8 matches found
CVE-2026-9842
The CVE-2026-9842 entry concerns the Backstage - Customizer Demo Access plugin for WordPress (up to version 1.4.2). The root cause is that the plugin assigns the manage_options capability to the backstage_customizer_user demo role, which is more permissive than required for a Demo Access/Customiz...
EUVD-2025-199736
In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the internal index during the addition of new “Data Security Accounts“. The vulnerability would require either local access to the log files or administrative access to internal indexe...
EUVD-2025-197964
The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated...
CVE-2025-12481
The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated...
Privilege escalation
The User Role by BestWebSoft WordPress plugin before 1.6.7 does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role...
PT-2023-16549 · Bestwebsoft · User Role
Name of the Vulnerable Software and Affected Versions: User Role by BestWebSoft WordPress plugin versions prior to 1.6.7 Description: The issue concerns a lack of protection against Cross-Site Request Forgery CSRF in requests to update role capabilities, leading to arbitrary privilege escalation ...
DEBIAN-CVE-2013-2200
WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors...
CVE-2013-2200
WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors...