VYPR

CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 80 of 278
  • CVE-2023-1843MedJun 9, 2023
    risk 0.42cvss 6.5epss 0.01

    The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability check on the permalink_setup function in versions up to, and including, 3.3.0. This makes it possible for unauthenticated…

  • CVE-2021-4379MedJun 7, 2023
    risk 0.42cvss 6.5epss 0.01

    The WooCommerce Multi Currency plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wmc_bulk_fixed_price function in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers, with subscriber-level…

  • CVE-2023-3125MedJun 7, 2023
    risk 0.42cvss 6.5epss 0.01

    The B2BKing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'b2bking_save_price_import' function in versions up to, and including, 4.6.00. This makes it possible for Authenticated attackers with subscriber or…

  • CVE-2021-4359MedJun 7, 2023
    risk 0.42cvss 6.5epss 0.01

    The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 18.2. This is due to lacking authentication protections and lacking a security nonce on the wpfm_delete_file AJAX action. This makes it…

  • CVE-2021-4345MedJun 7, 2023
    risk 0.42cvss 6.5epss 0.01

    The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability and nonce checks on the UlistingUserRole::save_role_api method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to remove or add roles,…

  • CVE-2020-36721MedJun 7, 2023
    risk 0.42cvss 6.5epss 0.01

    The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welco…

  • CVE-2019-25139MedJun 7, 2023
    risk 0.42cvss 6.5epss 0.01

    The Coming Soon Page & Maintenance Mode plugin for WordPress is vulnerable to unauthenticated settings reset in versions up to, and including 1.8.1 due to missing capability checks in the ~/functions/data-reset-post.php file which makes it possible for unauthenticated attackers…

  • CVE-2023-30532MedApr 12, 2023
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.

  • CVE-2023-30526MedApr 12, 2023
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication.

  • CVE-2023-1865MedApr 5, 2023
    risk 0.42cvss 6.5epss 0.01

    The YourChannel plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check when resetting plugin settings via the yrc_nuke GET parameter in versions up to, and including, 1.2.3. This makes it possible for unauthenticated attackers to…

  • CVE-2023-28672MedApr 2, 2023
    risk 0.42cvss 6.5epss 0.01

    Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through…

  • CVE-2023-28640MedMar 27, 2023
    risk 0.42cvss 6.4epss 0.00

    Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes…

  • CVE-2023-0619MedFeb 1, 2023
    risk 0.42cvss 6.5epss 0.01

    The Kraken.io Image Optimizer plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level permissions and…

  • CVE-2023-24459MedJan 26, 2023
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2023-24453MedJan 26, 2023
    risk 0.42cvss 6.5epss 0.01

    A missing check in Jenkins TestQuality Updater Plugin 1.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

  • CVE-2023-24448MedJan 26, 2023
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.

  • CVE-2023-24438MedJan 26, 2023
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing…

  • CVE-2023-24435MedJan 26, 2023
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials…

  • CVE-2023-24433MedJan 26, 2023
    risk 0.42cvss 6.5epss 0.01

    Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2022-4555MedDec 16, 2022
    risk 0.42cvss 6.5epss 0.01

    The WP Shamsi plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the deactivate() function hooked via init() in versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to deactivate arbitrary plugins…