| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allows the attacker to perform restricted actions such as switching the user's branch, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches. |
| Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250. |
| Subscriber Broken Access Control in bunny.net <= 2.3.6 versions. |
| Subscriber Broken Access Control in Bookify <= 1.1.1 versions. |
| Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions. |
| Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions. |
| Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions. |
| Subscriber Broken Access Control in Ultra Addons for WPForms <= 1.0.11 versions. |
| Unauthenticated Broken Access Control in Redsys for WooCommerce Light <= 7.0.0 versions. |
| Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions. |
| Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions. |
| Subscriber Broken Access Control in Amelia <= 2.2 versions. |
| Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions. |
| Unauthenticated Broken Access Control in Salon booking system <= 10.30.25 versions. |
| Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions. |
| Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions. |
| Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions. |
| The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax. |
| Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions. |
| Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions. |