Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14554 vulnerabilities reference this CWE, most recent first.

CVE-2026-12738 (GCVE-0-2026-12738)

Vulnerability from cvelistv5 – Published: 2026-07-11 05:35 – Updated: 2026-07-13 17:36
VLAI
Title
WP Easy Pay <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Status Modification via wpep_draft_confirm AJAX Action
Summary
The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to set the status of arbitrary posts and pages to 'draft', effectively unpublishing arbitrary site content.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
PRISM
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12738",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-13T17:35:57.846175Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T17:36:08.815Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP Easy Pay \u2013 Payment and Donation form Builder for Square",
          "vendor": "saadiqbal",
          "versions": [
            {
              "lessThanOrEqual": "4.5.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "PRISM"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Easy Pay \u2013 Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to set the status of arbitrary posts and pages to \u0027draft\u0027, effectively unpublishing arbitrary site content."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-11T05:35:46.200Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2121d9fa-bab4-489d-89bc-07a8660bc3d1?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-easy-pay/tags/4.5.0/wpep-setup.php#L1703"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-easy-pay/tags/4.5.0/wpep-setup.php#L1698"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-easy-pay/tags/4.5.0/wpep-setup.php#L31"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3593500%40wp-easy-pay\u0026new=3593500%40wp-easy-pay"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-10T16:56:12.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP Easy Pay \u003c= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Status Modification via wpep_draft_confirm AJAX Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12738",
    "datePublished": "2026-07-11T05:35:46.200Z",
    "dateReserved": "2026-06-19T16:37:04.989Z",
    "dateUpdated": "2026-07-13T17:36:08.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12729 (GCVE-0-2026-12729)

Vulnerability from cvelistv5 – Published: 2026-07-03 01:28 – Updated: 2026-07-06 16:36
VLAI
Title
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.3.0 - Missing Authorization to Authenticated (Subscriber+) Data Migration via wedocs_migrate_betterdocs_to_wedocs AJAX Action
Summary
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying 'docs' custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins().
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
PRISM
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12729",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-06T16:36:10.654062Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-06T16:36:20.191Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki \u0026 AI Chatbot",
          "vendor": "wedevs",
          "versions": [
            {
              "lessThanOrEqual": "2.3.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "PRISM"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki \u0026 AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying \u0027docs\u0027 custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins()."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T01:28:19.653Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/228d63a5-5053-4692-9801-4860325da153?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.3.0/includes/Admin/Migrate.php#L206"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.3.0/includes/Ajax.php#L39"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.3.0/includes/Admin/Migrate.php#L183"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.3.0/includes/Admin/Migrate.php#L56"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3589430%40wedocs\u0026new=3589430%40wedocs\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-19T16:14:11.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-02T11:59:24.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki \u0026 AI Chatbot \u003c= 2.3.0 - Missing Authorization to Authenticated (Subscriber+) Data Migration via wedocs_migrate_betterdocs_to_wedocs AJAX Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12729",
    "datePublished": "2026-07-03T01:28:19.653Z",
    "dateReserved": "2026-06-19T15:59:01.807Z",
    "dateUpdated": "2026-07-06T16:36:20.191Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12593 (GCVE-0-2026-12593)

