CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2023-40003 (GCVE-0-2023-40003)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:24 – Updated: 2026-04-29 09:51
VLAI
Title
WordPress WP Project Manager plugin <= 2.6.7 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in weDevs WP Project Manager wedevs-project-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Project Manager: from n/a through <= 2.6.7.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| weDevs | WP Project Manager |
Affected:
0 , ≤ 2.6.7
(custom)
|
Date Public
2026-04-22 14:34
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T20:38:57.943489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T20:39:21.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wedevs-project-manager",
"product": "WP Project Manager",
"vendor": "weDevs",
"versions": [
{
"changes": [
{
"at": "2.6.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.6.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lttn | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:34:56.777Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in weDevs WP Project Manager wedevs-project-manager allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects WP Project Manager: from n/a through \u003c= 2.6.7.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in weDevs WP Project Manager wedevs-project-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Project Manager: from n/a through \u003c= 2.6.7."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T09:51:49.303Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wedevs-project-manager/vulnerability/wordpress-wp-project-manager-plugin-2-6-7-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Project Manager plugin \u003c= 2.6.7 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-40003",
"datePublished": "2024-12-13T14:24:03.519Z",
"dateReserved": "2023-08-08T12:15:26.376Z",
"dateUpdated": "2026-04-29T09:51:49.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-40004 (GCVE-0-2023-40004)
Vulnerability from cvelistv5 – Published: 2024-06-19 12:03 – Updated: 2026-04-28 16:08
VLAI
Title
Unauth. Access Token Manipulation vulnerability in multiple ServMask WordPress plugins
Summary
Missing Authorization vulnerability in ServMask All-in-One WP Migration Box Extension, ServMask All-in-One WP Migration OneDrive Extension, ServMask All-in-One WP Migration Dropbox Extension, ServMask All-in-One WP Migration Google Drive Extension.This issue affects All-in-One WP Migration Box Extension: from n/a through 1.53; All-in-One WP Migration OneDrive Extension: from n/a through 1.66; All-in-One WP Migration Dropbox Extension: from n/a through 3.75; All-in-One WP Migration Google Drive Extension: from n/a through 2.79.
Severity
7.3 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/all… | vdb-entry |
| https://patchstack.com/database/vulnerability/all… | vdb-entry |
| https://patchstack.com/database/vulnerability/all… | vdb-entry |
| https://patchstack.com/database/vulnerability/all… | vdb-entry |
| https://patchstack.com/articles/pre-auth-access-t… | third-party-advisorytechnical-description |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| ServMask | All-in-One WP Migration Box Extension |
Affected:
n/a , ≤ 1.53
(custom)
|
|
| ServMask | All-in-One WP Migration OneDrive Extension |
Affected:
n/a , ≤ 1.66
(custom)
|
|
| ServMask | All-in-One WP Migration Dropbox Extension |
Affected:
n/a , ≤ 3.75
(custom)
|
|
| ServMask | All-in-One WP Migration Google Drive Extension |
Affected:
n/a , ≤ 2.79
(custom)
|
|
| servmask | all-in-one_wp_migration |
Affected:
1.54
Affected: 2.80 Affected: 1.67 Affected: 3.76 cpe:2.3:a:servmask:all-in-one_wp_migration:1.54:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:servmask:all-in-one_wp_migration:1.54:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "all-in-one_wp_migration",
"vendor": "servmask",
"versions": [
{
"status": "affected",
"version": "1.54"
},
{
"status": "affected",
"version": "2.80"
},
{
"status": "affected",
"version": "1.67"
},
{
"status": "affected",
"version": "3.76"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40004",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T15:05:43.168004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T15:12:01.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:18:10.198Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-migration-gdrive-extension/wordpress-all-in-one-wp-migration-google-drive-extension-plugin-2-79-unauthenticated-access-token-manipulation-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-migration-dropbox-extension/wordpress-all-in-one-wp-migration-dropbox-extension-plugin-3-75-unauthenticated-access-token-manipulation-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-migration-onedrive-extension/wordpress-all-in-one-wp-migration-onedrive-extension-plugin-1-66-unauthenticated-access-token-manipulation-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-migration-box-extension/wordpress-all-in-one-wp-migration-box-extension-plugin-1-53-unauthenticated-access-token-manipulation-vulnerability?_s_id=cve"
},
{
"tags": [
"third-party-advisory",
"technical-description",
"x_transferred"
],
"url": "https://patchstack.com/articles/pre-auth-access-token-manipulation-in-all-in-one-wp-migration-extensions?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "All-in-One WP Migration Box Extension",
"vendor": "ServMask",
"versions": [
{
"changes": [
{
"at": "1.54",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.53",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "All-in-One WP Migration OneDrive Extension",
"vendor": "ServMask",
"versions": [
{
"changes": [
{
