Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14608 vulnerabilities reference this CWE, most recent first.

GHSA-VJ42-43CH-3XP2

Vulnerability from github – Published: 2026-06-18 12:40 – Updated: 2026-06-18 21:32
VLAI
Details

In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-18T08:16:33Z",
    "severity": "CRITICAL"
  },
  "details": "In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-vj42-43ch-3xp2",
  "modified": "2026-06-18T21:32:33Z",
  "published": "2026-06-18T12:40:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28573"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/docs/security/bulletin/wear/2026/2026-06-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VJ56-C5QR-HH8C

Vulnerability from github – Published: 2024-06-09 12:30 – Updated: 2026-04-01 18:31
VLAI
Details

Missing Authorization vulnerability in Tainacan.Org Tainacan.This issue affects Tainacan: from n/a through 0.20.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30529"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-09T11:15:52Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Tainacan.Org Tainacan.This issue affects Tainacan: from n/a through 0.20.7.",
  "id": "GHSA-vj56-c5qr-hh8c",
  "modified": "2026-04-01T18:31:48Z",
  "published": "2024-06-09T12:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30529"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/tainacan/vulnerability/wordpress-tainacan-plugin-0-20-7-broken-access-control-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/tainacan/wordpress-tainacan-plugin-0-20-7-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ5X-X7X2-XQ6V

Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2022-10-21 12:00
VLAI
Details

The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-17T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Import all XML, CSV \u0026 TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce",
  "id": "GHSA-vj5x-x7x2-xq6v",
  "modified": "2022-10-21T12:00:22Z",
  "published": "2022-10-17T19:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3244"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/de4bc449-3dd4-4776-943f-ac59ae813132"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ7Q-773H-8QQF

Vulnerability from github – Published: 2022-03-01 00:00 – Updated: 2022-03-17 00:04
VLAI
Details

The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24977"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-28T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues",
  "id": "GHSA-vj7q-773h-8qqf",
  "modified": "2022-03-17T00:04:57Z",
  "published": "2022-03-01T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24977"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/739831e3-cdfb-4a22-9abf-6c594d7e3d75"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ84-G42V-754M

Vulnerability from github – Published: 2025-01-02 15:31 – Updated: 2026-04-23 15:34
VLAI
Details

Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through 3.2.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-02T15:15:20Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through 3.2.4.",
  "id": "GHSA-vj84-g42v-754m",
  "modified": "2026-04-23T15:34:26Z",
  "published": "2025-01-02T15:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48758"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-2-4-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ9G-GH94-W9MC

Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-13 21:31
VLAI
Details

Missing Authorization vulnerability in raratheme Lawyer Landing Page lawyer-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lawyer Landing Page: from n/a through <= 1.2.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-13T19:55:09Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in raratheme Lawyer Landing Page lawyer-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lawyer Landing Page: from n/a through \u003c= 1.2.7.",
  "id": "GHSA-vj9g-gh94-w9mc",
  "modified": "2026-03-13T21:31:51Z",
  "published": "2026-03-13T21:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32487"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/lawyer-landing-page/vulnerability/wordpress-lawyer-landing-page-theme-1-2-7-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJC7-JRH9-9J86

Vulnerability from github – Published: 2026-07-06 21:22 – Updated: 2026-07-06 21:22
VLAI
Summary
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Details

title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats product: 9Router version: <= 0.4.41 severity: critical cve_request: true


Summary

Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The /api/providers endpoints lack authentication entirely, allowing anyone to create, read, update, and delete provider connections. Additionally, /api/usage/stats exposes full plaintext API keys, and /api/usage/request-logs + /api/usage/request-details expose all users' request history and full conversation contents (including system prompts, user messages, assistant responses) without authentication.

