Reddit NetSec

AlienVault OTX General

CVE Database V5

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

Missing Authorization vulnerability in Drupal Bookable Calendar allows Forceful Browsing.This issue affects Bookable Calendar: from 0.0.0 before 2.2.13.

CVE-2025-48916 is a Missing Authorization vulnerability identified in the Drupal Bookable Calendar module, specifically affecting versions prior to 2.2.13. The vulnerability is classified under CWE-862, which pertains to improper authorization checks. This flaw allows an attacker to perform forceful browsing, meaning they can access resources or pages within the Bookable Calendar module without proper permission validation. Essentially, the module fails to verify whether the requesting user has the necessary rights to view or interact with certain calendar entries or booking functionalities. This can lead to unauthorized access to sensitive booking data or administrative functions. The vulnerability exists because the authorization logic is either missing or incorrectly implemented, allowing attackers to bypass intended access controls. Although no known exploits are currently reported in the wild, the nature of the vulnerability suggests that exploitation could be straightforward, as it does not require complex conditions or advanced privileges. The absence of a CVSS score indicates that the vulnerability has not yet been fully assessed for severity, but the technical details confirm that it is a significant authorization bypass issue in a widely used content management system extension.

Detailed information about CVE-2025-48916: CWE-862 Missing Authorization in Drupal Bookable Calendar affecting Drupal Bookable Calendar. Get real-time updates, 

CVE-2025-48916: CWE-862 Missing Authorization in Drupal Bookable Calendar - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-48916: CWE-862 Missing Authorization in Drupal Bookable Calendar

The Traffic Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tfcm_maybe_set_bot_flags() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to disabled bot logging.

CVE-2025-5815 is a medium-severity vulnerability affecting the Traffic Monitor plugin for WordPress developed by dmitriamartin. The issue stems from a missing authorization check in the function tfcm_maybe_set_bot_flags() in all versions up to and including 3.2.2. Specifically, this function lacks a capability check to verify whether the user invoking it has the appropriate permissions. As a result, unauthenticated attackers can invoke this function to disable bot logging within the plugin. This vulnerability is classified under CWE-862 (Missing Authorization), indicating that the system fails to properly restrict access to sensitive functionality. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), integrity impact (I:L), and no availability impact (A:N). The primary impact is the unauthorized modification of plugin data, specifically disabling bot logging, which can hinder detection of malicious bot activity on the affected WordPress site. No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. Given that the vulnerability allows unauthenticated attackers to alter logging behavior, it can be leveraged to evade detection mechanisms, potentially facilitating further attacks such as automated scraping, brute force, or other malicious bot activities without triggering alerts. The vulnerability affects all versions of the Traffic Monitor plugin up to 3.2.2, which is widely used by WordPress site administrators to monitor traffic and bot activity. Since WordPress is a popular CMS platform across Europe, this vulnerability poses a risk to a large number of websites that rely on this plugin for traffic monitoring and security insights.

Detailed information about CVE-2025-5815: CWE-862 Missing Authorization in dmitriamartin Traffic Monitor affecting dmitriamartin Traffic Monitor. Get real-time 

CVE-2025-5815: CWE-862 Missing Authorization in dmitriamartin Traffic Monitor - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-5815: CWE-862 Missing Authorization in dmitriamartin Traffic Monitor

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.

CVE-2025-5282 is a high-severity vulnerability affecting the WP Travel Engine – Tour Booking Plugin, a WordPress plugin widely used for tour operator software and booking management. The vulnerability arises from a missing authorization check in the delete_package() function across all versions up to and including 6.5.1. Specifically, the plugin fails to verify whether the user has the necessary capabilities to delete tour packages, allowing unauthenticated attackers to invoke this function remotely. This lack of access control means that an attacker can delete arbitrary posts representing tour packages without any authentication or user interaction. The vulnerability is classified under CWE-862 (Missing Authorization), indicating a failure to enforce proper permission checks before performing sensitive operations. The CVSS 3.1 base score is 7.5 (high), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, meaning the attack can be launched remotely over the network with low attack complexity, requires no privileges or user interaction, and results in a high impact on integrity (data modification) but no impact on confidentiality or availability. Although no known exploits have been reported in the wild yet, the ease of exploitation and the critical nature of the affected function make this a significant threat. The plugin is commonly deployed on WordPress sites operated by tour operators, travel agencies, and related businesses to manage tour packages and bookings, making the integrity of their data crucial for business operations and customer trust. The vulnerability could be exploited to maliciously delete tour package data, disrupting business operations and potentially causing financial and reputational damage.

