CWE-862

Missing Authorization vulnerability in WordPress Page Builder Sandwich Team Page Builder Sandwich – Front-End Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Page Builder Sandwich – Front-End Page Builder: from n/a through 5.1.0.

Missing Authorization vulnerability in Laybuy Laybuy Payment Extension for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Laybuy Payment Extension for WooCommerce: from n/a through 5.3.9.

Missing Authorization vulnerability in javmah Woocommerce Customers Order History allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Woocommerce Customers Order History: from n/a through 5.2.2.

Missing Authorization vulnerability in Popup Box Team Popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup box: from n/a through 4.5.1.

Missing Authorization vulnerability in Envira Gallery Team Envira Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Envira Photo Gallery: from n/a through 1.8.7.3.

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up to, and including, 5.0.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain usernames and emails of site users.

Missing Authorization vulnerability in mondula2016 Multi Step Form multi-step-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Multi Step Form: from n/a through <= 1.7.21.

Missing Authorization vulnerability in Benjamin Denis SEOPress wp-seopress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEOPress: from n/a through <= 8.1.1.

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smar Message activation/deactivation due to a missing capability check on the ajax_enable function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate smart messages.

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones.

The Editorial Assistant by Sovrn plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_zemanta_set_featured_image' function in versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload attachment files (such as jpg, png, txt, zip), and set the post featured image.

The WooCommerce UPS Shipping – Live Rates and Access Points plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_oauth_data function in all versions up to, and including, 2.3.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's API key.

The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized post publication due to a missing capability check on the activateCampaign() function in all versions up to, and including, 2.10.0. This makes it possible for authenticated attackers, with contributor-level access and above, to publish arbitrary posts like ones they have submitted for review, or a site administrator has in draft.

Missing Authorization vulnerability in colorlibplugins Simple Custom Post Order simple-custom-post-order allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Custom Post Order: from n/a through <= 2.5.7.

Missing Authorization vulnerability in RexTheme WP VR wpvr allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP VR: from n/a through <= 8.5.4.

Missing Authorization vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities.This issue affects ProfileGrid : from n/a through <= 5.9.3.

Missing Authorization vulnerability in wpdiscover Photo Gallery Builder photo-gallery-builder allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Photo Gallery Builder: from n/a through <= 3.0.

The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin and send a custom reason from the site.

The ImagePress – Image Gallery plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'ip_delete_post' and 'ip_update_post_title' functions in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts and update post titles.

The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete read more buttons.