VYPR

CWE-862

Missing Authorization

Abstraction: Class
Status: Incomplete
Likelihood of Exploit: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 10 of 278
  • CVE-2026-4277 (Critical), Apr 7, 2026
    risk 0.57, CVSS 9.8, EPSS 0.00

    An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and…

  • CVE-2026-35182 (High), Apr 6, 2026
    risk 0.57, CVSS 8.8, EPSS 0.00

    Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/{id} lacks the checkUserPermissions:assign-user-roles middleware. This allows any…

  • CVE-2026-3524 (High), Apr 6, 2026
    risk 0.57, CVSS 8.8, EPSS 0.00

    Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints.…

  • CVE-2026-4261 (High), Mar 21, 2026
    risk 0.57, CVSS 8.8, EPSS 0.00

    The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it…

  • CVE-2026-2941 (High), Mar 21, 2026
    risk 0.57, CVSS 8.8, EPSS 0.00

    The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated…

  • CVE-2026-21668 (High), Mar 12, 2026
    risk 0.57, CVSS 8.8, EPSS 0.01

    A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository.

  • CVE-2025-13603 (High), Feb 19, 2026
    risk 0.57, CVSS 8.8, EPSS 0.00

    The WP AUDIO GALLERY plugin for WordPress is vulnerable to Unauthorized Arbitrary File Read in all versions up to, and including, 2.0. This is due to insufficient capability checks and lack of nonce verification on the "wpag_htaccess_callback" function. This makes it possible for…

  • CVE-2019-25351 (High), Feb 18, 2026
    risk 0.57, CVSS 8.8, EPSS 0.00

    Centova Cast 3.2.11 contains a file download vulnerability that allows authenticated attackers to retrieve arbitrary system files through the server.copyfile API endpoint. Attackers can exploit the vulnerability by supplying crafted parameters to download sensitive files like…

  • CVE-2026-2001 (High), Feb 16, 2026
    risk 0.57, CVSS 8.8, EPSS 0.00

    The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with…

  • CVE-2025-15157 (High), Feb 13, 2026
    risk 0.57, CVSS 8.8, EPSS 0.00

    The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srm_restore_options_defaults' function in all versions up to, and…

  • CVE-2026-1499 (High), Feb 6, 2026
    risk 0.57, CVSS 8.8, EPSS 0.01

    The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file…

  • CVE-2025-14386 (High), Jan 28, 2026
    risk 0.57, CVSS 8.8, EPSS 0.00

    The Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to…

  • CVE-2025-14397 (High), Dec 13, 2025
    risk 0.57, CVSS 8.8, EPSS 0.00

    The Postem Ipsum plugin for WordPress is vulnerable to unauthorized modification of data leading to Privilege Escalation due to a missing capability check on the postem_ipsum_generate_users() function in all versions up to, and including, 3.0.1. This makes it possible for authenticated…

  • CVE-2025-13313 (Critical), Dec 5, 2025
    risk 0.57, CVSS 9.8, EPSS 0.00

    The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.6. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for…

  • CVE-2025-13342 (Critical), Dec 3, 2025
    risk 0.57, CVSS 9.8, EPSS 0.00

    The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save…

  • CVE-2025-41016 (High), Nov 24, 2025
    risk 0.57, CVSS not listed, EPSS 0.00

    Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to extract images and videos related to alarm events through access to “/alarms/<ALARM_ID>/”, where the “MEDIA” parameter can take the value of “snapshot” or…

  • CVE-2025-11985 (High), Nov 21, 2025
    risk 0.57, CVSS 8.8, EPSS 0.00

    The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings' function in versions 0.1 to 0.4.1. This makes it possible for authenticated…

  • CVE-2025-10896 (High), Nov 4, 2025
    risk 0.57, CVSS 8.8, EPSS 0.01

    Multiple plugins for WordPress with the Jewel Theme Recommended Plugins Library are vulnerable to Unrestricted Upload of File with Dangerous Type via arbitrary plugin installation in all versions up to, and including, 1.0.2.3. This is due to missing capability checks on the…

  • CVE-2025-62614 (High), Oct 22, 2025
    risk 0.57, CVSS not listed, EPSS 0.01

    BookLore is a self-hosted web app for organizing and managing personal book collections. In versions 1.8.1 and prior, an authentication bypass vulnerability in the BookMediaController allows any unauthenticated user to access and download book covers, thumbnails, and complete…

  • CVE-2025-10706 (High), Oct 16, 2025
    risk 0.57, CVSS 8.8, EPSS 0.01

    The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwp_addons_update_plugin_cb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with…
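Two shapes of CWE-862 recur in the entries above: the endpoint simply never asks whether the caller may act (the definition at the top of the page, and most of the WordPress "missing capability check" entries), and the subtler case from the Mattermost Legal Hold entry, where a check exists and even writes a 403 but the handler does not halt, so the privileged action runs anyway. The Go program below is an added example written for this page; it is not code from Mattermost, Django, any listed plugin, or the VYPR site. The bearer-token session table, the `/api/legalhold/hold-1` route, the in-memory `holds` map and the handler names are all hypothetical. It runs three variants of the same DELETE handler through `net/http/httptest` and reports not only the status code but whether the record survived, because for the no-return variant the status code alone looks correct.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed session table for the example: bearer token -> role.
// The tokens and roles are hypothetical, not any listed product's.
var sessions = map[string]string{
	"tok-admin": "admin",
	"tok-user":  "user",
}

// roleOf authenticates the caller. Authentication is not what CWE-862 is
// about; the missing piece is the authorization decision that follows it.
func roleOf(r *http.Request) (role string, ok bool) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	role, ok = sessions[tok]
	return role, ok
}

// api owns the resource the privileged endpoint acts on: an in-memory map
// standing in for legal-hold records (constructed for the example).
type api struct{ holds map[string]bool }

func newAPI() *api { return &api{holds: map[string]bool{"hold-1": true}} }

// Variant 1, CWE-862 as defined: the caller is authenticated but never
// authorized, so any logged-in user can delete the record.
func (a *api) deleteMissingCheck(w http.ResponseWriter, r *http.Request) {
	if _, ok := roleOf(r); !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	delete(a.holds, "hold-1")
	fmt.Fprint(w, "deleted")
}

// Variant 2, the "fails to halt" shape from the Mattermost entry: the check
// writes a 403 but control falls through and the privileged action runs.
func (a *api) deleteNoReturn(w http.ResponseWriter, r *http.Request) {
	role, ok := roleOf(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	if role != "admin" {
		http.Error(w, "forbidden", http.StatusForbidden)
		// BUG: no return here. The 403 is already on the wire, yet execution
		// continues into the deletion below.
	}
	delete(a.holds, "hold-1")
	fmt.Fprint(w, "deleted")
}

// Variant 3, the fix: decide authorization before any side effect and return
// on every failure path, so a denial can never be followed by the action.
func (a *api) deleteFixed(w http.ResponseWriter, r *http.Request) {
	role, ok := roleOf(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	if role != "admin" {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	delete(a.holds, "hold-1")
	fmt.Fprint(w, "deleted")
}

var variants = map[string]func(*api) http.HandlerFunc{
	"missing-check": func(a *api) http.HandlerFunc { return a.deleteMissingCheck },
	"no-return":     func(a *api) http.HandlerFunc { return a.deleteNoReturn },
	"fixed":         func(a *api) http.HandlerFunc { return a.deleteFixed },
}

// exercise sends one DELETE with the given token to a variant running against
// a fresh store and reports the status code and whether the record survived.
// Checking the side effect, not just the status, is what exposes variant 2.
func exercise(variant func(*api) http.HandlerFunc, token string) (status int, survived bool) {
	a := newAPI()
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodDelete, "/api/legalhold/hold-1", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	variant(a)(rec, req)
	return rec.Code, a.holds["hold-1"]
}

func main() {
	for _, name := range []string{"missing-check", "no-return", "fixed"} {
		for _, tok := range []string{"tok-admin", "tok-user", ""} {
			code, survived := exercise(variants[name], tok)
			fmt.Printf("%-13s token=%-11q status=%d record_survived=%v\n", name, tok, code, survived)
		}
	}
}
```

When testing for this weakness class, assert on state after the request (the record is still there, the option is unchanged, the file was not written) rather than on the response code: variant 2 returns the expected 403 to a non-admin and still deletes the record, which a status-only test would pass.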