VYPR

CWE-862

Missing Authorization

Abstraction: Class. Status: Incomplete. Likelihood of exploit: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 28 of 278
  • CVE-2024-0869 (High) Feb 5, 2024
    Risk 0.50, CVSS 8.8, EPSS 0.01

    The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the…

  • CVE-2023-6700 (High) Feb 5, 2024
    Risk 0.50, CVSS 8.8, EPSS 0.01

    The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with…

  • CVE-2023-5425 (High) Oct 28, 2023
    Risk 0.50, CVSS 8.8, EPSS 0.01

    The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_change_user_meta and pmdm_wp_change_post_meta functions in versions up to, and including, 1.2.0. This makes it possible for…

  • CVE-2023-5311 (High) Oct 25, 2023
    Risk 0.50, CVSS 8.8, EPSS 0.01

    The WP EXtra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and…

  • CVE-2023-33265 (High) Jul 18, 2023
    Risk 0.50, CVSS 8.8, EPSS 0.01

    In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted.

  • CVE-2023-3713 (High) Jul 18, 2023
    Risk 0.50, CVSS 8.8, EPSS 0.01

    The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'profile_magic_check_smtp_connection' function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with…

  • CVE-2022-4950 (High) Jun 7, 2023
    Risk 0.50, CVSS 8.8, EPSS 0.01

    Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber.

  • CVE-2022-30951 (High) May 17, 2022
    Risk 0.50, CVSS 8.8, EPSS 0.01

    Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library, which does not implement access control, potentially allowing users to start processes even if they're not allowed to log in.

  • CVE-2022-22111 (High) Jan 5, 2022
    Risk 0.50, CVSS 8.8, EPSS 0.01

    DayByDay CRM version 2.2.0 is vulnerable to missing authorization. Any application user who has the update-user permission enabled is able to change the password of other users, including the administrator's. This allows the attacker to gain access to the…

  • CVE-2021-39236 (High) Nov 19, 2021
    Risk 0.50, CVSS 8.8, EPSS 0.02

    In Apache Ozone before 1.2.0, authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.

  • CVE-2021-21695 (High) Nov 4, 2021
    Risk 0.50, CVSS 8.8, EPSS 0.02

    FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

  • CVE-2019-10339 (High) Jun 11, 2019
    Risk 0.50, CVSS 8.8, EPSS 0.02

    A missing permission check in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed users with Overall/Read access to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials.

  • CVE-2019-10301 (High) Apr 18, 2019
    Risk 0.50, CVSS 8.8, EPSS 0.01

    A missing permission check in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained…

  • CVE-2019-1003025 (High) Feb 20, 2019
    Risk 0.50, CVSS 8.8, EPSS 0.01

    An exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs…

  • CVE-2019-1003006 (High) Feb 6, 2019
    Risk 0.50, CVSS 8.8, EPSS 0.02

    A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code…

  • CVE-2013-3703 (High) Jun 8, 2018
    Risk 0.50, CVSS 8.8, EPSS 0.01

    The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project meta data.

  • CVE-2026-52711 (High) Jun 16, 2026
    Risk 0.49, CVSS 7.5, EPSS 0.00

    Unauthenticated broken access control in WooCommerce POS versions <= 1.8.14.

  • CVE-2026-39490 (High) Jun 16, 2026
    Risk 0.49, CVSS 7.5, EPSS 0.00

    Unauthenticated broken access control in JupiterX Core versions <= 4.14.1.

  • CVE-2025-68045 (High) Jun 16, 2026
    Risk 0.49, CVSS 7.5, EPSS 0.00

    Unauthenticated broken access control in WP Event Solution versions <= 4.1.12.

  • CVE-2026-49070 (High) Jun 15, 2026
    Risk 0.49, CVSS 7.5, EPSS 0.00

    Unauthenticated broken access control in Knit Pay versions <= 9.4.0.0.