VYPR

CWE-862

Missing Authorization

Abstraction: Class · Status: Incomplete · Likelihood of Exploit: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
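As an added illustration (not the CWE entry's own code, and not from any project listed on this page), the Python below shows the weakness in a record-deletion handler in the three shapes that recur in the CVE list: no check at all, a check that is called but whose result is discarded, and the corrected handler that denies unless the caller owns the record or holds an admin role. The Request type, can_delete(), the "admin" role name and the sample records are assumptions made for the example.

```python
"""CWE-862 in a record-deletion handler: no check, an ignored check, and the fix.

Added example, not code from the page or any project listed on it. Request,
can_delete(), the "admin" role and the sample records are assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user_id: str                      # already authenticated caller
    roles: frozenset = frozenset()    # e.g. frozenset({"admin"})


class Forbidden(Exception):
    pass


def sample_db() -> dict:
    """Constructed sample data: record id -> owning user."""
    return {"fam-1": "alice", "fam-2": "bob"}


def can_delete(db: dict, req: Request, record_id: str) -> bool:
    """The authorization decision: owner or admin only, decided on server-side
    state rather than on anything the client sent."""
    owner = db.get(record_id)
    return owner is not None and (owner == req.user_id or "admin" in req.roles)


def delete_vulnerable(db: dict, req: Request, record_id: str) -> bool:
    """Authenticates (req carries a user) but never asks whether that user may
    act on record_id: any logged-in user can delete anyone's record."""
    return db.pop(record_id, None) is not None


def delete_ignores_check(db: dict, req: Request, record_id: str) -> bool:
    """Calls the check but discards its result, so the check is a no-op. This is
    the 'not enforcing the return value of its authorization check' shape."""
    can_delete(db, req, record_id)
    return db.pop(record_id, None) is not None


def delete_fixed(db: dict, req: Request, record_id: str) -> bool:
    """Deny unless the check passes; the deletion happens only after the decision."""
    if not can_delete(db, req, record_id):
        raise Forbidden(f"{req.user_id} may not delete {record_id}")
    del db[record_id]
    return True


def outcome(fn, req: Request, record_id: str) -> str:
    """Run one handler against a fresh sample db and report what happened."""
    db = sample_db()
    try:
        fn(db, req, record_id)
    except Forbidden:
        return "denied"
    return "deleted" if record_id not in db else "kept"


if __name__ == "__main__":
    mallory = Request("mallory")   # authenticated, owns nothing, no roles
    for fn in (delete_vulnerable, delete_ignores_check, delete_fixed):
        print(f"{fn.__name__}: fam-1 {outcome(fn, mallory, 'fam-1')}")
    print(f"delete_fixed as owner: fam-1 {outcome(delete_fixed, Request('alice'), 'fam-1')}")
```

The point of the middle variant is that a code reviewer grepping for the presence of a capability or ownership check will find one; only following the data flow shows that nothing depends on its result.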

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 45 of 278
  • CVE-2026-44554 · High · May 15, 2026
    risk 0.46 · CVSS 8.1 · EPSS 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_name and an overwrite query parameter (default: True). It performs no…

  • CVE-2026-4094 · High · May 15, 2026
    risk 0.46 · CVSS 8.1 · EPSS 0.00

    The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers,…

  • CVE-2026-4030 · High · May 14, 2026
    risk 0.46 · CVSS 8.1 · EPSS 0.00

    The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a…

  • CVE-2026-5371 · High · May 12, 2026
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability checks on the get_ads_access_token() and reset_experience() functions in all…

  • CVE-2026-41394 · High · Apr 28, 2026
    risk 0.46 · CVSS 8.2 · EPSS 0.00

    OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes without authentication to perform privileged runtime actions intended for authorized…

  • CVE-2026-40581 · High · Apr 18, 2026
    risk 0.46 · CVSS 8.1 · EPSS 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An…

  • CVE-2026-34256 · High · Apr 14, 2026
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight-character executable ABAP report without authorization. If the overwritten report is…

  • CVE-2026-35660 · High · Apr 10, 2026
    risk 0.46 · CVSS 8.1 · EPSS 0.00

    OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an…

  • CVE-2026-4162 · High · Apr 10, 2026
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with…

  • CVE-2026-39429 · High · Apr 8, 2026
    risk 0.46 · CVSS 8.2 · EPSS 0.00

    kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can…

  • CVE-2026-3445 · High · Apr 4, 2026
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to unauthorized membership payment bypass in all versions up to, and including, 4.16.11. This is due to a missing…

  • CVE-2026-34759 · High · Apr 2, 2026
    risk 0.46 · CVSS 8.1 · EPSS 0.01

    OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServic…

  • CVE-2026-34042 · High · Mar 31, 2026
    risk 0.46 · CVSS 8.2 · EPSS 0.00

    act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with…

  • CVE-2026-32501 · High · Mar 25, 2026
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    Missing Authorization vulnerability in wp-configurator WP Configurator Pro wp-configurator-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Configurator Pro: from n/a through <= 3.7.9.

  • CVE-2026-24369 · High · Mar 25, 2026
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0.

  • CVE-2026-2992 · High · Mar 18, 2026
    risk 0.46 · CVSS 8.2 · EPSS 0.00

    The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it…

  • CVE-2026-1321 · High · Mar 5, 2026
    risk 0.46 · CVSS 8.1 · EPSS 0.00

    The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter…

  • CVE-2025-69381 · High · Feb 20, 2026
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    Missing Authorization vulnerability in vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Bulk Product Editor: from n/a through <= 3.0.

  • CVE-2025-68069 · High · Feb 20, 2026
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Directorist: from n/a through <= 8.6.6.

  • CVE-2026-23547 · High · Feb 19, 2026
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    Missing Authorization vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CMSMasters Content Composer: from n/a through <= 2.5.8.
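Several entries above describe endpoints that were registered with no authentication or authorization middleware at all while sibling endpoints in the same code base had one. The added example below (not code from the page or from any project listed on it) shows the structural defence for that failure mode: a router in which "no policy declared" is distinguished from "explicitly public", an unprotected() audit that a pre-deploy test can assert is empty, and a dispatcher that fails closed on a route with no policy instead of serving it to everyone. Router, Route, PUBLIC, require_role() and the sample routes are hypothetical.

```python
"""Fail-closed route registration: a route with no authorization policy is a
bug to be caught, not a public endpoint.

Added example, not the page's or any listed project's code. Router, Route,
PUBLIC, require_role() and the sample routes are assumed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional

Principal = dict                      # e.g. {"user": "alice", "roles": {"admin"}}
Policy = Callable[[Principal], bool]


def PUBLIC(_: Principal) -> bool:
    """Explicitly anonymous-accessible. Deliberately distinct from 'no policy'."""
    return True


def require_role(role: str) -> Policy:
    return lambda p: role in p.get("roles", set())


@dataclass
class Route:
    method: str
    path: str
    handler: Callable[[Principal, object], object]
    authz: Optional[Policy]           # None: nobody declared a policy (CWE-862)


class Router:
    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, method: str, path: str, handler, authz: Optional[Policy] = None) -> None:
        self.routes.append(Route(method, path, handler, authz))

    def unprotected(self) -> list[str]:
        """Routes registered without any policy; a test should assert this is empty."""
        return [f"{r.method} {r.path}" for r in self.routes if r.authz is None]

    def dispatch(self, method: str, path: str, principal: Principal, body=None):
        for r in self.routes:
            if r.method != method or r.path != path:
                continue
            if r.authz is None:
                # Fail closed: serving this route would silently grant access to everyone.
                return 500, "route has no authorization policy"
            if not r.authz(principal):
                return 403, "forbidden"
            return 200, r.handler(principal, body)
        return 404, "not found"


def build_sample_router() -> Router:
    """Constructed routes: one public, one admin-only, and one registered
    without any policy (the sibling-endpoint mistake)."""
    r = Router()
    r.add("GET", "/healthz", lambda p, b: "ok", authz=PUBLIC)
    r.add("POST", "/admin/reset", lambda p, b: "reset", authz=require_role("admin"))
    r.add("POST", "/api/notify", lambda p, b: f"sent {b}")   # authz forgotten
    return r


if __name__ == "__main__":
    router = build_sample_router()
    print("unprotected routes:", router.unprotected())
    anon = {"user": None, "roles": set()}
    print("anon  POST /api/notify ->", router.dispatch("POST", "/api/notify", anon, "hello"))
    print("anon  POST /admin/reset ->", router.dispatch("POST", "/admin/reset", anon))
    print("admin POST /admin/reset ->",
          router.dispatch("POST", "/admin/reset", {"user": "root", "roles": {"admin"}}))
```

The audit and the fail-closed dispatch are two independent nets: the first catches the missing policy in CI before deployment, the second turns a policy that slipped through into a loud 500 rather than an open endpoint.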