Detailed information about CVE-2025-5282: CWE-862 Missing Authorization in wptravelengine WP Travel Engine – Tour Booking Plugin – Tour Operator Software affect

CVE-2025-5282: CWE-862 Missing Authorization in wptravelengine WP Travel Engine – Tour Booking Plugin – Tour Operator Software - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-5282: CWE-862 Missing Authorization in wptravelengine WP Travel Engine – Tour Booking Plugin – Tour Operator Software

The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an arbitrary import_api URL, import specially crafted JSON, and thereby create a new user with full Administrator privileges.

CVE-2025-5288 is a critical privilege escalation vulnerability found in the WordPress plugin 'REST API | Custom API Generator For Cross Platform And Import Export In WP' developed by weboccults, affecting versions 1.0.0 through 2.0.3. The root cause of this vulnerability is a missing authorization check (CWE-862) in the process_handler() function, which handles POST requests to import data via an arbitrary import_api URL. Due to the lack of capability verification, unauthenticated attackers can craft and send specially formatted JSON payloads to this endpoint, enabling them to create new WordPress users with full Administrator privileges. This effectively bypasses all authentication and authorization mechanisms, granting attackers complete control over the affected WordPress site. The vulnerability has a CVSS 3.1 base score of 9.8 (critical), reflecting its high impact on confidentiality, integrity, and availability, as well as its ease of exploitation without any required privileges or user interaction. Although no known exploits have been reported in the wild yet, the straightforward exploitation method and the critical nature of the flaw make it a significant threat to WordPress sites using this plugin. The vulnerability was publicly disclosed on June 13, 2025, and as of this date, no official patches have been released by the vendor, increasing the urgency for mitigation.

Detailed information about CVE-2025-5288: CWE-862 Missing Authorization in weboccults REST API | Custom API Generator For Cross Platform And Import Export In WP

CVE-2025-5288: CWE-862 Missing Authorization in weboccults REST API | Custom API Generator For Cross Platform And Import Export In WP - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-5288: CWE-862 Missing Authorization in weboccults REST API | Custom API Generator For Cross Platform And Import Export In WP

Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET
requests to gather sensitive information. An attacker could also send HTTP POST requests to modify
the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service
attack.

CVE-2025-49181 is a high-severity vulnerability affecting all versions of the SICK Media Server, a product developed by SICK AG, a company specializing in industrial sensor solutions. The vulnerability stems from a missing authorization check on a specific API endpoint within the media server. This flaw allows an unauthenticated attacker to send HTTP GET requests to retrieve sensitive information from the server without any access controls. Furthermore, the attacker can send HTTP POST requests to modify critical configuration parameters, specifically the root path for log files and the TCP ports on which the service operates. By altering these parameters, the attacker can disrupt normal service operation, potentially causing a Denial of Service (DoS) condition. The vulnerability is classified under CWE-862 (Missing Authorization), indicating that the system fails to verify whether the requester has the necessary permissions to perform the requested actions. The CVSS v3.1 base score is 8.6, reflecting a high impact due to the combination of network accessibility (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope that is unchanged (S:U). The impact on confidentiality and integrity is limited but present (both rated low), while availability impact is high due to the potential DoS. No known exploits have been reported in the wild as of the publication date (June 12, 2025), and no patches have been released yet. The vulnerability affects all versions of the SICK Media Server, indicating a widespread exposure for users of this product. The missing authorization on the API endpoint represents a critical security oversight, especially given the industrial context in which SICK Media Server is deployed, where reliability and data integrity are paramount.

Detailed information about CVE-2025-49181: CWE-862 Missing Authorization in SICK AG SICK Media Server affecting SICK AG SICK Media Server. Get real-time updates

CVE-2025-49181: CWE-862 Missing Authorization in SICK AG SICK Media Server - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-49181: CWE-862 Missing Authorization in SICK AG SICK Media Server

Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0.

