36 matches found
CVE-2026-40291
Chamilo LMS exposes an insecure direct object modification in PUT /api/users/{id} prior to version 2.0.0-RC.3, allowing any authenticated user with ROLE_STUDENT to escalate to ROLE_ADMIN by modifying their own roles field. The API Platform check is_granted('EDIT', object) only verifies ownership,...
WordPress Plugin Simple User Registration Access Control Error Vulnerability
WordPress is a set of blogging platform developed using the PHP language, the platform has the ability to set up a personal blog site on a server based on PHP and MySQL, WordPress plugin is an application plugin. An access control error vulnerability exists in the WordPress plugin Simple User...
CVE-2026-0844
The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profilesavefield' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to...
CVE-2025-1682
The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'savesettings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user ro...
CVE-2023-53908
CVE-2023-53908 affects Belden HiSecOS 04.0.01. A privilege-escalation flaw allows authenticated users to modify their access role via crafted XML in NETCONF payloads sent to the /mops_data endpoint, elevating to administrative level. Affected component: XML-based NETCONF configuration handling; r...
CVE-2023-53908 HiSecOS 04.0.01 Privilege Escalation via User Role Modification
HiSecOS 04.0.01 contains a privilege escalation vulnerability that allows authenticated users to modify their access role through XML-based NETCONF configuration. Attackers can send crafted XML payloads to the /mopsdata endpoint with a specific role value to elevate their user privileges to...
EUVD-2014-0153
Malware in sbrugna...
EUVD-2023-44281
Malicious code in bioql PyPI...
EUVD-2025-5486
Malicious code in bioql PyPI...
EUVD-2023-58276
Malicious code in bioql PyPI...
EUVD-2023-54164
Malicious code in bioql PyPI...
EUVD-2025-10842
Malicious code in bioql PyPI...
EUVD-2023-54111
Malicious code in bioql PyPI...
EUVD-2024-44445
Malicious code in bioql PyPI...
EUVD-2023-54021
Malicious code in bioql PyPI...
CVE-2023-6009
The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userproupdateuserprofile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify...
CVE-2023-3636
The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the 'saveusersmapname' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modif...
CVE-2023-2833
The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rxsetscreenoptions' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their...
CVE-2025-2907
The CVE-2025-2907 issue affects the WordPress plugin Order Delivery Date Pro for WooCommerce (versions before 12.3.1). The root cause is missing authorization and CSRF checks when importing settings, allowing an unauthenticated attacker to update arbitrary options such as default_user_role to adm...
CVE-2025-1682
The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'savesettings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user ro...