CWE-862 <span class="text-2xl md:text-3xl font-bold ml-2" style="color:var(--text-secondary)">— Missing Authorization

CVE-2026-7563MEDIUMCVSS 4.3EG 4.3

The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possibl…

2026-05-15

The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to the plugin not properly verifying that …

CVE-2026-7621MEDIUMCVSS 4.3EG 4.3

CVE-2026-7624MEDIUMCVSS 4.3EG 4.3

The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an …

2026-06-06

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 12.4.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This …

CVE-2026-7802HIGHCVSS 8.8EG 8.8

CVE-2026-7879MEDIUMCVSS 5.3EG 5.3

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This…

CVE-2026-8077HIGHCVSS 8.6EG 8.6

In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypasses the view_file permission check. F…

2026-05-08

Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permi…

CVE-2026-8096MEDIUMCVSS 6.5EG 6.5

2026-05-19

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is autho…

CVE-2026-8144MEDIUMCVSS 4.3EG 4.3

2026-05-14

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with project membership to enumerate private group …

CVE-2026-8194MEDIUMCVSS 4.3EG 4.3

2026-05-09

A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component Dispatcher. The manipulation of the argument _method leads to cross-site request…

CVE-2026-8236MEDIUMCVSS 4.3EG 4.3

CVE-2026-8237MEDIUMCVSS 5.3EG 5.3

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, v…

CVE-2026-8238MEDIUMCVSS 5.3EG 5.3

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, inclu…

CVE-2026-8239MEDIUMCVSS 5.3EG 5.3

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, inclu…

CVE-2026-8381MEDIUMCVSS 5.4EG 5.4

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS …

CVE-2026-8382MEDIUMCVSS 5.3EG 5.3

A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an authenticated user with low privileges …

2026-05-31

The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. Thi…

CVE-2026-8407MEDIUMCVSS 4.3EG 4.3

2026-05-12

Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This iss…

CVE-2026-8495CRITICALCVSS 9.8EG 9.8

2026-05-19

Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.

CVE-2026-8502MEDIUMCVSS 5.3EG 5.3

2026-06-06

The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the 'return_type' parameter. This makes it poss…

CVE-2026-8547HIGHCVSS 7.5EG 7.5

2026-05-14

Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security…

CVE-2026-8610MEDIUMCVSS 4.3EG 4.3

2026-05-20

The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. Thi…

CVE-2026-8681MEDIUMCVSS 5.3EG 5.3

2026-05-16

The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes …

CVE-2026-8682MEDIUMCVSS 4.3EG 4.3

CVE-2026-8684MEDIUMCVSS 5.3EG 5.3

The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user…

CVE-2026-8689MEDIUMCVSS 4.3EG 4.3

The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes…

CVE-2026-8692MEDIUMCVSS 4.3EG 4.3

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uplo…

CVE-2026-8976MEDIUMCVSS 4.3EG 4.3

The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying t…

2026-06-05

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not proper…

CVE-2026-9008MEDIUMCVSS 4.3EG 4.3

2026-06-06

The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting atta…

CVE-2026-9011HIGHCVSS 7.5EG 7.5

CVE-2026-9014MEDIUMCVSS 5.3EG 5.3

The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized t…

2026-05-27

The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3. The function is hooked to both the wp_ajax_wpp-r…

CVE-2026-9015MEDIUMCVSS 4.3EG 4.3

CVE-2026-9050MEDIUMCVSS 4.3EG 4.3

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verify…

2026-06-01

The Slider Revolution plugin for WordPress in versions 6.0.0-6.7.55 and 7.0.0-7.0.14 is vulnerable to unauthorized modification of data. This is due to the plugin not properly verifying that a user is authorized to perform an action. This …

CVE-2026-9187MEDIUMCVSS 5.3EG 5.3

2026-06-16

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_aba…

CVE-2026-9224MEDIUMCVSS 4.3EG 4.3

CVE-2026-9234MEDIUMCVSS 4.3EG 4.3

Missing authorization in the user profile update feature in Devolutions Server allows an... Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own p…

2026-06-02

The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin_post_settings_save_woo-jtl-…

CVE-2026-9246MEDIUMCVSS 4.3EG 4.3

CVE-2026-9251MEDIUMCVSS 5.4EG 5.4

Improper access control in the entry documentation and attachment features in Devolutions Server... Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault r…

CVE-2026-9255HIGHCVSS 7.8EG 7.8

Missing authorization in the entry status management feature in Devolutions Server allows a non... Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass …

CVE-2026-9284HIGHCVSS 8.2EG 8.2

Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli vi…

2026-05-23

The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all ver…

CVE-2026-9303MEDIUMCVSS 4.3EG 4.3

2026-05-23

A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and migh…

CVE-2026-9350HIGHCVSS 7.3EG 7.3

2026-05-24

A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function check_all_command_guards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. …

CVE-2026-9486MEDIUMCVSS 4.3EG 4.3

2026-05-25

A security flaw has been discovered in SourceCodester Student Grades Management System 1.0. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit has been rel…

CVE-2026-9582MEDIUMCVSS 4.3EG 4.3

CVE-2026-9603MEDIUMCVSS 6.5EG 6.5

A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack is possible …