VYPR

CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (4,575)

page 49 of 229
  • CVE-2025-68039MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP BackItUp: from n/a through <= 2.1.0.

  • CVE-2025-68020MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in WANotifier Notifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Notifier: from n/a through <= 2.7.13.

  • CVE-2025-68019MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in cleverplugins SEO Booster seo-booster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEO Booster: from n/a through <= 6.1.8.

  • CVE-2025-68016MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in Onepay Sri Lanka onepay Payment Gateway For WooCommerce onepay-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects onepay Payment Gateway For WooCommerce: from n/a through <= 1.1.2.

  • CVE-2025-68013MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in cardpaysolutions Payment Gateway Authorize.Net CIM for WooCommerce authnet-cim-for-woo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Gateway Authorize.Net CIM for WooCommerce: from n/a through <= 2.1.2.

  • CVE-2025-68009MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in Codeless Slider Templates slider-templates allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Slider Templates: from n/a through <= 1.0.3.

  • CVE-2025-68007MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf.

  • CVE-2025-68003MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shown Connector: from n/a through <= 1.2.10.

  • CVE-2025-67958MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in Taxcloud TaxCloud for WooCommerce simple-sales-tax allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TaxCloud for WooCommerce: from n/a through <= 8.3.8.

  • CVE-2025-67942MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Peach Payments Gateway: from n/a through <= 3.3.6.

  • CVE-2025-67939MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.2.

  • CVE-2025-5805MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Electron: from n/a through <= 1.8.2.

  • CVE-2025-54002MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects xSmart: from n/a through <= 1.2.9.4.

  • CVE-2025-14450MedJan 17, 2026
    risk 0.42cvss 6.5epss 0.00

    The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances.

  • CVE-2026-1000MedJan 16, 2026
    risk 0.42cvss 6.5epss 0.00

    The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history.

  • CVE-2025-12641MedJan 16, 2026
    risk 0.42cvss 6.5epss 0.00

    The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.

  • CVE-2025-13859MedJan 15, 2026
    risk 0.42cvss 6.4epss 0.00

    The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to store arbitrary JavaScript that executes whenever an AffiliateX block renders on the site.

  • CVE-2026-0503MedJan 13, 2026
    risk 0.42cvss 6.4epss 0.00

    Due to missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application which might further affect the subsequent systems. This vulnerability leads to a low impact on confidentiality and integrity of the application with no affect on the availability.

  • CVE-2025-14172MedJan 9, 2026
    risk 0.42cvss 6.5epss 0.00

    The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter.

  • CVE-2026-22522MedJan 8, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability in Munir Kamal Block Slider block-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Block Slider: from n/a through <= 2.2.3.