CVE-2026-24546

Missing Authorization vulnerability in Ruben Garcia GamiPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GamiPress: from n/a through 7.6.3...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the /mlflow-artifacts/mpu/ endpoints in --serve-artifacts mode. An attacker can gain unauthorized access to and overwrite artifacts belonging to other users by manipulating artifactpath and pathfilename argument...

WordPress Kirki – Freeform Page Builder, Website Builder & Customizer plugin <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure vulnerability

Missing Authorization to Authenticated Subscriber+ Sensitive Form Submission Data Exposure vulnerability discovered by Z3no in WordPress Plugin Kirki – Freeform Page Builder, Website Builder & Customizer versions = 6.0.6...

PT-2026-43137

Name of the Vulnerable Software and Affected Versions Autoship Cloud for WooCommerce Subscription Products versions prior to 2.14.1 Description A missing authorization issue exists in the Autoship Cloud for WooCommerce Subscription Products plugin, which allows for the exploitation of incorrectly...

PT-2026-43139

Name of the Vulnerable Software and Affected Versions B2BKing versions prior to 5.2.10 Description A missing authorization issue allows for the exploitation of incorrectly configured access control security levels. This is a broken access control flaw where the system fails to properly verify if ...

PT-2026-43156

Name of the Vulnerable Software and Affected Versions Sunshine Photo Cart versions prior to 3.6.8 Description A missing authorization issue in the WP Sunshine Sunshine Photo Cart plugin allows for the exploitation of incorrectly configured access control security levels. This is a broken access...

PT-2026-43154

Name of the Vulnerable Software and Affected Versions SePay Gateway versions prior to 1.1.21 Description A missing authorization issue in the SePay Gateway allows for the retrieval of embedded sensitive data. Recommendations Update to a version later than 1.1.20...

PT-2026-43140

Name of the Vulnerable Software and Affected Versions WP Search Analytics versions prior to 1.5.0 Description A missing authorization issue in the plugin allows for the exploitation of incorrectly configured access control security levels, resulting in broken access control. Recommendations Updat...

PT-2026-43135

Missing Authorization vulnerability in Lucian Apostol Auto Affiliate Links allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Auto Affiliate Links: from n/a through 6.8.8.3...

PT-2026-43145

Name of the Vulnerable Software and Affected Versions MyCryptoCheckout versions prior to 2.162 Description A missing authorization issue in the MyCryptoCheckout plugin allows for the exploitation of incorrectly configured access control security levels, resulting in broken access control...

PT-2026-43133

Missing Authorization vulnerability in WPPOOL FlexTable allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FlexTable: from n/a through 3.24.0...

PT-2026-43141

Name of the Vulnerable Software and Affected Versions WP Chill RSVP and Event Management versions prior to 2.7.17 Description A missing authorization issue exists due to incorrectly configured access control security levels, which allows for broken access control. Recommendations Update to a...

PT-2026-43134

Name of the Vulnerable Software and Affected Versions Newses versions prior to 2.0.0.78 Description A missing authorization issue allows for the exploitation of incorrectly configured access control security levels. Recommendations Update to a version newer than 2.0.0.77...

CVE-2026-9350

A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function checkallcommandguards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit is publicly...

CVE-2026-9350 NousResearch hermes-agent Batch Runner approval.py check_all_command_guards authorization

A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function checkallcommandguards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit is publicly...

CVE-2026-6419

The WishList Member plugin for WordPress is vulnerable to Privilege Escalation via Missing Authorization in versions up to and including 3.30.1. This is due to the missing capability and nonce check in the ajaxgetscreen function. This makes it possible for authenticated attackers, with...

CVE-2026-6895

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'exportsettings' function. This function returns the RES...

CVE-2026-6419 Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation via 'wlm3_get_screen' AJAX action

The WishList Member plugin for WordPress is vulnerable to Privilege Escalation via Missing Authorization in versions up to and including 3.30.1. This is due to the missing capability and nonce check in the ajaxgetscreen function. This makes it possible for authenticated attackers, with...

CVE-2026-6419

Vulnerability summary (CVE-2026-6419) : The WishList Member WordPress plugin is affected on versions up to 3.30.1 by a missing authorization check in ajax_get_screen(), allowing authenticated users with Subscriber-level access or higher to pass an admin screen via data[url] and load the administr...

EUVD-2026-31527

The WishList Member plugin for WordPress is vulnerable to Privilege Escalation via Missing Authorization in versions up to and including 3.30.1. This is due to the missing capability and nonce check in the ajaxgetscreen function. This makes it possible for authenticated attackers, with...