"at": "1.67",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.66",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "All-in-One WP Migration Dropbox Extension",
"vendor": "ServMask",
"versions": [
{
"changes": [
{
"at": "3.76",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.75",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "All-in-One WP Migration Google Drive Extension",
"vendor": "ServMask",
"versions": [
{
"changes": [
{
"at": "2.80",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.79",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in ServMask All-in-One WP Migration Box Extension, ServMask All-in-One WP Migration OneDrive Extension, ServMask All-in-One WP Migration Dropbox Extension, ServMask All-in-One WP Migration Google Drive Extension.\u003cp\u003eThis issue affects All-in-One WP Migration Box Extension: from n/a through 1.53; All-in-One WP Migration OneDrive Extension: from n/a through 1.66; All-in-One WP Migration Dropbox Extension: from n/a through 3.75; All-in-One WP Migration Google Drive Extension: from n/a through 2.79.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in ServMask All-in-One WP Migration Box Extension, ServMask All-in-One WP Migration OneDrive Extension, ServMask All-in-One WP Migration Dropbox Extension, ServMask All-in-One WP Migration Google Drive Extension.This issue affects All-in-One WP Migration Box Extension: from n/a through 1.53; All-in-One WP Migration OneDrive Extension: from n/a through 1.66; All-in-One WP Migration Dropbox Extension: from n/a through 3.75; All-in-One WP Migration Google Drive Extension: from n/a through 2.79."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:35.799Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-migration-gdrive-extension/wordpress-all-in-one-wp-migration-google-drive-extension-plugin-2-79-unauthenticated-access-token-manipulation-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-migration-dropbox-extension/wordpress-all-in-one-wp-migration-dropbox-extension-plugin-3-75-unauthenticated-access-token-manipulation-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-migration-onedrive-extension/wordpress-all-in-one-wp-migration-onedrive-extension-plugin-1-66-unauthenticated-access-token-manipulation-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-migration-box-extension/wordpress-all-in-one-wp-migration-box-extension-plugin-1-53-unauthenticated-access-token-manipulation-vulnerability?_s_id=cve"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://patchstack.com/articles/pre-auth-access-token-manipulation-in-all-in-one-wp-migration-extensions?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update ServMask All-in-One WP Migration Box Extension to 1.54 or a higher version.\u003cbr\u003e"
}
],
"value": "Update ServMask All-in-One WP Migration Box Extension to 1.54 or a higher version."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate ServMask All-in-One WP Migration OneDrive Extension to 1.67 or a higher version.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Update ServMask All-in-One WP Migration OneDrive Extension to 1.67 or a higher version."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate ServMask All-in-One WP Migration Dropbox Extension to 3.76 or a higher version.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Update ServMask All-in-One WP Migration Dropbox Extension to 3.76 or a higher version."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate ServMask All-in-One WP Migration Google Drive Extension to 2.80 or a higher version.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Update ServMask All-in-One WP Migration Google Drive Extension to 2.80 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unauth. Access Token Manipulation vulnerability in multiple ServMask WordPress plugins",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-40004",
"datePublished": "2024-06-19T12:03:07.922Z",
"dateReserved": "2023-08-08T12:15:26.376Z",
"dateUpdated": "2026-04-28T16:08:35.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-40005 (GCVE-0-2023-40005)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:24 – Updated: 2026-04-29 09:51
VLAI
Title
WordPress Easy Digital Downloads plugin <= 3.1.5 - Broken Access Control
Summary
Missing Authorization vulnerability in Syed Balkhi Easy Digital Downloads easy-digital-downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through <= 3.1.5.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Syed Balkhi | Easy Digital Downloads |
Affected:
0 , ≤ 3.1.5
(custom)
|
Date Public
2026-04-22 14:34
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40005",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T19:05:26.095458Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T19:05:42.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "easy-digital-downloads",
"product": "Easy Digital Downloads",
"vendor": "Syed Balkhi",
"versions": [
{
"changes": [
{
"at": "3.2.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Anh Tien | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:34:57.158Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Syed Balkhi Easy Digital Downloads easy-digital-downloads allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Easy Digital Downloads: from n/a through \u003c= 3.1.5.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Syed Balkhi Easy Digital Downloads easy-digital-downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through \u003c= 3.1.5."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T09:51:49.577Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/easy-digital-downloads/vulnerability/wordpress-easy-digital-downloads-plugin-3-1-5-broken-access-control?_s_id=cve"
}
],
"title": "WordPress Easy Digital Downloads plugin \u003c= 3.1.5 - Broken Access Control"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-40005",
