CWE-266
Incorrect Privilege Assignment
BaseDraft
Description
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Hierarchy (View 1000)
CVEs mapped to this weakness (462)
page 4 of 24| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-54293 | Cri | 0.64 | 9.8 | 0.00 | Dec 13, 2024 | Incorrect Privilege Assignment vulnerability in CE21 CE21 Suite ce21-suite allows Privilege Escalation.This issue affects CE21 Suite: from n/a through <= 2.2.0. | |
| CVE-2024-52442 | Cri | 0.64 | 9.8 | 0.00 | Nov 20, 2024 | Incorrect Privilege Assignment vulnerability in userplus UserPlus userplus allows Privilege Escalation.This issue affects UserPlus: from n/a through <= 2.0. | |
| CVE-2024-49322 | Cri | 0.64 | 9.8 | 0.00 | Oct 17, 2024 | Incorrect Privilege Assignment vulnerability in CodePassenger Job Board Manager for WordPress jemployee allows Privilege Escalation.This issue affects Job Board Manager for WordPress: from n/a through <= 1.0. | |
| CVE-2024-49217 | Cri | 0.64 | 9.8 | 0.00 | Oct 17, 2024 | Incorrect Privilege Assignment vulnerability in madiriaashish Adding drop down roles in registration user-drop-down-roles-in-registration allows Privilege Escalation.This issue affects Adding drop down roles in registration: from n/a through <= 1.1. | |
| CVE-2024-9863 | Cri | 0.64 | 9.8 | 0.01 | Oct 17, 2024 | The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled. | |
| CVE-2024-43153 | Cri | 0.64 | 9.8 | 0.01 | Aug 13, 2024 | Incorrect Privilege Assignment vulnerability in WofficeIO Woffice woffice.This issue affects Woffice: from n/a through <= 5.4.10. | |
| CVE-2024-37927 | Cri | 0.64 | 9.8 | 0.01 | Jul 12, 2024 | Incorrect Privilege Assignment vulnerability in NooTheme Jobmonster noo-jobmonster allows Privilege Escalation.This issue affects Jobmonster: from n/a through <= 4.7.5. | |
| CVE-2024-35700 | Cri | 0.64 | 9.8 | 0.01 | Jun 4, 2024 | Incorrect Privilege Assignment vulnerability in DeluxeThemes Userpro userpro.This issue affects Userpro: from n/a through <= 5.1.8. | |
| CVE-2024-2409 | Cri | 0.64 | 9.8 | 0.00 | Mar 29, 2024 | The MasterStudy LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.1. This is due to insufficient validation checks within the _register_user() function called by the 'wp_ajax_nopriv_stm_lms_register' AJAX action. This makes it possible for unauthenticated attackers to register a user with administrator-level privileges when MasterStudy LMS Pro is installed and the LMS Forms Editor add-on is enabled. | |
| CVE-2026-32916 | Cri | 0.61 | 9.4 | 0.00 | Mar 31, 2026 | OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke runtime.subagent methods to perform privileged gateway actions including session deletion and agent execution. | |
| CVE-2024-22145 | Hig | 0.61 | 8.8 | 0.49 | May 17, 2024 | Incorrect Privilege Assignment vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.8. | |
| CVE-2026-32519 | Cri | 0.59 | 9.0 | 0.00 | Mar 25, 2026 | Incorrect Privilege Assignment vulnerability in Bit Apps Bit SMTP bit-smtp allows Privilege Escalation.This issue affects Bit SMTP: from n/a through <= 1.2.2. | |
| CVE-2025-45006 | Cri | 0.59 | 9.1 | 0.00 | Jul 1, 2025 | Improper mstatus.SUM bit retention (non-zero) in Open-Source RISC-V Processor commit f517abb violates privileged spec constraints, enabling potential physical memory access attacks. | |
| CVE-2026-5141 | Hig | 0.57 | 8.8 | 0.00 | Apr 29, 2026 | Improper Privilege Management, Improper Access Control, Incorrect privilege assignment vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Hijacking a privileged process. This issue affects Pardus Software Center: from 1.0.2 before 1.0.3. | |
| CVE-2026-27668 | Hig | 0.57 | 8.8 | 0.00 | Apr 14, 2026 | A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (All versions < V5.8). User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and grant themselves access to any device group at any access level. | |
| CVE-2026-32530 | Hig | 0.57 | 8.8 | 0.00 | Mar 25, 2026 | Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through <= 1.1.18. | |
| CVE-2026-25414 | Hig | 0.57 | 8.8 | 0.00 | Mar 25, 2026 | Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.This issue affects WPBookit Pro: from n/a through <= 1.6.18. | |
| CVE-2025-69293 | Hig | 0.57 | 8.8 | 0.00 | Jan 22, 2026 | Incorrect Privilege Assignment vulnerability in e-plugins Final User final-user allows Privilege Escalation.This issue affects Final User: from n/a through <= 1.2.5. | |
| CVE-2025-69292 | Hig | 0.57 | 8.8 | 0.00 | Jan 22, 2026 | Incorrect Privilege Assignment vulnerability in e-plugins WP Membership wp-membership allows Privilege Escalation.This issue affects WP Membership: from n/a through <= 1.6.4. | |
| CVE-2025-69183 | Hig | 0.57 | 8.8 | 0.00 | Jan 22, 2026 | Incorrect Privilege Assignment vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Privilege Escalation.This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. |