66 matches found
PT-2026-31704
OpenPLC V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator acces...
Missing Authorization
Overview @openclaw/discord is an OpenClaw Discord channel plugin Affected versions of this package are vulnerable to Missing Authorization in the Discord voice ingress authorization process. An attacker can gain unauthorized access to restricted voice channels by exploiting gaps in channel, name,...
GHSA-X2M8-53H4-6HCH OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps
Summary Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps Current Maintainer Triage - Status: narrow - Assessment: Real in shipped v2026.3.28 Discord voice ingress, but impact is channel/member allowlist bypass rather than a broader critical aut...
OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps
Summary Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps Current Maintainer Triage - Status: narrow - Assessment: Real in shipped v2026.3.28 Discord voice ingress, but impact is channel/member allowlist bypass rather than a broader critical aut...
GHSA-CH3W-9456-38V3 Netmaker has Privilege Escalation from Admin to Super-Admin via User Update
The user update handler PUT /api/users/username lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to another user, it does not include an equivalent check for the...
EUVD-2025-208125
The Listee theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.1.6. This is due to a broken validation check in the bundled listee-core plugin's user registration function that fails to properly sanitize the userrole parameter. This makes it possible...
PT-2026-22305
Name of the Vulnerable Software and Affected Versions Listee theme for WordPress versions prior to 1.1.7 Description The Listee theme for WordPress is affected by a privilege escalation issue. A broken validation check in the bundled listee-core plugin’s user registration function does not proper...
CVE-2025-8572
The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the userrole parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevate...
CVE-2025-8572 Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration
The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the userrole parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevate...
CVE-2025-8572 Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration
The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the userrole parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevate...
CVE-2025-8572
The CVE concerns the Truelysell Core plugin for WordPress. Versions
WordPress plugin Truelysell Core 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2025-14736
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.29. This is due to insufficient validation of user-supplied role values in the 'validatevalue', 'preupdatevalue', and 'getfieldsdisplay' functions. This makes it...
CVE-2025-56747
Creativeitem Academy LMS up to and including 5.13 contains a privilege escalation vulnerability in the Apiinstructor controller where regular authenticated users can access instructor-only functions without proper role validation, allowing unauthorized course creation and management...
PT-2025-41934
Name of the Vulnerable Software and Affected Versions Creativeitem Academy LMS versions up to and including 5.13 Description A privilege escalation issue exists in the Api instructor controller. Authenticated users without the necessary permissions can access functions intended only for...
CVE-2025-56747
Affected software : Creativeitem Academy LMS (versions up to 5.13). Vulnerability : Privilege escalation in the Api_instructor controller where regular authenticated users can access instructor-only functions due to missing/incorrect role validation, enabling unauthorized course creation and mana...
EUVD-2015-0050
Malware in sbrugna...
EUVD-2017-11793
Malware in sbrugna...
CVE-2025-6685
ATEN eco DC Missing Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of ATEN eco DC. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based interface. The...
CVE-2025-6685
ATEN eco DC contains a missing authorization flaw in its web-based interface that can enable privilege escalation. The issue arises from not validating the assigned user role when handling requests, allowing an attacker with network access to escalate privileges to restricted resources; authentic...