VYPR

CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 95 of 278
  • CVE-2026-33708MedApr 10, 2026
    risk 0.35cvss 6.5epss 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no…

  • CVE-2026-33141MedApr 10, 2026
    risk 0.35cvss 6.5epss 0.00

    Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress,…

  • CVE-2026-35621MedApr 10, 2026
    risk 0.35cvss 6.5epss 0.00

    OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. Attackers can exploit chat.send to…

  • CVE-2026-35631MedApr 9, 2026
    risk 0.35cvss 6.5epss 0.00

    OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modifications. Attackers without admin privileges can execute mutating control-plane actions by directly invoking affected ACP commands to bypass…

  • CVE-2026-4124MedApr 9, 2026
    risk 0.35cvss 5.4epss 0.00

    The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but performs no capability checks via current_user_can(). Furthermore, the nonce…

  • CVE-2026-39614MedApr 8, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JW Player for WordPress: from n/a through <= 2.3.6.

  • CVE-2026-39607MedApr 8, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Filter Plus: from n/a through <= 1.1.17.

  • CVE-2026-39504MedApr 8, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.2.5.

  • CVE-2026-4065MedApr 7, 2026
    risk 0.35cvss 5.4epss 0.00

    The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The display_admin_ajax() method does not…

  • CVE-2026-34903MedApr 7, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ocean Extra: from n/a through 2.5.3.

  • CVE-2026-35175MedApr 6, 2026
    risk 0.35cvss 6.5epss 0.00

    Ajenti is a Linux and BSD modular server admin panel. Prior to 2.2.15, an authenticated user (using the auth_users plugin authentication method) could install a custom package even if this user is not superuser. This vulnerability is fixed in 2.2.15.

  • CVE-2026-3571MedApr 4, 2026
    risk 0.35cvss 6.5epss 0.00

    The Pie Register – User Registration, Profiles & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pie_main() function in all versions up to, and including, 3.8.4.8. This makes it possible for…

  • CVE-2026-34737MedMar 31, 2026
    risk 0.35cvss 6.5epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription…

  • CVE-2026-34395MedMar 31, 2026
    risk 0.35cvss 6.5epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not…

  • CVE-2026-33576MedMar 31, 2026
    risk 0.35cvss 6.5epss 0.00

    OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected.

  • CVE-2025-15445MedMar 28, 2026
    risk 0.35cvss 5.4epss 0.00

    The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL,…

  • CVE-2026-3098MedMar 27, 2026
    risk 0.35cvss 6.5epss 0.00

    The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of…

  • CVE-2026-33495MedMar 26, 2026
    risk 0.35cvss 6.5epss 0.00

    ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component…

  • CVE-2026-32562MedMar 25, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in WP Folio Team PPWP password-protect-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PPWP: from n/a through <= 1.9.15.

  • CVE-2026-1217MedMar 18, 2026
    risk 0.35cvss 5.4epss 0.00

    The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions in all versions up to, and including, 4.5. This makes it possible for…