CWE-862
Missing Authorization
ClassIncompleteLikelihood: High
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (4,561)
page 216 of 229| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-2222 | Med | 0.28 | 4.3 | 0.00 | Apr 9, 2024 | The Advanced Classifieds & Directory Pro plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_callback_delete_attachment function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with subscriber access or higher, to delete arbitrary media uploads. | |
| CVE-2024-2033 | Med | 0.28 | 4.3 | 0.00 | Apr 9, 2024 | The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.5 via the get_assign_host_id AJAX action. This makes it possible for authenticated attackers, with subscriber access or higher, to enumerate usernames, emails and IDs of all users on a site. | |
| CVE-2024-1904 | Med | 0.28 | 4.3 | 0.00 | Apr 9, 2024 | The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the search_posts function in all versions up to, and including, 3.2.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose draft post titles and excerpts. | |
| CVE-2024-1637 | Med | 0.28 | 4.3 | 0.00 | Apr 9, 2024 | The 360 Javascript Viewer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and nonce exposure on several AJAX actions in all versions up to, and including, 1.7.12. This makes it possible for authenticated attackers, with subscriber access or higher, to update plugin settings. | |
| CVE-2024-1387 | Med | 0.28 | 4.3 | 0.00 | Apr 9, 2024 | The Happy Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to insufficient authorization on the duplicate_thing() function in all versions up to, and including, 3.10.4. This makes it possible for attackers, with contributor-level access and above, to clone arbitrary posts (including private and password protected ones) which may lead to information exposure. | |
| CVE-2023-6965 | Med | 0.28 | 4.3 | 0.00 | Apr 9, 2024 | The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This is due to the fact that the plugin allows the use of a file inclusion feature via shortcode. This makes it possible for authenticated attackers, with contributor access or higher, to create pods and users (with default role). | |
| CVE-2024-30217 | Med | 0.28 | 4.3 | 0.00 | Apr 9, 2024 | Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can approve or reject a bank account application affecting the integrity of the application. Confidentiality and Availability are not impacted. | |
| CVE-2024-30216 | Med | 0.28 | 4.3 | 0.00 | Apr 9, 2024 | Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, attacker can add notes in the review request with 'completed' status affecting the integrity of the application. Confidentiality and Availability are not impacted. | |
| CVE-2024-1994 | Med | 0.28 | 4.3 | 0.00 | Apr 6, 2024 | The Image Watermark plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the watermark_action_ajax() function in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to apply and remove watermarks from images. | |
| CVE-2024-30463 | Med | 0.28 | 4.3 | 0.00 | Mar 29, 2024 | Missing Authorization vulnerability in realmag777 BEAR.This issue affects BEAR: from n/a through 1.1.4.3. | |
| CVE-2024-2476 | Med | 0.28 | 4.3 | 0.00 | Mar 29, 2024 | The OceanWP theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_theme_panel_pane function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose sensitive information such as system/environment data and API keys. | |
| CVE-2024-2844 | Med | 0.28 | 4.3 | 0.00 | Mar 29, 2024 | The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users orders. | |
| CVE-2024-30235 | Med | 0.28 | 4.3 | 0.01 | Mar 26, 2024 | Missing Authorization vulnerability in Themeisle Multiple Page Generator Plugin – MPG.This issue affects Multiple Page Generator Plugin – MPG: from n/a through 3.4.0. | |
| CVE-2023-52214 | Med | 0.28 | 4.3 | 0.00 | Mar 26, 2024 | Missing Authorization vulnerability in voidCoders Void Contact Form 7 Widget For Elementor Page Builder.This issue affects Void Contact Form 7 Widget For Elementor Page Builder: from n/a through 2.3. | |
| CVE-2024-24719 | Med | 0.28 | 4.3 | 0.00 | Mar 26, 2024 | Missing Authorization vulnerability in Uriahs Victor Location Picker at Checkout for WooCommerce.This issue affects Location Picker at Checkout for WooCommerce: from n/a through 1.8.9. | |
| CVE-2024-24718 | Med | 0.28 | 4.3 | 0.00 | Mar 26, 2024 | Missing Authorization vulnerability in PropertyHive.This issue affects PropertyHive: from n/a through 2.0.6. | |
| CVE-2024-24711 | Med | 0.28 | 4.3 | 0.00 | Mar 26, 2024 | Missing Authorization vulnerability in weDevs WooCommerce Conversion Tracking.This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.11. | |
| CVE-2024-23520 | Med | 0.28 | 4.3 | 0.00 | Mar 26, 2024 | Missing Authorization vulnerability in AccessAlly PopupAlly.This issue affects PopupAlly: from n/a through 2.1.0. | |
| CVE-2023-25039 | Med | 0.28 | 4.3 | 0.00 | Mar 25, 2024 | Missing Authorization vulnerability in CodePeople Google Maps CP.This issue affects Google Maps CP: from n/a through 1.0.43. | |
| CVE-2022-45349 | Med | 0.28 | 4.3 | 0.00 | Mar 25, 2024 | Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1. |