CWE-862
Missing Authorization
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (5,549)
page 41 of 278| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-56070 | Hig | 0.48 | 7.4 | 0.00 | Dec 31, 2024 | Missing Authorization vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP SuperBackup: from n/a through <= 2.3.3. | ||
| CVE-2023-40004 | Hig | 0.48 | 7.3 | 0.10 | Jun 19, 2024 | Missing Authorization vulnerability in ServMask All-in-One WP Migration Box Extension, ServMask All-in-One WP Migration OneDrive Extension, ServMask All-in-One WP Migration Dropbox Extension, ServMask All-in-One WP Migration Google Drive Extension.This issue affects All-in-One… | ||
| CVE-2024-2544 | Hig | 0.48 | 7.4 | 0.00 | Jun 15, 2024 | The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple… | ||
| CVE-2020-36716 | Hig | 0.48 | 7.3 | 0.01 | Jun 7, 2023 | The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to run the setup wizard (if it has not been… | ||
| CVE-2020-36697 | Hig | 0.48 | 7.3 | 0.01 | Jun 7, 2023 | The WP GDPR plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to delete any comment and modify the plugin’s settings. | ||
| CVE-2023-2757 | Hig | 0.48 | 7.4 | 0.00 | May 18, 2023 | The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on 'saveLang' functions in versions up to, and including, 0.6.2. This could lead to Cross-Site Scripting due to insufficient input sanitization and… | ||
| CVE-2022-4940 | Hig | 0.48 | 7.3 | 0.01 | Apr 5, 2023 | The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide… | ||
| CVE-2022-21953 | Hig | 0.48 | 7.4 | 0.00 | Feb 7, 2023 | A Missing Authorization vulnerability in of SUSE Rancher allows authenticated user to create an unauthorized shell pod and kubectl access in the local cluster This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions… | ||
| CVE-2026-40775 | Hig | 0.47 | 7.3 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions. | ||
| CVE-2026-47197 | Hig | 0.47 | — | 0.00 | Jun 12, 2026 | Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role… | ||
| CVE-2026-47163 | Hig | 0.47 | — | 0.00 | Jun 11, 2026 | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission… | ||
| CVE-2026-46558 | Hig | 0.47 | 8.3 | 0.00 | Jun 10, 2026 | Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1. | ||
| CVE-2026-42675 | Hig | 0.47 | 7.3 | 0.00 | Jun 1, 2026 | Missing Authorization vulnerability in Themefic Hydra Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hydra Booking: from n/a through 1.1.41. | ||
| CVE-2026-32905 | Hig | 0.47 | 8.3 | 0.00 | May 29, 2026 | OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup… | ||
| CVE-2026-42753 | Hig | 0.47 | 7.3 | 0.00 | May 27, 2026 | Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCFM Membership: from n/a through <= 2.11.10. | ||
| CVE-2026-9350 | Hig | 0.47 | 7.3 | 0.00 | May 24, 2026 | A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function check_all_command_guards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. The attack can be launched remotely. The… | ||
| CVE-2026-45371 | Hig | 0.47 | — | 0.00 | May 14, 2026 | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST… | ||
| CVE-2026-42297 | Hig | 0.47 | 8.3 | 0.01 | May 9, 2026 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD… | ||
| CVE-2026-42377 | Hig | 0.47 | 7.3 | 0.00 | Apr 29, 2026 | Missing Authorization vulnerability in Brainstorm Force SureForms Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SureForms Pro: from n/a through 2.8.0. | ||
| CVE-2026-5464 | Hig | 0.47 | 7.2 | 0.01 | Apr 23, 2026 | The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the… |
- risk 0.48cvss 7.4epss 0.00
Missing Authorization vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP SuperBackup: from n/a through <= 2.3.3.
- risk 0.48cvss 7.3epss 0.10
Missing Authorization vulnerability in ServMask All-in-One WP Migration Box Extension, ServMask All-in-One WP Migration OneDrive Extension, ServMask All-in-One WP Migration Dropbox Extension, ServMask All-in-One WP Migration Google Drive Extension.This issue affects All-in-One…
- risk 0.48cvss 7.4epss 0.00
The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple…
- risk 0.48cvss 7.3epss 0.01
The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to run the setup wizard (if it has not been…
- risk 0.48cvss 7.3epss 0.01
The WP GDPR plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to delete any comment and modify the plugin’s settings.
- risk 0.48cvss 7.4epss 0.00
The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on 'saveLang' functions in versions up to, and including, 0.6.2. This could lead to Cross-Site Scripting due to insufficient input sanitization and…
- risk 0.48cvss 7.3epss 0.01
The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide…
- risk 0.48cvss 7.4epss 0.00
A Missing Authorization vulnerability in of SUSE Rancher allows authenticated user to create an unauthorized shell pod and kubectl access in the local cluster This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions…
- risk 0.47cvss 7.3epss 0.00
Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions.
- risk 0.47cvss —epss 0.00
Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role…
- risk 0.47cvss —epss 0.00
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission…
- risk 0.47cvss 8.3epss 0.00
Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1.
- risk 0.47cvss 7.3epss 0.00
Missing Authorization vulnerability in Themefic Hydra Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hydra Booking: from n/a through 1.1.41.
- risk 0.47cvss 8.3epss 0.00
OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup…
- risk 0.47cvss 7.3epss 0.00
Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCFM Membership: from n/a through <= 2.11.10.
- risk 0.47cvss 7.3epss 0.00
A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function check_all_command_guards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. The attack can be launched remotely. The…
- risk 0.47cvss —epss 0.00
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST…
- risk 0.47cvss 8.3epss 0.01
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD…
- risk 0.47cvss 7.3epss 0.00
Missing Authorization vulnerability in Brainstorm Force SureForms Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SureForms Pro: from n/a through 2.8.0.
- risk 0.47cvss 7.2epss 0.01
The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the…