Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2025-3037 (GCVE-0-2025-3037)
Vulnerability from cvelistv5 – Published: 2025-03-31 22:31 – Updated: 2025-04-01 03:57
VLAI
Title
yzk2356911358 StudentServlet-JSP cross-site request forgery
Summary
A vulnerability has been found in yzk2356911358 StudentServlet-JSP cc0cdce25fbe43b6c58b60a77a2c85f52d2102f5/d4d7a0643f1dae908a4831206f2714b21820f991 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
Severity
4.3 (Medium)
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.302098 | vdb-entry |
| https://vuldb.com/?ctiid.302098 | signaturepermissions-required |
| https://vuldb.com/?submit.524631 | third-party-advisory |
| https://github.com/yzk2356911358/StudentServlet-J… | issue-tracking |
| https://github.com/yzk2356911358/StudentServlet-J… | exploitissue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| yzk2356911358 | StudentServlet-JSP |
Affected:
cc0cdce25fbe43b6c58b60a77a2c85f52d2102f5
Affected: d4d7a0643f1dae908a4831206f2714b21820f991 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3037",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T03:57:12.506751Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T03:57:31.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "StudentServlet-JSP",
"vendor": "yzk2356911358",
"versions": [
{
"status": "affected",
"version": "cc0cdce25fbe43b6c58b60a77a2c85f52d2102f5"
},
{
"status": "affected",
"version": "d4d7a0643f1dae908a4831206f2714b21820f991"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "TTTlw1024 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in yzk2356911358 StudentServlet-JSP cc0cdce25fbe43b6c58b60a77a2c85f52d2102f5/d4d7a0643f1dae908a4831206f2714b21820f991 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available."
},
{
"lang": "de",
"value": "In yzk2356911358 StudentServlet-JSP cc0cdce25fbe43b6c58b60a77a2c85f52d2102f5/d4d7a0643f1dae908a4831206f2714b21820f991 wurde eine problematische Schwachstelle gefunden. Dabei geht es um eine nicht genauer bekannte Funktion. Mittels dem Manipulieren mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Dieses Produkt verzichtet auf eine Versionierung und verwendet stattdessen Rolling Releases. Deshalb sind keine Details zu betroffenen oder zu aktualisierende Versionen vorhanden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T22:31:04.940Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-302098 | yzk2356911358 StudentServlet-JSP cross-site request forgery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.302098"
},
{
"name": "VDB-302098 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.302098"
},
{
"name": "Submit #524631 | yzk2356911358 StudentServlet-JSP null Cross-Site Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.524631"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/yzk2356911358/StudentServlet-JSP/issues/3"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/yzk2356911358/StudentServlet-JSP/issues/3#issue-2937762896"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-31T13:38:45.000Z",
"value": "VulDB entry last update"
}
],
"title": "yzk2356911358 StudentServlet-JSP cross-site request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-3037",
"datePublished": "2025-03-31T22:31:04.940Z",
"dateReserved": "2025-03-31T11:33:32.486Z",
"dateUpdated": "2025-04-01T03:57:31.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30398 (GCVE-0-2025-30398)
Vulnerability from cvelistv5 – Published: 2025-11-11 17:59 – Updated: 2026-02-13 20:46
VLAI
Title
Nuance PowerScribe 360 Information Disclosure Vulnerability
Summary
Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
Impacted products
20 products
Date Public
2025-11-11 08:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30398",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:40:54.242798Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:41:02.084Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nuance PowerScribe 360 version 4.0.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "7.0.111.66",
"status": "affected",
"version": "4.0.1",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe 360 version 4.0.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "7.0.154.16",
"status": "affected",
"version": "4.0.2",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe 360 version 4.0.3",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "7.0.197.8",
"status": "affected",
"version": "4.0.3",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe 360 version 4.0.4",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "7.0.212.9",
"status": "affected",
"version": "4.0.4",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe 360 version 4.0.5",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "7.0.243.17",
"status": "affected",
"version": "4.0.5",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe 360 version 4.0.6",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "7.0.277.26",
"status": "affected",
"version": "4.0.6",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe 360 version 4.0.7",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "7.0.316.9",
"status": "affected",
"version": "4.0.7",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe 360 version 4.0.8",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "7.0.427.13",
"status": "affected",
"version": "4.0.8",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe 360 version 4.0.9",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "7.0.528.18",
"status": "affected",
"version": "4.0.9",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe One version 2019.1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2019.1.96.5",
"status": "affected",
"version": "2019.1",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe One version 2019.10",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2019.10.36.4",
"status": "affected",
"version": "2019.10",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe One version 2019.2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2019.2.9.8",
"status": "affected",
"version": "2019.2",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe One version 2019.3",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2019.3.16.20",