Vulnerability from cvelistv5 – Published: 2026-07-09 12:29 – Updated: 2026-07-09 14:20
VLAI
Title
Privilege escalation via forged API token creation in Axivion Dashboard OIDC/OAuth2/SSO subsystem
Summary
The implementation of an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition for successful exploitation was a preexisting internal user (with more privileges than the attacker), the attacker knowing its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker would then have had to forge a token creation API request on behalf of the other user and could have authenticated and finalized the token creation with their own OAuth/OIDC credentials. In the worst case, this would mean an attacker could have become Dashboard Administrator and been able to perform all administrative actions if the preexisting internal user had administrative privileges. In combination with a separate weakness, this could have further led to code execution on the host system running the Dashboard with the privileges of the OS-User running the Dashboard server.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Qt Axivion Affected: 7.8.5 , ≤ 7.8.12 (custom)
Affected: 7.9.0 , < 7.9.13 (custom)
Affected: 7.10.0 , < 7.10.11 (custom)
Affected: 7.11.0 , < 7.11.7 (custom)
Affected: 7.12.0 , < 7.12.2 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12593",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T14:20:08.451329Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T14:20:19.757Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Dashboard OIDC/OAuth2/SSO subsystem"
          ],
          "product": "Axivion",
          "vendor": "Qt",
          "versions": [
            {
              "lessThanOrEqual": "7.8.12",
              "status": "affected",
              "version": "7.8.5",
              "versionType": "custom"
            },
            {
              "lessThan": "7.9.13",
              "status": "affected",
              "version": "7.9.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.10.11",
              "status": "affected",
              "version": "7.10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.11.7",
              "status": "affected",
              "version": "7.11.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.12.2",
              "status": "affected",
              "version": "7.12.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "7.8.12",
                  "versionStartIncluding": "7.8.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.9.13",
                  "versionStartIncluding": "7.9.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.10.11",
                  "versionStartIncluding": "7.10.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.11.7",
                  "versionStartIncluding": "7.11.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.12.2",
                  "versionStartIncluding": "7.12.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cp\u003eThe implementation of an internal\u0026nbsp;and\u0026nbsp;undocumented\u0026nbsp;Dashboard\u0026nbsp;API endpoint\u0026nbsp;(POST /api/users/~/{user}/tokens)\u0026nbsp;forgot\u0026nbsp;to ensure an HTTP\u0026nbsp;request for creating an\u0026nbsp;API\u0026nbsp;Token for another\u0026nbsp;user had sufficient permission to do so.\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003ePrecondition for successful exploitation was a preexisting internal user (with more privileges than the attacker),\u0026nbsp;the attacker knowing\u0026nbsp;its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker\u0026nbsp;would then have\u0026nbsp;had\u0026nbsp;to forge a token creation\u0026nbsp;API\u0026nbsp;request\u0026nbsp;on behalf of the\u0026nbsp;other user and could have authenticated\u0026nbsp;and\u0026nbsp;finalized\u0026nbsp;the token creation\u0026nbsp;with their own\u0026nbsp;OAuth/OIDC\u0026nbsp;credentials. In the worst case, this would mean an attacker could\u0026nbsp;have\u0026nbsp;become Dashboard Administrator\u0026nbsp;and\u0026nbsp;been\u0026nbsp;able to\u0026nbsp;perform\u0026nbsp;all\u0026nbsp;administrative actions\u0026nbsp;if the preexisting internal user had administrative\u0026nbsp;privileges.\u0026nbsp;In combination with a separate weakness,\u0026nbsp;this could have\u0026nbsp;further\u0026nbsp;led\u0026nbsp;to code execution on the\u0026nbsp;host\u0026nbsp;system running the Dashboard with the privileges of the OS-User running the Dashboard\u0026nbsp;server.\u003c/p\u003e\u003c/div\u003e"
            }
          ],
          "value": "The implementation of an internal\u00a0and\u00a0undocumented\u00a0Dashboard\u00a0API endpoint\u00a0(POST /api/users/~/{user}/tokens)\u00a0forgot\u00a0to ensure an HTTP\u00a0request for creating an\u00a0API\u00a0Token for another\u00a0user had sufficient permission to do so.\n\n\n\n\n\nPrecondition for successful exploitation was a preexisting internal user (with more privileges than the attacker),\u00a0the attacker knowing\u00a0its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker\u00a0would then have\u00a0had\u00a0to forge a token creation\u00a0API\u00a0request\u00a0on behalf of the\u00a0other user and could have authenticated\u00a0and\u00a0finalized\u00a0the token creation\u00a0with their own\u00a0OAuth/OIDC\u00a0credentials. In the worst case, this would mean an attacker could\u00a0have\u00a0become Dashboard Administrator\u00a0and\u00a0been\u00a0able to\u00a0perform\u00a0all\u00a0administrative actions\u00a0if the preexisting internal user had administrative\u00a0privileges.\u00a0In combination with a separate weakness,\u00a0this could have\u00a0further\u00a0led\u00a0to code execution on the\u00a0host\u00a0system running the Dashboard with the privileges of the OS-User running the Dashboard\u00a0server."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Authenticated Remote Privilege escalation. Any OIDC/OAuth authenticated user can become a Dashboard Administrator. By exploiting another weakness this can also lead to arbitrary code execution on the host-system running the Dashboard in the context of the OS-User used to run the Dashboard."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T12:29:47.260Z",
        "orgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
        "shortName": "TQtC"
      },
      "references": [
        {
          "name": "Qt Group Internal Vulnerability Ticket",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://wiki.qt.io/List_of_known_vulnerabilities_in_Qt_products#CVE-2026-12593"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpdate to one of the fixed releases: 7.9.13, 7.10.11, 7.11.7, or 7.12.2. There is no fixed release on the 7.8.x branch; deployments running 7.8.5-7.8.12 must migrate to one of the fixed releases.\u003c/p\u003e"
            }
          ],
          "value": "Update to one of the fixed releases: 7.9.13, 7.10.11, 7.11.7, or 7.12.2. There is no fixed release on the 7.8.x branch; deployments running 7.8.5-7.8.12 must migrate to one of the fixed releases."
        }
      ],
      "source": {
        "defectId": "BAUHAUS-30026",
        "discovery": "INTERNAL"
      },
      "title": "Privilege escalation via forged API token creation in Axivion Dashboard OIDC/OAuth2/SSO subsystem",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDisable the OIDC/OAuth2/SSO authentication feature or shut down the Dashboard server.\u003c/p\u003e"
            }
          ],
          "value": "Disable the OIDC/OAuth2/SSO authentication feature or shut down the Dashboard server."
        }
      ],
      "x_generator": {
        "engine": "Claude AI (Opus 4.8) - draft only, requires human validation before submission"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
    "assignerShortName": "TQtC",
    "cveId": "CVE-2026-12593",
    "datePublished": "2026-07-09T12:29:47.260Z",
    "dateReserved": "2026-06-18T09:26:17.599Z",
    "dateUpdated": "2026-07-09T14:20:19.757Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12557 (GCVE-0-2026-12557)