CVE-2025-48444 is a Missing Authorization vulnerability (CWE-862) identified in the Drupal Quick Node Block module versions prior to 2.0.0, specifically affecting version 0.0.0. This vulnerability allows an attacker to perform forceful browsing, meaning unauthorized users can access restricted nodes or content blocks that should be protected by authorization controls. The root cause is the absence of proper authorization checks within the Quick Node Block module, which fails to verify whether a user has the necessary permissions to view or interact with certain content nodes. As a result, attackers can bypass access control mechanisms and retrieve sensitive or restricted information. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and could be exploited once weaponized. The lack of a CVSS score indicates that the severity has not been formally assessed, but the nature of the vulnerability suggests significant risk to confidentiality and integrity of content managed by Drupal sites using this module. Since Drupal is a widely used content management system (CMS), especially in Europe, this vulnerability could impact a broad range of websites, including government portals, educational institutions, and private enterprises that rely on Drupal for content delivery and management. The vulnerability does not require user interaction beyond accessing the vulnerable endpoints, and no authentication is needed to exploit the missing authorization, increasing the attack surface and ease of exploitation. The absence of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps by administrators of affected Drupal installations.

Detailed information about CVE-2025-48444: CWE-862 Missing Authorization in Drupal Quick Node Block affecting Drupal Quick Node Block. Get real-time updates, te

CVE-2025-48444: CWE-862 Missing Authorization in Drupal Quick Node Block - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-48444: CWE-862 Missing Authorization in Drupal Quick Node Block

CVE-2025-48013 is a Missing Authorization vulnerability classified under CWE-862 affecting the Drupal Quick Node Block module versions prior to 2.0.0, specifically from version 0.0.0. This vulnerability allows an attacker to perform forceful browsing, meaning unauthorized users can access restricted nodes or content blocks that should be protected by access controls. The root cause is the absence of proper authorization checks within the Quick Node Block module, which fails to verify whether a user has the necessary permissions before granting access to certain content. As a result, attackers can bypass intended access restrictions and view or interact with content that should be limited to authorized users only. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and can be exploited without authentication or user interaction, making it a significant risk. The lack of a CVSS score indicates that the vulnerability has not yet been fully evaluated for severity, but the nature of missing authorization in a widely used CMS module suggests a potentially high impact on confidentiality and integrity of data. The Quick Node Block module is a component used in Drupal-based websites to display content nodes in block format, often utilized in content management and presentation layers. Given Drupal's extensive use in government, education, and enterprise websites across Europe, this vulnerability could expose sensitive information or enable unauthorized content manipulation if exploited.

Detailed information about CVE-2025-48013: CWE-862 Missing Authorization in Drupal Quick Node Block affecting Drupal Quick Node Block. Get real-time updates, te

CVE-2025-48013: CWE-862 Missing Authorization in Drupal Quick Node Block - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-48013: CWE-862 Missing Authorization in Drupal Quick Node Block

SunGrow's back end users system  iSolarCloud https://isolarcloud.com  uses an MQTT service to transport data from the user's connected devices to the user's web browser. 
The MQTT server however did not have sufficient restrictions in place to limit the topics that a user could subscribe to. 
While the data that is transmitted through the MQTT server is encrypted and the credentials for the MQTT server are obtained though an API call, the credentials could be used to subscribe to any topic and the encryption key can be used to decrypt all messages received.
An attack with an account on iSolarCloud.com could extract MQTT credentials and the decryption key from the browser and then use an external program to subscribe to the topic '#' and thus recieve all messages from all connected devices.

CVE-2025-29756 is a high-severity vulnerability (CWE-862: Missing Authorization) affecting SunGrow's iSolarCloud backend user system, which is used to manage data from connected solar energy devices. The system employs an MQTT (Message Queuing Telemetry Transport) service to transport data from user devices to the user's web browser. MQTT is a lightweight messaging protocol commonly used in IoT environments for real-time data transmission. In this case, the MQTT server does not enforce sufficient authorization controls on topic subscriptions. Although the MQTT credentials are obtained via an API call and the transmitted data is encrypted, any authenticated user with an iSolarCloud account can extract these MQTT credentials and the encryption key directly from their browser. With these credentials, an attacker can subscribe to the MQTT topic wildcard '#', which grants access to all messages from all connected devices across the platform. This means that an attacker can intercept and decrypt data streams from any user’s devices, leading to a significant breach of confidentiality. The vulnerability does not require user interaction beyond having an authenticated account, and no additional privileges are needed beyond standard user access. The CVSS 4.0 score is 8.3 (high), reflecting the network attack vector, low attack complexity, no required privileges beyond authentication, no user interaction, and a high impact on confidentiality. The vulnerability affects all versions of iSolarCloud as indicated. No patches or known exploits in the wild have been reported yet. The root cause is insufficient authorization checks on MQTT topic subscriptions, allowing lateral data access across users. This vulnerability could be exploited by malicious insiders or external attackers who have compromised user credentials, enabling them to eavesdrop on sensitive operational data from solar energy installations managed via iSolarCloud.

