CWE-288
Authentication Bypass Using an Alternate Path or Channel
Description
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-127 · CAPEC-665
CVEs mapped to this weakness (336)
page 8 of 17| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-67998 | Hig | 0.57 | 8.8 | 0.00 | Feb 20, 2026 | Authentication Bypass Using an Alternate Path or Channel vulnerability in kamleshyadav Miraculous Elementor miraculous-el allows Authentication Abuse.This issue affects Miraculous Elementor: from n/a through <= 2.0.7. | ||
| CVE-2026-1618 | Hig | 0.57 | 8.8 | 0.00 | Feb 13, 2026 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Universal Software Inc. FlexCity/Kiosk allows Privilege Escalation. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36. | ||
| CVE-2025-67915 | Hig | 0.57 | 8.8 | 0.00 | Jan 8, 2026 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows Authentication Abuse.This issue affects Timetics: from n/a through <= 1.0.46. | ||
| CVE-2026-21411 | Hig | 0.57 | 8.8 | 0.00 | Jan 6, 2026 | Authentication bypass issue exists in OpenBlocks series versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password. | ||
| CVE-2025-60041 | Hig | 0.57 | 8.8 | 0.00 | Oct 22, 2025 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Iulia Cazan Emails Catch All emails-catch-all allows Password Recovery Exploitation.This issue affects Emails Catch All: from n/a through <= 3.5.3. | ||
| CVE-2025-10538 | Hig | 0.57 | — | 0.01 | Oct 1, 2025 | An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information. | ||
| CVE-2023-49564 | Hig | 0.57 | 8.8 | 0.00 | Sep 18, 2025 | The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows attackers to reach restricted or sensitive endpoints of the HTTP API without… | ||
| CVE-2025-24000 | Hig | 0.57 | 8.8 | 0.01 | Aug 7, 2025 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Saad Iqbal Post SMTP post-smtp allows Authentication Bypass.This issue affects Post SMTP: from n/a through <= 3.2.0. | ||
| CVE-2025-6895 | Cri | 0.57 | 9.8 | 0.01 | Jul 26, 2025 | The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user… | ||
| CVE-2025-1313 | Hig | 0.57 | 8.8 | 0.00 | Jul 12, 2025 | The Nokri - Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email… | ||
| CVE-2025-25171 | Hig | 0.57 | 8.8 | 0.00 | Jun 27, 2025 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Convers Lab WP SmartPay smartpay allows Authentication Abuse.This issue affects WP SmartPay: from n/a through <= 2.7.13. | ||
| CVE-2025-32976 | Hig | 0.57 | 8.8 | 0.01 | Jun 24, 2025 | Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains a logic flaw in its two-factor authentication implementation that allows… | ||
| CVE-2025-31019 | Hig | 0.57 | 8.8 | 0.01 | Jun 9, 2025 | Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Password Policy Manager password-policy-manager allows Authentication Abuse.This issue affects Password Policy Manager: from n/a through <= 2.0.4. | ||
| CVE-2025-5190 | Hig | 0.57 | 8.8 | 0.00 | May 30, 2025 | The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it… | ||
| CVE-2025-47461 | Hig | 0.57 | 8.8 | 0.00 | May 23, 2025 | Authentication Bypass Using an Alternate Path or Channel vulnerability in mediaticus Subaccounts for WooCommerce subaccounts-for-woocommerce allows Authentication Abuse.This issue affects Subaccounts for WooCommerce: from n/a through <= 1.6.6. | ||
| CVE-2025-22277 | Hig | 0.57 | 8.8 | 0.00 | Apr 1, 2025 | Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows Authentication Abuse.This issue affects Vitepos: from n/a through <= 3.1.4. | ||
| CVE-2024-12402 | Cri | 0.57 | 9.8 | 0.01 | Jan 7, 2025 | The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to… | ||
| CVE-2024-56013 | Hig | 0.57 | 8.8 | 0.01 | Dec 16, 2024 | Authentication Bypass Using an Alternate Path or Channel vulnerability in wovax Wovax IDX wovax-idx allows Authentication Bypass.This issue affects Wovax IDX: from n/a through <= 1.2.2. | ||
| CVE-2024-54336 | Hig | 0.57 | 8.8 | 0.01 | Dec 13, 2024 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Projectopia Projectopia projectopia-core allows Authentication Bypass.This issue affects Projectopia: from n/a through <= 5.1.7. | ||
| CVE-2024-10961 | Cri | 0.57 | 9.8 | 0.01 | Nov 23, 2024 | The Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.9.0. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in… |
- risk 0.57cvss 8.8epss 0.00
Authentication Bypass Using an Alternate Path or Channel vulnerability in kamleshyadav Miraculous Elementor miraculous-el allows Authentication Abuse.This issue affects Miraculous Elementor: from n/a through <= 2.0.7.
