VYPR

CWE-288

Authentication Bypass Using an Alternate Path or Channel

Base · Incomplete

Description

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-127 · CAPEC-665

CVEs mapped to this weakness (336)

page 1 of 17
  • CVE-2026-24858 · Critical · KEV · Jan 27, 2026
    risk 0.76 · cvss 9.8 · epss 0.86

    An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through…

  • CVE-2024-50477 · Critical · Oct 28, 2024
    risk 0.73 · cvss 9.8 · epss 0.08

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Authentication Bypass. This issue affects Stacks Mobile App Builder: from n/a through <= 5.2.3.

  • CVE-2023-2732 · Critical · May 25, 2023
    risk 0.71 · cvss 9.8 · epss 0.68

    The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for…

  • CVE-2017-5174 · Critical · May 19, 2017
    risk 0.71 · cvss 9.8 · epss 0.52

    An Authentication Bypass issue was discovered in Geutebruck IP Camera G-Cam/EFD-2250 Version 1.11.0.12. An authentication bypass vulnerability has been identified. The existing file system architecture could allow attackers to bypass the access control that may allow remote code…

  • CVE-2022-25369 · Critical · Jan 23, 2026
    risk 0.70 · cvss 9.8 · epss 0.41

    An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new…

  • CVE-2023-2437 · Critical · Nov 22, 2023
    risk 0.70 · cvss 9.8 · epss 0.07

    The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.1. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers…

  • CVE-2023-2734 · Critical · May 25, 2023
    risk 0.69 · cvss 9.8 · epss 0.04

    The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible…

  • CVE-2026-7567 · Critical · May 1, 2026
    risk 0.67 · cvss 9.8 · epss 0.09

    The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the 'temp-login-token' GET parameter is a…

  • CVE-2024-10245 · Critical · Nov 12, 2024
    risk 0.67 · cvss 9.8 · epss 0.01

    The Relais 2FA plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0. This is due to incorrect authentication and capability checking in the 'rl_do_ajax' function. This makes it possible for unauthenticated attackers to log in as any…

  • CVE-2024-49328 · Critical · Oct 20, 2024
    risk 0.67 · cvss 9.8 · epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in vivek2tamrakar WP REST API FNS rest-api-fns allows Authentication Bypass. This issue affects WP REST API FNS: from n/a through <= 1.0.0.

  • CVE-2024-9106 · Critical · Oct 1, 2024
    risk 0.67 · cvss 9.8 · epss 0.02

    The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. This is due to insufficient verification on the user being supplied during the social login. This makes it possible for unauthenticated attackers to log…

  • CVE-2023-3277 · Critical · Nov 3, 2023
    risk 0.67 · cvss 9.8 · epss 0.03

    The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as…

  • CVE-2023-2986 · Critical · Jun 8, 2023
    risk 0.67 · cvss 9.8 · epss 0.43

    The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows…

  • CVE-2024-52475 · Critical · Nov 28, 2024
    risk 0.66 · cvss 9.8 · epss 0.02

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Information Technology Wawp automation-web-platform allows Authentication Bypass. This issue affects Wawp: from n/a through < 3.0.18.

  • CVE-2025-0674 · Critical · Feb 7, 2025
    risk 0.65 · cvss 9.8 · epss 0.04

    Multiple Elber products are affected by an authentication bypass vulnerability which allows unauthorized access to the password management functionality. Attackers can exploit this issue by manipulating the endpoint to overwrite any user's password within the system. This…

  • CVE-2024-2973 · Critical · Jun 27, 2024
    risk 0.65 · cvss 10.0 · epss 0.01

    An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device. Only routers or conductors…

  • CVE-2026-49764 · Critical · Jun 15, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions.

  • CVE-2026-10523 · Critical · Jun 9, 2026
    risk 0.64 · cvss 9.9 · epss 0.47

    An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

  • CVE-2025-41273 · Critical · May 29, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Nozomi Networks Labs identified a CWE-288: Authentication Bypass Using an Alternate Path or Channel in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to bypass authentication of the Console web…

  • CVE-2026-24207 · Critical · May 20, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure.