CWE-862
Missing Authorization
ClassIncompleteLikelihood: High
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (4,561)
page 217 of 229| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-37885 | Med | 0.28 | 4.3 | 0.00 | Mar 25, 2024 | Missing Authorization vulnerability in InspiryThemes RealHomes.This issue affects RealHomes: from n/a through 4.0.2. | |
| CVE-2023-33923 | Med | 0.28 | 4.3 | 0.00 | Mar 25, 2024 | Missing Authorization vulnerability in HashThemes Viral News, HashThemes Viral, HashThemes HashOne.This issue affects Viral News: from n/a through 1.4.5; Viral: from n/a through 1.8.0; HashOne: from n/a through 1.3.0. | |
| CVE-2023-30480 | Med | 0.28 | 4.3 | 0.00 | Mar 25, 2024 | Missing Authorization vulnerability in Sparkle WP Educenter.This issue affects Educenter: from n/a through 1.5.5. | |
| CVE-2024-24840 | Med | 0.28 | 4.3 | 0.00 | Mar 23, 2024 | Missing Authorization vulnerability in BdThemes Element Pack Elementor Addons.This issue affects Element Pack Elementor Addons: from n/a through 5.4.11. | |
| CVE-2024-24835 | Med | 0.28 | 4.3 | 0.00 | Mar 23, 2024 | Missing Authorization vulnerability in realmag777 BEAR.This issue affects BEAR: from n/a through 1.1.4. | |
| CVE-2024-27190 | Med | 0.28 | 4.3 | 0.01 | Mar 21, 2024 | Missing Authorization vulnerability in Jean-David Daviet Download Media.This issue affects Download Media: from n/a through 1.4.2. | |
| CVE-2024-1844 | Med | 0.28 | 4.3 | 0.00 | Mar 20, 2024 | The RevivePress – Keep your Old Content Evergreen plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the import_data and copy_data functions in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with subscriber-level access or higher, to overwrite plugin settings and view them. | |
| CVE-2024-1843 | Med | 0.28 | 4.3 | 0.00 | Mar 13, 2024 | The Auto Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the aalAddLink function in all versions up to, and including, 6.4.3. This makes it possible for authenticated attackers, with subscriber access or higher, to add arbitrary links to posts. | |
| CVE-2024-1690 | Med | 0.28 | 4.3 | 0.00 | Mar 13, 2024 | The TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the terawallet_export_user_search() function in all versions up to, and including, 1.4.10. This makes it possible for authenticated attackers, with subscriber-level access and above, to export a list of registered users and their emails. | |
| CVE-2024-1158 | Med | 0.28 | 4.3 | 0.00 | Mar 13, 2024 | The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buddyforms_new_page function in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber access or higher, to create pages with arbitrary titles. These pages are published. | |
| CVE-2024-1127 | Med | 0.28 | 4.3 | 0.00 | Mar 13, 2024 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the booking_export_all() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve all event booking which can contain PII. | |
| CVE-2024-1126 | Med | 0.28 | 4.3 | 0.00 | Mar 13, 2024 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_attendees_email_by_event_id() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to to retrieve the attendees list for any event. | |
| CVE-2024-0829 | Med | 0.28 | 4.3 | 0.00 | Mar 13, 2024 | The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings. | |
| CVE-2024-0385 | Med | 0.28 | 4.3 | 0.02 | Mar 13, 2024 | The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxAddCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to add categories. | |
| CVE-2024-0377 | Med | 0.28 | 5.3 | 0.04 | Mar 13, 2024 | The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_review' function in all versions up to, and including, 7.5.1. This makes it possible for unauthenticated attackers to publish an unrestricted number of reviews on the site. | |
| CVE-2024-0369 | Med | 0.28 | 4.3 | 0.00 | Mar 13, 2024 | The Bulk Edit Post Titles plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulkUpdatePostTitles function in all versions up to, and including, 5.0.0. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts. | |
| CVE-2024-1137 | Med | 0.28 | 4.3 | 0.00 | Mar 12, 2024 | The Proxy and Client components of TIBCO Software Inc.'s TIBCO ActiveSpaces - Enterprise Edition contain a vulnerability that theoretically allows an Active Spaces client to passively observe data traffic to other clients. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Enterprise Edition: versions 4.4.0 through 4.9.0. | |
| CVE-2023-4728 | Med | 0.28 | 4.3 | 0.00 | Mar 12, 2024 | The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publish_lp() function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to change the LadiPage key (a key fully controlled by the attacker), enabling them to freely create new pages, including web pages that trigger stored XSS | |
| CVE-2023-4627 | Med | 0.28 | 4.3 | 0.00 | Mar 12, 2024 | The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_config() function in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to update the 'ladipage_config' option. | |
| CVE-2024-1645 | Med | 0.28 | 4.3 | 0.00 | Mar 11, 2024 | The Mollie Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportRegistrations function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to export payment data collected by this plugin. |