CWE-862
Missing Authorization
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (5,549)
Page 28 of 278

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-0869 | | High | 0.50 | 8.8 | 0.01 | | Feb 5, 2024 | The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the… |
| CVE-2023-6700 | | High | 0.50 | 8.8 | 0.01 | | Feb 5, 2024 | The Cookie Information \| Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with… |
| CVE-2023-5425 | | High | 0.50 | 8.8 | 0.01 | | Oct 28, 2023 | The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_change_user_meta and pmdm_wp_change_post_meta functions in versions up to, and including, 1.2.0. This makes it possible for… |
| CVE-2023-5311 | | High | 0.50 | 8.8 | 0.01 | | Oct 25, 2023 | The WP EXtra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and… |
| CVE-2023-33265 | | High | 0.50 | 8.8 | 0.01 | | Jul 18, 2023 | In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted. |
| CVE-2023-3713 | | High | 0.50 | 8.8 | 0.01 | | Jul 18, 2023 | The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'profile_magic_check_smtp_connection' function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with… |
| CVE-2022-4950 | | High | 0.50 | 8.8 | 0.01 | | Jun 7, 2023 | Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber. |
| CVE-2022-30951 | — | High | 0.50 | 8.8 | 0.01 | | May 17, 2022 | Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library, which does not implement access control, potentially allowing users to start processes even if they're not allowed to log in. |
| CVE-2022-22111 | | High | 0.50 | 8.8 | 0.01 | | Jan 5, 2022 | In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator's. This allows the attacker to gain access to the… |
| CVE-2021-39236 | — | High | 0.50 | 8.8 | 0.02 | | Nov 19, 2021 | In Apache Ozone before 1.2.0, authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user. |
| CVE-2021-21695 | | High | 0.50 | 8.8 | 0.02 | | Nov 4, 2021 | FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. |
| CVE-2019-10339 | — | High | 0.50 | 8.8 | 0.02 | | Jun 11, 2019 | A missing permission check in Jenkins JX Resources Plugin 1.0.36 and earlier in GlobalPluginConfiguration#doValidateClient allowed users with Overall/Read access to have Jenkins connect to an attacker-specified Kubernetes server, potentially leaking credentials. |
| CVE-2019-10301 | | High | 0.50 | 8.8 | 0.01 | | Apr 18, 2019 | A missing permission check in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained… |
| CVE-2019-1003025 | | High | 0.50 | 8.8 | 0.01 | | Feb 20, 2019 | An exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs… |
| CVE-2019-1003006 | | High | 0.50 | 8.8 | 0.02 | | Feb 6, 2019 | A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code… |
| CVE-2013-3703 | | High | 0.50 | 8.8 | 0.01 | | Jun 8, 2018 | The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project meta data. |
| CVE-2026-52711 | | High | 0.49 | 7.5 | 0.00 | | Jun 16, 2026 | Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions. |
| CVE-2026-39490 | | High | 0.49 | 7.5 | 0.00 | | Jun 16, 2026 | Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions. |
| CVE-2025-68045 | | High | 0.49 | 7.5 | 0.00 | | Jun 16, 2026 | Unauthenticated Broken Access Control in WP Event Solution <= 4.1.12 versions. |
| CVE-2026-49070 | | High | 0.49 | 7.5 | 0.00 | | Jun 15, 2026 | Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions. |