Common Weakness Enumeration

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2025-24600 (GCVE-0-2025-24600)

Vulnerability from cvelistv5 – Published: 2025-01-27 14:22 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress RSVPMaker plugin <= 11.4.5 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in davidfcarr RSVPMarker rsvpmaker.This issue affects RSVPMarker : from n/a through <= 11.4.5.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
davidfcarr RSVPMarker Affected: 0 , ≤ 11.4.5 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:34
Credits
Mika | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24600",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-27T15:01:41.251467Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:01:11.968Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "rsvpmaker",
          "product": "RSVPMarker",
          "vendor": "davidfcarr",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.4.6",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "11.4.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mika | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:01.444Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in davidfcarr RSVPMarker  rsvpmaker.\u003cp\u003eThis issue affects RSVPMarker : from n/a through \u003c= 11.4.5.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in davidfcarr RSVPMarker  rsvpmaker.This issue affects RSVPMarker : from n/a through \u003c= 11.4.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:11:29.487Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/rsvpmaker/vulnerability/wordpress-rsvpmaker-plugin-11-4-5-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress RSVPMaker plugin \u003c= 11.4.5 - Broken Access Control vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24600",
    "datePublished": "2025-01-27T14:22:15.699Z",
    "dateReserved": "2025-01-23T14:50:57.839Z",
    "dateUpdated": "2026-04-28T16:11:29.487Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24603 (GCVE-0-2025-24603)

Vulnerability from cvelistv5 – Published: 2025-01-27 14:22 – Updated: 2026-05-11 23:19
VLAI
Title
WordPress Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce plugin <= 3.4.10 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Dmitry V. (CEO of "UKR Solution") Print Barcode Labels for your WooCommerce products/orders a4-barcode-generator.This issue affects Print Barcode Labels for your WooCommerce products/orders: from n/a through <= 3.4.10.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Date Public
2026-04-01 16:34
Credits
Trương Hữu Phúc (truonghuuphuc) | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24603",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-27T15:01:24.525705Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T23:19:33.334Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "a4-barcode-generator",
          "product": "Print Barcode Labels for your WooCommerce products/orders",
          "vendor": "Dmitry V. (CEO of \"UKR Solution\")",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.4.11",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.4.10",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:01.786Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Dmitry V. (CEO of \"UKR Solution\") Print Barcode Labels for your WooCommerce products/orders a4-barcode-generator.\u003cp\u003eThis issue affects Print Barcode Labels for your WooCommerce products/orders: from n/a through \u003c= 3.4.10.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Dmitry V. (CEO of \"UKR Solution\") Print Barcode Labels for your WooCommerce products/orders a4-barcode-generator.This issue affects Print Barcode Labels for your WooCommerce products/orders: from n/a through \u003c= 3.4.10."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:11:29.628Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/a4-barcode-generator/vulnerability/wordpress-print-labels-with-barcodes-create-price-tags-product-labels-order-labels-for-woocommerce-plugin-3-4-10-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce plugin \u003c= 3.4.10 - Broken Access Control vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24603",
    "datePublished": "2025-01-27T14:22:15.870Z",
    "dateReserved": "2025-01-23T14:51:10.027Z",
    "dateUpdated": "2026-05-11T23:19:33.334Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24604 (GCVE-0-2025-24604)

Vulnerability from cvelistv5 – Published: 2025-01-24 17:24 – Updated: 2026-05-11 23:17
VLAI
Title
WordPress VForm plugin <= 3.0.5 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Vikas Ratudi VPSUForm v-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VPSUForm: from n/a through <= 3.0.5.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Vikas Ratudi VPSUForm Affected: 0 , ≤ 3.0.5 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:34
Credits
Mika | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24604",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T18:47:21.413156Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T23:17:11.352Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "v-form",
          "product": "VPSUForm",
          "vendor": "Vikas Ratudi",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.0.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.0.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mika | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:01.336Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Vikas Ratudi VPSUForm v-form allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects VPSUForm: from n/a through \u003c= 3.0.5.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Vikas Ratudi VPSUForm v-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VPSUForm: from n/a through \u003c= 3.0.5."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:11:29.655Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/v-form/vulnerability/wordpress-lifetime-free-drag-drop-contact-form-builder-for-wordpress-vform-plugin-3-0-5-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress VForm plugin \u003c= 3.0.5 - Broken Access Control vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24604",
    "datePublished": "2025-01-24T17:24:30.154Z",
    "dateReserved": "2025-01-23T14:51:10.027Z",
    "dateUpdated": "2026-05-11T23:17:11.352Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24606 (GCVE-0-2025-24606)

