Vulnerabilities > Missing Authorization

| DATE | CVE | VULNERABILITY TITLE | ATTACK VECTOR | COMPLEXITY | VENDOR | CWE | RISK |
|---|---|---|---|---|---|---|---|
| 2025-03-04 | CVE-2025-1307 | Missing Authorization vulnerability in Spicethemes Newscrunch. The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. | network | low complexity | spicethemes | CWE-862 | critical 9.8 |
| 2025-03-04 | CVE-2024-13686 | The VW Storefront theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vw_storefront_reset_all_settings() function in all versions up to, and including, 0.9.9. | network | low complexity | | CWE-862 | 4.3 |
| 2025-03-04 | CVE-2025-1639 | Missing Authorization vulnerability in Crowdytheme Arolax. The Animation Addons for Elementor Pro plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_elementor_plugin_handler() function in all versions up to, and including, 1.6. | network | low complexity | crowdytheme | CWE-862 | 8.8 |
| 2025-03-03 | CVE-2025-24654 | Missing Authorization vulnerability in Squirrly SEO Plugin BY Squirrly SEO. Missing Authorization vulnerability in SEO Squirrly SEO Plugin by Squirrly SEO. This issue affects SEO Plugin by Squirrly SEO: from n/a through 12.4.05. | network | low complexity | squirrly | CWE-862 | 8.8 |
| 2025-03-01 | CVE-2025-1404 | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_sccp_reports_user_search() function in all versions up to, and including, 4.4.7. | network | low complexity | | CWE-862 | 5.3 |
| 2025-03-01 | CVE-2024-12544 | The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to arbitrary file deletion due to a missing capability check on the callback function of the SurveyJS_DeleteFile class in all versions up to, and including, 1.12.17. | network | low complexity | | CWE-862 | 8.8 |
| 2025-03-01 | CVE-2025-1502 | The IP2Location Redirection plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'download_ip2location_redirection_backup' AJAX action in all versions up to, and including, 1.33.3. | network | low complexity | | CWE-862 | 5.3 |
| 2025-03-01 | CVE-2024-13746 | The Booking Calendar and Notification plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on the wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts() functions in all versions up to, and including, 4.0.3. | network | low complexity | | CWE-862 | 6.5 |
| 2025-03-01 | CVE-2024-13358 | The BuddyPress WooCommerce My Account Integration. | network | low complexity | | CWE-862 | 4.3 |
| 2025-03-01 | CVE-2025-1780 | The BuddyPress WooCommerce My Account Integration. | network | low complexity | | CWE-862 | 4.3 |