CVE-2026-23683

SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality, integrity and availability are not impacted...

CVE-2026-24124

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints /api/v1/jobs lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with acce...

EUVD-2026-4258

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated but does not verify that the requester has...

CVE-2025-66138

Missing Authorization vulnerability in merkulove Motionger for Elementor motionger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Motionger for Elementor: from n/a through = 2.0.4...

GHSA-WM8H-26FV-MG7G phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)

Summary Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. Details SetupController.php uses userIsAuthenticated but does not verify that the requester has...

phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)

Summary Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. Details SetupController.php uses userIsAuthenticated but does not verify that the requester has...

CVE-2025-14947 All-in-One Video Gallery <= 4.6.4 - Missing Authorization to Unauthenticated Bunny Stream Video Creation/Deletion

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxcallbackcreatebunnystreamvideo, ajaxcallbackgetbunnystreamvideo, and ajaxcallbackdeletebunnystreamvideo functions in all versions up to, and including,...

CVE-2026-24619 WordPress PopCash.Net Code Integration Tool plugin <= 1.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in PopCash PopCash.Net Code Integration Tool popcashnet-code-integration-tool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PopCash.Net Code Integration Tool: from n/a through = 1.8...

CVE-2026-24619

CVE-2026-24619 : WordPress plugin PopCash Code Integration Tool (popcashnet-code-integration-tool) versions prior to 1.9 suffer Missing Authorization due to incorrectly configured access control. Public advisories (NVD/NVDRH/Red Hat) corroborate a medium impact with CVSS v3.1 base score 5.3 (Netw...

CVE-2026-24561

CVE-2026-24561: FluentBoards fluent-boards contains a Missing Authorization flaw (Broken Access Control) in versions up to 1.91.1. CVSS 3.1 base score 5.4 (Network, Low privileges, no user interaction). Wordfence/Red Hat/CVE listings indicate the issue is a broken access control vulnerability in ...

CVE-2026-24543 WordPress Materialis Companion plugin <= 1.3.52 - Broken Access Control vulnerability

Missing Authorization vulnerability in Horea Radu Materialis Companion materialis-companion allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Materialis Companion: from n/a through = 1.3.52...

CVE-2026-0927

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload...

CVE-2026-22472

Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Form Builder: from n/a through = 3.9.6...

CVE-2025-69193 WordPress WP Membership plugin <= 1.6.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Membership: from n/a through = 1.6.4...

CVE-2025-69191 WordPress ListingHub plugin <= 1.2.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingHub: from n/a through = 1.2.7...

CVE-2025-69187 WordPress Final User plugin <= 1.2.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in e-plugins Final User final-user allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Final User: from n/a through = 1.2.5...

CVE-2025-68003 WordPress Shown Connector plugin <= 1.2.10 - Settings Change vulnerability

Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shown Connector: from n/a through = 1.2.10...

CVE-2025-67956 WordPress User Registration plugin <= 4.4.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through = 4.4.6...

PT-2026-4229

Missing Authorization vulnerability in Proptech Plugin Apimo Connector apimo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Apimo Connector: from n/a through = 2.6.4...

CVE-2026-1036 Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.36 - Missing Authorization to Unauthenticated Arbitrary Comment Deletion

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deletecomment function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to...