VYPR

CWE-862

Missing Authorization

Abstraction: Class | Status: Incomplete | Likelihood of Exploit: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 3 of 278
  • CVE-2026-2446 | Critical | Mar 6, 2026
    Risk 0.64 | CVSS 9.8 | EPSS 0.00

    The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role etc.) and create arbitrary admin users

  • CVE-2025-69052 | Critical | Jan 22, 2026
    Risk 0.64 | CVSS 9.8 | EPSS 0.00

    Missing Authorization vulnerability in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce registration-login-with-mobile-phone-number allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Registration & Login with Mobile…

  • CVE-2025-39477 | Critical | Jan 6, 2026
    Risk 0.64 | CVSS 9.8 | EPSS 0.00

    Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects InWave Jobs: from n/a through 3.5.8.

  • CVE-2025-68270 | Critical | Dec 16, 2025
    Risk 0.64 | CVSS 9.9 | EPSS 0.00

    The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, CourseLimitedStaffRole users are able to access and edit courses in studio if they are granted the role on an org rather than on a course, and…

  • CVE-2025-12963 | Critical | Dec 12, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.00

    The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's…

  • CVE-2025-12158 | Critical | Nov 4, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.00

    The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role…

  • CVE-2025-9054 | Critical | Sep 24, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.00

    The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'wcmlim_settings_ajax_handler' function in all versions up to,…

  • CVE-2025-10690 | Critical | Sep 19, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.01

    The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for…

  • CVE-2024-32832 | Critical | Aug 31, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.00

    Missing Authorization vulnerability in Hamid Alinia Login with phone number login-with-phone-number. This issue affects Login with phone number: from n/a through <= 1.6.93.

  • CVE-2025-52352 | Critical | Aug 21, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.01

    Aikaan IoT management platform v3.25.0325-5-g2e9c59796 provides a configuration to disable user sign-up in distributed deployments by hiding the sign-up option on the login page UI. However, the sign-up API endpoint remains publicly accessible and functional, allowing…

  • CVE-2025-6380 | Critical | Jul 24, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.01

    The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin’s permission callback only verifies that the supplied, encrypted attachment ID maps to an…

  • CVE-2025-6187 | Critical | Jul 22, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.01

    The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webhook/v2/order_info/ route with a permission_callback that always returns true,…

  • CVE-2025-5288 | Critical | Jun 13, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.01

    The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated…

  • CVE-2025-5486 | Critical | Jun 6, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.00

    The WP Email Debug plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the WPMDBUG_handle_settings() function in versions 1.0 to 1.1.0. This makes it possible for unauthenticated attackers to enable debugging and send all emails to an…

  • CVE-2025-3746 | Critical | May 2, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.00

    The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for…

  • CVE-2025-37087 | Critical | Apr 22, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.00

    A vulnerability in the cmdb service of the HPE Performance Cluster Manager (HPCM) could allow an attacker to gain access to an arbitrary file on the server host.

  • CVE-2025-31194 | Critical | Mar 31, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.01

    An authentication issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A Shortcut may run with admin privileges without authentication.

  • CVE-2025-31182 | Critical | Mar 31, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.01

    This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4, watchOS 11.4. An app may be able to delete files for which it does not have…

  • CVE-2025-24259 | Critical | Mar 31, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.01

    This issue was addressed with additional entitlement checks. This issue is fixed in iPadOS 17.7.7, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to retrieve Safari bookmarks without an entitlement check.

  • CVE-2025-24249 | Critical | Mar 31, 2025
    Risk 0.64 | CVSS 9.8 | EPSS 0.01

    A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to check the existence of an arbitrary path on the file system.