Vulnerability from cvelistv5 – Published: 2026-07-03 04:30 – Updated: 2026-07-06 16:32
VLAI
Title
Ninja Forms - File Uploads <= 3.3.29 - Missing Authorization to Unauthenticated Log Disclosure and Deletion via debug-log/delete-all and debug-log/get-all REST Endpoints
Summary
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.3.29. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read all plugin debug log entries stored in the wp_nf3_log table or permanently delete all rows from that table.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
SaturdayDrive Ninja Forms - File Uploads Affected: 0 , ≤ 3.3.29 (semver)
Create a notification for this product.
Credits
Ad4m5
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12557",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-06T16:32:33.689655Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-06T16:32:44.790Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Ninja Forms - File Uploads",
          "vendor": "SaturdayDrive",
          "versions": [
            {
              "lessThanOrEqual": "3.3.29",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ad4m5"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Ninja Forms - File Uploads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.3.29. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read all plugin debug log entries stored in the wp_nf3_log table or permanently delete all rows from that table."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T04:30:16.018Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a54f8cc-cadb-4496-bcc4-ef8387b72300?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ninja-forms-uploads/trunk/includes/Common/Routes/DebugLog.php#L88"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-17T20:18:43.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-02T16:04:30.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Ninja Forms - File Uploads \u003c= 3.3.29 - Missing Authorization to Unauthenticated Log Disclosure and Deletion via debug-log/delete-all and debug-log/get-all REST Endpoints"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12557",
    "datePublished": "2026-07-03T04:30:16.018Z",
    "dateReserved": "2026-06-17T20:03:34.649Z",
    "dateUpdated": "2026-07-06T16:32:44.790Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12515 (GCVE-0-2026-12515)

