
12 matches found

NVD
added 2026/02/07 12:15 a.m. · 4 views

CVE-2020-37106

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with...

CVSS 5.3 · EPSS 0.00181
Exploits: 0 · References: 3
Vulnrichment
added 2026/02/06 11:14 p.m. · 3 views

CVE-2020-37106 Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with...

CVSS 5.3 · AI score 5.3 · EPSS 0.00181
Exploits: 0 · References: 3
NVD
added 2025/12/12 4:15 a.m. · 2 views

CVE-2025-12963

The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the...

CVSS 9.8 · EPSS 0.00311
Exploits: 0 · References: 2
Positive Technologies
added 2025/11/13 12:00 a.m. · 8 views

PT-2025-46776

Name of the Vulnerable Software and Affected Versions LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin versions 3.5.3 through 3.41.2 LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin versions 4.0.0 through 4.21.3 LifterLMS – WP LMS for eLearning, Online Courses,...

CVSS 8.8 · AI score 6.5 · EPSS 0.00286
Exploits: 0 · References: 13
EUVD
added 2025/10/03 8:07 p.m. · 5 views

EUVD-2025-5122

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 8.7 · EPSS 0.00466
Exploits: 0 · References: 3
CVE
added 2025/04/04 4:21 a.m. · 99 views

CVE-2025-2075

The CVE concerns the WordPress plugin Uncanny Automator (versions up to and including 6.3.0.2). The root cause is missing capability checks in add_role() and user_role() performed through validate_rest_call(), enabling privilege escalation to administrator. Attackers with an active account can el...

CVSS 8.8 · AI score 7 · EPSS 0.02245
Exploits: 0 · References: 3 · Affected Software: 1
CVE
added 2025/02/11 7:30 a.m. · 42 views

CVE-2024-13643

CVE-2024-13643 relates to the Zox News – Pro WordPress Theme plugin (WordPress) with versions up to 3.17.0. The root cause, per Wordfence and related sources, is missing authorization checks in backup_options() and reset_options(), allowing authenticated users with Subscriber-level access and abo...

CVSS 8.8 · AI score 8.8 · EPSS 0.00592
Exploits: 0 · References: 3
RedhatCVE
added 2025/02/05 6:15 a.m. · 11 views

CVE-2024-5326

The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postxpresetscallback' function in all versions up to, and including, 4.1.2. This makes it possible for authenticated...

CVSS 8.8 · AI score 6.4 · EPSS 0.01426
Exploits: 1 · References: 1
Positive Technologies
added 2024/06/06 12:00 a.m. · 4 views

PT-2024-24122 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm affected versions not specified Description: A vulnerability exists in the thread update process, allowing users with Default or Manager roles to escalate their privileges to Administrator. This issue arises from...

CVSS 8.8 · AI score 8.3 · EPSS 0.00793
Exploits: 1 · References: 8
RedHat Linux
added 2023/08/08 8:46 a.m. · 4 views

postgresql: row security policies disregard user ID changes after inlining.

A flaw was found in PostgreSQL, which could permit incorrect policies being applied in certain cases where role-specific policies are used and a given query is planned under one role and executed under other roles. This scenario can happen under security definer functions, or when a common user a...

CVSS 5.4 · AI score 7.3 · EPSS 0.00694
Exploits: 0 · References: 5
exploitpack
added 2020/02/27 12:00 a.m. · 47 views

Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)

Business Live Chat Software 1.0 - Cross-Site Request Forgery Add Admin Exploit Title: Business Live Chat Software 1.0 - Cross-Site Request Forgery Add Admin Description: Operator Can Change Role User Type to admin Date: 2020-02-26 Exploit Author: Meisam Monsef Vendor Homepage:...

AI score 0.3
Exploits: 0
Packet Storm
added 2020/02/26 12:00 a.m. · 103 views

Business Live Chat Software 1.0 Cross Site Request Forgery

Exploit Title: Business Live Chat Software 1.0 - Cross-Site Request Forgery Add Admin Description: Operator Can Change Role User Type to admin Date: 2020-02-26 Exploit Author: Meisam Monsef Vendor Homepage: https://www.bdtask.com/business-live-chat-software.php Version: V-1.0 Tested on: ubuntu...

AI score 7.4
Exploits: 0