Vulnerability from cvelistv5 – Published: 2025-01-27 14:22 – Updated: 2026-04-29 09:51
VLAI
Title
WordPress Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress plugin <=20.8.1 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
BoldGrid Client Invoicing by Sprout Invoices Affected: 0 , ≤ 20.8.1 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:34
Credits
Trương Hữu Phúc (truonghuuphuc) | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24606",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-27T15:00:56.737460Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:41:34.847Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "sprout-invoices",
          "product": "Client Invoicing by Sprout Invoices",
          "vendor": "BoldGrid",
          "versions": [
            {
              "changes": [
                {
                  "at": "20.8.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "20.8.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:02.887Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Client Invoicing by Sprout Invoices: from n/a through \u003c= 20.8.1.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through \u003c= 20.8.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T09:51:54.235Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/sprout-invoices/vulnerability/wordpress-client-invoicing-by-sprout-invoices-easy-estimates-and-invoices-for-wordpress-plugin-20-8-1-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Client Invoicing by Sprout Invoices \u2013 Easy Estimates and Invoices for WordPress plugin \u003c=20.8.1 - Broken Access Control vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24606",
    "datePublished": "2025-01-27T14:22:16.064Z",
    "dateReserved": "2025-01-23T14:51:10.027Z",
    "dateUpdated": "2026-04-29T09:51:54.235Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24607 (GCVE-0-2025-24607)

Vulnerability from cvelistv5 – Published: 2025-02-14 12:44 – Updated: 2026-04-29 09:51
VLAI
Title
WordPress IdeaPush plugin <= 8.71 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Northern Beaches Websites IdeaPush ideapush allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IdeaPush: from n/a through <= 8.71.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Northern Beaches Websites IdeaPush Affected: 0 , ≤ 8.71 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:34
Credits
Trương Hữu Phúc (truonghuuphuc) | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24607",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-14T14:30:38.198802Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-14T14:30:56.859Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "ideapush",
          "product": "IdeaPush",
          "vendor": "Northern Beaches Websites",
          "versions": [
            {
              "changes": [
                {
                  "at": "8.73",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "8.71",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:02.481Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Northern Beaches Websites IdeaPush ideapush allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects IdeaPush: from n/a through \u003c= 8.71.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Northern Beaches Websites IdeaPush ideapush allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IdeaPush: from n/a through \u003c= 8.71."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T09:51:54.186Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/ideapush/vulnerability/wordpress-ideapush-plugin-8-71-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress IdeaPush plugin \u003c= 8.71 - Broken Access Control vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24607",
    "datePublished": "2025-02-14T12:44:34.766Z",
    "dateReserved": "2025-01-23T14:51:10.027Z",
    "dateUpdated": "2026-04-29T09:51:54.186Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24613 (GCVE-0-2025-24613)

Vulnerability from cvelistv5 – Published: 2025-01-24 17:24 – Updated: 2026-05-12 23:49
VLAI
Title
WordPress FV Thoughtful Comments plugin <= 0.3.5 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in FolioVision FV Thoughtful Comments thoughtful-comments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FV Thoughtful Comments: from n/a through <= 0.3.5.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
FolioVision FV Thoughtful Comments Affected: 0 , ≤ 0.3.5 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:34
Credits
Mika | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24613",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T18:46:57.815439Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T23:49:37.573Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "thoughtful-comments",
          "product": "FV Thoughtful Comments",
          "vendor": "FolioVision",
          "versions": [
            {
              "changes": [
                {
                  "at": "0.3.6",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "0.3.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mika | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:03.542Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in FolioVision FV Thoughtful Comments thoughtful-comments allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects FV Thoughtful Comments: from n/a through \u003c= 0.3.5.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in FolioVision FV Thoughtful Comments thoughtful-comments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FV Thoughtful Comments: from n/a through \u003c= 0.3.5."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:11:30.096Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/thoughtful-comments/vulnerability/wordpress-fv-thoughtful-comments-plugin-0-3-5-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress FV Thoughtful Comments plugin \u003c= 0.3.5 - Broken Access Control vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24613",
    "datePublished": "2025-01-24T17:24:37.249Z",
    "dateReserved": "2025-01-23T14:51:18.435Z",
    "dateUpdated": "2026-05-12T23:49:37.573Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24618 (GCVE-0-2025-24618)

Vulnerability from cvelistv5 – Published: 2025-01-24 17:24 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress ElementInvader Addons for Elementor Plugin <= 1.3.1 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.3.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Date Public
2026-04-01 16:34
Credits
Nirmal Kavaiya | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24618",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T18:47:11.766602Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-24T18:59:22.298Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "elementinvader-addons-for-elementor",
          "product": "ElementInvader Addons for Elementor",
          "vendor": "Element Invader",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.3.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.3.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nirmal Kavaiya | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:04.064Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects ElementInvader Addons for Elementor: from n/a through \u003c= 1.3.1.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ElementInvader Addons for Elementor: from n/a through \u003c= 1.3.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:11:30.421Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/elementinvader-addons-for-elementor/vulnerability/wordpress-elementinvader-addons-for-elementor-plugin-1-3-1-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress ElementInvader Addons for Elementor Plugin \u003c= 1.3.1 - Broken Access Control vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24618",
    "datePublished": "2025-01-24T17:24:35.505Z",
    "dateReserved": "2025-01-23T14:51:18.436Z",
    "dateUpdated": "2026-04-28T16:11:30.421Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24625 (GCVE-0-2025-24625)