Vulnerability from cvelistv5 – Published: 2026-06-17 15:34 – Updated: 2026-06-26 23:05
VLAI
Title
Katello: missing repository authorization in content_uploads exposes cross-product content existence
Summary
A flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
Create a notification for this product.
Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
Create a notification for this product.
Date Public
2026-06-17 15:27
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12515",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T15:25:59.268222Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T15:26:22.574Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:hummingbird:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "ctags",
          "product": "Red Hat Hardened Images",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:satellite:6"
          ],
          "defaultStatus": "affected",
          "packageName": "rubygem-katello",
          "product": "Red Hat Satellite 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:satellite:6"
          ],
          "defaultStatus": "affected",
          "packageName": "satellite:el8/rubygem-katello",
          "product": "Red Hat Satellite 6",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2026-06-17T15:27:46.078Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Katello\u0027s of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T23:05:32.585Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-12515"
        },
        {
          "name": "RHBZ#2489812",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489812"
        },
        {
          "url": "https://github.com/Katello/katello/pull/11712"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-17T11:37:24.783Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-06-17T15:27:46.078Z",
          "value": "Made public."
        }
      ],
      "title": "Katello: missing repository authorization in content_uploads exposes cross-product content existence",
      "workarounds": [
        {
          "lang": "en",
          "value": "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security\u0027s standards for usability, deployment, applicability, or stability. Customers are advised to apply the relevant security updates if they become available."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-862: Missing Authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-12515",
    "datePublished": "2026-06-17T15:34:00.815Z",
    "dateReserved": "2026-06-17T12:39:00.644Z",
    "dateUpdated": "2026-06-26T23:05:32.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12472 (GCVE-0-2026-12472)

Vulnerability from cvelistv5 – Published: 2026-07-02 08:33 – Updated: 2026-07-02 14:52
VLAI
Title
Kirki <= 6.0.11 - Missing Authorization to Unauthenticated Arbitrary Email Content Injection (Mail Relay / Phishing) via 'emailBody' and 'emailSubject' Parameters
Summary
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.11. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to send arbitrary HTML-injected emails — including phishing messages embedding a real, valid WordPress password-reset URL for the targeted user — to any registered user via the site's own mail server, abusing its SPF/DKIM reputation. The attacker-controlled emailSubject parameter is passed to wp_mail() with only sanitize_text_field() applied, while emailBody 'text' items are concatenated raw into the HTML email body with no escaping, and 'chip' items can include the genuine WordPress password-reset link for the targeted account.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
Niv Kochan Matan Bahar
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12472",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T14:52:34.777628Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T14:52:43.310Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Kirki \u2013 Freeform Page Builder, Website Builder \u0026 Customizer",
          "vendor": "themeum",
          "versions": [
            {
              "lessThanOrEqual": "6.0.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Niv Kochan"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Matan Bahar"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Kirki \u2013 Freeform Page Builder, Website Builder \u0026 Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.11. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to send arbitrary HTML-injected emails \u2014 including phishing messages embedding a real, valid WordPress password-reset URL for the targeted user \u2014 to any registered user via the site\u0027s own mail server, abusing its SPF/DKIM reputation. The attacker-controlled emailSubject parameter is passed to wp_mail() with only sanitize_text_field() applied, while emailBody \u0027text\u0027 items are concatenated raw into the HTML email body with no escaping, and \u0027chip\u0027 items can include the genuine WordPress password-reset link for the targeted account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-02T08:33:07.265Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af01964f-018d-4d19-8627-8889877db105?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.9/ComponentLibrary/controller/CompLibFormHandler.php#L342"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.9/ComponentLibrary/controller/CompLibFormHandler.php#L441"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.9/ComponentLibrary/controller/CompLibFormHandler.php#L49"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.9/ComponentLibrary/controller/ElementGenerator.php#L219"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3584702%40kirki\u0026new=3584702%40kirki\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-16T20:31:53.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-01T19:59:21.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Kirki \u003c= 6.0.11 - Missing Authorization to Unauthenticated Arbitrary Email Content Injection (Mail Relay / Phishing) via \u0027emailBody\u0027 and \u0027emailSubject\u0027 Parameters"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12472",
    "datePublished": "2026-07-02T08:33:07.265Z",
    "dateReserved": "2026-06-16T20:16:45.315Z",
    "dateUpdated": "2026-07-02T14:52:43.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12471 (GCVE-0-2026-12471)