"datePublished": "2024-12-13T14:24:04.354Z",
"dateReserved": "2023-08-08T12:15:26.376Z",
"dateUpdated": "2026-04-29T09:51:49.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-40011 (GCVE-0-2023-40011)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:24 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress Cost Calculator Builder plugin <= 3.1.42 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in StylemixThemes Cost Calculator Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cost Calculator Builder: from n/a through 3.1.42.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| StylemixThemes | Cost Calculator Builder |
Affected:
n/a , ≤ 3.1.42
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40011",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T19:02:40.467319Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T19:02:50.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cost-calculator-builder",
"product": "Cost Calculator Builder",
"vendor": "StylemixThemes",
"versions": [
{
"changes": [
{
"at": "3.1.43",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.42",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafshanzani Suhada (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in StylemixThemes Cost Calculator Builder allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Cost Calculator Builder: from n/a through 3.1.42.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in StylemixThemes Cost Calculator Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cost Calculator Builder: from n/a through 3.1.42."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:35.585Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/cost-calculator-builder/vulnerability/wordpress-cost-calculator-builder-plugin-3-1-42-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Cost Calculator Builder plugin to the latest available version (at least 3.1.43)."
}
],
"value": "Update the WordPress Cost Calculator Builder plugin to the latest available version (at least 3.1.43)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Cost Calculator Builder plugin \u003c= 3.1.42 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-40011",
"datePublished": "2024-12-13T14:24:05.384Z",
"dateReserved": "2023-08-08T12:57:23.980Z",
"dateUpdated": "2026-04-28T16:08:35.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-40027 (GCVE-0-2023-40027)
Vulnerability from cvelistv5 – Published: 2023-08-15 17:45 – Updated: 2024-10-02 17:45
VLAI
Title
Conditionally missing authorization in @keystone-6/core
Summary
Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible (no session required) if a `session` strategy is not defined. This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, `isAccessAllowed` is not `undefined`). This vulnerability does affect users who believed that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. This vulnerability has been patched in `@keystone-6/core` version `5.5.1`. Users are advised to upgrade. Users unable to upgrade may opt to write their own `isAccessAllowed` functionality to work-around this vulnerability.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/keystonejs/keystone/security/a… | x_refsource_CONFIRM |
| https://github.com/keystonejs/keystone/pull/8771 | x_refsource_MISC |
| https://github.com/keystonejs/keystone/commit/650… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| keystonejs | keystone |
Affected:
< 5.5.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c"
},
{
"name": "https://github.com/keystonejs/keystone/pull/8771",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/keystonejs/keystone/pull/8771"
},
{
"name": "https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40027",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T17:45:13.788780Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T17:45:51.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "keystone",
"vendor": "keystonejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Keystone is an open source headless CMS for Node.js \u2014 built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible (no session required) if a `session` strategy is not defined. This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, `isAccessAllowed` is not `undefined`). This vulnerability does affect users who believed that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. This vulnerability has been patched in `@keystone-6/core` version `5.5.1`. Users are advised to upgrade. Users unable to upgrade may opt to write their own `isAccessAllowed` functionality to work-around this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-15T17:45:54.439Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c"
},
{
"name": "https://github.com/keystonejs/keystone/pull/8771",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/keystonejs/keystone/pull/8771"
},
{
"name": "https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284"
}
],
"source": {
"advisory": "GHSA-9cvc-v7wm-992c",
"discovery": "UNKNOWN"
},
"title": "Conditionally missing authorization in @keystone-6/core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40027",
"datePublished": "2023-08-15T17:45:54.439Z",
"dateReserved": "2023-08-08T13:46:25.243Z",
"dateUpdated": "2024-10-02T17:45:51.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40203 (GCVE-0-2023-40203)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:24 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress MailChimp Forms by MailMunch plugin <= 3.1.4 - Broken Access Control
Summary
Missing Authorization vulnerability in MailMunch MailChimp Forms by MailMunch allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MailChimp Forms by MailMunch: from n/a through 3.1.4.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MailMunch | MailChimp Forms by MailMunch |
