VYPR

CWE-862

Missing Authorization

Class | Incomplete | Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 7 of 278
  • CVE-2026-4119 | Critical | Apr 22, 2026
    risk 0.59 | cvss 9.1 | epss 0.01

    The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without…

  • CVE-2026-4365 | Critical | Apr 14, 2026
    risk 0.59 | cvss 9.1 | epss 0.01

    The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions up to, and including, 4.3.2.8. The plugin exposes a `wp_rest` nonce in public frontend HTML (`lpData`) to…

  • CVE-2026-34184 | Critical | Apr 9, 2026
    risk 0.59 | cvss 9.1 | epss 0.00

    Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically the attacker could run PHP scripts directly on the connected database. This issue…

  • CVE-2026-27071 | Critical | Mar 25, 2026
    risk 0.59 | cvss 9.1 | epss 0.00

    Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPCafe: from n/a through <= 3.0.7.

  • CVE-2026-4283 | Critical | Mar 24, 2026
    risk 0.59 | cvss 9.1 | epss 0.00

    The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the…

  • CVE-2025-11158 | Critical | Mar 10, 2026
    risk 0.59 | cvss 9.1 | epss 0.00

    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.

  • CVE-2025-14741 | Critical | Jan 9, 2026
    risk 0.59 | cvss 9.1 | epss 0.00

    The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for…

  • CVE-2025-13828 | Critical | Dec 2, 2025
    risk 0.59 | cvss | epss 0.00

    Summary: A non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. Impact: A low-privileged user of the platform can install malicious code to obtain…

  • CVE-2020-36852 | Critical | Oct 1, 2025
    risk 0.59 | cvss 9.1 | epss 0.00

    The Custom Searchable Data Entry System plugin for WordPress is vulnerable to unauthenticated database wiping in versions up to, and including 1.7.1, due to a missing capability check and lack of sufficient validation on the ghazale_sds_delete_entries_table_row() function. This…

  • CVE-2025-53499 | Critical | Jul 7, 2025
    risk 0.59 | cvss 9.1 | epss 0.00

    Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access. This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2.

  • CVE-2025-53495 | Critical | Jul 7, 2025
    risk 0.59 | cvss 9.1 | epss 0.00

    Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access. This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2.

  • CVE-2025-30448 | Critical | May 12, 2025
    risk 0.59 | cvss 9.1 | epss 0.01

    This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.4, macOS Sonoma 14.7.6, macOS Ventura 13.7.6, visionOS 2.5. An attacker may be able to turn on sharing of an iCloud folder without…

  • CVE-2024-54542 | Critical | Jan 27, 2025
    risk 0.59 | cvss 9.1 | epss 0.01

    An authentication issue was addressed with improved state management. This issue is fixed in Safari 18.2, iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, watchOS 11.2. Private Browsing tabs may be accessed without authentication.

  • CVE-2024-12542 | High | Jan 9, 2025
    risk 0.59 | cvss 8.6 | epss 0.01

    The linkID plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 0.1.2. This makes it possible for unauthenticated attackers to read configuration settings…

  • CVE-2023-47179 | High | Jan 2, 2025
    risk 0.59 | cvss 8.8 | epss 0.01

    Missing Authorization vulnerability in mdalabar WooODT Lite byconsole-woo-order-delivery-time allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooODT Lite: from n/a through <= 2.4.6.

  • CVE-2022-46838 | Critical | Dec 13, 2024
    risk 0.59 | cvss 9.1 | epss 0.01

    Missing Authorization vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1.

  • CVE-2024-53810 | Critical | Dec 6, 2024
    risk 0.59 | cvss 9.1 | epss 0.00

    Missing Authorization vulnerability in N-Media Simple User Registration wp-registration allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Simple User Registration: from n/a through <= 5.5.

  • CVE-2024-4352 | High | May 16, 2024
    risk 0.59 | cvss 8.8 | epss 0.01

    The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'get_calendar_materials' function. The plugin is also vulnerable to SQL Injection via the ‘year’ parameter of that…

  • CVE-2024-32948 | Critical | Apr 24, 2024
    risk 0.59 | cvss 9.1 | epss 0.01

    Missing Authorization vulnerability in Repute Infosystems ARMember. This issue affects ARMember: from n/a through 4.0.28.

  • CVE-2023-44208 | Critical | Oct 4, 2023
    risk 0.59 | cvss 9.1 | epss 0.00

    Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40713, Acronis True Image OEM (Windows) before build 42575.