Affected Endpoints

Endpoint Method Issue
/api/providers GET Lists all provider connections with partial credentials, OAuth tokens, account IDs
/api/providers/:id GET Read any single provider detail (IDOR)
/api/providers POST Create arbitrary provider connections with attacker-controlled API keys
/api/providers/:id PUT Modify any existing provider connection
/api/providers/:id DELETE Delete any provider connection
/api/usage/stats GET Exposes full plaintext API keys, per-account usage breakdown, cost data
/api/usage/request-logs GET Exposes all users' request logs (model, tokens, cost, timestamp, provider)
/api/usage/request-details/:id GET Exposes full conversation turns including system prompts, user messages, assistant responses
/api/version GET Exposes current version info
/api/models GET Exposes full model routing catalog
/api/v1/models GET Exposes model list

Impact

Critical: Provider CRUD without authentication

An attacker can: 1. Add a malicious provider — inject a provider that proxies through their server, capturing all prompts, responses, and API keys routed through 9Router 2. Modify existing providers — replace API keys with attacker-controlled ones, redirect traffic 3. Delete all providers — cause complete denial of service 4. Read all provider configurations — harvest partial credentials, GitHub Copilot OAuth tokens, Cloudflare account IDs, email addresses

Critical: Full API key leak via /api/usage/stats

The endpoint returns complete API key strings (e.g., sk-...) in plaintext alongside usage data per key, enabling unauthorized use of connected AI provider accounts.

Critical: Conversation history leak

/api/usage/request-details returns the full conversation history of other users' AI sessions, including system prompts, user messages, assistant responses, tool calls, and reasoning traces.

Steps to Reproduce

1. Unauthenticated read of all providers

curl -s https://<host>/api/providers

Returns all provider connections with email addresses, auth type, account IDs, and partial API key prefixes.

2. Create a provider without authentication

curl -X POST https://<host>/api/providers \
  -H "Content-Type: application/json" \
  -d '{"provider":"openai","authType":"apikey","name":"rogue","apiKey":"sk-attacker-controlled"}'

Returns the created connection object with a new UUID and isActive: true.

3. Modify an existing provider without authentication

curl -X PUT https://<host>/api/providers/<existing-uuid> \
  -H "Content-Type: application/json" \
  -d '{"name":"modified","apiKey":"sk-attacker-key"}'

Returns the updated connection object.

4. Delete a provider without authentication

curl -X DELETE https://<host>/api/providers/<existing-uuid>

Returns {"message":"Connection deleted successfully"}.

5. Read full usage stats with API keys

curl -s https://<host>/api/usage/stats

Returns full API key strings, per-account token/cost breakdown, recent requests.

6. Read request logs

curl -s "https://<host>/api/usage/request-logs?page=1&pageSize=50"

Returns paginated request logs with timestamps, models, providers, user emails, token counts.

7. Read full conversation

curl -s https://<host>/api/usage/request-details/<request-uuid>

Returns complete conversation turns for that request.

8. Read version info

curl -s https://<host>/api/version

Returns {"currentVersion":"0.4.19","latestVersion":"0.4.45","hasUpdate":true}.

Root Cause

The Next.js API routes under src/app/api/* lack authentication middleware on several endpoints. Specifically:

  • /api/providers/* — No auth check before CRUD operations on provider connections stored in the database
  • /api/usage/stats — No auth check before returning aggregated usage data including full API keys
  • /api/usage/request-logs — No auth check before returning request history
  • /api/usage/request-details/:id — No auth check before returning full conversation contents

Suggested Fix

  1. Add authentication middleware to all /api/providers/* routes (GET, POST, PUT, DELETE)
  2. Add authentication middleware to all /api/usage/* routes
  3. Never return full API key strings in any API response — return masked keys only
  4. Never return GitHub Copilot tokens or similar OAuth secrets in API responses
  5. Implement proper authorization checks so users can only access their own data
  6. Add rate limiting to public endpoints