Vulnerability from cvelistv5 – Published: 2026-06-27 06:50 – Updated: 2026-06-29 14:54
VLAI
Title
Spexo <= 2.0.11 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Activation
Summary
The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of plugins.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
templatescoderthemes Spexo Affected: 0 , ≤ 2.0.11 (semver)
Create a notification for this product.
Credits
adhikara13
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12471",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T14:48:18.110119Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T14:54:13.727Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spexo",
          "vendor": "templatescoderthemes",
          "versions": [
            {
              "lessThanOrEqual": "2.0.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "adhikara13"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of plugins."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T06:50:57.927Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ddf6da6-ec71-4206-8798-2c0c751b3209?source=cve"
        },
        {
          "url": "https://themes.trac.wordpress.org/browser/spexo/2.0.6/inc/activation/class-welcome-notice.php"
        },
        {
          "url": "https://themes.trac.wordpress.org/browser/spexo/2.0.11/inc/activation/class-welcome-notice.php#L304"
        },
        {
          "url": "https://themes.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=334799%40spexo\u0026new=334799%40spexo\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-16T20:14:01.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-26T17:49:02.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Spexo \u003c= 2.0.11 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Activation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12471",
    "datePublished": "2026-06-27T06:50:57.927Z",
    "dateReserved": "2026-06-16T19:58:43.286Z",
    "dateUpdated": "2026-06-29T14:54:13.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12435 (GCVE-0-2026-12435)

Vulnerability from cvelistv5 – Published: 2026-07-01 07:53 – Updated: 2026-07-01 10:32
VLAI
Title
Motors <= 1.4.111 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Modification via 'stm_mark_as_sold_car' Parameter
Summary
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark or unmark any other user's car listing as sold by replaying a valid nonce harvested from their own listing against an arbitrary victim post ID, triggering a site-wide 'Sold' badge on the victim's listing and silently stripping its special_car featured post meta as a side effect. Exploitation requires the attacker to hold an active listing of their own (obtainable by a Subscriber via the plugin's add-listing form) in order to harvest a valid nonce for the 'stm_mark_as_sold_car' action, which can then be replayed against any other listing's post ID.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
Michael Perla (vizen5)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12435",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T10:26:32.849866Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T10:32:04.521Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Motors \u2013 Car Dealership \u0026 Classified Listings Plugin",
          "vendor": "stylemix",
          "versions": [
            {
              "lessThanOrEqual": "1.4.111",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Michael Perla (vizen5)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Motors \u2013 Car Dealership \u0026 Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark or unmark any other user\u0027s car listing as sold by replaying a valid nonce harvested from their own listing against an arbitrary victim post ID, triggering a site-wide \u0027Sold\u0027 badge on the victim\u0027s listing and silently stripping its special_car featured post meta as a side effect. Exploitation requires the attacker to hold an active listing of their own (obtainable by a Subscriber via the plugin\u0027s add-listing form) in order to harvest a valid nonce for the \u0027stm_mark_as_sold_car\u0027 action, which can then be replayed against any other listing\u0027s post ID."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T07:53:36.717Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5238c344-d685-4eab-822c-d3c1050cc982?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.110/includes/vehicle_functions.php#L2402"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.110/includes/vehicle_functions.php#L2400"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.110/templates/listing-cars/listing-list-owner-actions.php#L74"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.108/includes/vehicle_functions.php#L2402"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.108/includes/vehicle_functions.php#L2400"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.108/templates/listing-cars/listing-list-owner-actions.php#L74"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3577332%40motors-car-dealership-classified-listings\u0026new=3577332%40motors-car-dealership-classified-listings\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-16T18:49:13.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-30T19:04:55.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Motors \u003c= 1.4.111 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Modification via \u0027stm_mark_as_sold_car\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12435",
    "datePublished": "2026-07-01T07:53:36.717Z",
    "dateReserved": "2026-06-16T18:34:03.436Z",
    "dateUpdated": "2026-07-01T10:32:04.521Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12432 (GCVE-0-2026-12432)