Affected:
n/a , ≤ 3.1.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40203",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T19:02:10.302868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T19:02:21.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "mailchimp-forms-by-mailmunch",
"product": "MailChimp Forms by MailMunch",
"vendor": "MailMunch",
"versions": [
{
"changes": [
{
"at": "3.1.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.4",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Istv\u00e1n M\u00e1rton (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in MailMunch MailChimp Forms by MailMunch allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects MailChimp Forms by MailMunch: from n/a through 3.1.4.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in MailMunch MailChimp Forms by MailMunch allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MailChimp Forms by MailMunch: from n/a through 3.1.4."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:36.231Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/mailchimp-forms-by-mailmunch/vulnerability/wordpress-mailchimp-forms-by-mailmunch-plugin-3-1-4-broken-access-control?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No patched version is available."
}
],
"value": "No patched version is available."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress MailChimp Forms by MailMunch plugin \u003c= 3.1.4 - Broken Access Control",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-40203",
"datePublished": "2024-12-13T14:24:05.949Z",
"dateReserved": "2023-08-10T11:31:18.459Z",
"dateUpdated": "2026-04-28T16:08:36.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-40209 (GCVE-0-2023-40209)
Vulnerability from cvelistv5 – Published: 2024-06-12 09:53 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress Highcompress Image Compressor plugin <= 6.0.0 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Himalaya Saxena Highcompress Image Compressor.This issue affects Highcompress Image Compressor: from n/a through 6.0.0.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/hig… | vdb-entry |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Himalaya Saxena | Highcompress Image Compressor |
Affected:
n/a , ≤ 6.0.0
(custom)
|
|
| himalaya_saxena | highcompress_image_compressor |
Affected:
0 , ≤ 6.0.0
(custom)
cpe:2.3:a:himalaya_saxena:highcompress_image_compressor:6.0.0:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:himalaya_saxena:highcompress_image_compressor:6.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "highcompress_image_compressor",
"vendor": "himalaya_saxena",
"versions": [
{
"lessThanOrEqual": "6.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40209",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T13:07:48.300899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T13:12:01.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:55.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/high-compress/wordpress-highcompress-image-compressor-plugin-4-0-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "high-compress",
"product": "Highcompress Image Compressor",
"vendor": "Himalaya Saxena",
"versions": [
{
"lessThanOrEqual": "6.0.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abdi Pranata (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Himalaya Saxena Highcompress Image Compressor.\u003cp\u003eThis issue affects Highcompress Image Compressor: from n/a through 6.0.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Himalaya Saxena Highcompress Image Compressor.This issue affects Highcompress Image Compressor: from n/a through 6.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:36.340Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/high-compress/wordpress-highcompress-image-compressor-plugin-4-0-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Highcompress Image Compressor plugin \u003c= 6.0.0 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-40209",
"datePublished": "2024-06-12T09:53:47.723Z",
"dateReserved": "2023-08-10T13:20:36.817Z",
"dateUpdated": "2026-04-28T16:08:36.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-40213 (GCVE-0-2023-40213)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:24 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress Justified Gallery plugin <= 1.7.3 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Mateusz Czardybon Justified Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justified Gallery: from n/a through 1.7.3.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mateusz Czardybon | Justified Gallery |
Affected:
n/a , ≤ 1.7.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T18:19:36.507262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:19:56.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "justified-gallery",
"product": "Justified Gallery",
"vendor": "Mateusz Czardybon",
"versions": [
{
"changes": [
{
"at": "1.8.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abdi Pranata (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in Mateusz Czardybon Justified Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Justified Gallery: from n/a through 1.7.3.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Mateusz Czardybon Justified Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justified Gallery: from n/a through 1.7.3."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:36.581Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/justified-gallery/vulnerability/wordpress-justified-gallery-plugin-1-7-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Justified Gallery plugin to the latest available version (at least 1.8.0)."