Resources

  • https://github.com/decolua/9router
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "9router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.4.41"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-306",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-06T21:22:10Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "---\ntitle: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats\nproduct: 9Router\nversion: \u003c= 0.4.41\nseverity: critical\ncve_request: true\n---\n\n## Summary\n\nMultiple critical API security vulnerabilities were discovered in 9Router\u0027s Next.js dashboard. The `/api/providers` endpoints lack authentication entirely, allowing anyone to create, read, update, and delete provider connections. Additionally, `/api/usage/stats` exposes full plaintext API keys, and `/api/usage/request-logs` + `/api/usage/request-details` expose all users\u0027 request history and full conversation contents (including system prompts, user messages, assistant responses) without authentication.\n\n## Affected Endpoints\n\n| Endpoint | Method | Issue |\n|---|---|---|\n| `/api/providers` | GET | Lists all provider connections with partial credentials, OAuth tokens, account IDs |\n| `/api/providers/:id` | GET | Read any single provider detail (IDOR) |\n| `/api/providers` | POST | Create arbitrary provider connections with attacker-controlled API keys |\n| `/api/providers/:id` | PUT | Modify any existing provider connection |\n| `/api/providers/:id` | DELETE | Delete any provider connection |\n| `/api/usage/stats` | GET | Exposes full plaintext API keys, per-account usage breakdown, cost data |\n| `/api/usage/request-logs` | GET | Exposes all users\u0027 request logs (model, tokens, cost, timestamp, provider) |\n| `/api/usage/request-details/:id` | GET | Exposes full conversation turns including system prompts, user messages, assistant responses |\n| `/api/version` | GET | Exposes current version info |\n| `/api/models` | GET | Exposes full model routing catalog |\n| `/api/v1/models` | GET | Exposes model list |\n\n## Impact\n\n### Critical: Provider CRUD without authentication\n\nAn attacker can:\n1. **Add a malicious provider** \u2014 inject a provider that proxies through their server, capturing all prompts, responses, and API keys routed through 9Router\n2. **Modify existing providers** \u2014 replace API keys with attacker-controlled ones, redirect traffic\n3. **Delete all providers** \u2014 cause complete denial of service\n4. **Read all provider configurations** \u2014 harvest partial credentials, GitHub Copilot OAuth tokens, Cloudflare account IDs, email addresses\n\n### Critical: Full API key leak via /api/usage/stats\n\nThe endpoint returns complete API key strings (e.g., `sk-...`) in plaintext alongside usage data per key, enabling unauthorized use of connected AI provider accounts.\n\n### Critical: Conversation history leak\n\n`/api/usage/request-details` returns the full conversation history of other users\u0027 AI sessions, including system prompts, user messages, assistant responses, tool calls, and reasoning traces.\n\n## Steps to Reproduce\n\n### 1. Unauthenticated read of all providers\n\n```bash\ncurl -s https://\u003chost\u003e/api/providers\n```\n\nReturns all provider connections with email addresses, auth type, account IDs, and partial API key prefixes.\n\n### 2. Create a provider without authentication\n\n```bash\ncurl -X POST https://\u003chost\u003e/api/providers \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"provider\":\"openai\",\"authType\":\"apikey\",\"name\":\"rogue\",\"apiKey\":\"sk-attacker-controlled\"}\u0027\n```\n\nReturns the created connection object with a new UUID and `isActive: true`.\n\n### 3. Modify an existing provider without authentication\n\n```bash\ncurl -X PUT https://\u003chost\u003e/api/providers/\u003cexisting-uuid\u003e \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"name\":\"modified\",\"apiKey\":\"sk-attacker-key\"}\u0027\n```\n\nReturns the updated connection object.\n\n### 4. Delete a provider without authentication\n\n```bash\ncurl -X DELETE https://\u003chost\u003e/api/providers/\u003cexisting-uuid\u003e\n```\n\nReturns `{\"message\":\"Connection deleted successfully\"}`.\n\n### 5. Read full usage stats with API keys\n\n```bash\ncurl -s https://\u003chost\u003e/api/usage/stats\n```\n\nReturns full API key strings, per-account token/cost breakdown, recent requests.\n\n### 6. Read request logs\n\n```bash\ncurl -s \"https://\u003chost\u003e/api/usage/request-logs?page=1\u0026pageSize=50\"\n```\n\nReturns paginated request logs with timestamps, models, providers, user emails, token counts.\n\n### 7. Read full conversation\n\n```bash\ncurl -s https://\u003chost\u003e/api/usage/request-details/\u003crequest-uuid\u003e\n```\n\nReturns complete conversation turns for that request.\n\n### 8. Read version info\n\n```bash\ncurl -s https://\u003chost\u003e/api/version\n```\n\nReturns `{\"currentVersion\":\"0.4.19\",\"latestVersion\":\"0.4.45\",\"hasUpdate\":true}`.\n\n## Root Cause\n\nThe Next.js API routes under `src/app/api/*` lack authentication middleware on several endpoints. Specifically:\n\n- `/api/providers/*` \u2014 No auth check before CRUD operations on provider connections stored in the database\n- `/api/usage/stats` \u2014 No auth check before returning aggregated usage data including full API keys\n- `/api/usage/request-logs` \u2014 No auth check before returning request history\n- `/api/usage/request-details/:id` \u2014 No auth check before returning full conversation contents\n\n## Suggested Fix\n\n1. Add authentication middleware to all `/api/providers/*` routes (GET, POST, PUT, DELETE)\n2. Add authentication middleware to all `/api/usage/*` routes\n3. Never return full API key strings in any API response \u2014 return masked keys only\n4. Never return GitHub Copilot tokens or similar OAuth secrets in API responses\n5. Implement proper authorization checks so users can only access their own data\n6. Add rate limiting to public endpoints\n\n## Resources\n\n- https://github.com/decolua/9router",
  "id": "GHSA-vjc7-jrh9-9j86",
  "modified": "2026-07-06T21:22:10Z",
  "published": "2026-07-06T21:22:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/decolua/9router/security/advisories/GHSA-vjc7-jrh9-9j86"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/decolua/9router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats"
}