Vulnerability from cvelistv5 – Published: 2026-06-27 06:50 – Updated: 2026-06-29 13:50
VLAI
Title
Stripe Payment Forms by WP Full Pay <= 8.4.3 - Missing Authorization to Unauthenticated Payment Record Manipulation via 'paymentIntentId' Parameter
Summary
The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Credits
Netwurm
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12432",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T13:50:40.970266Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T13:50:52.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Stripe Payment Forms by WP Full Pay \u2013 Accept Credit Card Payments, Donations \u0026 Subscriptions",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "8.4.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Netwurm"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this-\u003edb-\u003eupdatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site\u0027s database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T06:50:59.039Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5811d13-0c5d-4a10-86a1-6318cc2e7663?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php#L3865"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php#L706"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php#L3840"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-database.php#L2652"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-customer.php#L3865"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-customer.php#L706"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-customer.php#L3840"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-database.php#L2652"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3584355%40wp-full-stripe-free\u0026new=3584355%40wp-full-stripe-free\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-16T18:27:19.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-26T18:04:03.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Stripe Payment Forms by WP Full Pay \u003c= 8.4.3 - Missing Authorization to Unauthenticated Payment Record Manipulation via \u0027paymentIntentId\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12432",
    "datePublished": "2026-06-27T06:50:59.039Z",
    "dateReserved": "2026-06-16T18:12:09.808Z",
    "dateUpdated": "2026-06-29T13:50:52.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12428 (GCVE-0-2026-12428)

Vulnerability from cvelistv5 – Published: 2026-07-09 09:31 – Updated: 2026-07-09 14:39
VLAI
Title
Blocks for ACF Fields <= 1.6.2 - Missing Authorization to Authenticated (Author+) Arbitrary ACF Field Value Disclosure via 'id' Parameter
Summary
The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_all_values() function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permission_callback only verifies the generic publish_posts capability and the handler passes a user-supplied id parameter directly to get_field_objects() without verifying that the requesting user is authorized to read the target object. This makes it possible for authenticated attackers, with Author-level access and above, to read ACF field values from arbitrary posts (including private posts, drafts, posts by other users, and other ACF-supported objects) that they should not have access to.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
thinnawarth mathuros
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12428",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T13:16:17.161421Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T14:39:22.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Blocks for ACF Fields \u2014 Display Custom Fields in the Block Editor",
          "vendor": "gamaup",
          "versions": [
            {
              "lessThanOrEqual": "1.6.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "thinnawarth mathuros"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_all_values() function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permission_callback only verifies the generic publish_posts capability and the handler passes a user-supplied id parameter directly to get_field_objects() without verifying that the requesting user is authorized to read the target object. This makes it possible for authenticated attackers, with Author-level access and above, to read ACF field values from arbitrary posts (including private posts, drafts, posts by other users, and other ACF-supported objects) that they should not have access to."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T09:31:23.347Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc48f75d-a2e8-49ea-9bfa-a27a61ff8a84?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/acf-field-blocks/tags/1.6.0/inc/class-rest.php#L302"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/acf-field-blocks/tags/1.6.0/inc/class-rest.php#L100"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/acf-field-blocks/tags/1.6.0/inc/class-rest.php#L296"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/acf-field-blocks/tags/1.5.0/inc/class-rest.php#L302"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/acf-field-blocks/tags/1.5.0/inc/class-rest.php#L100"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/acf-field-blocks/tags/1.5.0/inc/class-rest.php#L296"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3587876%40acf-field-blocks\u0026new=3587876%40acf-field-blocks"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-08T20:36:42.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Blocks for ACF Fields \u003c= 1.6.2 - Missing Authorization to Authenticated (Author+) Arbitrary ACF Field Value Disclosure via \u0027id\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12428",
    "datePublished": "2026-07-09T09:31:23.347Z",
    "dateReserved": "2026-06-16T17:09:56.538Z",
    "dateUpdated": "2026-07-09T14:39:22.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.