CWE-862
Missing Authorization
ClassIncompleteLikelihood: High
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (4,561)
page 218 of 229| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-1400 | Med | 0.28 | 4.3 | 0.00 | Mar 11, 2024 | The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to duplicate arbitrary posts and pages. | |
| CVE-2024-1870 | Med | 0.28 | 4.3 | 0.00 | Mar 9, 2024 | The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key. | |
| CVE-2024-1124 | Med | 0.28 | 4.3 | 0.00 | Mar 9, 2024 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the ep_send_attendees_email() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary emails with arbitrary content from the site. | |
| CVE-2024-2298 | Med | 0.28 | 4.3 | 0.00 | Mar 8, 2024 | The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_import_product() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating importing products. | |
| CVE-2024-1771 | Med | 0.28 | 4.3 | 0.00 | Mar 6, 2024 | The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage. | |
| CVE-2024-1390 | Med | 0.28 | 4.3 | 0.00 | Feb 29, 2024 | The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables. | |
| CVE-2024-1337 | Med | 0.28 | 4.3 | 0.00 | Feb 29, 2024 | The SKT Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveSktbuilderPageData' function in all versions up to, and including, 4.1. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary content into pages. | |
| CVE-2024-1288 | Med | 0.28 | 4.3 | 0.00 | Feb 29, 2024 | The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saswp_reviews_form_render' function in all versions up to, and including, 1.26. This makes it possible for authenticated attackers, with contributor access and above, to modify the plugin's stored reCaptcha site and secret keys, potentially breaking the reCaptcha functionality. | |
| CVE-2024-1218 | Med | 0.28 | 4.3 | 0.00 | Feb 29, 2024 | The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized access and modification of data via API due to an inconsistent capability check on several REST endpoints in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with contributor access and higher, to obtain access to or modify forms or entries. | |
| CVE-2024-1133 | Med | 0.28 | 4.3 | 0.00 | Feb 29, 2024 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of restricted Q&A content due to a missing capability check when interacting with questions in all versions up to, and including, 2.6.0. This makes it possible for authenticated attackers, with subscriber access or higher, to interact with questions in courses in which they are not enrolled including private courses. | |
| CVE-2024-1091 | Med | 0.28 | 4.3 | 0.00 | Feb 29, 2024 | The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reinitialize function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to remove all plugin data. | |
| CVE-2024-1090 | Med | 0.28 | 4.3 | 0.00 | Feb 29, 2024 | The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stopOptimizeAll function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify image optimization settings. | |
| CVE-2024-1089 | Med | 0.28 | 4.3 | 0.00 | Feb 29, 2024 | The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the optimizeAllOn function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify image optimization settings. | |
| CVE-2024-0984 | Med | 0.28 | 4.3 | 0.00 | Feb 29, 2024 | The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disableOptimization function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to disable the image optimization setting. | |
| CVE-2024-0983 | Med | 0.28 | 4.3 | 0.00 | Feb 29, 2024 | The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enableOptimization function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to enable image optimization. | |
| CVE-2023-51692 | Med | 0.28 | 4.3 | 0.00 | Feb 28, 2024 | Missing Authorization vulnerability in CusRev Customer Reviews for WooCommerce.This issue affects Customer Reviews for WooCommerce: from n/a through 5.38.1. | |
| CVE-2024-1861 | Med | 0.28 | 4.3 | 0.00 | Feb 28, 2024 | The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihacker_truncate_scan_table() function in all versions up to, and including, 4.52. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate the scan table. | |
| CVE-2024-0766 | Med | 0.28 | 4.3 | 0.00 | Feb 28, 2024 | The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the templates_ajax_request function in all versions up to, and including, 1.4.4. This makes it possible for subscribers and higher to create templates. | |
| CVE-2024-1388 | Med | 0.28 | 4.3 | 0.00 | Feb 28, 2024 | The Yuki theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_customizer_options() function in all versions up to, and including, 1.3.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to reset the theme's settings. | |
| CVE-2024-1653 | Med | 0.28 | 4.3 | 0.00 | Feb 27, 2024 | The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxUpdateFolderPosition in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the folder position of categories as well as update the metadata of other taxonomies. |