Detailed information about CVE-2025-29756: CWE-862 Missing Authorization in SunGrow iSolarCloud affecting SunGrow iSolarCloud. Get real-time updates, technical 

CVE-2025-29756: CWE-862 Missing Authorization in SunGrow iSolarCloud - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-29756: CWE-862 Missing Authorization in SunGrow iSolarCloud

A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL requests to terminate a wide range of processes running with administrative or system-level privileges, with the exception of those inherently protected by the operating system. This flaw stems from missing access control in the driver's IOCTL handler, enabling unprivileged users to perform privileged actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical services or privileged applications.

CVE-2025-1055 is a medium-severity vulnerability identified in the K7RKScan.sys driver, which is a component of the K7 Security Anti-Malware suite. The vulnerability arises due to missing authorization checks in the driver's IOCTL (Input Output Control) handler. Specifically, this flaw allows a local user with low privileges to craft and send specially designed IOCTL requests to the driver. These requests can forcibly terminate a broad range of processes running with administrative or system-level privileges, except those processes that are inherently protected by the operating system. The root cause is the absence of proper access control enforcement within the driver's kernel-mode interface, which enables privilege escalation in terms of process termination capabilities. Exploiting this vulnerability does not require user interaction but does require local access with low privileges. The impact is primarily a denial of service (DoS) condition, as critical services or privileged applications can be disrupted or terminated unexpectedly, potentially affecting system stability and availability. The CVSS 3.1 base score is 5.6, reflecting medium severity, with the vector indicating local attack vector, high attack complexity, low privileges required, no user interaction, and a scope change due to kernel-level impact. No known exploits are currently reported in the wild, and no patches have been published at the time of analysis.

Detailed information about CVE-2025-1055: CWE-862 Missing Authorization in K7 Security K7 Security Anti-Malware affecting K7 Security K7 Security Anti-Malware. 

CVE-2025-1055: CWE-862 Missing Authorization in K7 Security K7 Security Anti-Malware - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-1055: CWE-862 Missing Authorization in K7 Security K7 Security Anti-Malware

Missing Authorization vulnerability in Icegram Icegram Collect – Easy Form, Lead Collection and Subscription plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Icegram Collect – Easy Form, Lead Collection and Subscription plugin: from n/a through 1.3.18.

CVE-2025-47527 is a high-severity vulnerability classified under CWE-862 (Missing Authorization) affecting the Icegram Collect – Easy Form, Lead Collection and Subscription plugin, versions up to and including 1.3.18. This plugin is commonly used in WordPress environments to facilitate form creation, lead collection, and subscription management. The vulnerability arises from improperly configured access control mechanisms, allowing users with limited privileges (low-level authenticated users) to perform actions or access resources beyond their authorization scope. Specifically, the CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) indicates that the vulnerability can be exploited remotely over the network with low attack complexity, requiring only low privileges and no user interaction. While confidentiality is not impacted, the integrity and availability of the system can be compromised. Attackers can modify data or disrupt service availability, potentially leading to denial of service or data tampering within the plugin's functionality. No public exploits have been reported yet, and no patches are currently linked, suggesting that organizations using this plugin should prioritize monitoring and mitigation. Given the plugin’s role in handling lead and subscription data, unauthorized modifications could affect business operations and customer trust.

Detailed information about CVE-2025-47527: CWE-862 Missing Authorization in Icegram Icegram Collect – Easy Form, Lead Collection and Subscription plugin affecti

CVE-2025-47527: CWE-862 Missing Authorization in Icegram Icegram Collect – Easy Form, Lead Collection and Subscription plugin - Live Threat Intelligence - Threat Radar | OffSeq.com

Title	Severity	Type	Source	Date

Threats Tagged 'cwe-862'

Filter Threats

Threats Tagged 'cwe-862'