"status": "affected",
"version": "2019.3",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe One version 2019.4",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2019.4.9.16",
"status": "affected",
"version": "2019.4",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe One version 2019.5",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2019.5.14.39",
"status": "affected",
"version": "2019.5",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe One version 2019.6",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2019.6.36.39",
"status": "affected",
"version": "2019.6",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe One version 2019.7",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2019.7.107.21",
"status": "affected",
"version": "2019.7",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe One version 2019.8",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2019.8.43.15",
"status": "affected",
"version": "2019.8",
"versionType": "custom"
}
]
},
{
"product": "Nuance PowerScribe One version 2019.9",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2019.9.31.19",
"status": "affected",
"version": "2019.9",
"versionType": "custom"
}
]
},
{
"product": "PowerScribe One version 2023.1 SP2 Patch 7",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2023.2.3027.0",
"status": "affected",
"version": "2023.1",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.243.17",
"versionStartIncluding": "4.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.427.13",
"versionStartIncluding": "4.0.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.528.18",
"versionStartIncluding": "4.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.277.26",
"versionStartIncluding": "4.0.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.316.9",
"versionStartIncluding": "4.0.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2019.3.16.20",
"versionStartIncluding": "2019.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2019.2.9.8",
"versionStartIncluding": "2019.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2019.1.96.5",
"versionStartIncluding": "2019.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.111.66",
"versionStartIncluding": "4.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.154.16",
"versionStartIncluding": "4.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.197.8",
"versionStartIncluding": "4.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_360:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.212.9",
"versionStartIncluding": "4.0.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2019.5.14.39",
"versionStartIncluding": "2019.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2019.4.9.16",
"versionStartIncluding": "2019.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2019.6.36.39",
"versionStartIncluding": "2019.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2019.8.43.15",
"versionStartIncluding": "2019.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2019.7.107.21",
"versionStartIncluding": "2019.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2019.9.31.19",
"versionStartIncluding": "2019.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2019.10.36.4",
"versionStartIncluding": "2019.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:nuance_powerscribe_one:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2023.2.3027.0",
"versionStartIncluding": "2023.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2025-11-11T08:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T20:46:19.436Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Nuance PowerScribe 360 Information Disclosure Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30398"
}
],
"title": "Nuance PowerScribe 360 Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2025-30398",
"datePublished": "2025-11-11T17:59:51.398Z",
"dateReserved": "2025-03-21T19:09:29.816Z",
"dateUpdated": "2026-02-13T20:46:19.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30416 (GCVE-0-2025-30416)
Vulnerability from cvelistv5 – Published: 2026-02-20 00:31 – Updated: 2026-02-26 14:44
VLAI
Summary
Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security-advisory.acronis.com/advisories/… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Acronis | Acronis Cyber Protect 16 |
Affected:
unspecified , < 39938
(semver)
|
|
| Acronis | Acronis Cyber Protect 15 |
Affected:
unspecified , < 41800
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30416",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-21T04:56:26.646856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T14:44:13.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"Windows"
],
"product": "Acronis Cyber Protect 16",
"vendor": "Acronis",
"versions": [
{
"lessThan": "39938",
"status": "affected",
"version": "unspecified",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"Windows"
],
"product": "Acronis Cyber Protect 15",
"vendor": "Acronis",
"versions": [
{
"lessThan": "41800",
"status": "affected",
"version": "unspecified",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Airbus SecLab (mailto:vuln@airbus.com)"
},
{
"lang": "en",
"type": "finder",
"value": "Quentin Liddell (mailto:vuln@airbus.com)"
},
{
"lang": "en",
"type": "finder",
"value": "Matt\u00e9o Ricordeau (mailto:vuln@airbus.com)"
},
{
"lang": "en",
"type": "finder",
"value": "Beno\u00eet Camredon (mailto:vuln@airbus.com)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T00:31:27.426Z",
"orgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175",
"shortName": "Acronis"
},
"references": [
{
"name": "SEC-8766",
"tags": [
"vendor-advisory"
],
"url": "https://security-advisory.acronis.com/advisories/SEC-8766"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175",
"assignerShortName": "Acronis",
"cveId": "CVE-2025-30416",
"datePublished": "2026-02-20T00:31:27.426Z",
"dateReserved": "2025-03-21T21:04:39.511Z",
"dateUpdated": "2026-02-26T14:44:13.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30543 (GCVE-0-2025-30543)
