CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2023-32586 (GCVE-0-2023-32586)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:23 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress SoundCloud Is Gold plugin <= 2.5.1 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Thomas Michalak Soundcloud Is Gold allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Soundcloud Is Gold: from n/a through 2.5.1.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Thomas Michalak | Soundcloud Is Gold |
Affected:
n/a , ≤ 2.5.1
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32586",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T18:45:04.983702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:46:05.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "soundcloud-is-gold",
"product": "Soundcloud Is Gold",
"vendor": "Thomas Michalak",
"versions": [
{
"lessThanOrEqual": "2.5.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Istv\u00e1n M\u00e1rton (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in Thomas Michalak Soundcloud Is Gold allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Soundcloud Is Gold: from n/a through 2.5.1.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Thomas Michalak Soundcloud Is Gold allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Soundcloud Is Gold: from n/a through 2.5.1."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:23.635Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/soundcloud-is-gold/vulnerability/wordpress-soundcloud-is-gold-plugin-2-5-1-broken-access-control?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress SoundCloud Is Gold plugin \u003c= 2.5.1 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-32586",
"datePublished": "2024-12-13T14:23:25.449Z",
"dateReserved": "2023-05-10T09:25:05.363Z",
"dateUpdated": "2026-04-28T16:08:23.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-32593 (GCVE-0-2023-32593)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:23 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress GS Pins for Pinterest plugin <= 1.6.7 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in GS Plugins GS Pins for Pinterest allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GS Pins for Pinterest: from n/a through 1.6.7.
Severity
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| GS Plugins | GS Pins for Pinterest |
Affected:
n/a , ≤ 1.6.7
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32593",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T18:52:12.811653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:52:47.964Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "gs-pinterest-portfolio",
"product": "GS Pins for Pinterest",
"vendor": "GS Plugins",
"versions": [
{
"changes": [
{
"at": "1.6.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.6.7",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abdi Pranata (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in GS Plugins GS Pins for Pinterest allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects GS Pins for Pinterest: from n/a through 1.6.7.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in GS Plugins GS Pins for Pinterest allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GS Pins for Pinterest: from n/a through 1.6.7."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:23.702Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/gs-pinterest-portfolio/vulnerability/wordpress-gs-pins-for-pinterest-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress GS Pins for Pinterest plugin to the latest available version (at least 1.6.8)."
}
],
"value": "Update the WordPress GS Pins for Pinterest plugin to the latest available version (at least 1.6.8)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress GS Pins for Pinterest plugin \u003c= 1.6.7 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-32593",
"datePublished": "2024-12-13T14:23:25.996Z",
"dateReserved": "2023-05-10T09:25:05.364Z",
"dateUpdated": "2026-04-28T16:08:23.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-32599 (GCVE-0-2023-32599)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:23 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress reCAPTCHA for all plugin <= 1.22 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Bill Minozzi reCAPTCHA for all allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects reCAPTCHA for all: from n/a through 1.22.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Bill Minozzi | reCAPTCHA for all |
Affected:
n/a , ≤ 1.22
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T21:18:07.380846Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T21:18:17.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "recaptcha-for-all",
"product": "reCAPTCHA for all",
"vendor": "Bill Minozzi",
"versions": [
{
"changes": [
{
"at": "1.23",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.22",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jonas H\u00f6benreich (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in Bill Minozzi reCAPTCHA for all allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects reCAPTCHA for all: from n/a through 1.22.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Bill Minozzi reCAPTCHA for all allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects reCAPTCHA for all: from n/a through 1.22."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:23.939Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/recaptcha-for-all/vulnerability/wordpress-recaptcha-for-all-plugin-1-22-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress reCAPTCHA for all plugin to the latest available version (at least 1.23)."
}
],
"value": "Update the WordPress reCAPTCHA for all plugin to the latest available version (at least 1.23)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress reCAPTCHA for all plugin \u003c= 1.22 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-32599",
"datePublished": "2024-12-13T14:23:26.551Z",
"dateReserved": "2023-05-10T11:11:32.951Z",
"dateUpdated": "2026-04-28T16:08:23.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-32601 (GCVE-0-2023-32601)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:23 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress Booking Ultra Pro Appointments Booking Calendar Plugin plugin <= 1.1.12 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Booking Ultra Pro Booking Ultra Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking Ultra Pro: from n/a through 1.1.12.
Severity
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Booking Ultra Pro | Booking Ultra Pro |
Affected:
n/a , ≤ 1.1.12
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T18:47:15.687534Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:47:35.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "booking-ultra-pro",
"product": "Booking Ultra Pro",
"vendor": "Booking Ultra Pro",
"versions": [
{
"changes": [
{
"at": "1.1.13",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.1.12",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Badromance 1337 (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in Booking Ultra Pro Booking Ultra Pro allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Booking Ultra Pro: from n/a through 1.1.12.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Booking Ultra Pro Booking Ultra Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking Ultra Pro: from n/a through 1.1.12."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:24.026Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/booking-ultra-pro/vulnerability/wordpress-booking-ultra-pro-appointments-booking-calendar-plugin-plugin-1-1-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No patched version is available."
