VYPR

CWE-862

Missing Authorization

Abstraction: Class | Status: Incomplete | Likelihood of exploit: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 2 of 278
  • CVE-2025-5394 | Critical | Jul 15, 2025
    risk 0.65 | cvss 9.8 | epss 0.48

    The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for…

  • CVE-2024-52416 | Critical | Nov 16, 2024
    risk 0.65 | cvss 10.0 | epss 0.00

    Missing Authorization vulnerability in Eugen Bobrowski Debug Tool debug-tool allows Upload a Web Shell to a Web Server. This issue affects Debug Tool: from n/a through <= 2.2.

  • CVE-2024-52382 | Critical | Nov 14, 2024
    risk 0.65 | cvss 9.8 | epss 0.01

    Missing Authorization vulnerability in medmatech Matix Popup Builder medma-matix allows Privilege Escalation. This issue affects Matix Popup Builder: from n/a through <= 1.0.0.

  • CVE-2024-6500 | Critical | Aug 17, 2024
    risk 0.65 | cvss 10.0 | epss 0.01

    The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all versions up to, and including, 1.4.0 (for InPost for WooCommerce) as well as…

  • CVE-2024-6071 | Critical | Jun 27, 2024
    risk 0.65 | cvss 10.0 | epss 0.01

    PTC Creo Elements/Direct License Server exposes a web interface which can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server.

  • CVE-2024-33566 | Critical | Apr 29, 2024
    risk 0.65 | cvss 10.0 | epss 0.01

    Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection. This issue affects OrderConvo: from n/a through 12.4.

  • CVE-2021-4368 | Critical | Jun 7, 2023
    risk 0.65 | cvss 9.9 | epss 0.02

    The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for…

  • CVE-2022-4939 | Critical | Apr 5, 2023
    risk 0.65 | cvss 9.8 | epss 0.02

    The WCFM Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.10.0, due to a missing capability check on the wp_ajax_nopriv_wcfm_ajax_controller AJAX action that controls membership settings. This makes it possible for…

  • CVE-2026-45552 | Critical | Jun 10, 2026
    risk 0.64 | cvss 9.9 | epss 0.00

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/routes/install/routes.py:36-39). The individual endpoints install_exporter,…

  • CVE-2026-39910 | Critical | Jun 8, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the…

  • CVE-2026-45632 | Critical | May 29, 2026
    risk 0.64 | cvss 9.9 | epss 0.00

    Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the…

  • CVE-2026-8495 | Critical | May 19, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.

  • CVE-2026-6510 | Critical | May 14, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler. This makes it possible for…

  • CVE-2026-26083 | Critical | May 12, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions,…

  • CVE-2021-47932 | Critical | May 10, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action…

  • CVE-2026-6235 | Critical | Apr 22, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This…

  • CVE-2026-3596 | Critical | Apr 16, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    The Riaxe Product Customizer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.2. The plugin registers an unauthenticated AJAX action ('wp_ajax_nopriv_install-imprint') that maps to the ink_pd_add_option() function. This…

  • CVE-2026-4003 | Critical | Apr 8, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the…

  • CVE-2026-4038 | Critical | Mar 20, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    The Aimogen Pro plugin for WordPress is vulnerable to Arbitrary Function Call that can lead to privilege escalation due to a missing capability check on the 'aiomatic_call_ai_function_realtime' function in all versions up to, and including, 2.7.5. This makes it possible for…

  • CVE-2026-29515 | Critical | Mar 11, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which…