- risk 0.57cvss 8.8epss 0.00
Authentication Bypass Using an Alternate Path or Channel vulnerability in Universal Software Inc. FlexCity/Kiosk allows Privilege Escalation. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
- risk 0.57cvss 8.8epss 0.00
Authentication Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows Authentication Abuse.This issue affects Timetics: from n/a through <= 1.0.46.
- risk 0.57cvss 8.8epss 0.00
Authentication bypass issue exists in OpenBlocks series versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password.
- risk 0.57cvss 8.8epss 0.00
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iulia Cazan Emails Catch All emails-catch-all allows Password Recovery Exploitation.This issue affects Emails Catch All: from n/a through <= 3.5.3.
- risk 0.57cvss —epss 0.01
An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information.
- risk 0.57cvss 8.8epss 0.00
The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows attackers to reach restricted or sensitive endpoints of the HTTP API without…
- risk 0.57cvss 8.8epss 0.01
Authentication Bypass Using an Alternate Path or Channel vulnerability in Saad Iqbal Post SMTP post-smtp allows Authentication Bypass.This issue affects Post SMTP: from n/a through <= 3.2.0.
- risk 0.57cvss 9.8epss 0.01
The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user…
- risk 0.57cvss 8.8epss 0.00
The Nokri - Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email…
- risk 0.57cvss 8.8epss 0.00
Authentication Bypass Using an Alternate Path or Channel vulnerability in Convers Lab WP SmartPay smartpay allows Authentication Abuse.This issue affects WP SmartPay: from n/a through <= 2.7.13.
- risk 0.57cvss 8.8epss 0.01
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains a logic flaw in its two-factor authentication implementation that allows…
- risk 0.57cvss 8.8epss 0.01
Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Password Policy Manager password-policy-manager allows Authentication Abuse.This issue affects Password Policy Manager: from n/a through <= 2.0.4.
- risk 0.57cvss 8.8epss 0.00
The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it…
- risk 0.57cvss 8.8epss 0.00
Authentication Bypass Using an Alternate Path or Channel vulnerability in mediaticus Subaccounts for WooCommerce subaccounts-for-woocommerce allows Authentication Abuse.This issue affects Subaccounts for WooCommerce: from n/a through <= 1.6.6.
- risk 0.57cvss 8.8epss 0.00
Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows Authentication Abuse.This issue affects Vitepos: from n/a through <= 3.1.4.
- risk 0.57cvss 9.8epss 0.01
The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to…
- risk 0.57cvss 8.8epss 0.01
Authentication Bypass Using an Alternate Path or Channel vulnerability in wovax Wovax IDX wovax-idx allows Authentication Bypass.This issue affects Wovax IDX: from n/a through <= 1.2.2.
- risk 0.57cvss 8.8epss 0.01
Authentication Bypass Using an Alternate Path or Channel vulnerability in Projectopia Projectopia projectopia-core allows Authentication Bypass.This issue affects Projectopia: from n/a through <= 5.1.7.
- risk 0.57cvss 9.8epss 0.01
The Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.9.0. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in…