VYPR

CWE-862

Missing Authorization

Abstraction: Class; Status: Incomplete; Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 41 of 278
  • CVE-2024-56070 | High | Dec 31, 2024
    risk 0.48 | cvss 7.4 | epss 0.00

    Missing Authorization vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP SuperBackup: from n/a through <= 2.3.3.

  • CVE-2023-40004 | High | Jun 19, 2024
    risk 0.48 | cvss 7.3 | epss 0.10

    Missing Authorization vulnerability in ServMask All-in-One WP Migration Box Extension, ServMask All-in-One WP Migration OneDrive Extension, ServMask All-in-One WP Migration Dropbox Extension, ServMask All-in-One WP Migration Google Drive Extension. This issue affects All-in-One…

  • CVE-2024-2544 | High | Jun 15, 2024
    risk 0.48 | cvss 7.4 | epss 0.00

    The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple…

  • CVE-2020-36716 | High | Jun 7, 2023
    risk 0.48 | cvss 7.3 | epss 0.01

    The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to run the setup wizard (if it has not been…

  • CVE-2020-36697 | High | Jun 7, 2023
    risk 0.48 | cvss 7.3 | epss 0.01

    The WP GDPR plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to delete any comment and modify the plugin’s settings.

  • CVE-2023-2757 | High | May 18, 2023
    risk 0.48 | cvss 7.4 | epss 0.00

    The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on 'saveLang' functions in versions up to, and including, 0.6.2. This could lead to Cross-Site Scripting due to insufficient input sanitization and…

  • CVE-2022-4940 | High | Apr 5, 2023
    risk 0.48 | cvss 7.3 | epss 0.01

    The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide…

  • CVE-2022-21953 | High | Feb 7, 2023
    risk 0.48 | cvss 7.4 | epss 0.00

    A Missing Authorization vulnerability in of SUSE Rancher allows authenticated user to create an unauthorized shell pod and kubectl access in the local cluster This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions…

  • CVE-2026-40775 | High | Jun 15, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions.

  • CVE-2026-47197 | High | Jun 12, 2026
    risk 0.47 | cvss n/a | epss 0.00

    Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role…

  • CVE-2026-47163 | High | Jun 11, 2026
    risk 0.47 | cvss n/a | epss 0.00

    Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission…

  • CVE-2026-46558 | High | Jun 10, 2026
    risk 0.47 | cvss 8.3 | epss 0.00

    Plane is an open-source project management tool. Prior to version 1.3.1, there is a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1.

  • CVE-2026-42675 | High | Jun 1, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    Missing Authorization vulnerability in Themefic Hydra Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hydra Booking: from n/a through 1.1.41.

  • CVE-2026-32905 | High | May 29, 2026
    risk 0.47 | cvss 8.3 | epss 0.00

    OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup…

  • CVE-2026-42753 | High | May 27, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Membership: from n/a through <= 2.11.10.

  • CVE-2026-9350 | High | May 24, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function check_all_command_guards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. The attack can be launched remotely. The…

  • CVE-2026-45371 | High | May 14, 2026
    risk 0.47 | cvss n/a | epss 0.00

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST…

  • CVE-2026-42297 | High | May 9, 2026
    risk 0.47 | cvss 8.3 | epss 0.01

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD…

  • CVE-2026-42377 | High | Apr 29, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    Missing Authorization vulnerability in Brainstorm Force SureForms Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SureForms Pro: from n/a through 2.8.0.

  • CVE-2026-5464 | High | Apr 23, 2026
    risk 0.47 | cvss 7.2 | epss 0.01

    The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the…