CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-5944 (GCVE-0-2026-5944)
Vulnerability from cvelistv5 – Published: 2026-04-28 13:06 – Updated: 2026-04-28 14:14
Tags: X_Api Security, X_Unauthenticated Access, X_Cisco Intersight Device Connector, X_Prism Central, X_Port 7373

| URL | Tags |
|---|---|
| https://download.nutanix.com/alerts/Security_Advi… | vendor-advisory |
| https://portal.nutanix.com/page/documents/list?ty… | release-notes |
| https://www.nutanix.com/support | x_support |

| Vendor | Product | Version |
|---|---|---|
| Nutanix | Cisco Intersight Device Connector for Prism Central | Affected: 4.3.0 , < 7.5.1 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5944",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T14:14:48.970984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T14:14:58.850Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cisco Intersight Device Connector for Prism Central",
"vendor": "Nutanix",
"versions": [
{
"changes": [
{
"at": "7.5.1",
"status": "unaffected"
}
],
"lessThan": "7.5.1",
"status": "affected",
"version": "4.3.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vulnerability is exploitable only when the Cisco Intersight Device Connector has been manually installed via the Prism Central Marketplace. If the connector is not enabled, the affected service and TCP port 7373 remain closed and unexposed.\u003c/p\u003e\u003cp\u003eOrganizations are impacted only when the connector is active and running a version greater than or equal to 4.3.0 and less than 7.5.1, which can be verified by navigating to the Admin Center in Prism Central, selecting the My Apps tab and verifying the installation status and version of the Cisco Intersight Device Connector.\u003c/p\u003e"
}
],
"value": "The vulnerability is exploitable only when the Cisco Intersight Device Connector has been manually installed via the Prism Central Marketplace. If the connector is not enabled, the affected service and TCP port 7373 remain closed and unexposed.\nOrganizations are impacted only when the connector is active and running a version greater than or equal to 4.3.0 and less than 7.5.1, which can be verified by navigating to the Admin Center in Prism Central, selecting the My Apps tab and verifying the installation status and version of the Cisco Intersight Device Connector."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nutanix:cisco_intersight_device_connector_for_prism_central:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.5.1",
"versionStartIncluding": "4.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "External Security Researcher (via Cisco)"
}
],
"datePublic": "2026-04-28T13:06:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn improper access control vulnerability exists in the Cisco Intersight Device Connector for Nutanix Prism Central. The service exposes an API passthrough endpoint on TCP port 7373 that is accessible within the network scope of the deployment environment without authentication.\u003c/p\u003e\u003cp\u003eAn unauthenticated attacker with network access can exploit this vulnerability by sending crafted requests to the exposed endpoint to enumerate cluster metadata, including virtual machine information and cluster configuration details. While the API primarily supports read-only operations, it also allows certain cluster maintenance workflows to be invoked.\u003c/p\u003e\u003cp\u003eAlthough this vulnerability does not allow persistent modification of system configurations or access to credentials or sensitive user data, successful exploitation may result in disruption of active workloads, leading to loss of service availability within the affected environment.\u003c/p\u003e"
}
],
"value": "An improper access control vulnerability exists in the Cisco Intersight Device Connector for Nutanix Prism Central. The service exposes an API passthrough endpoint on TCP port 7373 that is accessible within the network scope of the deployment environment without authentication.\n\n\n\nAn unauthenticated attacker with network access can exploit this vulnerability by sending crafted requests to the exposed endpoint to enumerate cluster metadata, including virtual machine information and cluster configuration details. While the API primarily supports read-only operations, it also allows certain cluster maintenance workflows to be invoked.\n\n\n\nAlthough this vulnerability does not allow persistent modification of system configurations or access to credentials or sensitive user data, successful exploitation may result in disruption of active workloads, leading to loss of service availability within the affected environment."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Nutanix Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.\u003c/p\u003e"
}
],
"value": "The Nutanix Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/S:N/AU:N/R:U/V:C/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 8.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"other": {
"content": {
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CNA",
"version": "2.0.3"
},
"type": "ssvc"
},
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing authentication for critical function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T13:06:35.686Z",
"orgId": "2ffdacf6-8681-47df-b023-4f11abd61c1d",
"shortName": "Nutanix"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://download.nutanix.com/alerts/Security_Advisory_0046.pdf"
},
{
"tags": [
"release-notes"
],
"url": "https://portal.nutanix.com/page/documents/list?type=software\u0026filterKey=software\u0026filterVal=Prism"
},
{
"tags": [
"x_support"
],
"url": "https://www.nutanix.com/support"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eNutanix has released version 7.5.1 of the Cisco Intersight Device Connector:\u003c/p\u003e\u003cul\u003e\u003cli\u003eLog in to Prism Central (PC) and navigate to the Life Cycle Manager (LCM) Dashboard.\u003c/li\u003e\u003cli\u003eClick \"Perform Inventory\" or \"Get Full Inventory\" to refresh the inventory.\u003c/li\u003e\u003cli\u003eAfter the inventory refresh completes, navigate to the Marketplace.\u003c/li\u003e\u003cli\u003eSelect the Cisco Intersight Device Connector.\u003c/li\u003e\u003cli\u003eClick \"Upgrade\" to update to version 7.5.1 or later.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "Nutanix has released version 7.5.1 of the Cisco Intersight Device Connector:\n * Log in to Prism Central (PC) and navigate to the Life Cycle Manager (LCM) Dashboard.\n * Click \"Perform Inventory\" or \"Get Full Inventory\" to refresh the inventory.\n * After the inventory refresh completes, navigate to the Marketplace.\n * Select the Cisco Intersight Device Connector.\n * Click \"Upgrade\" to update to version 7.5.1 or later."
}
],
"source": {
"advisory": "nutanix-sa-0046",
"discovery": "EXTERNAL"
},
"tags": [
"x_api-security",
"x_unauthenticated-access",
"x_cisco-intersight-device-connector",
"x_prism-central",
"x_port-7373"
],
"timeline": [
{
"lang": "en",
"time": "2026-04-08T15:45:00.000Z",
"value": "Initial vulnerability analysis and internal update"
},
{
"lang": "en",
"time": "2026-04-08T18:30:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2026-04-28T13:06:00.000Z",
"value": "Advisory published"
}
],
"title": "Cisco Intersight Device Connector for Nutanix Prism Central Unauthenticated API Access",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIf upgrading the Cisco Intersight Device Connector to version 7.5.1 or later is not immediately possible, restrict access to TCP port 7373 by limiting the service to internal traffic only:\u003c/p\u003e\u003cul\u003e\u003cli\u003eEstablish an SSH session to Prism Central (PC).\u003c/li\u003e\u003cli\u003eExecute the following command to reconfigure the service visibility to internal traffic only: \u003ccode\u003esudo kubectl -n pc-platform-other annotate service cisco-device-connector service.msp.ntnx.io/lb=pc-internal --overwrite\u003c/code\u003e\u003c/li\u003e\u003cli\u003eRun the following command: \u003ccode\u003esudo kubectl get svc -n pc-platform-other\u003c/code\u003e and verify that the Cisco Intersight Device Connector is no longer associated with the Prism Central public IP address.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "If upgrading the Cisco Intersight Device Connector to version 7.5.1 or later is not immediately possible, restrict access to TCP port 7373 by limiting the service to internal traffic only:\n * Establish an SSH session to Prism Central (PC).\n * Execute the following command to reconfigure the service visibility to internal traffic only: sudo kubectl -n pc-platform-other annotate service cisco-device-connector service.msp.ntnx.io/lb=pc-internal --overwrite\n * Run the following command: sudo kubectl get svc -n pc-platform-other and verify that the Cisco Intersight Device Connector is no longer associated with the Prism Central public IP address."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2ffdacf6-8681-47df-b023-4f11abd61c1d",
"assignerShortName": "Nutanix",
"cveId": "CVE-2026-5944",
"datePublished": "2026-04-28T13:06:35.686Z",
"dateReserved": "2026-04-09T05:40:22.214Z",
"dateUpdated": "2026-04-28T14:14:58.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6109 (GCVE-0-2026-6109)
Vulnerability from cvelistv5 – Published: 2026-04-12 01:30 – Updated: 2026-04-14 16:33

| URL | Tags |
|---|---|
| https://vuldb.com/vuln/356969 | vdb-entry, technical-description |
| https://vuldb.com/vuln/356969/cti | signature, permissions-required |
| https://vuldb.com/submit/791759 | third-party-advisory |
| https://github.com/FoundationAgents/MetaGPT/issues/1932 | exploit, issue-tracking |
| https://github.com/FoundationAgents/MetaGPT/ | product |

| Vendor | Product | Version |
|---|---|---|
| FoundationAgents | MetaGPT | Affected: 0.8.0, 0.8.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6109",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:17:18.777544Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:33:38.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Mineflayer HTTP API"
],
"product": "MetaGPT",
"vendor": "FoundationAgents",
"versions": [
{
"status": "affected",
"version": "0.8.0"
},
{
"status": "affected",
"version": "0.8.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-d (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-12T01:30:15.439Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-356969 | FoundationAgents MetaGPT Mineflayer HTTP API index.js evaluateCode cross-site request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/356969"
},
{
"name": "VDB-356969 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/356969/cti"
},
{
"name": "Submit #791759 | FoundationAgents MetaGPT 0.8.1 Cross Site Request Forgery (CWE-352)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/791759"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/FoundationAgents/MetaGPT/issues/1932"
},
{
"tags": [
"product"
],
"url": "https://github.com/FoundationAgents/MetaGPT/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-11T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-11T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-11T09:54:47.000Z",
"value": "VulDB entry last update"
}
],
"title": "FoundationAgents MetaGPT Mineflayer HTTP API index.js evaluateCode cross-site request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6109",
"datePublished": "2026-04-12T01:30:15.439Z",
"dateReserved": "2026-04-11T07:49:27.735Z",
"dateUpdated": "2026-04-14T16:33:38.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6145 (GCVE-0-2026-6145)
Vulnerability from cvelistv5 – Published: 2026-05-14 08:24 – Updated: 2026-05-14 10:42
CWE-862 - Missing Authorization

| Vendor | Product | Version |
|---|---|---|
| wpeverest | User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | Affected: 0 , ≤ 5.1.5 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T10:37:19.153556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T10:42:26.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "User Registration \u0026 Membership \u2013 Free \u0026 Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration \u0026 Login Builder",
"vendor": "wpeverest",
"versions": [
{
"lessThanOrEqual": "5.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Anthony Cihan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The User Registration \u0026 Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T08:24:27.293Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6b349f2-24c9-4921-bb5f-a7726ebc5c2a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3516468/user-registration/trunk/includes/class-ur-user-approval.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-09T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-04-12T13:35:18.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-13T19:52:48.000Z",
"value": "Disclosed"
}
],
"title": "User Registration \u0026 Membership \u003c= 5.1.5 - Unauthenticated Missing Authorization to Admin Approval Bypass via \u0027action\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6145",
"datePublished": "2026-05-14T08:24:27.293Z",
"dateReserved": "2026-04-12T13:19:58.638Z",
"dateUpdated": "2026-05-14T10:42:26.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
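The defect behind CVE-2026-6145 is an authorization decision derived from a client-supplied request parameter: the presence of action=createuser is taken as proof that an administrator is creating the account. The following is an added illustration, not code from the User Registration & Membership plugin: a check in the vulnerable style beside a hardened version that requires an actual wp-admin context, the core create_users capability and the nonce WordPress core emits on its own user-new form. The function names, the shims and the assumption that the core nonce action is 'create-user' with field '_wpnonce_create-user' are mine.

```php
<?php
// Added example, not code from the User Registration & Membership plugin.
// Meant to run inside WordPress; the shims below exist only so the file
// can be executed from the CLI, where they model an anonymous front-end request.
if (!function_exists('is_admin')) {
    function is_admin() { return false; }                       // not a wp-admin request
    function current_user_can($cap) { return false; }           // anonymous visitor
    function wp_verify_nonce($nonce, $action) { return false; } // no valid nonce
}

/**
 * Vulnerable style: "is an admin creating this user?" is answered by a
 * parameter anyone can put in the request body or query string.
 */
function is_admin_creation_process_vulnerable(array $request): bool {
    return isset($request['action']) && $request['action'] === 'createuser';
}

/**
 * Hardened: the request must come from wp-admin, the current user must hold
 * the capability WordPress itself requires to create users, and the request
 * must carry a valid nonce from the core user-new form (nonce names assumed).
 * Each condition fails closed.
 */
function is_admin_creation_process_hardened(array $request): bool {
    if (!is_admin()) {
        return false;
    }
    if (!current_user_can('create_users')) {
        return false;
    }
    if (!isset($request['action'], $request['_wpnonce_create-user'])) {
        return false;
    }
    if ($request['action'] !== 'createuser') {
        return false;
    }
    return (bool) wp_verify_nonce($request['_wpnonce_create-user'], 'create-user');
}

/**
 * Approval policy: accounts created by an administrator skip approval,
 * every other registration waits for an admin to approve it.
 */
function needs_admin_approval(array $request, callable $is_admin_creation): bool {
    return !$is_admin_creation($request);
}

// Constructed request: an unauthenticated POST to the public registration
// fallback path that simply adds action=createuser.
$forged = ['action' => 'createuser', 'user_login' => 'newuser'];

// Approval decision for the same request under each check.
var_dump(needs_admin_approval($forged, 'is_admin_creation_process_vulnerable'));
var_dump(needs_admin_approval($forged, 'is_admin_creation_process_hardened'));
```

Run from the CLI, the vulnerable check lets the forged request skip approval while the hardened check still requires it; inside WordPress the same hardened check passes only for a logged-in user with create_users submitting the core form, which is the only caller that should ever reach this path.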
CVE-2026-6214 (GCVE-0-2026-6214)
Vulnerability from cvelistv5 – Published: 2026-05-07 03:27 – Updated: 2026-05-07 12:37
CWE-862 - Missing Authorization

| Vendor | Product | Version |
|---|---|---|
| wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Affected: 0 , ≤ 1.53.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6214",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T12:37:32.818185Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T12:37:58.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Forminator Forms \u2013 Contact Form, Payment Form \u0026 Custom Form Builder",
"vendor": "wpmudev",
"versions": [
{
"lessThanOrEqual": "1.53.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chu Duc Anh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration, unlike the parallel listen_for_csv_export() function which correctly verifies user permissions. This makes it possible for authenticated attackers with subscriber-level access to configure a scheduled export job that emails all form submissions to an attacker-controlled email address, resulting in sensitive data exfiltration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T03:27:06.427Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b8d42c-bceb-456e-a682-358e8df831e3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/library/class-export.php#L178"
},
{
"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/library/class-export.php#L178"
},
{
"url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class-admin-l10n.php#L448"
},
{
"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes/class-admin-l10n.php#L448"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3512045%40forminator%2Ftrunk\u0026old=3510688%40forminator%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T12:54:04.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-06T14:41:59.000Z",
"value": "Disclosed"
}
],
"title": "Forminator Forms \u003c= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6214",
"datePublished": "2026-05-07T03:27:06.427Z",
"dateReserved": "2026-04-13T12:38:36.797Z",
"dateUpdated": "2026-05-07T12:37:58.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6222 (GCVE-0-2026-6222)
Vulnerability from cvelistv5 – Published: 2026-05-07 01:25 – Updated: 2026-05-07 15:52
CWE-862 - Missing Authorization

| Vendor | Product | Version |
|---|---|---|
| wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Affected: 0 , ≤ 1.51.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T15:52:04.445595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T15:52:44.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Forminator Forms \u2013 Contact Form, Payment Form \u0026 Custom Form Builder",
"vendor": "wpmudev",
"versions": [
{
"lessThanOrEqual": "1.51.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chu Duc Anh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions \u2014 including export, delete, clone, delete-entries, publish/draft, and bulk variants \u2014 after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook \u2014 which fires before WordPress enforces page-level capability checks \u2014 a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T01:25:27.229Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e860aa70-b8ef-4b2a-a035-b01efce30a79?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L1008"
},
{
"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L1008"
},
{
"url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L951"
},
{
"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L951"
},
{
"url": "https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class-admin-data.php#L141"
},
{
"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes/class-admin-data.php#L141"
},
{
"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.52/admin/abstracts/class-admin-module-edit-page.php#L988"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T13:51:40.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-06T12:50:38.000Z",
"value": "Disclosed"
}
],
"title": "Forminator Forms \u003c= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via \u0027forminator_action\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6222",
"datePublished": "2026-05-07T01:25:27.229Z",
"dateReserved": "2026-04-13T13:36:22.720Z",
"dateUpdated": "2026-05-07T15:52:44.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6235 (GCVE-0-2026-6235)
Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-23 13:46
CWE-862 - Missing Authorization

| Vendor | Product | Version |
|---|---|---|
| sendmachine | Sendmachine for WordPress | Affected: 0 , ≤ 1.0.20 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6235",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T13:45:19.678581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T13:46:26.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sendmachine for WordPress",
"vendor": "sendmachine",
"versions": [
{
"lessThanOrEqual": "1.0.20",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the \u0027manage_admin_requests\u0027 function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the plugin\u0027s SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T07:45:37.881Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7889e071-84a8-46ec-abe5-5c98980ce275?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/sendmachine_wp_admin.php#L183"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/sendmachine_wp_admin.php#L174"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/includes/sendmachine_email_manager.php#L39"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-10T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-04-21T19:01:50.000Z",
"value": "Disclosed"
}
],
"title": "Sendmachine for WordPress \u003c= 1.0.20 - Unauthenticated SMTP Hijack to Privilege Escalation via manage_admin_requests"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6235",
"datePublished": "2026-04-22T07:45:37.881Z",
"dateReserved": "2026-04-13T16:12:01.215Z",
"dateUpdated": "2026-04-23T13:46:26.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6372 (GCVE-0-2026-6372)
Vulnerability from cvelistv5 – Published: 2026-04-15 16:16 – Updated: 2026-04-16 14:06 X_Open Source – CWE-862 - Missing Authorization
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| Plisio | Accept Cryptocurrencies with Plisio | Affected: n/a , ≤ 2.0.5 (custom) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6372",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T14:05:06.933621Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T14:06:37.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "plisio-payment-gateway-for-woocommerce",
"product": "Accept Cryptocurrencies with Plisio",
"vendor": "Plisio",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "AXIS | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisio allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Accept Cryptocurrencies with Plisio: from n/a through 2.0.5.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accept Cryptocurrencies with Plisio: from n/a through 2.0.5."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T16:16:46.970Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/plisio-payment-gateway-for-woocommerce/vulnerability/wordpress-accept-cryptocurrencies-with-plisio-plugin-2-0-5-payment-bypass-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress Accept Cryptocurrencies with Plisio plugin \u003c= 2.0.5 - Payment Bypass vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-6372",
"datePublished": "2026-04-15T16:16:46.970Z",
"dateReserved": "2026-04-15T16:14:56.230Z",
"dateUpdated": "2026-04-16T14:06:37.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6393 (GCVE-0-2026-6393)
Vulnerability from cvelistv5 – Published: 2026-04-24 03:27 – Updated: 2026-04-24 10:46 – CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| wpdevteam | BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor | Affected: 0 , ≤ 4.3.11 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6393",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T10:46:06.950400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T10:46:24.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BetterDocs \u2013 Knowledge Base Docs \u0026 FAQ Solution for Elementor \u0026 Block Editor",
"vendor": "wpdevteam",
"versions": [
{
"lessThanOrEqual": "4.3.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ph\u00fa"
}
],
"descriptions": [
{
"lang": "en",
"value": "The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site\u0027s configured API key with arbitrary user-controlled prompts, leading to unauthorized consumption of the site owner\u0027s paid AI API quota."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T03:27:05.541Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/432b11be-174d-45d6-aa3b-2fbfa85ec17a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/betterdocs/trunk/includes/Core/WriteWithAI.php#L138"
},
{
"url": "https://plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.6/includes/Core/WriteWithAI.php#L138"
},
{
"url": "https://plugins.trac.wordpress.org/browser/betterdocs/trunk/includes/Core/WriteWithAI.php#L31"
},
{
"url": "https://plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.6/includes/Core/WriteWithAI.php#L31"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3512640%40betterdocs\u0026new=3512640%40betterdocs\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-15T20:23:25.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-23T14:45:35.000Z",
"value": "Disclosed"
}
],
"title": "BetterDocs \u003c= 4.3.11 - Missing Authorization to Authenticated (Subscriber+) Unauthorized AI API Usage"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6393",
"datePublished": "2026-04-24T03:27:05.541Z",
"dateReserved": "2026-04-15T20:07:58.184Z",
"dateUpdated": "2026-04-24T10:46:24.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6441 (GCVE-0-2026-6441)
Vulnerability from cvelistv5 – Published: 2026-04-17 06:44 – Updated: 2026-04-17 16:39 – CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| flightbycanto | Canto | Affected: 0 , ≤ 3.1.1 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6441",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T16:39:07.144897Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T16:39:26.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Canto",
"vendor": "flightbycanto",
"versions": [
{
"lessThanOrEqual": "3.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abhirup Konwar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions() function, which is exposed via two AJAX hooks: wp_ajax_updateOptions (class-canto.php line 231) and wp_ajax_fbc_updateOptions (class-canto-settings.php line 76). Both hooks are registered exclusively under the wp_ajax_ prefix (requiring only a logged-in user), with no call to current_user_can() or check_ajax_referer(). This makes it possible for authenticated attackers with subscriber-level access and above to arbitrarily modify or delete plugin options controlling cron scheduling behavior (fbc_duplicates, fbc_cron, fbc_schedule, fbc_cron_time_day, fbc_cron_time_hour, fbc_cron_start) and to manipulate or clear the plugin\u0027s scheduled WordPress cron event (fbc_scheduled_update)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T06:44:50.145Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c1a0200f-9861-4eca-adbf-d458eb6b4e63?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/canto/trunk/includes/class-canto.php#L572"
},
{
"url": "https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/class-canto.php#L572"
},
{
"url": "https://plugins.trac.wordpress.org/browser/canto/trunk/includes/class-canto.php#L231"
},
{
"url": "https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/class-canto.php#L231"
},
{
"url": "https://plugins.trac.wordpress.org/browser/canto/trunk/includes/class-canto-settings.php#L603"
},
{
"url": "https://plugins.trac.wordpress.org/browser/canto/tags/3.1.1/includes/class-canto-settings.php#L603"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-16T18:16:51.000Z",
"value": "Disclosed"
}
],
"title": "Canto \u003c= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6441",
"datePublished": "2026-04-17T06:44:50.145Z",
"dateReserved": "2026-04-16T18:15:29.101Z",
"dateUpdated": "2026-04-17T16:39:26.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6472 (GCVE-0-2026-6472)
Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-14 13:43 – CWE-862 - Missing Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | PostgreSQL | Affected: 18 , < 18.4 (rpm); 17 , < 17.10 (rpm); 16 , < 16.14 (rpm); 15 , < 15.18 (rpm); 0 , < 14.23 (rpm) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:43:42.467820Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:43:48.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PostgreSQL",
"vendor": "n/a",
"versions": [
{
"lessThan": "18.4",
"status": "affected",
"version": "18",
"versionType": "rpm"
},
{
"lessThan": "17.10",
"status": "affected",
"version": "17",
"versionType": "rpm"
},
{
"lessThan": "16.14",
"status": "affected",
"version": "16",
"versionType": "rpm"
},
{
"lessThan": "15.18",
"status": "affected",
"version": "15",
"versionType": "rpm"
},
{
"lessThan": "14.23",
"status": "affected",
"version": "0",
"versionType": "rpm"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "attacker has permission to create objects (temporary objects or non-temporary objects in at least one schema)"
},
{
"lang": "en",
"value": "victim query finds non-pg_catalog types via search_path"
}
],
"credits": [
{
"lang": "en",
"value": "The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem."
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker\u0027s choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:00:02.086Z",
"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"shortName": "PostgreSQL"
},
"references": [
{
"url": "https://www.postgresql.org/support/security/CVE-2026-6472/"
}
],
"title": "PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege"
}
},
"cveMetadata": {
"assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"assignerShortName": "PostgreSQL",
"cveId": "CVE-2026-6472",
"datePublished": "2026-05-14T13:00:02.086Z",
"dateReserved": "2026-04-17T00:23:44.190Z",
"dateUpdated": "2026-05-14T13:43:48.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
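Several of the WordPress records above share one shape: an AJAX handler that checks a nonce (or nothing at all) but never asks whether the caller holds the capability the action requires. The added example below, which is not code from any of the listed plugins, shows that nonce-only shape beside the hardened form the mitigations call for; the `example_*` function, action, option and nonce names are hypothetical.

```php
<?php
// Added illustration of the CWE-862 pattern in the records above. Names prefixed
// example_ are hypothetical; the WordPress functions used are the real core API.

// Vulnerable shape: wp_ajax_ only guarantees that *some* user is logged in, and a
// nonce only proves the request originated from a page this site rendered. Any
// subscriber who can load that page obtains a valid nonce, so this handler has
// CSRF protection but no authorization check: the actual CWE-862 condition.
function example_update_options_nonce_only() {
    check_ajax_referer( 'example_settings', 'nonce' );
    $host = sanitize_text_field( wp_unslash( $_POST['host'] ?? '' ) );
    update_option( 'example_smtp_host', $host );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_options', 'example_update_options_nonce_only' );

// Hardened shape: keep the nonce check (CSRF) and add a capability check
// (authorization), both enforced server-side on every request, as the
// mitigations above require. manage_options is the capability that gates the
// WordPress Settings screens, so it is the natural bar for changing plugin
// configuration such as mail server settings.
function example_update_options_hardened() {
    check_ajax_referer( 'example_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request after sending the response.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $host = sanitize_text_field( wp_unslash( $_POST['host'] ?? '' ) );
    update_option( 'example_smtp_host', $host );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_options_hardened', 'example_update_options_hardened' );

// Defensive note: a privileged action like this must never also be registered
// under the wp_ajax_nopriv_ prefix, which admits unauthenticated callers; doing
// so is what turns a subscriber-level finding into an unauthenticated one.
```

When reviewing a plugin for this weakness, look for every `add_action( 'wp_ajax_…' )` and `register_rest_route()` call and confirm the handler (or its `permission_callback`) calls `current_user_can()` with a capability that matches the sensitivity of the action, not merely a nonce check.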
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller's SPI (Serial Peripheral Interface) flash, through the use of an SPI programming device and an external Thunderbolt device, typically while the target device is booting. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently, 7 major vulnerabilities exist within the Thunderbolt protocol, with 9 attack vectors as noted in the Execution Flow.