
CWE-862

Missing Authorization

Class | Incomplete | Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 1 of 278
  • CVE-2024-57726 | Cri | KEV | Jan 15, 2025
    risk 0.85 | cvss 9.9 | epss 0.09

    SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privilege technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.

  • CVE-2018-6000 | Cri | Jan 22, 2018
    risk 0.73 | cvss 9.8 | epss 0.84

    An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable…

  • CVE-2017-6622 | Cri | May 18, 2017
    risk 0.72 | cvss 9.8 | epss 0.62

    A vulnerability in the web interface for Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to bypass authentication and perform command injection with root privileges. The vulnerability is due to missing security constraints in certain HTTP…

  • CVE-2023-32117 | Cri | Dec 9, 2024
    risk 0.71 | cvss 9.8 | epss 0.06

    Missing Authorization vulnerability in SoftLab Integrate Google Drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through 1.1.99.

  • CVE-2024-9234 | Cri | Oct 11, 2024
    risk 0.71 | cvss 9.8 | epss 0.10

    The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API…

  • CVE-2024-4898 | Cri | Jun 12, 2024
    risk 0.71 | cvss 9.8 | epss 0.04

    The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers…

  • CVE-2020-36719 | Cri | Jun 7, 2023
    risk 0.70 | cvss 9.8 | epss 0.04

    The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lp_cc_addons_actions function. This makes it possible for…

  • CVE-2019-25141 | Cri | Jun 7, 2023
    risk 0.70 | cvss 9.8 | epss 0.04

    The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admin_init() function, in addition to insufficient input validation. This makes it possible for unauthenticated…

  • CVE-2018-1217 | Cri | Apr 9, 2018
    risk 0.70 | cvss 9.8 | epss 0.47

    Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or…

  • CVE-2021-4374 | Cri | Jun 7, 2023
    risk 0.69 | cvss 9.1 | epss 0.16

    The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to…

  • CVE-2024-10586 | Cri | Nov 9, 2024
    risk 0.68 | cvss 9.8 | epss 0.02

    The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to…

  • CVE-2024-50490 | Cri | Oct 29, 2024
    risk 0.68 | cvss 9.8 | epss 0.01

    Missing Authorization vulnerability in lowcage PegaPoll pegapoll allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects PegaPoll: from n/a through <= 1.0.2.

  • CVE-2026-1830 | Cri | Apr 9, 2026
    risk 0.67 | cvss 9.8 | epss 0.03

    The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible…

  • CVE-2025-46811 | Cri | Jul 30, 2025
    risk 0.67 | cvss 9.8 | epss 0.10

    A Missing Authorization vulnerability in SUSE Linux Manager allows anyone with the ability to connect to port 443 of SUSE Manager to run any command as root on any client. This issue affects Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before…

  • CVE-2023-6875 | Cri | Jan 11, 2024
    risk 0.67 | cvss 9.8 | epss 0.90

    The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and…

  • CVE-2017-6639 | Cri | Jun 8, 2017
    risk 0.67 | cvss 9.8 | epss 0.35

    A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to access sensitive information or execute arbitrary code with root privileges on an affected system. The…

  • CVE-2024-50476 | Cri | Oct 29, 2024
    risk 0.66 | cvss 9.8 | epss 0.01

    Missing Authorization vulnerability in GRÜN Software Group GmbH GRÜN spendino Spendenformular spendino allows Privilege Escalation. This issue affects GRÜN spendino Spendenformular: from n/a through <= 1.0.1.

  • CVE-2024-50475 | Cri | Oct 29, 2024
    risk 0.66 | cvss 9.8 | epss 0.01

    Missing Authorization vulnerability in Scott Gamon Signup Page signup-page allows Privilege Escalation. This issue affects Signup Page: from n/a through <= 1.0.

  • CVE-2026-33712 | Cri | May 22, 2026
    risk 0.65 | cvss 10.0 | epss 0.00

    Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST /api/v1/typebots/{typebotId}/preview/startChat) allows unauthenticated users to achieve Server-Side Request Forgery (SSRF) by supplying a custom typebot definition with server-side…

  • CVE-2026-2031 | Cri | May 15, 2026
    risk 0.65 | cvss | epss 0.01

    An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code using specially crafted…