Vulnerabilities (CVE)

Filtered by CWE-862
Total 4703 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-31789 2025-05-13 N/A 6.5 MEDIUM
Missing Authorization vulnerability in Matat Technologies TextMe SMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TextMe SMS: from n/a through 1.9.1.
CVE-2025-26846 2025-05-12 N/A 9.8 CRITICAL
An issue was discovered in Znuny before 7.1.4. Permissions are not checked properly when using the Generic Interface to update ticket metadata.
CVE-2025-47628 1 Quomodosoft 1 Qs Dark Mode 2025-05-12 N/A 5.4 MEDIUM
Missing Authorization vulnerability in quomodosoft QS Dark Mode allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects QS Dark Mode: from n/a through 3.0.
CVE-2025-21416 1 Microsoft 1 Azure Virtual Desktop 2025-05-12 N/A 8.5 HIGH
Missing authorization in Azure Virtual Desktop allows an authorized attacker to elevate privileges over a network.
CVE-2025-2816 1 A3rev 1 Page View Count 2025-05-12 N/A 8.1 HIGH
The Page View Count plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the yellow_message_dontshow() function in versions 2.8.0 to 2.8.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to one on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.
CVE-2025-3959 1 Withstars 1 Books-management-system 2025-05-12 5.0 MEDIUM 4.3 MEDIUM
A vulnerability was found in withstars Books-Management-System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /reader_delete.html. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-3960 1 Withstars 1 Books-management-system 2025-05-12 7.5 HIGH 7.3 HIGH
A vulnerability was found in withstars Books-Management-System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /allreaders.html of the component Background Interface. The manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-3963 1 Withstars 1 Books-management-system 2025-05-12 7.5 HIGH 7.3 HIGH
A vulnerability, which was classified as critical, has been found in withstars Books-Management-System 1.0. This issue affects some unknown processing of the file /admin/article/list of the component Background Interface. The manipulation leads to missing authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-3964 1 Withstars 1 Books-management-system 2025-05-12 5.0 MEDIUM 4.3 MEDIUM
A vulnerability, which was classified as problematic, was found in withstars Books-Management-System 1.0. Affected is an unknown function of the file /api/article/del of the component Article Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-3977 1 Iteachyou 1 Dreamer Cms 2025-05-12 4.0 MEDIUM 4.3 MEDIUM
A vulnerability was found in iteachyou Dreamer CMS up to 4.1.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/attachment/download of the component Attachment Handler. The manipulation of the argument ID leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-3979 1 Lecms 1 Lecms 2025-05-12 5.0 MEDIUM 4.3 MEDIUM
A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3. This affects an unknown part of the file /index.php?my-password-ajax-1 of the component Password Change Handler. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-3980 1 Wowjoy 1 Internet Doctor Workstation System 2025-05-12 4.0 MEDIUM 4.3 MEDIUM
A vulnerability classified as problematic was found in wowjoy 浙江湖州华卓信息科技有限公司 Internet Doctor Workstation System 1.0. This vulnerability affects unknown code of the file /v1/prescription/list. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-3981 1 Wowjoy 1 Internet Doctor Workstation System 2025-05-12 4.0 MEDIUM 4.3 MEDIUM
A vulnerability, which was classified as problematic, has been found in wowjoy 浙江湖州华卓信息科技有限公司 Internet Doctor Workstation System 1.0. This issue affects some unknown processing of the file /v1/prescription/details/. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-3949 2025-05-12 N/A 4.3 MEDIUM
The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'seedprod_lite_get_revisisons' function in all versions up to, and including, 6.18.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions.
CVE-2025-28202 2025-05-12 N/A 8.8 HIGH
Incorrect access control in Victure RX1800 EN_V1.0.0_r12_110933 allows attackers to enable SSH and Telnet services without authentication.
CVE-2025-3876 2025-05-12 N/A 8.8 HIGH
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insufficient user OTP validation in the handleWpLoginCreateUserAction() function in all versions up to, and including, 3.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate any account by supplying its username or email and elevate their privileges to that of an administrator.
CVE-2025-28103 2025-05-12 N/A 6.4 MEDIUM
Incorrect access control in laskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request.
CVE-2023-6066 1 Kishorkhambu 1 Wp Custom Widget Area 2025-05-12 N/A 4.3 MEDIUM
The WP Custom Widget area WordPress plugin through 1.2.5 does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site.
CVE-2023-5533 1 Quantumcloud 1 Wpbot 2025-05-12 N/A 5.3 MEDIUM
The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and including, 4.8.9 as well as 4.9.2. This makes it possible for unauthenticated attackers to perform some of those actions that were intended for higher privileged users.
CVE-2024-0453 1 Quantumcloud 1 Wpbot 2025-05-12 N/A 5.0 MEDIUM
The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_delete_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete files from a linked OpenAI account.