VYPR

CWE-862

Missing Authorization

Class | Incomplete | Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

  • CVE-2026-29180 | High | Mar 27, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker…

  • CVE-2026-33631 | High | Mar 26, 2026
    risk 0.50 | cvss 8.7 | epss 0.00

    ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. In versions on the 4.1 branch and earlier, the opfilter Endpoint Security system extension enforced file access policy exclusively by intercepting ES_EVENT_TYPE_AUTH_OPEN events.…

  • CVE-2026-4484 | High | Mar 26, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it…

  • CVE-2026-32441 | High | Mar 25, 2026
    risk 0.50 | cvss 7.7 | epss 0.00

    Missing Authorization vulnerability in WebToffee Comments Import & Export comments-import-export-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Comments Import & Export: from n/a through <= 2.4.9.

  • CVE-2026-32268 | High | Mar 18, 2026
    risk 0.50 | cvss: not listed | epss 0.00

    The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The `DefaultController->actionLoadContainerData()`…

  • CVE-2026-1720 | High | Mar 5, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install_and_active_plugin' function in all versions up to, and…

  • CVE-2026-0974 | High | Feb 19, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install_plugin' function in all versions up to, and including, 1.20.0. This…

  • CVE-2025-12845 | High | Feb 19, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to…

  • CVE-2026-1104 | High | Feb 12, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated…

  • CVE-2025-15347 | High | Jan 20, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and…

  • CVE-2023-25446 | High | Dec 21, 2025
    risk 0.50 | cvss 7.7 | epss 0.00

    Missing Authorization vulnerability in HappyFiles HappyFiles Pro happyfiles-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HappyFiles Pro: from n/a through 1.8.1.

  • CVE-2025-14364 | High | Dec 18, 2025
    risk 0.50 | cvss 8.8 | epss 0.00

    The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for…

  • CVE-2025-64171 | High | Nov 6, 2025
    risk 0.50 | cvss: not listed | epss 0.00

    MARIN3R is a lightweight, CRD based envoy control plane for kubernetes. In versions 0.13.3 and below, there is a cross-namespace secret access vulnerability in the project's DiscoveryServiceCertificate which allows users to bypass RBAC and access secrets in unauthorized…

  • CVE-2025-62714 | High | Oct 24, 2025
    risk 0.50 | cvss: not listed | epss 0.01

    Karmada Dashboard is a general-purpose, web-based control panel for Karmada which is a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret,…

  • CVE-2025-9018 | High | Sep 11, 2025
    risk 0.50 | cvss 8.8 | epss 0.00

    The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'tt_update_table_function' and 'tt_delete_record_function' functions in all versions up to, and including, 3.1.0. This makes it possible for…

  • CVE-2025-8418 | High | Aug 12, 2025
    risk 0.50 | cvss 8.8 | epss 0.01

    The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated…

  • CVE-2025-7689 | High | Jul 29, 2025
    risk 0.50 | cvss 8.8 | epss 0.00

    The Hydra Booking plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the tfhb_reset_password_callback() function in versions 1.1.0 to 1.1.18. This makes it possible for authenticated attackers, with Subscriber-level access and above,…

  • CVE-2025-42952 | High | Jul 8, 2025
    risk 0.50 | cvss 7.7 | epss 0.00

    SAP Business Warehouse and SAP Plug-In Basis allows an authenticated attacker to add fields to arbitrary SAP database tables and/or structures, potentially rendering the system unusable. On successful exploitation, an attacker can render the system unusable by triggering short…

  • CVE-2025-5117 | High | May 27, 2025
    risk 0.50 | cvss 8.8 | epss 0.00

    The Property plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the use of the property_package_user_role metadata in versions 1.0.5 to 1.0.6. This makes it possible for authenticated attackers, with Author‐level access and above,…

  • CVE-2025-43011 | High | May 13, 2025
    risk 0.50 | cvss 7.7 | epss 0.00

    Under certain conditions, SAP Landscape Transformation's PCL Basis module does not perform the necessary authorization checks, allowing authenticated users to access restricted functionalities or data. This can lead to a high impact on confidentiality with no impact on the…