CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Parents

CWE-285

Children

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (4,588)

page 84 of 230

CVE	Vendor / Product	Sev	Risk	CVSS	Published	Description
CVE-2025-62925	WordPress Enhanced E Commerce For Woocommerce Store	Med	0.35	5.4	Oct 27, 2025	Missing Authorization vulnerability in Conversios Conversios.io enhanced-e-commerce-for-woocommerce-store allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Conversios.io: from n/a through <= 7.2.13.
CVE-2025-62919	WordPress Ts Demo Importer	Med	0.35	5.4	Oct 27, 2025	Missing Authorization vulnerability in themeshopy TS Demo Importer ts-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TS Demo Importer: from n/a through <= 0.1.3.
CVE-2025-62918	WordPress Ignitiondeck	Med	0.35	5.4	Oct 27, 2025	Missing Authorization vulnerability in ignitionwp IgnitionDeck ignitiondeck allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IgnitionDeck: from n/a through <= 2.0.15.
CVE-2025-62916	WordPress Adiaha Hotel	Med	0.35	5.4	Oct 27, 2025	Missing Authorization vulnerability in Travon WP Flights & Hotels Booking WP Plugin adiaha-hotel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flights & Hotels Booking WP Plugin: from n/a through <= 3.1.
CVE-2025-10749	Microsoft Windows Azure Sdk	Med	0.35	5.4	Oct 24, 2025	The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to missing capability checks on the 'azure-storage-media-replace' AJAX action. This makes it possible for authenticated attackers with subscriber-level access and above to delete arbitrary media files from the WordPress Media Library via the replace_attachment parameter granted they can access the nonce which is exposed to all authenticated users.
CVE-2025-62048	WordPress Smartcrawl Seo	Med	0.35	5.4	Oct 22, 2025	Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform SmartCrawl smartcrawl-seo.This issue affects SmartCrawl: from n/a through <= 3.14.3.
CVE-2025-62027	WordPress Event Tickets	Med	0.35	5.4	Oct 22, 2025	Missing Authorization vulnerability in StellarWP Event Tickets event-tickets.This issue affects Event Tickets: from n/a through <= 5.26.3.
CVE-2025-62006	Veronalabs Wp Sms	Med	0.35	5.4	Oct 22, 2025	Missing Authorization vulnerability in VeronaLabs WP SMS wp-sms.This issue affects WP SMS: from n/a through <= 7.0.1.
CVE-2025-49949	WordPress Templazee	Med	0.35	5.4	Oct 22, 2025	Missing Authorization vulnerability in templazee Templazee templazee allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Templazee: from n/a through <= 1.0.2.
CVE-2025-49920	WordPress Accessibe	Med	0.35	5.4	Oct 22, 2025	Missing Authorization vulnerability in accessiBe Web Accessibility By accessiBe accessibe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Web Accessibility By accessiBe: from n/a through <= 2.10.
CVE-2025-11372	Learnpress Learnpress	Med	0.35	6.5	Oct 18, 2025	The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to modification of data in all versions up to, and including, 4.2.9.2. This is due to missing capability checks on the Admin Tools REST endpoints which are registered with permission_callback set to __return_true. This makes it possible for unauthenticated attackers to perform destructive database operations including dropping indexes on any table (including WordPress core tables like wp_options), creating duplicate configuration entries, and degrading site performance via the /wp-json/lp/v1/admin/tools/create-indexs endpoint granted they can provide table names.
CVE-2025-60127	Artistscope Copysafe Web Protection	Med	0.35	5.4	Sep 26, 2025	Missing Authorization vulnerability in ArtistScope CopySafe Web Protection wp-copysafe-web allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CopySafe Web Protection: from n/a through <= 5.1.
CVE-2025-60116	Themegoods Grand Conference	Med	0.35	5.4	Sep 26, 2025	Missing Authorization vulnerability in ThemeGoods Grand Conference Theme Custom Post Type grandconference-custom-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Grand Conference Theme Custom Post Type: from n/a through < 2.6.4.
CVE-2025-60103	Cridio Listingpro	Med	0.35	5.4	Sep 26, 2025	Missing Authorization vulnerability in CridioStudio ListingPro listingpro-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro: from n/a through <= 2.9.8.
CVE-2025-60097	CodexThemes Thegem	Med	0.35	5.4	Sep 26, 2025	Missing Authorization vulnerability in CodexThemes TheGem thegem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TheGem: from n/a through <= 5.10.5.
CVE-2025-60096	WordPress Thegem Elements Elementor	Med	0.35	5.4	Sep 26, 2025	Missing Authorization vulnerability in CodexThemes TheGem (Elementor) thegem-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TheGem (Elementor): from n/a through <= 5.10.5.
CVE-2025-58672	WordPress Wp User Frontend	Med	0.35	5.4	Sep 22, 2025	Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.1.12.
CVE-2025-58667	Cridio Listingpro	Med	0.35	5.4	Sep 22, 2025	Missing Authorization vulnerability in CridioStudio ListingPro Reviews listingpro-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro Reviews: from n/a through < 2.9.11.
CVE-2025-58660	WordPress Oshine Core	Med	0.35	5.4	Sep 22, 2025	Missing Authorization vulnerability in brandexponents Oshine Core oshine-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Oshine Core: from n/a through <= 1.5.5.
CVE-2025-58650	WordPress All In One Seo Pack	Med	0.35	5.4	Sep 22, 2025	Missing Authorization vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects All In One SEO Pack: from n/a through <= 4.8.7.1.

