| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint. |
| The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details. |
| The Checkbox plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_ajax_nopriv_checkbox_clean_log' AJAX endpoint in all versions up to, and including, 2.8.10. This makes it possible for unauthenticated attackers to clear log files. |
| The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_auycht_saveCid' AJAX endpoint in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to connect and disconnect the client ID. |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a shared mailbox, one agent can therefore recall another agent's just-sent reply during the 15-second undo window. Version 1.8.214 fixes the vulnerability. |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retrieve all customer PII. Version 1.8.213 fixes the issue. |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through `ThreadPolicy::edit()`, which checks mailbox access but does not apply the assigned-only restriction from `ConversationPolicy`. A user who cannot view a conversation can still load and edit customer-authored threads inside it. Version 1.8.215 fixes the vulnerability. |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, direct conversation view correctly blocks users who are neither the assignee nor the creator. The `save_draft` AJAX path is weaker. A direct POST can create a draft inside a conversation that is hidden in the UI. Version 1.8.215 fixes the vulnerability. |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in `attachments_all[]` but omitted from retained lists are decrypted and passed directly to `Attachment::deleteByIds()`. Because `load_attachments` returns encrypted IDs for attachments on a visible conversation, a mailbox peer can replay those IDs through `save_draft` and delete the original attachment row and file. Version 1.8.215 fixes the vulnerability. |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, `MailboxesController::updateSave()` persists `chat_start_new` outside the allowed-field filter. A user with only the mailbox `sig` permission sees only the signature field in the UI, but can still change the hidden mailbox-wide chat setting via direct POST. Version 1.8.215 fixes the vulnerability. |
| October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10. |
| October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. This vulnerability is fixed in 3.7.16 and 4.1.16. |
| Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level `commentable` field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not secured the `/api` endpoint. The `/api` endpoint is publicly available with the default configuration. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, limit the scope to only authenticated users by limiting access to the `/api` endpoint. This would require custom code or installing the 3rd party module `Decidim::Apiauth`. With custom code, the `/api` endpoint can be limited to only authenticated users. The same configuration can be also used without the `allow` statements to disable all traffic to the the `/api` endpoint. When considering a workaround and the seriousness of the vulnerability, please consider the nature of the platform. If the platform is primarily serving public data, this vulnerability is not serious by its nature. If the platform is protecting some resources, e.g. inside private participation spaces, the vulnerability may expose some data to the attacker that is not meant public. For those who have enabled the organization setting "Force users to authenticate before access organization", the scope of this vulnerability is limited to the users who are allowed to log in to the Decidim platform. This setting was introduced in version 0.19.0 and it was applied to the `/api` endpoint in version 0.22.0. |
| October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10. |
| The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to duplicate arbitrary posts, including password protected or private ones. |
| The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax actions (e.g., pop_submit, poptheme_submit) in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings and content. |
| The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve emails for all users with edit_posts capability. |
| The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at `/wp-json/ssa/v1/embed-inner-admin` without authentication, which leaks plugin settings including staff names, business names, and configuration data that are not publicly displayed on the booking form. This makes it possible for unauthenticated attackers to extract private business configuration. In premium versions with integrations configured, this might also expose other sensitive data including API keys for external services. |
| The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates. |
| The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin. |
