VYPR

CWE-862

Missing Authorization

Abstraction: Class | Status: Incomplete | Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 44 of 278
  • CVE-2024-4222 | High | May 16, 2024
    risk 0.47 | cvss 7.3 | epss 0.00

    The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to…

  • CVE-2024-3600 | High | Apr 19, 2024
    risk 0.47 | cvss 7.2 | epss 0.00

    The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start AJAX action in addition to insufficient escaping and sanitization in all versions up to, and…

  • CVE-2024-2395 | High | Mar 12, 2024
    risk 0.47 | cvss 7.3 | epss 0.00

    The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.14. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to…

  • CVE-2024-0702 | High | Feb 29, 2024
    risk 0.47 | cvss 7.3 | epss 0.01

    The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions hooked via AJAX in the includes/class-pos-bridge-install.php file in all versions up to, and including, 2.4.2.1…

  • CVE-2023-6751 | High | Jan 11, 2024
    risk 0.47 | cvss 7.3 | epss 0.00

    The Hostinger plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the function publish_website in all versions up to, and including, 1.9.7. This makes it possible for unauthenticated attackers to enable and disable…

  • CVE-2023-6007 | High | Nov 22, 2023
    risk 0.47 | cvss 7.3 | epss 0.00

    The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add,…

  • CVE-2023-2078 | High | Jul 11, 2023
    risk 0.47 | cvss 7.3 | epss 0.00

    The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes…

  • CVE-2023-36815 | High | Jul 3, 2023
    risk 0.47 | cvss 7.3 | epss 0.01

    Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account `sealos[.] io/v1/Payment`, resulting in the…

  • CVE-2021-4350 | High | Jun 7, 2023
    risk 0.47 | cvss 7.2 | epss 0.01

    The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated HTML Injection in versions up to, and including, 18.2. This is due to lacking authentication protections on the wpfm_send_file_in_email AJAX action. This makes it possible for unauthenticated…

  • CVE-2009-3168 | High | Sep 11, 2009
    risk 0.47 | cvss 7.2 | epss 0.03

    Mevin Productions Basic PHP Events Lister 2.0 does not properly restrict access to (1) admin/reset.php and (2) admin/user_add.php, which allows remote authenticated users to reset administrative passwords or add administrators via a direct request.

  • CVE-2026-53866 | High | Jun 16, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected…

  • CVE-2026-40788 | High | Jun 15, 2026
    risk 0.46 | cvss 7.1 | epss 0.00

    Subscriber Broken Access Control in ChatBot <= 7.9.7 versions.

  • CVE-2026-5230 | High | Jun 15, 2026
    risk 0.46 | cvss 7.1 | epss 0.00

    Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.

  • CVE-2026-49948 | High | Jun 9, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or…

  • CVE-2026-44751 | High | Jun 9, 2026
    risk 0.46 | cvss 7.1 | epss 0.00

    Application server ABAP does not perform necessary authorization checks for an authenticated user allowing an attacker to execute a report generation command which could overwrite information belonging to another user, resulting in escalation of privileges. This has high impact…

  • CVE-2026-47740 | High | May 29, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel,…

  • CVE-2026-44328 | High | May 27, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unconditionally dereferences upNode.UPF…

  • CVE-2026-42083 | High | May 27, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI. In NewServer(), the smPolicyGroup route group is…

  • CVE-2025-14361 | High | May 26, 2026
    risk 0.46 | cvss 7.1 | epss 0.00

    Missing Authorization vulnerability in AA-Team Woocommerce Envato Affiliates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Woocommerce Envato Affiliates: from n/a through 1.2.1.

  • CVE-2026-9284 | High | May 23, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The…