CVE-2025-62925MedOct 27, 2025
WordPress
Enhanced E Commerce For Woocommerce Store
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in Conversios Conversios.io enhanced-e-commerce-for-woocommerce-store allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Conversios.io: from n/a through <= 7.2.13.
CVE-2025-62919MedOct 27, 2025
WordPress
Ts Demo Importer
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in themeshopy TS Demo Importer ts-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TS Demo Importer: from n/a through <= 0.1.3.
CVE-2025-62918MedOct 27, 2025
WordPress
Ignitiondeck
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in ignitionwp IgnitionDeck ignitiondeck allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IgnitionDeck: from n/a through <= 2.0.15.
CVE-2025-62916MedOct 27, 2025
WordPress
Adiaha Hotel
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in Travon WP Flights & Hotels Booking WP Plugin adiaha-hotel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flights & Hotels Booking WP Plugin: from n/a through <= 3.1.
CVE-2025-10749MedOct 24, 2025
Microsoft
Windows Azure Sdk
risk 0.35cvss 5.4epss 0.00
The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to missing capability checks on the 'azure-storage-media-replace' AJAX action. This makes it possible for authenticated attackers with subscriber-level access and above to delete arbitrary media files from the WordPress Media Library via the replace_attachment parameter granted they can access the nonce which is exposed to all authenticated users.
CVE-2025-62048MedOct 22, 2025
WordPress
Smartcrawl Seo
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform SmartCrawl smartcrawl-seo.This issue affects SmartCrawl: from n/a through <= 3.14.3.
CVE-2025-62027MedOct 22, 2025
WordPress
Event Tickets
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in StellarWP Event Tickets event-tickets.This issue affects Event Tickets: from n/a through <= 5.26.3.
CVE-2025-62006MedOct 22, 2025
Veronalabs
Wp Sms
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in VeronaLabs WP SMS wp-sms.This issue affects WP SMS: from n/a through <= 7.0.1.
CVE-2025-49949MedOct 22, 2025
WordPress
Templazee
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in templazee Templazee templazee allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Templazee: from n/a through <= 1.0.2.
CVE-2025-49920MedOct 22, 2025
WordPress
Accessibe
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in accessiBe Web Accessibility By accessiBe accessibe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Web Accessibility By accessiBe: from n/a through <= 2.10.
CVE-2025-11372MedOct 18, 2025
Learnpress
Learnpress
risk 0.35cvss 6.5epss 0.00
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to modification of data in all versions up to, and including, 4.2.9.2. This is due to missing capability checks on the Admin Tools REST endpoints which are registered with permission_callback set to __return_true. This makes it possible for unauthenticated attackers to perform destructive database operations including dropping indexes on any table (including WordPress core tables like wp_options), creating duplicate configuration entries, and degrading site performance via the /wp-json/lp/v1/admin/tools/create-indexs endpoint granted they can provide table names.
CVE-2025-60127MedSep 26, 2025
Artistscope
Copysafe Web Protection
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in ArtistScope CopySafe Web Protection wp-copysafe-web allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CopySafe Web Protection: from n/a through <= 5.1.
CVE-2025-60116MedSep 26, 2025
Themegoods
Grand Conference
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in ThemeGoods Grand Conference Theme Custom Post Type grandconference-custom-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Grand Conference Theme Custom Post Type: from n/a through < 2.6.4.
CVE-2025-60103MedSep 26, 2025
Cridio
Listingpro
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in CridioStudio ListingPro listingpro-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro: from n/a through <= 2.9.8.
CVE-2025-60097MedSep 26, 2025
CodexThemes
Thegem
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in CodexThemes TheGem thegem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TheGem: from n/a through <= 5.10.5.
CVE-2025-60096MedSep 26, 2025
WordPress
Thegem Elements Elementor
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in CodexThemes TheGem (Elementor) thegem-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TheGem (Elementor): from n/a through <= 5.10.5.
CVE-2025-58672MedSep 22, 2025
WordPress
Wp User Frontend
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.1.12.
CVE-2025-58667MedSep 22, 2025
Cridio
Listingpro
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in CridioStudio ListingPro Reviews listingpro-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro Reviews: from n/a through < 2.9.11.
CVE-2025-58660MedSep 22, 2025
WordPress
Oshine Core
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in brandexponents Oshine Core oshine-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Oshine Core: from n/a through <= 1.5.5.
CVE-2025-58650MedSep 22, 2025
WordPress
All In One Seo Pack
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects All In One SEO Pack: from n/a through <= 4.8.7.1.