CWE-288

Authentication Bypass Using an Alternate Path or Channel

Base · Incomplete

Description

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-127 · CAPEC-665

CVEs mapped to this weakness (336)

page 8 of 17
  • CVE-2025-67998 · High · Feb 20, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in kamleshyadav Miraculous Elementor miraculous-el allows Authentication Abuse. This issue affects Miraculous Elementor: from n/a through <= 2.0.7.

  • CVE-2026-1618 · High · Feb 13, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Universal Software Inc. FlexCity/Kiosk allows Privilege Escalation. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.

  • CVE-2025-67915 · High · Jan 8, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows Authentication Abuse. This issue affects Timetics: from n/a through <= 1.0.46.

  • CVE-2026-21411 · High · Jan 6, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Authentication bypass issue exists in OpenBlocks series versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password.

  • CVE-2025-60041 · High · Oct 22, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Iulia Cazan Emails Catch All emails-catch-all allows Password Recovery Exploitation. This issue affects Emails Catch All: from n/a through <= 3.5.3.

  • CVE-2025-10538 · High · Oct 1, 2025
    risk 0.57 · cvss · epss 0.01

    An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information.

  • CVE-2023-49564 · High · Sep 18, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows attackers to reach restricted or sensitive endpoints of the HTTP API without…

  • CVE-2025-24000 · High · Aug 7, 2025
    risk 0.57 · cvss 8.8 · epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Saad Iqbal Post SMTP post-smtp allows Authentication Bypass. This issue affects Post SMTP: from n/a through <= 3.2.0.

  • CVE-2025-6895 · Critical · Jul 26, 2025
    risk 0.57 · cvss 9.8 · epss 0.01

    The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user…

  • CVE-2025-1313 · High · Jul 12, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The Nokri - Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email…

  • CVE-2025-25171 · High · Jun 27, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Convers Lab WP SmartPay smartpay allows Authentication Abuse. This issue affects WP SmartPay: from n/a through <= 2.7.13.

  • CVE-2025-32976 · High · Jun 24, 2025
    risk 0.57 · cvss 8.8 · epss 0.01

    Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains a logic flaw in its two-factor authentication implementation that allows…

  • CVE-2025-31019 · High · Jun 9, 2025
    risk 0.57 · cvss 8.8 · epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Password Policy Manager password-policy-manager allows Authentication Abuse. This issue affects Password Policy Manager: from n/a through <= 2.0.4.

  • CVE-2025-5190 · High · May 30, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it…

  • CVE-2025-47461 · High · May 23, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in mediaticus Subaccounts for WooCommerce subaccounts-for-woocommerce allows Authentication Abuse. This issue affects Subaccounts for WooCommerce: from n/a through <= 1.6.6.

  • CVE-2025-22277 · High · Apr 1, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows Authentication Abuse. This issue affects Vitepos: from n/a through <= 3.1.4.

  • CVE-2024-12402 · Critical · Jan 7, 2025
    risk 0.57 · cvss 9.8 · epss 0.01

    The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to…

  • CVE-2024-56013 · High · Dec 16, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in wovax Wovax IDX wovax-idx allows Authentication Bypass. This issue affects Wovax IDX: from n/a through <= 1.2.2.

  • CVE-2024-54336 · High · Dec 13, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Projectopia Projectopia projectopia-core allows Authentication Bypass. This issue affects Projectopia: from n/a through <= 5.1.7.

  • CVE-2024-10961 · Critical · Nov 23, 2024
    risk 0.57 · cvss 9.8 · epss 0.01

    The Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.9.0. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in…