13 matches found

Veracode
added 2026/03/26 10:18 a.m. · 3 views

Improper Access Control

mautic/core is vulnerable to Improper Access Control. The vulnerability is due to missing enforcement of update settings restrictions, which allows a low-privileged user to install or remove arbitrary packages and execute malicious code for privilege escalation...

CVSS 9 · AI score 6.1 · EPSS 0.00063
Exploits 0 · References 2 · Affected Software 1
Vulnrichment
added 2025/12/02 4:54 p.m. · 2 views

CVE-2025-13828 Mautic user without privileged access to the Marketplace can install and uninstall composer packages

Summary: A non-privileged user can install and remove arbitrary packages via Composer on a Composer-based install, even if the "enable composer based update" flag in update settings is unticked. Impact: A low-privileged user of the platform can install malicious code to obtain higher privileges...

CVSS 9 · AI score 6.9 · EPSS 0.00063
Exploits 0 · References 1
Positive Technologies
added 2025/11/04 12:00 a.m. · 4 views

PT-2025-44950

The Import Export For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update setting function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access...

CVSS 4.3 · AI score 5.1 · EPSS 0.00038
Exploits 0 · References 3
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2017-9700

Malware in sbrugna...

CVSS 7.5 · AI score 7.6 · EPSS 0.00213
Exploits 0 · References 2
CVE
added 2024/06/06 6:55 p.m. · 51 views

CVE-2024-2359

The CVE concerns parisneo/lollms-webui v9.3. An OS command injection stems from improper neutralization, enabling remote code execution. Affected component: the host/config handling in the runtime; attacker-controlled host via the /update_setting endpoint bypasses the intended protection on /exec...

CVSS 9.8 · AI score 10 · EPSS 0.00148
Exploits 1 · References 1 · Affected Software 1
Positive Technologies
added 2024/06/06 12:00 a.m. · 2 views

PT-2024-19951 · Unknown · Parisneo/Lollms-Webui

Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui version 9.3 Description: The issue arises from the application's handling of the "/execute code" endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the "/update...

CVSS 9.8 · AI score 9.7 · EPSS 0.00148
Exploits 1 · References 6
CNNVD
added 2024/02/26 12:00 a.m. · 1 views

flusity CMS Security Vulnerability

flusity CMS is a user-interactive interface solution in which code can be easily changed or added. A security vulnerability exists in flusity CMS version 2.33, which stems from unrestricted upload of files of a dangerous type being allowed in updatesetting.php...

CVSS 6.5 · AI score 7.2 · EPSS 0.00424
Exploits 1 · References 2
OSV
added 2021/11/17 3:45 p.m. · 2 views

DRUPAL-CONTRIB-2021-044

This module enables users to authenticate through their Microsoft Azure AD account. The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead to a user being able to hijack another existing account. This...

AI score 6.2
Exploits 0 · References 1
Prion
added 2019/08/22 2:15 p.m. · 13 views

Design/Logic Flaw

The post-pay-counter plugin before 2.731 for WordPress has no permissions check for an update-settinga action...

CVSS 5 · AI score 7.7 · EPSS 0.00213
Exploits 0 · References 1 · Affected Software 1
CVE
added 2019/08/22 1:43 p.m. · 47 views

CVE-2017-18584

CVE-2017-18584 : The WordPress plugin “post-pay-counter” prior to version 2.731 exposes an update-settinga action without a permissions check, enabling unauthorized usage. Root cause: missing access control in the plugin’s update-settinga workflow. Impact: as described in multiple sources, this c...

CVSS 7.5 · AI score 7.6 · EPSS 0.00213
Exploits 0 · References 1 · Affected Software 1
NVD
added 2013/01/24 1:55 a.m. · 12 views

CVE-2012-6511

Multiple cross-site scripting (XSS) vulnerabilities in organizer/page/users.php in the Organizer plugin 1.2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) deleteid parameter or (2) extension parameter in an "Update Setting" action to wp-admin/admin.php...

CVSS 4.3 · AI score 5.9 · EPSS 0.00318
Exploits 1 · References 4
Prion
added 2013/01/24 1:55 a.m. · 15 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in organizer/page/users.php in the Organizer plugin 1.2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) deleteid parameter or (2) extension parameter in an "Update Setting" action to wp-admin/admin.php...

CVSS 4.3 · AI score 6.2 · EPSS 0.00318
Exploits 1 · References 4 · Affected Software 1
Cvelist
added 2013/01/24 1:00 a.m. · 14 views

CVE-2012-6511

Multiple cross-site scripting (XSS) vulnerabilities in organizer/page/users.php in the Organizer plugin 1.2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) deleteid parameter or (2) extension parameter in an "Update Setting" action to wp-admin/admin.php...

AI score 5.9 · EPSS 0.00318
Exploits 1 · References 4
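The WordPress entries in this result set (post-pay-counter before 2.731, Import Export For WooCommerce up to 1.6.2, and the Organizer plugin's "Update Setting" action) are one class of bug: a settings handler reachable by any logged-in user with no capability check, and in the Organizer case reflecting its request parameters unescaped. The following is an added example, not code from any of the listed plugins or from this page, showing that pattern in a minimal admin-ajax handler next to its hardened form. It assumes it is loaded inside WordPress (it calls core functions such as current_user_can(), check_ajax_referer() and update_option()); the action names, the option name example_plugin_settings, the nonce action example_update_setting and the setting keys are hypothetical.

```php
<?php
/**
 * Added example, not taken from any plugin in the listing above.
 * Assumes WordPress core is loaded; option name, action names and
 * setting keys are hypothetical.
 */

// --- Vulnerable pattern (the post-pay-counter / Import Export For WooCommerce class of bug) ---
// wp_ajax_* hooks fire for ANY authenticated user, Subscribers included.
// No capability check, no nonce, raw input stored, raw input echoed back.
add_action( 'wp_ajax_example_update_setting_vuln', function () {
    $settings = get_option( 'example_plugin_settings', array() );
    $settings[ $_POST['key'] ] = $_POST['value'];   // any logged-in user can write any key
    update_option( 'example_plugin_settings', $settings );
    echo 'Saved ' . $_POST['key'];                  // reflected unescaped: the Organizer-style XSS
    wp_die();
} );

// --- Hardened pattern ---
add_action( 'wp_ajax_example_update_setting', 'example_update_setting' );

function example_update_setting() {
    // 1. Authorization: a UI that hides the form is not access control;
    //    the server must check the capability on every request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. CSRF: nonce bound to this action and the current user (dies on failure).
    check_ajax_referer( 'example_update_setting', 'nonce' );

    // 3. Input validation: only allow-listed keys, values sanitized per type.
    $allowed_keys = array( 'per_page', 'notify_email' );
    $key = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';
    if ( ! in_array( $key, $allowed_keys, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown setting' ), 400 );
    }

    $raw = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    if ( 'notify_email' === $key ) {
        $value = sanitize_email( $raw );
        if ( ! is_email( $value ) ) {
            wp_send_json_error( array( 'message' => 'Invalid e-mail address' ), 400 );
        }
    } else {
        $value = absint( $raw );
        if ( $value < 1 || $value > 500 ) {
            wp_send_json_error( array( 'message' => 'per_page out of range' ), 400 );
        }
    }

    $settings         = get_option( 'example_plugin_settings', array() );
    $settings[ $key ] = $value;
    update_option( 'example_plugin_settings', $settings );

    // 4. Output encoding for anything echoed back to the browser.
    wp_send_json_success( array( 'message' => sprintf( 'Saved %s', esc_html( $key ) ) ) );
}

// The settings page must emit the matching nonce field for the hardened handler.
function example_settings_nonce_field() {
    wp_nonce_field( 'example_update_setting', 'nonce' );
}
```

The same rule covers the Mautic entries at the top of the list: a flag in the update settings that is only consulted by the UI does not stop a request to the marketplace endpoint, so the server-side handler has to read the flag and the caller's permissions itself before invoking Composer.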