VYPR

CWE-285

Improper Authorization

Abstraction: Class · Status: Draft · Likelihood of Exploit: High

Description

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87

CVEs mapped to this weakness (812)

page 27 of 41
  • CVE-2025-13085 · Medium · Nov 19, 2025
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolve_variables() AJAX handler. This…

  • CVE-2025-12494 · Medium · Nov 15, 2025
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated…

  • CVE-2025-12360 · Medium · Nov 6, 2025
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers,…

  • CVE-2025-12367 · Medium · Nov 1, 2025
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.3.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated…

  • CVE-2025-10902 · Medium · Oct 24, 2025
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ai_scan_result_remove' function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with…

  • CVE-2025-11510 · Medium · Oct 18, 2025
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /filebird/v1/fb-wipe-clear-all-data function in all versions up to, and including, 6.4.9. This makes…

  • CVE-2025-8147 · Medium · Aug 29, 2025
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    The LWSCache plugin for WordPress is vulnerable to unauthorized modification of data due to improper authorization on the lwscache_activatePlugin() function in all versions up to, and including, 2.8.5. This makes it possible for authenticated attackers, with Subscriber-level…

  • CVE-2024-13552 · Medium · Mar 7, 2025
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.0 via file upload due to missing validation on a user controlled key. This makes it possible for…

  • CVE-2025-24784 · Medium · Jan 30, 2025
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. The policy group feature was added in the 1.17.0 release. By being namespaced, the AdmissionPolicyGroup has a well constrained impact on cluster resources.…

  • CVE-2024-1803 · Medium · May 23, 2024
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of functionality due to insufficient authorization validation on the PDF embed…

  • CVE-2023-3957 · Medium · Jul 27, 2023
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient restriction on the 'apg_profile_update' function in versions up to, and including, 1.9. This makes it possible for authenticated attackers, with…

  • CVE-2023-0583 · Medium · Jun 3, 2023
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'update_vk_blocks_options' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change plugin settings…

  • CVE-2016-7078 · Medium · Sep 10, 2018
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    foreman before version 1.15.0 is vulnerable to an information leak through the organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are…

  • CVE-2016-7077 · Medium · Sep 10, 2018
    risk 0.21 · CVSS 4.3 · EPSS 0.01

    foreman before 1.14.0 is vulnerable to an information leak. It was found that the Foreman form helper does not authorize options for associated objects. An unauthorized user can see the names of such objects if their count is less than 6.

  • CVE-2026-4958 · Low · Mar 27, 2026
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects the function ReplayServer.on_connect/ReplayServer.send_data of the file XAgentServer/application/websockets/replayer.py of the component WebSocket Endpoint. Such manipulation of the argument interaction_id…

  • CVE-2026-4549 · Low · Mar 22, 2026
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    A flaw has been found in mickasmt next-saas-stripe-starter 1.0.0. Affected by this issue is the function openCustomerPortal of the file actions/open-customer-portal.ts of the component Stripe API. This manipulation causes authorization bypass. Remote exploitation of the attack…

  • CVE-2025-15126 · Low · Dec 28, 2025
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. This manipulation of the argument positionId causes improper authorization. The attack may be initiated…

  • CVE-2025-15125 · Low · Dec 28, 2025
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    A security flaw has been discovered in JeecgBoot up to 3.9.0. Affected is the function queryDepartPermission of the file /sys/permission/queryDepartPermission. The manipulation of the argument departId results in improper authorization. The attack can be launched remotely. This…

  • CVE-2025-15124 · Low · Dec 28, 2025
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    A vulnerability was identified in JeecgBoot up to 3.9.0. This impacts the function getParameterMap of the file /sys/sysDepartPermission/list. The manipulation of the argument departId leads to improper authorization. The attack can be initiated remotely. The attack's complexity…

  • CVE-2025-15123 · Low · Dec 28, 2025
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The attack requires a high level of…