Vulnerability from cvelistv5 – Published: 2025-03-24 13:46 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress Menu Duplicator plugin <= 1.0 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in swayam.tejwani Menu Duplicator copy-menu allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Menu Duplicator: from n/a through <= 1.0.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| swayam.tejwani | Menu Duplicator |
Affected:
0 , ≤ 1.0
(custom)
|
Date Public
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30543",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T14:50:22.897940Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T15:05:41.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "copy-menu",
"product": "Menu Duplicator",
"vendor": "swayam.tejwani",
"versions": [
{
"lessThanOrEqual": "1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:14.311Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in swayam.tejwani Menu Duplicator copy-menu allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Menu Duplicator: from n/a through \u003c= 1.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in swayam.tejwani Menu Duplicator copy-menu allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Menu Duplicator: from n/a through \u003c= 1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:53.652Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/copy-menu/vulnerability/wordpress-menu-duplicator-plugin-1-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Menu Duplicator plugin \u003c= 1.0 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30543",
"datePublished": "2025-03-24T13:46:51.070Z",
"dateReserved": "2025-03-24T12:59:49.932Z",
"dateUpdated": "2026-04-28T16:11:53.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-3058 (GCVE-0-2025-3058)
Vulnerability from cvelistv5 – Published: 2025-04-24 08:23 – Updated: 2026-04-08 16:42
VLAI
Title
Xelion Webchat <= 9.1.0 - Authenticated (Subscriber+) Arbitrary Options Update
Summary
The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the xwc_save_settings() function in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jauharixelion | Xelion Webchat |
Affected:
0 , ≤ 9.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T13:40:02.547376Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T15:22:57.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Xelion Webchat",
"vendor": "jauharixelion",
"versions": [
{
"lessThanOrEqual": "9.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the xwc_save_settings() function in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:42:20.190Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/250202d5-3a0d-494c-8386-1f4cd015ad7e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/xelion-webchat/trunk//includes/class-xelion-webchat-ajax-admin.php#L119"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3282039%40xelion-webchat\u0026new=3282039%40xelion-webchat\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-23T19:47:14.000Z",
"value": "Disclosed"
}
],
"title": "Xelion Webchat \u003c= 9.1.0 - Authenticated (Subscriber+) Arbitrary Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3058",
"datePublished": "2025-04-24T08:23:47.679Z",
"dateReserved": "2025-03-31T22:16:07.422Z",
"dateUpdated": "2026-04-08T16:42:20.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30581 (GCVE-0-2025-30581)
Vulnerability from cvelistv5 – Published: 2025-03-24 13:47 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress Top Bar plugin <= 3.3 - Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in PluginOps Top Bar ultimate-bar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Top Bar: from n/a through <= 3.3.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Date Public
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T14:19:54.707157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T18:40:23.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ultimate-bar",
"product": "Top Bar",
"vendor": "PluginOps",
"versions": [
{
"lessThanOrEqual": "3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0xd4rk5id3 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:08.544Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in PluginOps Top Bar ultimate-bar allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Top Bar: from n/a through \u003c= 3.3.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in PluginOps Top Bar ultimate-bar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Top Bar: from n/a through \u003c= 3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:54.656Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-bar/vulnerability/wordpress-top-bar-3-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Top Bar plugin \u003c= 3.3 - Broken Access Control Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30581",
"datePublished": "2025-03-24T13:47:10.737Z",
"dateReserved": "2025-03-24T13:00:24.105Z",
"dateUpdated": "2026-04-28T16:11:54.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30591 (GCVE-0-2025-30591)
Vulnerability from cvelistv5 – Published: 2025-03-24 13:47 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress Music Press Pro plugin <= 1.4.6 Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in tuyennv Music Press Pro music-press-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Music Press Pro: from n/a through <= 1.4.6.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tuyennv | Music Press Pro |
Affected:
0 , ≤ 1.4.6
(custom)
|
Date Public
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-25T17:46:58.426413Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T17:48:42.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "music-press-pro",
"product": "Music Press Pro",
"vendor": "tuyennv",
"versions": [
{
"lessThanOrEqual": "1.4.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0xd4rk5id3 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:12.574Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in tuyennv Music Press Pro music-press-pro allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Music Press Pro: from n/a through \u003c= 1.4.6.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in tuyennv Music Press Pro music-press-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Music Press Pro: from n/a through \u003c= 1.4.6."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:54.874Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/music-press-pro/vulnerability/wordpress-music-press-pro-1-4-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Music Press Pro plugin \u003c= 1.4.6 Broken Access Control Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30591",
