CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Parents

CWE-285

Children

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,496)

page 121 of 275

CVE	Vendor / Product	Sev	Risk	CVSS	Published	Description
CVE-2026-23543	Wpdeveloper Essential Addons For Elementor	Med	0.34	5.3	Feb 19, 2026	Missing Authorization vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Addons for Elementor: from n/a through <= 6.5.5.
CVE-2025-14357	Mega Store Woocommerce theme Mega Store Woocommerce theme	Med	0.34	5.3	Feb 19, 2026	The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for…
CVE-2025-13930	WordPress Bitpay Checkout For Woocommerce	Med	0.34	5.3	Feb 19, 2026	The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to delete an attachment combined with…
CVE-2025-13864	WordPress Breeze	Med	0.34	5.3	Feb 19, 2026	The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback =>…
CVE-2026-1657	WordPress Eventprime	Med	0.34	5.3	Feb 17, 2026	The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any…
CVE-2026-1944	CallbackKiller service widget	Med	0.34	5.3	Feb 14, 2026	The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the…
CVE-2026-1303	WordPress MailChimp Campaigns	Med	0.34	5.3	Feb 14, 2026	The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.2.4. This is due to missing capability checks on the `mailchimp_campaigns_manager_disconnect_app` function that is hooked to the AJAX action of the same…
CVE-2026-1932	WordPress Appointment Booking Calendar	Med	0.34	5.3	Feb 14, 2026	The Appointment Booking Calendar Plugin – Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint in all versions up to, and including, 1.0.2. This makes it possible for…
CVE-2026-1537	Latepoint Latepoint	Med	0.34	5.3	Feb 12, 2026	The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for…
CVE-2026-1833	—	Med	0.34	5.3	Feb 11, 2026	The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for…
CVE-2026-1722	WordPress Woocommerce Multivendor Marketplace	Med	0.34	5.3	Feb 10, 2026	The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form`…
CVE-2026-24095	Checkmk Checkmk	Med	0.34	—	Feb 9, 2026	Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p21, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows users with the "Use WATO" permission to access the "Analyze configuration" page by directly navigating to its URL, bypassing the intended "Access analyze…
CVE-2025-10753	WordPress OAuth Single Sign On	Med	0.34	5.3	Feb 6, 2026	The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via…
CVE-2026-0679	Fortis Fortis for WooCommerce	Med	0.34	5.3	Feb 4, 2026	The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update…
CVE-2026-25019	Atarim Atarim	Med	0.34	5.3	Feb 3, 2026	Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Atarim: from n/a through <= 4.3.1.
CVE-2026-25012	gfazioli WP Bannerize Pro	Med	0.34	5.3	Feb 3, 2026	Missing Authorization vulnerability in gfazioli WP Bannerize Pro wp-bannerize-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Bannerize Pro: from n/a through <= 1.11.0.
CVE-2026-25010	WordPress Share This Image	Med	0.34	5.3	Feb 3, 2026	Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a through <= 2.09.
CVE-2026-24997	WordPress Wired Impact Volunteer Management	Med	0.34	5.3	Feb 3, 2026	Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wired Impact Volunteer Management: from n/a through <= 2.8.
CVE-2026-24994	Sunshinephotocart Sunshine Photo Cart	Med	0.34	5.3	Feb 3, 2026	Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through <= 3.5.7.2.
CVE-2026-24982	Brainstormforce Spectra	Med	0.34	5.3	Feb 3, 2026	Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through <= 2.19.17.

CVE-2026-23543MedFeb 19, 2026
Wpdeveloper
Essential Addons For Elementor
risk 0.34cvss 5.3epss 0.00
Missing Authorization vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Addons for Elementor: from n/a through <= 6.5.5.
CVE-2025-14357MedFeb 19, 2026
Mega Store Woocommerce theme
Mega Store Woocommerce theme
risk 0.34cvss 5.3epss 0.00
The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for…
CVE-2025-13930MedFeb 19, 2026
WordPress
Bitpay Checkout For Woocommerce
risk 0.34cvss 5.3epss 0.00
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to delete an attachment combined with…
CVE-2025-13864MedFeb 19, 2026
WordPress
Breeze
risk 0.34cvss 5.3epss 0.00
The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback =>…
CVE-2026-1657MedFeb 17, 2026
WordPress
Eventprime
risk 0.34cvss 5.3epss 0.00
The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any…
CVE-2026-1944MedFeb 14, 2026
CallbackKiller
service widget
risk 0.34cvss 5.3epss 0.00
The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the…
CVE-2026-1303MedFeb 14, 2026
WordPress
MailChimp Campaigns
risk 0.34cvss 5.3epss 0.00
The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.2.4. This is due to missing capability checks on the `mailchimp_campaigns_manager_disconnect_app` function that is hooked to the AJAX action of the same…
CVE-2026-1932MedFeb 14, 2026
WordPress
Appointment Booking Calendar
risk 0.34cvss 5.3epss 0.00
The Appointment Booking Calendar Plugin – Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint in all versions up to, and including, 1.0.2. This makes it possible for…
CVE-2026-1537MedFeb 12, 2026
Latepoint
Latepoint
risk 0.34cvss 5.3epss 0.00
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for…
CVE-2026-1833MedFeb 11, 2026
risk 0.34cvss 5.3epss 0.00
The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for…
CVE-2026-1722MedFeb 10, 2026
WordPress
Woocommerce Multivendor Marketplace
risk 0.34cvss 5.3epss 0.00
The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form`…
CVE-2026-24095MedFeb 9, 2026
Checkmk
Checkmk
risk 0.34cvss —epss 0.00
Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p21, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows users with the "Use WATO" permission to access the "Analyze configuration" page by directly navigating to its URL, bypassing the intended "Access analyze…
CVE-2025-10753MedFeb 6, 2026
WordPress
OAuth Single Sign On
risk 0.34cvss 5.3epss 0.00
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via…
CVE-2026-0679MedFeb 4, 2026
Fortis
Fortis for WooCommerce
risk 0.34cvss 5.3epss 0.00
The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update…
CVE-2026-25019MedFeb 3, 2026
Atarim
Atarim
risk 0.34cvss 5.3epss 0.00
Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Atarim: from n/a through <= 4.3.1.
CVE-2026-25012MedFeb 3, 2026
gfazioli
WP Bannerize Pro
risk 0.34cvss 5.3epss 0.00
Missing Authorization vulnerability in gfazioli WP Bannerize Pro wp-bannerize-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Bannerize Pro: from n/a through <= 1.11.0.
CVE-2026-25010MedFeb 3, 2026
WordPress
Share This Image
risk 0.34cvss 5.3epss 0.00
Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a through <= 2.09.
CVE-2026-24997MedFeb 3, 2026
WordPress
Wired Impact Volunteer Management
risk 0.34cvss 5.3epss 0.00
Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wired Impact Volunteer Management: from n/a through <= 2.8.
CVE-2026-24994MedFeb 3, 2026
Sunshinephotocart
Sunshine Photo Cart
risk 0.34cvss 5.3epss 0.00
Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through <= 3.5.7.2.
CVE-2026-24982MedFeb 3, 2026
Brainstormforce
Spectra
risk 0.34cvss 5.3epss 0.00
Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through <= 2.19.17.