CWE-862
Missing Authorization
ClassIncompleteLikelihood: High
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (4,561)
page 225 of 229| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-5770 | Med | 0.27 | 4.2 | 0.00 | Jun 8, 2024 | The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_setting' function in versions up to, and including, 1.66. This makes it possible for authenticated attackers, subscriber-level permissions and above, to update the plugin settings. | |
| CVE-2024-1322 | Med | 0.27 | 5.3 | 0.00 | Feb 29, 2024 | The Directorist – WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 7.8.4. This makes it possible for unauthenticated attackers to recreate default pages and enable or disable monetization and change map provider. | |
| CVE-2024-1110 | Med | 0.27 | 5.3 | 0.00 | Feb 7, 2024 | The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init() function in all versions up to, and including, 4.0.11. This makes it possible for unauthenticated attackers to import the plugin's settings. | |
| CVE-2024-1109 | Med | 0.27 | 5.3 | 0.00 | Feb 7, 2024 | The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the init_download() and init() functions in all versions up to, and including, 4.0.11. This makes it possible for unauthenticated attackers to export the plugin's tracking data and podcast information. | |
| CVE-2022-3622 | Med | 0.27 | 4.1 | 0.00 | Oct 20, 2023 | The Blog2Social plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in versions up to, and including, 6.9.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change some plugin settings intended to be modifiable by admins only. | |
| CVE-2026-25423 | Low | 0.25 | 3.8 | 0.00 | Feb 19, 2026 | Missing Authorization vulnerability in creativeinteractivemedia Real 3D FlipBook real3d-flipbook-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Real 3D FlipBook: from n/a through <= 4.19.1. | |
| CVE-2025-69015 | Low | 0.25 | 3.8 | 0.00 | Dec 30, 2025 | Missing Authorization vulnerability in Automattic Crowdsignal Forms crowdsignal-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crowdsignal Forms: from n/a through <= 1.7.2. | |
| CVE-2025-64350 | Low | 0.25 | 3.8 | 0.00 | Oct 31, 2025 | Missing Authorization vulnerability in Rank Math SEO Rank Math SEO seo-by-rank-math allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rank Math SEO: from n/a through <= 1.0.252.1. | |
| CVE-2025-58009 | Low | 0.25 | 3.8 | 0.00 | Sep 22, 2025 | Missing Authorization vulnerability in codepeople CP Multi View Event Calendar cp-multi-view-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CP Multi View Event Calendar : from n/a through <= 1.4.35. | |
| CVE-2023-23814 | Low | 0.25 | 3.8 | 0.00 | Dec 9, 2024 | Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CP Multi View Event Calendar : from n/a through 1.4.13. | |
| CVE-2023-2434 | Low | 0.25 | 3.8 | 0.00 | May 31, 2023 | The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'reset' function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings. | |
| CVE-2026-35448 | Low | 0.24 | 3.7 | 0.00 | Apr 6, 2026 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitcoin addresses are publicly visible on the blockchain, an attacker can query payment records for any address used on the platform. | |
| CVE-2025-9218 | Low | 0.24 | 3.7 | 0.00 | Dec 13, 2025 | The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts. | |
| CVE-2025-12826 | Med | 0.24 | 4.8 | 0.00 | Dec 4, 2025 | The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the "cptui_process_post_type" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations. | |
| CVE-2024-12300 | Low | 0.24 | 3.7 | 0.00 | Dec 13, 2024 | The AR for WordPress plugin for WordPress is vulnerable to unauthorized double extension file upload due to a missing capability check on the set_ar_featured_image() function in all versions up to, and including, 7.3. This makes it possible for unauthenticated attackers to upload php files leveraging a double extension attack. It's important to note the file is deleted immediately and double extension attacks only work on select servers making this unlikely to be successfully exploited. | |
| CVE-2023-28168 | Low | 0.24 | 3.7 | 0.00 | Dec 9, 2024 | Missing Authorization vulnerability in Jerod Santo WordPress Console allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress Console: from n/a through 0.3.9. | |
| CVE-2023-27437 | Low | 0.24 | 3.7 | 0.00 | Jun 3, 2024 | Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf allows Functionality Misuse.This issue affects Event Espresso 4 Decaf: from n/a through 4.10.44.Decaf. | |
| CVE-2023-23985 | Low | 0.24 | 3.7 | 0.00 | Apr 24, 2024 | Missing Authorization vulnerability in Quiz Maker team Quiz Maker.This issue affects Quiz Maker: from n/a through 6.3.9.4. | |
| CVE-2017-17433 | Low | 0.24 | 3.7 | 0.02 | Dec 6, 2017 | The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions. | |
| CVE-2017-5930 | Low | 0.24 | 2.7 | 0.40 | Mar 20, 2017 | The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check. |