"datePublished": "2025-03-24T13:47:15.955Z",
"dateReserved": "2025-03-24T13:00:32.064Z",
"dateUpdated": "2026-04-28T16:11:54.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30592 (GCVE-0-2025-30592)
Vulnerability from cvelistv5 – Published: 2025-03-24 13:47 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress Advanced Dewplayer - plugin <= 1.6 Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in WesternDeal Advanced Dewplayer advanced-dewplayer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Dewplayer: from n/a through <= 1.6.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WesternDeal | Advanced Dewplayer |
Affected:
0 , ≤ 1.6
(custom)
|
Date Public
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30592",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T14:18:38.574483Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T18:41:25.913Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "advanced-dewplayer",
"product": "Advanced Dewplayer",
"vendor": "WesternDeal",
"versions": [
{
"lessThanOrEqual": "1.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0xd4rk5id3 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:16.938Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in WesternDeal Advanced Dewplayer advanced-dewplayer allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Advanced Dewplayer: from n/a through \u003c= 1.6.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in WesternDeal Advanced Dewplayer advanced-dewplayer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Dewplayer: from n/a through \u003c= 1.6."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:55.136Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/advanced-dewplayer/vulnerability/wordpress-advanced-dewplayer-1-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Advanced Dewplayer - plugin \u003c= 1.6 Broken Access Control Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30592",
"datePublished": "2025-03-24T13:47:16.723Z",
"dateReserved": "2025-03-24T13:00:32.064Z",
"dateUpdated": "2026-04-28T16:11:55.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30605 (GCVE-0-2025-30605)
Vulnerability from cvelistv5 – Published: 2025-03-24 13:47 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress sourceplay-navermap plugin <= 0.0.2 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in ldwin79 sourceplay-navermap sourceplay-navermap allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects sourceplay-navermap: from n/a through <= 0.0.2.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ldwin79 | sourceplay-navermap |
Affected:
0 , ≤ 0.0.2
(custom)
|
Date Public
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30605",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T15:40:33.365793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T15:40:52.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "sourceplay-navermap",
"product": "sourceplay-navermap",
"vendor": "ldwin79",
"versions": [
{
"lessThanOrEqual": "0.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:19.419Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in ldwin79 sourceplay-navermap sourceplay-navermap allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects sourceplay-navermap: from n/a through \u003c= 0.0.2.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in ldwin79 sourceplay-navermap sourceplay-navermap allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects sourceplay-navermap: from n/a through \u003c= 0.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:55.235Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/sourceplay-navermap/vulnerability/wordpress-sourceplay-navermap-plugin-0-0-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress sourceplay-navermap plugin \u003c= 0.0.2 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30605",
"datePublished": "2025-03-24T13:47:24.229Z",
"dateReserved": "2025-03-24T13:00:39.013Z",
"dateUpdated": "2026-04-28T16:11:55.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30624 (GCVE-0-2025-30624)
Vulnerability from cvelistv5 – Published: 2025-06-06 12:54 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress WordLift plugin <= 3.54.4 - Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in WordLift WordLift wordlift allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordLift: from n/a through <= 3.54.4.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
Date Public
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T15:36:49.892619Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T16:02:09.338Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wordlift",
"product": "WordLift",
"vendor": "WordLift",
"versions": [
{
"changes": [
{
"at": "3.54.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.54.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Tran Tuan Dung (domiee13) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:25.680Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in WordLift WordLift wordlift allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects WordLift: from n/a through \u003c= 3.54.4.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in WordLift WordLift wordlift allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordLift: from n/a through \u003c= 3.54.4."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:55.940Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wordlift/vulnerability/wordpress-wordlift-3-54-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress WordLift plugin \u003c= 3.54.4 - Broken Access Control Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30624",
"datePublished": "2025-06-06T12:54:24.591Z",
"dateReserved": "2025-03-24T13:00:55.839Z",
"dateUpdated": "2026-04-28T16:11:55.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.