praisonai-platform: Project endpoints accept any project_id without workspace ownership check, cross-workspace read/update/delete IDOR
Summary. Type: Insecure Direct Object Reference. The project CRUD endpoints GET / PATCH / DELETE /workspaces/workspace_id/projects/project_id and GET .../project_id/stats gate access on requireworkspacememberworkspaceid only, then resolve project_id through ProjectService.getprojectid / updateprojecti...
CVE-2026-49047
Missing Authorization vulnerability in DearHive DearFlip allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DearFlip: from n/a through 2.4.27...
CVE-2026-49045
Missing Authorization vulnerability in WP Media Adminimize allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Adminimize: from n/a through 1.11.11...
CVE-2026-32389
The CVE affects WordPress NanoCare theme prior to version 1.2.2, where a Missing Authorization vulnerability enables Broken Access Control due to incorrectly configured access control security levels in NanoCare. Affected component is the NanoCare WordPress theme; root cause is improper authoriza...
CVE-2026-4094
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-lev...
CVE-2026-25431 WordPress Hustle plugin <= 7.8.10.1 - Broken Access Control vulnerability
Missing Authorization vulnerability in WPMU DEV Hustle allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hustle: through 7.8.10.1...
CVE-2026-39432 WordPress Timetics plugin <= 1.0.53 - Broken Access Control vulnerability
Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through 1.0.53...
EUVD-2026-24654
The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...
CVE-2026-40728
The CVE-2026-40728 entry documents a Missing Authorization vulnerability in the WordPress Magazine Blocks plugin (BlockArt magazine-blocks) affecting versions up to 1.8.3. The issue arises from incorrectly configured access control security levels, enabling exploitation due to insufficient author...
CVE-2026-40728 WordPress Magazine Blocks plugin <= 1.8.3 - Broken Access Control vulnerability
Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Magazine Blocks: from n/a through <= 1.8.3...
CVE-2026-39610
Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpXmas-Snow: from n/a through <= 1.1...
CVE-2026-39607 WordPress Filter Plus plugin <= 1.1.17 - Broken Access Control vulnerability
Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filter Plus: from n/a through <= 1.1.17...
CVE-2026-39585
The CVE-2026-39585 entry concerns the WordPress Booktics plugin, version range from unknown up to and including 1.0.16, described as a Missing Authorization vulnerability due to incorrectly configured access control. The vulnerability affects Booktics components (booktics) and is characterized by...
CVE-2026-39501
CVE-2026-39501 is a Broken Access Control vulnerability affecting WordPress FOX plugin (woocommerce-currency-switcher) versions <= 1.4.5. The root cause is Missing Authorization / incorrectly configured access control, allowing unauthorized access due to insufficient restrictions. Documents co...
CVE-2026-39504 WordPress InstaWP Connect plugin <= 0.1.2.5 - Broken Access Control vulnerability
Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects InstaWP Connect: from n/a through <= 0.1.2.5...
CVE-2026-39506 WordPress AI Engine (Pro) plugin < 3.4.2 - Broken Access Control vulnerability
Missing Authorization vulnerability in Jordy Meow AI Engine Pro ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Engine Pro: from n/a through 3.4.2...
CVE-2026-25460
CVE-2026-25460 affects Ave Core (Ave Core plugin) for WordPress, with a Missing Authorization flaw in ave-core that permits exploitation due to incorrectly configured access control/security levels in Ave Core versions up to 2.9.1. The connected documents confirm the vendor/product (Ave Core) and...
CVE-2026-24972 WordPress Elated Listing plugin <= 1.4 - Broken Access Control vulnerability
Missing Authorization vulnerability in Elated-Themes Elated Listing eltd-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elated Listing: from n/a through <= 1.4...
CVE-2026-32586
CVE-2026-32586 describes a Missing Authorization vulnerability in Booster for WooCommerce (WordPress plugin). Affected: Booster for WooCommerce versions prior to 7.11.3. Root cause: incorrectly configured access control/security levels allowing unauthorized actions. Impact: CVSS v3.1 base score 5...
EUVD-2026-11899
Missing Authorization vulnerability in linethemes Nanosoft nanosoft allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nanosoft: from n/a through 1.3.2...