CVE-2024-11205

HIGH Year: 2024
CVSS v3 Score
8.5
High
Weakness Type
CWE-862
View all →

Vulnerability Description

The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.

Related Vulnerabilities

CVE-2022-3337

HIGH
CVSS:8.5(High)

It was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/war...

CWE-8622022

CVE-2023-22736

HIGH
CVSS:8.5(High)

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass b...

CWE-8622023

CVE-2024-12365

HIGH
CVSS:8.5(High)

The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_w3tc_admin_page function in all versions up to, and including, 2.8.1. T...

CWE-8622024

CVE-2017-13316

HIGH
CVSS:8.4(High)

In checkPermissions of RecognitionService.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution ...

CWE-8622017

CVE-2018-9469

HIGH
CVSS:8.4(High)

In multiple functions of ShortcutService.java, there is a possible creation of a spoofed shortcut due to a missing permission check. This could lead to local escalation of privilege in a privileged ap...

CWE-8622018

CVE-2020-23793

HIGH
CVSS:8.6(High)

An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Redhat's VDI product. There is a security vulnerablility that can restart KVMvirtual machine without any authorization. ...

CWE-8622020