Vulnerability from cvelistv5 – Published: 2025-01-24 17:24 – Updated: 2026-05-11 23:17
VLAI
Title
WordPress Taxonomy/Term and Role based Discounts for WooCommerce plugin <= 5.1 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Summary
Missing Authorization vulnerability in Marco Almeida | Webdados Taxonomy/Term and Role based Discounts for WooCommerce taxonomy-discounts-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Taxonomy/Term and Role based Discounts for WooCommerce: from n/a through <= 5.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Date Public
2026-04-01 16:34
Credits
Mika | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24625",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T18:46:40.888502Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T23:17:46.360Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "taxonomy-discounts-woocommerce",
          "product": "Taxonomy/Term and Role based Discounts for WooCommerce",
          "vendor": "Marco Almeida | Webdados",
          "versions": [
            {
              "changes": [
                {
                  "at": "5.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mika | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:06.611Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Marco Almeida | Webdados Taxonomy/Term and Role based Discounts for WooCommerce taxonomy-discounts-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Taxonomy/Term and Role based Discounts for WooCommerce: from n/a through \u003c= 5.1.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Marco Almeida | Webdados Taxonomy/Term and Role based Discounts for WooCommerce taxonomy-discounts-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Taxonomy/Term and Role based Discounts for WooCommerce: from n/a through \u003c= 5.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:11:30.625Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/taxonomy-discounts-woocommerce/vulnerability/wordpress-taxonomy-term-and-role-based-discounts-for-woocommerce-plugin-5-1-cross-site-request-forgery-csrf-to-settings-change-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Taxonomy/Term and Role based Discounts for WooCommerce plugin \u003c= 5.1 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24625",
    "datePublished": "2025-01-24T17:24:40.728Z",
    "dateReserved": "2025-01-23T14:51:25.978Z",
    "dateUpdated": "2026-05-11T23:17:46.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24633 (GCVE-0-2025-24633)

Vulnerability from cvelistv5 – Published: 2025-01-24 17:24 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress Build Private Store For Woocommerce plugin <= 1.0 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in silverplugins217 Build Private Store For Woocommerce build-private-store-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Build Private Store For Woocommerce: from n/a through <= 1.0.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Date Public
2026-04-01 16:34
Credits
Mika | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24633",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T18:47:16.321609Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-24T18:59:37.975Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "build-private-store-for-woocommerce",
          "product": "Build Private Store For Woocommerce",
          "vendor": "silverplugins217",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mika | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:07.001Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in silverplugins217 Build Private Store For Woocommerce build-private-store-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Build Private Store For Woocommerce: from n/a through \u003c= 1.0.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in silverplugins217 Build Private Store For Woocommerce build-private-store-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Build Private Store For Woocommerce: from n/a through \u003c= 1.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:11:30.861Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/build-private-store-for-woocommerce/vulnerability/wordpress-build-private-store-for-woocommerce-plugin-1-0-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Build Private Store For Woocommerce plugin \u003c= 1.0 - Broken Access Control vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24633",
    "datePublished": "2025-01-24T17:24:34.338Z",
    "dateReserved": "2025-01-23T14:51:34.071Z",
    "dateUpdated": "2026-04-28T16:11:30.861Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24642 (GCVE-0-2025-24642)

Vulnerability from cvelistv5 – Published: 2025-02-03 14:22 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress Setup Default Featured Image plugin <= 1.2 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in theme funda Setup Default Featured Image setup-default-feature-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Setup Default Featured Image: from n/a through <= 1.2.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
theme funda Setup Default Featured Image Affected: 0 , ≤ 1.2 (custom)
Create a notification for this product.
Date Public
2026-04-01 16:34
Credits
Mika | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24642",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-03T16:03:18.010672Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-03T16:03:46.354Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "setup-default-feature-image",
          "product": "Setup Default Featured Image",
          "vendor": "theme funda",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mika | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:30.735Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in theme funda Setup Default Featured Image setup-default-feature-image allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Setup Default Featured Image: from n/a through \u003c= 1.2.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in theme funda Setup Default Featured Image setup-default-feature-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Setup Default Featured Image: from n/a through \u003c= 1.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:11:31.281Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/setup-default-feature-image/vulnerability/wordpress-setup-default-featured-image-plugin-1-2-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Setup Default Featured Image plugin \u003c= 1.2 - Broken Access Control vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24642",
    "datePublished": "2025-02-03T14:22:48.333Z",
    "dateReserved": "2025-01-23T14:51:34.072Z",
    "dateUpdated": "2026-04-28T16:11:31.281Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phase: Architecture and Design

Description:

  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation

Phase: Architecture and Design

Description:

  • Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4

Phase: Architecture and Design

Strategy: Libraries or Frameworks

Description:

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation

Phase: Architecture and Design

Description:

  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation

Phases: System Configuration, Installation

Description:

  • Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.

Back to CWE stats page