CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Parents

CWE-285

Children

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (4,593)

page 99 of 230

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2024-3235	WordPress Essential Grid	Med	0.35	5.3	0.01	Apr 10, 2024	The Essential Grid Gallery WordPress Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.1 via the on_front_ajax_action() function. This makes it possible for unauthenticated attackers to view private and password protected posts that may have private or sensitive information.
CVE-2024-1641	WordPress Accordions	Med	0.35	5.4	0.00	Apr 9, 2024	The Accordion plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'accordions_duplicate_post_as_draft' function in all versions up to, and including, 2.2.96. This makes it possible for authenticated attackers, with contributor access and above, to duplicate arbitrary posts, allowing access to the contents of password-protected posts.
CVE-2024-1587	Blazethemes Newsmatic	Med	0.35	5.3	0.01	Apr 9, 2024	The Newsmatic theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.0 via the 'newsmatic_filter_posts_load_tab_content'. This makes it possible for unauthenticated attackers to view draft posts and post content.
CVE-2024-31375	WordPress Wp2leads	Med	0.35	5.4	0.00	Apr 8, 2024	Missing Authorization vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads.This issue affects WP2LEADS: from n/a through <= 3.2.7.
CVE-2024-28004	Extendthemes Colibri Page Builder	Med	0.35	5.4	0.00	Mar 28, 2024	Missing Authorization vulnerability in ExtendThemes Colibri Page Builder.This issue affects Colibri Page Builder: from n/a through 1.0.248.
CVE-2024-28003	WordPress Megamenu	Med	0.35	5.4	0.00	Mar 28, 2024	Missing Authorization vulnerability in Megamenu Max Mega Menu.This issue affects Max Mega Menu: from n/a through 3.3.
CVE-2023-22699	Mainwp Mainwp Wordfence Extension	Med	0.35	5.4	0.00	Mar 25, 2024	Missing Authorization vulnerability in MainWP MainWP Wordfence Extension.This issue affects MainWP Wordfence Extension: from n/a through 4.0.7.
CVE-2022-45851	WordPress Googleanalytics	Med	0.35	5.4	0.00	Mar 25, 2024	Missing Authorization vulnerability in ShareThis ShareThis Dashboard for Google Analytics.This issue affects ShareThis Dashboard for Google Analytics: from n/a through 3.1.4.
CVE-2022-45356	Muffingroup Betheme	Med	0.35	5.4	0.00	Mar 25, 2024	Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1.
CVE-2022-45352	Muffingroup Betheme	Med	0.35	5.4	0.00	Mar 25, 2024	Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1.
CVE-2022-45351	Muffingroup Betheme	Med	0.35	5.4	0.00	Mar 25, 2024	Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1.
CVE-2023-37886	Inspirythemes Realhomes	Med	0.35	5.4	0.00	Mar 25, 2024	Missing Authorization vulnerability in InspiryThemes RealHomes.This issue affects RealHomes: from n/a through 4.0.2.
CVE-2024-1502	Themeum Tutor Lms	Med	0.35	5.4	0.00	Mar 21, 2024	The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tutor_delete_announcement() function in all versions up to, and including, 2.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.
CVE-2024-2538	Permalink Manager Lite Project Permalink Manager Lite	Med	0.35	5.4	0.00	Mar 20, 2024	The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.
CVE-2023-50898	Sirv Sirv	Med	0.35	5.4	0.00	Mar 15, 2024	Missing Authorization vulnerability in sirv.Com Sirv.This issue affects Sirv: from n/a through 7.1.2.
CVE-2024-0828	Hammadh Play.ht	Med	0.35	5.4	0.00	Mar 13, 2024	The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with subscriber access or higher, to delete, retrieve, or modify post metadata, retrieve posts contents of protected posts, modify conversion data and delete article audio.
CVE-2024-1125	Metagauss Eventprime	Med	0.35	5.4	0.00	Mar 9, 2024	The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the calendar_events_delete() function in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.
CVE-2024-1095	Themeperch Build \& Control Block Pattern	Med	0.35	5.3	0.01	Mar 5, 2024	The Build & Control Block Patterns – Boost up Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the settings_export() function in all versions up to, and including, 1.3.5.4. This makes it possible for unauthenticated attackers to export the plugin's settings.
CVE-2024-27950	Sirv Sirv	Med	0.35	5.4	0.00	Mar 1, 2024	Missing Authorization vulnerability in Sirv CDN and Image Hosting Sirv sirv.This issue affects Sirv: from n/a through <= 7.2.0.
CVE-2023-47874	Perfmatters Perfmatters	Med	0.35	5.4	0.00	Feb 29, 2024	Missing Authorization vulnerability in Perfmatters.This issue affects Perfmatters: from n/a through 2.1.6.

