jtl-connector.php#L92"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-01T19:43:29.000Z",
"value": "Disclosed"
}
],
"title": "JTL-Connector for WooCommerce \u003c= 2.4.1 - Missing Authorization to Authenticated (Subscriber+) Settings Modification via Multiple Functions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9234",
"datePublished": "2026-06-02T07:48:27.609Z",
"dateReserved": "2026-05-21T18:46:05.539Z",
"dateUpdated": "2026-06-02T10:47:20.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.