VYPR

CWE-288

Authentication Bypass Using an Alternate Path or Channel

Base · Incomplete

Description

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-127 · CAPEC-665

CVEs mapped to this weakness (336)

page 6 of 17
  • CVE-2023-37057 · Critical · Jun 17, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to execute arbitrary code via the router's authentication mechanism.

  • CVE-2024-4552 · Critical · Jun 4, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.6.0. This is due to insufficient verification on the user being supplied during the social login through the plugin. This makes it possible for…

  • CVE-2024-4544 · Critical · May 24, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    The Pie Register - Social Sites Login (Add on) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.7. This is due to insufficient verification on the user being supplied during a social login through the plugin. This makes it…

  • CVE-2024-4393 · Critical · May 8, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    The Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2. This is due to insufficient verification on the OpenID server being supplied during the social login through the plugin. This makes it possible for…

  • CVE-2023-4702 · Critical · Sep 14, 2023
    risk 0.64 · cvss 9.8 · epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass. This issue affects Digital Yepas: before 1.0.1.

  • CVE-2023-3249 · Critical · Jun 30, 2023
    risk 0.64 · cvss 9.8 · epss 0.01

    The Web3 – Crypto wallet Login & NFT token gating plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.6.0. This is due to incorrect authentication checking in the 'hidden_form_data' function. This makes it possible for authenticated…

  • CVE-2020-36713 · Critical · Jun 7, 2023
    risk 0.64 · cvss 9.8 · epss 0.02

    The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new…

  • CVE-2023-2733 · Critical · May 25, 2023
    risk 0.64 · cvss 9.8 · epss 0.01

    The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. This is due to insufficient verification on the user being supplied during the coupon redemption REST API request through the plugin. This makes it possible for…

  • CVE-2023-2704 · Critical · May 19, 2023
    risk 0.64 · cvss 9.8 · epss 0.02

    The BP Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.5. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated…

  • CVE-2023-2499 · Critical · May 16, 2023
    risk 0.64 · cvss 9.8 · epss 0.01

    The RegistrationMagic plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.2.1.0. This is due to insufficient verification on the user being supplied during a Google social login through the plugin. This makes it possible for…

  • CVE-2023-2027 · Critical · Apr 15, 2023
    risk 0.64 · cvss 9.8 · epss 0.01

    The ZM Ajax Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.2. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for…

  • CVE-2022-0992 · Critical · Apr 19, 2022
    risk 0.64 · cvss 9.8 · epss 0.03

    The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA…

  • CVE-2018-8859 · Critical · Jul 24, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. An attacker can bypass the required authentication specified in the security configuration file by including extra characters in the…

  • CVE-2018-4852 · Critical · Jul 3, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). An attacker with network access to the device could potentially circumvent the authentication mechanism if he/she is able to obtain certain knowledge specific to the attacked…

  • CVE-2017-9944 · Critical · Dec 27, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    A vulnerability has been identified in Siemens 7KT PAC1200 data manager (7KT1260) in all versions < V2.03. The integrated web server (port 80/tcp) of the affected devices could allow an unauthenticated remote attacker to perform administrative operations over the network.

  • CVE-2025-10571 · Critical · Nov 20, 2025
    risk 0.62 · cvss 9.6 · epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in ABB ABB Ability Edgenius. This issue affects ABB Ability Edgenius: 3.2.0.0, 3.2.1.1.

  • CVE-2023-2982 · Critical · Jun 29, 2023
    risk 0.62 · cvss 9.8 · epss 0.47

    The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through…

  • CVE-2025-34143 · Critical · Jul 22, 2025
    risk 0.61 · cvss · epss 0.30

    An authentication bypass vulnerability exists in ETQ Reliance on the CG (legacy) platform. The application allowed login as the privileged internal SYSTEM user by manipulating the username field. The SYSTEM account does not require a password, enabling attackers with network…

  • CVE-2026-35090 · Critical · May 27, 2026
    risk 0.60 · cvss · epss 0.01

    In Slican telephone exchanges it is possible to manage the control panel remotely. An unauthenticated attacker can connect to the modem via a telephone with a specific caller ID. This allows them to bypass admin authentication and gain full access to the service protocol and…

  • CVE-2026-35087 · Critical · May 27, 2026
    risk 0.60 · cvss · epss 0.01

    Slican telephone exchanges allow administrative protocol authentication bypass. An attacker can bypass the need to enter login credentials by executing the appropriate command. This issue was fixed in versions below: - NCP: version 1.24.0250 - IPx series: version 6.61.0040 -…