}
],
"value": "No patched version is available."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Booking Ultra Pro Appointments Booking Calendar Plugin plugin \u003c= 1.1.12 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-32601",
"datePublished": "2024-12-13T14:23:27.127Z",
"dateReserved": "2023-05-10T11:11:32.951Z",
"dateUpdated": "2026-04-28T16:08:24.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-32677 (GCVE-0-2023-32677)
Vulnerability from cvelistv5 – Published: 2023-05-19 20:44 – Updated: 2025-02-12 16:37
VLAI
Title
Users who can send invitations can erroneously add users to streams during invitation in Zulip
Summary
Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows a user to invite a new user also allows them to set the streams that the new user is invited to -- even if the inviting user would not have permissions to add an existing user to streams. While such a configuration is likely rare in practice, the behavior does violate security-related controls. This does not let a user invite new users to streams they cannot see, or would not be able to add users to if they had that general permission. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may limit sending of invitations down to users who also have the permission to add users to streams.
Severity
CWE
- CWE-862 - Missing Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/zulip/zulip/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/zulip/zulip/commit/7c2693a2c64… | x_refsource_MISC |
| https://zulip.com/help/configure-who-can-invite-t… | x_refsource_MISC |
| https://zulip.com/help/restrict-account-creation#… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.618Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/zulip/zulip/security/advisories/GHSA-mrvp-96q6-jpvc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zulip/zulip/security/advisories/GHSA-mrvp-96q6-jpvc"
},
{
"name": "https://github.com/zulip/zulip/commit/7c2693a2c64904d1d0af8503b57763943648cbe5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zulip/zulip/commit/7c2693a2c64904d1d0af8503b57763943648cbe5"
},
{
"name": "https://zulip.com/help/configure-who-can-invite-to-streams",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://zulip.com/help/configure-who-can-invite-to-streams"
},
{
"name": "https://zulip.com/help/restrict-account-creation#change-who-can-send-invitations",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://zulip.com/help/restrict-account-creation#change-who-can-send-invitations"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32677",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T17:06:56.888216Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:37:08.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zulip",
"vendor": "zulip",
"versions": [
{
"status": "affected",
"version": "\u003e 1.9.0, \u003c 6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows a user to invite a new user also allows them to set the streams that the new user is invited to -- even if the inviting user would not have permissions to add an existing user to streams. While such a configuration is likely rare in practice, the behavior does violate security-related controls. This does not let a user invite new users to streams they cannot see, or would not be able to add users to if they had that general permission. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may limit sending of invitations down to users who also have the permission to add users to streams."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-19T20:44:47.105Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zulip/zulip/security/advisories/GHSA-mrvp-96q6-jpvc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zulip/zulip/security/advisories/GHSA-mrvp-96q6-jpvc"
},
{
"name": "https://github.com/zulip/zulip/commit/7c2693a2c64904d1d0af8503b57763943648cbe5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zulip/zulip/commit/7c2693a2c64904d1d0af8503b57763943648cbe5"
},
{
"name": "https://zulip.com/help/configure-who-can-invite-to-streams",
"tags": [
"x_refsource_MISC"
],
"url": "https://zulip.com/help/configure-who-can-invite-to-streams"
},
{
"name": "https://zulip.com/help/restrict-account-creation#change-who-can-send-invitations",
"tags": [
"x_refsource_MISC"
],
"url": "https://zulip.com/help/restrict-account-creation#change-who-can-send-invitations"
}
],
"source": {
"advisory": "GHSA-mrvp-96q6-jpvc",
"discovery": "UNKNOWN"
},
"title": "Users who can send invitations can erroneously add users to streams during invitation in Zulip"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32677",
"datePublished": "2023-05-19T20:44:47.105Z",
"dateReserved": "2023-05-11T16:33:45.731Z",
"dateUpdated": "2025-02-12T16:37:08.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32798 (GCVE-0-2023-32798)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:23 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress Simple Page Ordering plugin <= 2.5.0 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in 10up Simple Page Ordering allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Page Ordering: from n/a through 2.5.0.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| 10up | Simple Page Ordering |
Affected:
n/a , ≤ 2.5.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T18:46:24.586048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:46:38.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "simple-page-ordering",
"product": "Simple Page Ordering",
"vendor": "10up",
"versions": [
{
"changes": [
{
"at": "2.5.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mika (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in 10up Simple Page Ordering allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Simple Page Ordering: from n/a through 2.5.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in 10up Simple Page Ordering allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Page Ordering: from n/a through 2.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:24.334Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/simple-page-ordering/vulnerability/wordpress-simple-page-ordering-plugin-2-5-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Simple Page Ordering plugin to the latest available version (at least 2.5.1)."
}
],
"value": "Update the WordPress Simple Page Ordering plugin to the latest available version (at least 2.5.1)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Simple Page Ordering plugin \u003c= 2.5.0 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-32798",
"datePublished": "2024-12-13T14:23:27.692Z",
"dateReserved": "2023-05-15T12:15:04.075Z",
"dateUpdated": "2026-04-28T16:08:24.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-32963 (GCVE-0-2023-32963)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:23 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress Predictive Search for WooCommerce plugin <= 5.8.0 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in a3rev Software WooCommerce Predictive Search allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Predictive Search: from n/a through 5.8.0.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| a3rev Software | WooCommerce Predictive Search |
Affected:
n/a , ≤ 5.8.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T18:45:12.620831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:45:26.809Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woocommerce-predictive-search",
"product": "WooCommerce Predictive Search",
"vendor": "a3rev Software",
"versions": [
{
"changes": [
{
"at": "5.8.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.8.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mika (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in a3rev Software WooCommerce Predictive Search allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects WooCommerce Predictive Search: from n/a through 5.8.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in a3rev Software WooCommerce Predictive Search allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Predictive Search: from n/a through 5.8.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:24.612Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/woocommerce-predictive-search/vulnerability/wordpress-predictive-search-for-woocommerce-plugin-5-8-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress WooCommerce Predictive Search plugin to the latest available version (at least 5.8.1)."
}
],
"value": "Update the WordPress WooCommerce Predictive Search plugin to the latest available version (at least 5.8.1)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Predictive Search for WooCommerce plugin \u003c= 5.8.0 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-32963",
"datePublished": "2024-12-13T14:23:28.245Z",
"dateReserved": "2023-05-16T09:52:27.427Z",
"dateUpdated": "2026-04-28T16:08:24.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-33215 (GCVE-0-2023-33215)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:23 – Updated: 2026-04-29 09:51
VLAI
Title
WordPress Taggbox plugin <= 3.3 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Taggbox Taggbox taggbox-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Taggbox: from n/a through <= 3.3.
Severity
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Date Public
2026-04-22 14:34
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T19:06:54.421394Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T20:37:38.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "taggbox-widget",
"product": "Taggbox",
"vendor": "Taggbox",
"versions": [
{
"changes": [
{
"at": "3.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas H\u00f6benreich | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:34:57.411Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Taggbox Taggbox taggbox-widget allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Taggbox: from n/a through \u003c= 3.3.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Taggbox Taggbox taggbox-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Taggbox: from n/a through \u003c= 3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T09:51:48.552Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/taggbox-widget/vulnerability/wordpress-taggbox-ugc-galleries-social-media-widgets-user-reviews-analytics-plugin-2-9-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Taggbox plugin \u003c= 3.3 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-33215",
"datePublished": "2024-12-13T14:23:28.766Z",
"dateReserved": "2023-05-18T11:19:35.181Z",
"dateUpdated": "2026-04-29T09:51:48.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-33321 (GCVE-0-2023-33321)
Vulnerability from cvelistv5 – Published: 2024-05-17 06:45 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress EventPrime plugin <= 2.8.6 - Sensitive Data Exposure
Summary
Missing Authorization vulnerability in Metagauss EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through 2.8.6.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/eve… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Metagauss | EventPrime |
Affected:
n/a , ≤ 2.8.6
(custom)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:metagauss:eventprime:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "eventprime",
"vendor": "metagauss",
"versions": [
{
"lessThanOrEqual": "2.8.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T19:44:48.234667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T14:06:14.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:36.151Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/eventprime-event-calendar-management/wordpress-eventprime-plugin-2-8-6-sensitive-data-exposure?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "eventprime-event-calendar-management",
"product": "EventPrime",
"vendor": "Metagauss",
"versions": [
{
"changes": [
{
"at": "3.0.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.8.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "yuyudhn (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Metagauss EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects EventPrime: from n/a through 2.8.6.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Metagauss EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through 2.8.6."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:25.307Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/eventprime-event-calendar-management/wordpress-eventprime-plugin-2-8-6-sensitive-data-exposure?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 3.0.0 or a higher version."
}
],
"value": "Update to 3.0.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress EventPrime plugin \u003c= 2.8.6 - Sensitive Data Exposure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-33321",
"datePublished": "2024-05-17T06:45:48.669Z",
"dateReserved": "2023-05-22T08:58:13.948Z",
"dateUpdated": "2026-04-28T16:08:25.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-33324 (GCVE-0-2023-33324)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:23 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress Easy Captcha plugin <= 1.0 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in wppal Easy Captcha allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Captcha: from n/a through 1.0.
Severity
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wppal | Easy Captcha |
Affected:
n/a , ≤ 1.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T19:09:26.729707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T20:37:32.440Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "easy-captcha",
"product": "Easy Captcha",
"vendor": "wppal",
"versions": [
{
"lessThanOrEqual": "1.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Skalucy (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in wppal Easy Captcha allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Easy Captcha: from n/a through 1.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in wppal Easy Captcha allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Captcha: from n/a through 1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:25.334Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/easy-captcha/vulnerability/wordpress-easy-captcha-plugin-1-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Easy Captcha plugin \u003c= 1.0 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-33324",
"datePublished": "2024-12-13T14:23:29.320Z",
"dateReserved": "2023-05-22T09:25:40.834Z",
"dateUpdated": "2026-04-28T16:08:25.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.