GHSA-VJCV-792V-VG3P

Vulnerability from github – Published: 2023-12-07 15:30 – Updated: 2025-11-04 21:30
VLAI
Details

In SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39167"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-07T14:15:07Z",
    "severity": "HIGH"
  },
  "details": "In\u00a0SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices\u0027 logfiles that contain sensitive data.",
  "id": "GHSA-vjcv-792v-vg3p",
  "modified": "2025-11-04T21:30:50Z",
  "published": "2023-12-07T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39167"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2023/Nov/5"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Nov/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJG8-CQG5-HG64

Vulnerability from github – Published: 2026-06-02 09:36 – Updated: 2026-06-02 09:36
VLAI
Details

The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector action (handled by JtlConnectorAdmin::save()) and on the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX actions (handled by the global downloadJTLLogs() and clearJTLLogs() functions). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings, download a ZIP archive of the connector's developer log files, and delete those log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-02T09:16:17Z",
    "severity": "MODERATE"
  },
  "details": "The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector action (handled by JtlConnectorAdmin::save()) and on the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX actions (handled by the global downloadJTLLogs() and clearJTLLogs() functions). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings, download a ZIP archive of the connector\u0027s developer log files, and delete those log files.",
  "id": "GHSA-vjg8-cqg5-hg64",
  "modified": "2026-06-02T09:36:15Z",
  "published": "2026-06-02T09:36:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9234"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woo-jtl-connector/tags/2.4.1/includes/JtlConnectorAdmin.php#L3007"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woo-jtl-connector/tags/2.4.1/includes/JtlConnectorAdmin.php#L574"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woo-jtl-connector/tags/2.4.1/woo-jtl-connector.php#L161"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woo-jtl-connector/tags/2.4.1/woo-jtl-connector.php#L221"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woo-jtl-connector/tags/2.4.1/woo-jtl-connector.php#L92"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1475f3c4-b1ff-422c-a832-f6261361c240?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJGV-Q4QP-FR6P

Vulnerability from github – Published: 2024-04-09 21:31 – Updated: 2026-04-08 21:32
VLAI
Details

The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the rtcl_import_location() rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T19:15:16Z",
    "severity": "MODERATE"
  },
  "details": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access \u0026 modification of data due to a missing capability check on the rtcl_import_location() rtcl_import_category() functions in all versions up to, and including, 3.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create terms.",
  "id": "GHSA-vjgv-q4qp-fr6p",
  "modified": "2026-04-08T21:32:28Z",
  "published": "2024-04-09T21:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1352"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=2824166"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/classified-listing/trunk/app/Controllers/Ajax/Import.php?rev=3061893"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5da4cdd-15c7-41a6-be2f-e31bd407ae05?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.