VYPR

CWE-862

Missing Authorization

Abstraction: Class · Status: Incomplete · Likelihood of Exploit: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
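Most of the entries in this list have one of two shapes: a handler that is reachable by any authenticated user and never asks whether the caller holds the capability the action needs (the WordPress "missing capability check on an AJAX action" pattern; in WordPress a `wp_ajax_{action}` hook already runs for every logged-in user, so a Subscriber reaches it unless the handler itself calls `current_user_can()`), or a handler that checks a role but not whether the caller is allowed to touch the specific object named in the request (the "assign yourself as admin of another department" pattern). The following is an added example, not code from this page or from any of the listed products: a stand-alone Python model of both shapes with the vulnerable and hardened handler side by side. The names `Forbidden`, `Store`, `CAPABILITIES`, the roles and the sample users are all constructed for illustration; the capability map stands in for a real framework's permission check and is not a WordPress API.

```python
"""CWE-862 in two shapes: missing function-level and missing object-level checks.

Constructed example. Authentication (the caller is logged in) is assumed to have
happened already; what the vulnerable handlers skip is authorization.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authorization check fails (hypothetical exception name)."""


@dataclass
class User:
    name: str
    role: str                                   # "subscriber" or "administrator" (constructed)
    admin_of: set = field(default_factory=set)  # department ids this user administers


# Constructed capability map; stands in for a framework check such as current_user_can().
# Unknown roles get no capabilities: deny by default.
CAPABILITIES = {
    "subscriber": {"read"},
    "administrator": {"read", "manage_options", "create_login_link"},
}


def has_capability(user: User, cap: str) -> bool:
    return cap in CAPABILITIES.get(user.role, set())


@dataclass
class Store:
    """In-memory state the handlers mutate (constructed)."""
    login_links: list = field(default_factory=list)
    departments: dict = field(default_factory=dict)  # dept id -> set of admin names


# --- vulnerable handlers: the only gate is "someone is logged in" ----------

def create_link_vulnerable(user: User, store: Store, target: str) -> str:
    # No capability check: any subscriber can mint a login link for any account.
    link = f"https://example.test/login?user={target}"
    store.login_links.append((user.name, link))
    return link


def assign_admin_vulnerable(user: User, store: Store, dept: str, new_admin: str) -> None:
    # No check that `user` administers `dept`: callers can promote themselves anywhere.
    store.departments.setdefault(dept, set()).add(new_admin)


# --- hardened handlers: function-level, then object-level authorization -----

def create_link_fixed(user: User, store: Store, target: str) -> str:
    # Function-level: does the caller hold the capability this action requires?
    if not has_capability(user, "create_login_link"):
        raise Forbidden(f"{user.name} lacks create_login_link")
    link = f"https://example.test/login?user={target}"
    store.login_links.append((user.name, link))
    return link


def assign_admin_fixed(user: User, store: Store, dept: str, new_admin: str) -> None:
    # Object-level: the caller must already administer this department (or hold a
    # site-wide capability). An unknown department is administered by nobody.
    if not (has_capability(user, "manage_options") or dept in user.admin_of):
        raise Forbidden(f"{user.name} does not administer {dept}")
    store.departments.setdefault(dept, set()).add(new_admin)


# Constructed sample principals.
SUBSCRIBER = User("mallory", "subscriber")
DEPT_ADMIN = User("dana", "subscriber", admin_of={"finance"})
SITE_ADMIN = User("root", "administrator")


def denied(fn, *args) -> bool:
    """True if the handler refuses the call with Forbidden, False if it goes through."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def run_scenario() -> dict:
    """Exercise both handler versions; returns which calls were denied and the end state."""
    store = Store()
    outcome = {
        # Vulnerable: a subscriber mints a login link for the admin account and self-promotes.
        "vuln_link_denied": denied(create_link_vulnerable, SUBSCRIBER, store, "root"),
        "vuln_promote_denied": denied(assign_admin_vulnerable, SUBSCRIBER, store, "hr", "mallory"),
        # Fixed: the same calls are refused...
        "fixed_link_denied": denied(create_link_fixed, SUBSCRIBER, store, "root"),
        "fixed_promote_denied": denied(assign_admin_fixed, SUBSCRIBER, store, "hr", "mallory"),
        # ...while legitimate callers still work, and only inside their own scope.
        "dept_admin_own_dept_denied": denied(assign_admin_fixed, DEPT_ADMIN, store, "finance", "eve"),
        "dept_admin_other_dept_denied": denied(assign_admin_fixed, DEPT_ADMIN, store, "hr", "dana"),
        "site_admin_link_denied": denied(create_link_fixed, SITE_ADMIN, store, "root"),
    }
    outcome["hr_admins"] = sorted(store.departments.get("hr", set()))
    outcome["finance_admins"] = sorted(store.departments.get("finance", set()))
    return outcome


if __name__ == "__main__":
    print(run_scenario())
```

Two things worth noting when reviewing a fix for one of the listed plugins. A nonce check (`check_ajax_referer()` in WordPress) only proves the request originated from a page the site served to that same logged-in user; it is a CSRF control, not an authorization control, and a Subscriber can obtain a valid nonce, so a patch that adds only a nonce does not close CWE-862. And a capability check alone does not cover the second shape: the caller may legitimately hold the role and still have no business with the object id the request names, which is why the hardened department handler checks the department against the caller's own set rather than the role.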

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 11 of 278
  • CVE-2025-10299 · High · Oct 15, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The WPBifröst – Instant Passwordless Temporary Login Links plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ctl_create_link AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated…

  • CVE-2025-8593 · High · Oct 11, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to authorization bypass in versions less than, or equal to, 1.3.27. This is due to a missing capability check on the 'install_plugin' function. This makes it possible for authenticated attackers, with…

  • CVE-2025-57605 · High · Sep 22, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Lack of server-side authorisation on department admin assignment APIs in AiKaan IoT Platform allows authenticated users to elevate their privileges by assigning themselves as admins of other departments. This results in unauthorized privilege escalation across the department

  • CVE-2025-43358 · High · Sep 15, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. A shortcut may be able to bypass sandbox restrictions.

  • CVE-2025-43329 · High · Sep 15, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, watchOS 26. An app may be able to break out of its sandbox.

  • CVE-2025-8425 · High · Sep 11, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_import_strings() function in all versions up to, and including, 1.1. This makes it possible for…

  • CVE-2025-8898 · Critical · Aug 16, 2025
    risk 0.57 · cvss 9.8 · epss 0.00

    The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin…

  • CVE-2025-8059 · Critical · Aug 12, 2025
    risk 0.57 · cvss 9.8 · epss 0.00

    The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfr_registration() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create…

  • CVE-2025-6754 · High · Aug 2, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The SEO Metrics plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks in both the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function in all versions up to, and including, 1.0.15.…

  • CVE-2025-8322 · High · Jul 30, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The e-School from Ventem has a Missing Authorization vulnerability, allowing remote attackers with regular privilege to access administrator functions, including creating, modifying, and deleting accounts. They can even escalate any account to system administrator privilege.

  • CVE-2025-5835 · High · Jul 25, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level…

  • CVE-2025-7695 · High · Jul 24, 2025
    risk 0.57 · cvss 8.8 · epss 0.01

    The Dataverse Integration plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within its reset_password_link REST endpoint in versions 2.77 through 2.81. The endpoint’s handler accepts a client-supplied id, email, or login, looks up…

  • CVE-2025-6441 · Critical · Jul 24, 2025
    risk 0.57 · cvss 9.8 · epss 0.01

    The Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition plugin for WordPress is vulnerable to unauthenticated login token generation due to a missing capability check on the `webinarignition_sign_in_support_staff` and…

  • CVE-2025-6190 · High · Jul 23, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The Realty Portal – Agent plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the rp_user_profile() AJAX handler in versions 0.1.0 through 0.3.9. The handler reads the client-supplied meta key and value pairs from $_POST and passes…

  • CVE-2025-6718 · High · Jul 18, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The B1.lt plugin for WordPress is vulnerable to SQL Injection due to a missing capability check on the b1_run_query AJAX action in all versions up to, and including, 2.2.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute…

  • CVE-2025-6813 · High · Jul 18, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    The aapanel WP Toolkit plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within the auto_login() function in versions 1.0 to 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass…

  • CVE-2025-52824 · High · Jun 27, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Missing Authorization vulnerability in MDJM Mobile DJ Manager mobile-dj-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mobile DJ Manager: from n/a through <= 1.7.8.3.

  • CVE-2025-42982 · High · Jun 10, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    SAP GRC allows a non-administrative user to access and initiate a transaction, which could allow them to modify or control the transmitted system credentials. This has a high impact on the confidentiality, integrity and availability of the application.

  • CVE-2025-5894 · High · Jun 9, 2025
    risk 0.57 · cvss 8.8 · epss 0.01

    Smart Parking Management System from Honding Technology has a Missing Authorization vulnerability, allowing remote attackers with regular privileges to access a specific functionality to create administrator accounts, and subsequently log into the system using those accounts.

  • CVE-2025-47601 · High · Jun 7, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks maxi-blocks allows Privilege Escalation. This issue affects MaxiBlocks: from n/a through <= 2.1.0.