CWE-266
Incorrect Privilege Assignment
Base · Draft
Description
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CVEs mapped to this weakness (462)
Page 3 of 24

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-31918 | Cri | 0.64 | 9.8 | 0.00 | May 23, 2025 | Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro simple-business-directory-pro allows Privilege Escalation. This issue affects Simple Business Directory Pro: from n/a through < 15.6.9. |
| CVE-2025-32980 | Cri | 0.64 | 9.8 | 0.00 | Apr 25, 2025 | NETSCOUT nGeniusONE before 6.4.0 P11 b3245 has a Weak Sudo Configuration. |
| CVE-2025-2470 | Cri | 0.64 | 9.8 | 0.01 | Apr 25, 2025 | The Service Finder Bookings plugin for WordPress, used by the Service Finder - Directory and Job Board WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 5.1. This is due to a lack of restriction on user role in the 'nsl_registration_store_extra_input' function. This makes it possible for unauthenticated attackers to register an account on the site with an arbitrary role, including Administrator, when registering via a social login. The Nextend Social Login plugin must be installed and configured to exploit the vulnerability. |
| CVE-2025-32648 | Cri | 0.64 | 9.8 | 0.00 | Apr 17, 2025 | Incorrect Privilege Assignment vulnerability in Projectopia Projectopia projectopia-core allows Privilege Escalation. This issue affects Projectopia: from n/a through <= 5.1.24. |
| CVE-2025-32491 | Cri | 0.64 | 9.8 | 0.00 | Apr 11, 2025 | Incorrect Privilege Assignment vulnerability in Rankology Rankology SEO – On-site SEO rankology-seo-all-in-one-seo-analytics allows Privilege Escalation. This issue affects Rankology SEO – On-site SEO: from n/a through <= 2.2.4. |
| CVE-2025-32695 | Cri | 0.64 | 9.8 | 0.00 | Apr 9, 2025 | Incorrect Privilege Assignment vulnerability in Mestres do WP Checkout Mestres WP checkout-mestres-wp allows Privilege Escalation. This issue affects Checkout Mestres WP: from n/a through <= 8.7.5. |
| CVE-2024-51800 | Cri | 0.64 | 9.8 | 0.01 | Apr 4, 2025 | Incorrect Privilege Assignment vulnerability in Favethemes Homey allows Privilege Escalation. This issue affects Homey: from n/a through 2.4.1. |
| CVE-2025-2345 | Cri | 0.64 | 9.8 | 0.00 | Mar 16, 2025 | A vulnerability, which was classified as very critical, was found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. This affects an unknown part. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-56000 | Cri | 0.64 | 9.8 | 0.00 | Feb 18, 2025 | Incorrect Privilege Assignment vulnerability in SeventhQueen K Elements k-elements allows Privilege Escalation. This issue affects K Elements: from n/a through < 5.4.0. |
| CVE-2024-12213 | Cri | 0.64 | 9.8 | 0.00 | Feb 12, 2025 | The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to 2.3.16. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on vulnerable sites. Please note that this may have been patched sooner, however, the oldest available version for us to confirm this is patched in was 1.2.85. |
| CVE-2024-51888 | Cri | 0.64 | 9.8 | 0.00 | Jan 21, 2025 | Incorrect Privilege Assignment vulnerability in favethemes Homey Login Register homey-login-register allows Privilege Escalation. This issue affects Homey Login Register: from n/a through <= 2.4.0. |
| CVE-2024-32555 | Cri | 0.64 | 9.8 | 0.00 | Jan 21, 2025 | Incorrect Privilege Assignment vulnerability in InspiryThemes Easy Real Estate easy-real-estate allows Privilege Escalation. This issue affects Easy Real Estate: from n/a through <= 2.2.9. |
| CVE-2024-12470 | Cri | 0.64 | 9.8 | 0.00 | Jan 7, 2025 | The School Management System – SakolaWP plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.8. This is due to the registration function not properly limiting what roles a user can register as. This makes it possible for unauthenticated attackers to register as an administrative user. |
| CVE-2024-56043 | Cri | 0.64 | 9.8 | 0.00 | Dec 31, 2024 | Incorrect Privilege Assignment vulnerability in VibeThemes WPLMS wplms_plugin allows Privilege Escalation. This issue affects WPLMS: from n/a through <= 1.9.9. |
| CVE-2024-56040 | Cri | 0.64 | 9.8 | 0.00 | Dec 31, 2024 | Incorrect Privilege Assignment vulnerability in VibeThemes VibeBP vibebp allows Privilege Escalation. This issue affects VibeBP: from n/a through <= 1.9.9.4.1. |
| CVE-2024-56205 | Cri | 0.64 | 9.8 | 0.00 | Dec 31, 2024 | Incorrect Privilege Assignment vulnerability in SunnyKai AI Magic newsletter-page-redirects allows Privilege Escalation. This issue affects AI Magic: from n/a through <= 1.0.4. |
| CVE-2024-56071 | Cri | 0.64 | 9.8 | 0.00 | Dec 31, 2024 | Incorrect Privilege Assignment vulnerability in mikeleembruggen Simple Dashboard simple-dashboard allows Privilege Escalation. This issue affects Simple Dashboard: from n/a through <= 2.0. |
| CVE-2024-56220 | Cri | 0.64 | 9.8 | 0.00 | Dec 31, 2024 | Incorrect Privilege Assignment vulnerability in sslplugins SSL Wireless SMS Notification ssl-wireless-sms-notification allows Privilege Escalation. This issue affects SSL Wireless SMS Notification: from n/a through <= 3.6.0. |
| CVE-2024-54383 | Cri | 0.64 | 9.8 | 0.07 | Dec 18, 2024 | Incorrect Privilege Assignment vulnerability in wpweb WooCommerce PDF Vouchers woocommerce-pdf-vouchers allows Privilege Escalation. This issue affects WooCommerce PDF Vouchers: from n/a through < 4.9.9. |
| CVE-2024-54229 | Cri | 0.64 | 9.8 | 0.00 | Dec 16, 2024 | Incorrect Privilege Assignment vulnerability in straightvisions GmbH SV100 Companion sv100-companion allows Privilege Escalation. This issue affects SV100 Companion: from n/a through <= 2.0.02. |