access:pre-auth — CVE vulnerabilities tagged 19704

19704 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE ID	Title	CVSS	Severity	Published
CVE-2019-25579	phpTransformer 2016.9 Directory Traversal via jQueryFileUpload — phpTransformerCWE-22	7.5	High	2026-03-21
CVE-2019-25576	Kepler Wallpaper Script 1.1 SQL Injection via category — Kepler Wallpaper ScriptCWE-89	8.2	High	2026-03-21
CVE-2019-25575	SimplePress CMS 1.0.7 SQL Injection via p and s Parameters — SimplePress CMSCWE-89	8.2	High	2026-03-21
CVE-2019-25570	RealTerm Serial Terminal 2.0.0.70 Denial of Service via Port Field — RealTerm: Serial TerminalCWE-1260	5.5	Medium	2026-03-21
CVE-2026-4373	JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field — JetFormBuilder — Dynamic Blocks Form BuilderCWE-36	7.5	High	2026-03-21
CVE-2026-3478	Content Syndication Toolkit <= 1.3 - Unauthenticated Server-Side Request Forgery via 'url' Parameter — Content Syndication ToolkitCWE-918	7.2	High	2026-03-21
CVE-2026-2723	Post Snippits <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update — Post SnippitsCWE-352	6.1	Medium	2026-03-21
CVE-2026-4143	Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery to Settings Update — Neos Connector for FakturamaCWE-352	4.3	Medium	2026-03-21
CVE-2026-1648	Performance Monitor <= 1.0.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter — Performance MonitorCWE-918	7.2	High	2026-03-21
CVE-2026-1647	Comment Genius <= 1.2.5 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] — Comment GeniusCWE-79	6.1	Medium	2026-03-21
CVE-2026-2427	itsukaita <= 0.1.2 - Reflected Cross-Site Scripting via 'day_from' Parameter — itsukaitaCWE-79	6.1	Medium	2026-03-21
CVE-2026-1503	login_register <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting — Plugin Name: login_registerCWE-352	4.3	Medium	2026-03-21
CVE-2024-13785	Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution — Contact Form, Survey, Quiz & Popup Form Builder – ARFormsCWE-94	5.6	Medium	2026-03-21
CVE-2026-3331	Lobot Slider Administrator <= 0.6.0 - Cross-Site Request Forgery to Settings Update — Lobot Slider AdministratorCWE-352	4.3	Medium	2026-03-21
CVE-2026-3003	Vagaro Booking Widget <= 0.3 - Unauthenticated Stored Cross-Site Scripting via 'vagaro_code' — Vagaro Booking WidgetCWE-79	7.2	High	2026-03-21
CVE-2026-1392	SR WP Minify HTML <= 2.1 - Cross-Site Request Forgery to Settings Update — SR WP Minify HTMLCWE-352	4.3	Medium	2026-03-21
CVE-2026-3641	Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint — AppmaxCWE-20	5.3	Medium	2026-03-21
CVE-2026-2468	Quentn WP <= 1.2.12 - Unauthenticated SQL Injection via 'qntn_wp_access' Cookie — Quentn WPCWE-89	7.5	High	2026-03-21
CVE-2026-3332	Xhanch - My Advanced Settings <= 1.1.2 - Cross-Site Request Forgery to Settings Update — Xhanch – My Advanced SettingsCWE-352	4.3	Medium	2026-03-21
CVE-2026-3651	Build App Online <= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via 'build-app-online-update-vendor-product' AJAX Action — Build App OnlineCWE-862	5.3	Medium	2026-03-21
CVE-2025-13910	WP-WebAuthn <= 1.3.4 - Unauthenticated Stored Cross-Site Scripting — WP-WebAuthnCWE-79	6.1	Medium	2026-03-21
CVE-2026-4069	Alfie – Feed Plugin <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'naam' Parameter — Alfie – Feed PluginCWE-79	6.1	Medium	2026-03-21
CVE-2026-3506	WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover — WP-Chatbot for MessengerCWE-862	5.3	Medium	2026-03-21
CVE-2026-2277	rexCrawler <= 1.0.15 - Reflected Cross-Site Scripting via 'url' and 'regex' Parameters — rexCrawlerCWE-79	6.1	Medium	2026-03-21
CVE-2026-1378	WP Posts Re-order <= 1.0 - Cross-Site Request Forgery to Settings Update — WP Posts Re-orderCWE-352	4.3	Medium	2026-03-21
CVE-2026-1390	Redirect countdown <= 1.0 - Cross-Site Request Forgery to Settings Update — Redirect countdownCWE-352	4.3	Medium	2026-03-21
CVE-2026-1393	Add Google Social Profiles to Knowledge Graph Box <= 1.0 - Cross-Site Request Forgery to Settings Update — Add Google Social Profiles to Knowledge Graph BoxCWE-352	4.3	Medium	2026-03-21
CVE-2026-1800	Fonts Manager \| Custom Fonts <= 1.2 - Unauthenticated SQL Injection via fmcfIdSelectedFnt parameter — Fonts Manager \| Custom FontsCWE-89	7.5	High	2026-03-21
CVE-2026-2375	App Builder – Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter — App Builder – Create Native Android & iOS Apps On The FlightCWE-269	6.5	Medium	2026-03-21
CVE-2026-2440	SurveyJS: Drag & Drop Form Builder <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting — SurveyJS: Drag & Drop Form BuilderCWE-79	7.2	High	2026-03-21

Vulnerabilities classified as access:pre-auth represent 19704 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.

Goal Reached Thanks to every supporter — we hit 100%!

access:pre-auth — CVE vulnerabilities tagged 19704