}
],
"value": "Update the WordPress Justified Gallery plugin to the latest available version (at least 1.8.0)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Justified Gallery plugin \u003c= 1.7.3 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-40213",
"datePublished": "2024-12-13T14:24:06.519Z",
"dateReserved": "2023-08-10T13:20:36.817Z",
"dateUpdated": "2026-04-28T16:08:36.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-4024 (GCVE-0-2023-4024)
Vulnerability from cvelistv5 – Published: 2024-08-17 07:34 – Updated: 2026-04-08 16:48
VLAI
Title
Radio Player <= 2.0.73 - Missing Authorization to Player Deletion
Summary
The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to delete player instances.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| princeahmed | Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player |
Affected:
0 , ≤ 2.0.73
(semver)
|
|
| softlab | radio_player |
Affected:
0 , ≤ 2.0.73
(semver)
cpe:2.3:a:softlab:radio_player:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:softlab:radio_player:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "radio_player",
"vendor": "softlab",
"versions": [
{
"lessThanOrEqual": "2.0.73",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4024",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T15:09:46.227050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T15:13:13.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Radio Player \u2013 Live Shoutcast, Icecast and Any Audio Stream Player",
"vendor": "princeahmed",
"versions": [
{
"lessThanOrEqual": "2.0.73",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to delete player instances."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:48:09.654Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f408f1f-207e-427a-a5d0-d0fadf453d7e?source=cve"
},
{
"url": "https://plugins.svn.wordpress.org/radio-player/tags/2.0.7/readme.txt"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2942906/radio-player/trunk/includes/class-ajax.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3048105"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Radio Player \u003c= 2.0.73 - Missing Authorization to Player Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-4024",
"datePublished": "2024-08-17T07:34:21.024Z",
"dateReserved": "2023-07-31T15:45:37.083Z",
"dateUpdated": "2026-04-08T16:48:09.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-4025 (GCVE-0-2023-4025)
Vulnerability from cvelistv5 – Published: 2024-08-17 07:34 – Updated: 2026-04-08 17:01
VLAI
Title
Radio Player <= 2.0.73 - Missing Authorization to Player Update
Summary
The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update player instances.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| princeahmed | Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player |
Affected:
0 , ≤ 2.0.73
(semver)
|
|
| softlab | radio_player |
Affected:
0 , ≤ 2.0.73
(semver)
cpe:2.3:a:softlab:radio_player:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:softlab:radio_player:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "radio_player",
"vendor": "softlab",
"versions": [
{
"lessThanOrEqual": "2.0.73",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T17:20:34.344159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T18:20:59.587Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Radio Player \u2013 Live Shoutcast, Icecast and Any Audio Stream Player",
"vendor": "princeahmed",
"versions": [
{
"lessThanOrEqual": "2.0.73",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update player instances."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:01:40.700Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/77409977-6822-4d14-9842-cb6a5aff2162?source=cve"
},
{
"url": "https://plugins.svn.wordpress.org/radio-player/tags/2.0.7/readme.txt"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2942906/radio-player/trunk/includes/class-ajax.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3048105"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Radio Player \u003c= 2.0.73 - Missing Authorization to Player Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-4025",
"datePublished": "2024-08-17T07:34:24.054Z",
"dateReserved": "2023-07-31T15:45:57.758Z",
"dateUpdated": "2026-04-08T17:01:40.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.