VYPR

CWE-862

Missing Authorization

Class · Incomplete · Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (4,561)

page 213 of 229
  • CVE-2024-24833 · Med · May 8, 2024
    risk 0.28 · cvss 4.3 · epss 0.01

    Missing Authorization vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons. This issue affects Happy Addons for Elementor: from n/a through <= 3.10.1.

  • CVE-2024-33570 · Med · May 6, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in Roxnor Metform metform. This issue affects Metform: from n/a through <= 3.8.3.

  • CVE-2024-34389 · Med · May 6, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in AF themes WP Post Author. This issue affects WP Post Author: from n/a through 3.6.4.

  • CVE-2024-34387 · Med · May 6, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in AF themes WP Post Author. This issue affects WP Post Author: from n/a through 3.6.4.

  • CVE-2024-34377 · Med · May 6, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in A WP Life Video Gallery – Api Gallery, YouTube and Vimeo, Link Gallery. This issue affects Video Gallery – Api Gallery, YouTube and Vimeo, Link Gallery: from n/a through 1.5.3.

  • CVE-2024-34371 · Med · May 6, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in Hamid Alinia Login with phone number login-with-phone-number. This issue affects Login with phone number: from n/a through <= 1.7.18.

  • CVE-2024-1050 · Med · May 4, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    The Import and export users and customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_force_reset_password_delete_metas() function in all versions up to, and including, 1.26.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete all forced password resets. CVE-2024-34815 is a duplicate of this issue.

  • CVE-2024-33937 · Med · May 3, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in Nico Martin Progressive WordPress (PWA). This issue affects Progressive WordPress (PWA): from n/a through 2.1.13.

  • CVE-2024-33925 · Med · May 3, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in Adrian Mörchen Embed Google Fonts. This issue affects Embed Google Fonts: from n/a through 3.1.0.

  • CVE-2024-33915 · Med · May 3, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in Bowo Debug Log Manager. This issue affects Debug Log Manager: from n/a through 2.3.1.

  • CVE-2024-33914 · Med · May 3, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in Exclusive Addons Exclusive Addons Elementor. This issue affects Exclusive Addons Elementor: from n/a through 2.6.9.1.

  • CVE-2024-24710 · Med · May 3, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in SlickRemix Feed Them Social. This issue affects Feed Them Social: from n/a through 4.2.0.

  • CVE-2023-44472 · Med · May 3, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Missing Authorization vulnerability in ThemeFuse Unyson. This issue affects Unyson: from n/a through 2.7.28.

  • CVE-2024-3936 · Med · May 2, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtTPGSaveSettings function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with subscriber access or higher, to change the plugin's settings and invoke other functions hooked by AJAX actions.

  • CVE-2024-3607 · Med · May 2, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    The PropertyHive plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_key_date() function in all versions up to, and including, 2.0.12. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts

  • CVE-2024-3606 · Med · May 2, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the pm_upload_cover_image function in all versions up to, and including, 5.8.3. This makes it possible for authenticated attackers, with subscriber access or higher, to delete attachments.

  • CVE-2024-3581 · Med · May 2, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    The MaxGalleria plugin for WordPress is vulnerable to unauthorized image upload due to a missing capability check on the add_media_library_images_to_gallery function in all versions up to, and including, 6.4.2. This makes it possible for authenticated attackers, with subscriber access or above, to upload arbitrary images to a gallery.

  • CVE-2024-3546 · Med · May 2, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    The WordPress Backup & Migration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wp_mgdp_populate_popup function in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with subscriber access or above, to invoke this function and access log files maintained by the plugin. Additionally, the file name is user-provided and not properly sanitized, which allows attackers to read arbitrary log files on the file system.

  • CVE-2024-3520 · Med · May 2, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    The Country State City Dropdown CF7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tc_csca_patch_settings function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber access and above, to add states or cities to the dropdown.

  • CVE-2024-3275 · Med · May 2, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    The eRoom – Zoom Meetings & Webinars plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.18 via the search_posts function. This makes it possible for authenticated attackers, with subscriber access and higher, to obtain post excerpts including those of draft and pending posts.