CVE-2024-3235MedApr 10, 2024
WordPress
Essential Grid
risk 0.35cvss 5.3epss 0.01
The Essential Grid Gallery WordPress Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.1 via the on_front_ajax_action() function. This makes it possible for unauthenticated attackers to view private and password protected posts that may have private or sensitive information.
CVE-2024-1641MedApr 9, 2024
WordPress
Accordions
risk 0.35cvss 5.4epss 0.00
The Accordion plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'accordions_duplicate_post_as_draft' function in all versions up to, and including, 2.2.96. This makes it possible for authenticated attackers, with contributor access and above, to duplicate arbitrary posts, allowing access to the contents of password-protected posts.
CVE-2024-1587MedApr 9, 2024
Blazethemes
Newsmatic
risk 0.35cvss 5.3epss 0.01
The Newsmatic theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.0 via the 'newsmatic_filter_posts_load_tab_content'. This makes it possible for unauthenticated attackers to view draft posts and post content.
CVE-2024-31375MedApr 8, 2024
WordPress
Wp2leads
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads.This issue affects WP2LEADS: from n/a through <= 3.2.7.
CVE-2024-28004MedMar 28, 2024
Extendthemes
Colibri Page Builder
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in ExtendThemes Colibri Page Builder.This issue affects Colibri Page Builder: from n/a through 1.0.248.
CVE-2024-28003MedMar 28, 2024
WordPress
Megamenu
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in Megamenu Max Mega Menu.This issue affects Max Mega Menu: from n/a through 3.3.
CVE-2023-22699MedMar 25, 2024
Mainwp
Mainwp Wordfence Extension
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in MainWP MainWP Wordfence Extension.This issue affects MainWP Wordfence Extension: from n/a through 4.0.7.
CVE-2022-45851MedMar 25, 2024
WordPress
Googleanalytics
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in ShareThis ShareThis Dashboard for Google Analytics.This issue affects ShareThis Dashboard for Google Analytics: from n/a through 3.1.4.
CVE-2022-45356MedMar 25, 2024
Muffingroup
Betheme
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1.
CVE-2022-45352MedMar 25, 2024
Muffingroup
Betheme
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1.
CVE-2022-45351MedMar 25, 2024
Muffingroup
Betheme
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through 26.6.1.
CVE-2023-37886MedMar 25, 2024
Inspirythemes
Realhomes
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in InspiryThemes RealHomes.This issue affects RealHomes: from n/a through 4.0.2.
CVE-2024-1502MedMar 21, 2024
Themeum
Tutor Lms
risk 0.35cvss 5.4epss 0.00
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tutor_delete_announcement() function in all versions up to, and including, 2.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.
CVE-2024-2538MedMar 20, 2024
Permalink Manager Lite Project
Permalink Manager Lite
risk 0.35cvss 5.4epss 0.00
The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.
CVE-2023-50898MedMar 15, 2024
Sirv
Sirv
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in sirv.Com Sirv.This issue affects Sirv: from n/a through 7.1.2.
CVE-2024-0828MedMar 13, 2024
Hammadh
Play.ht
risk 0.35cvss 5.4epss 0.00
The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with subscriber access or higher, to delete, retrieve, or modify post metadata, retrieve posts contents of protected posts, modify conversion data and delete article audio.
CVE-2024-1125MedMar 9, 2024
Metagauss
Eventprime
risk 0.35cvss 5.4epss 0.00
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the calendar_events_delete() function in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.
CVE-2024-1095MedMar 5, 2024
Themeperch
Build \& Control Block Pattern
risk 0.35cvss 5.3epss 0.01
The Build & Control Block Patterns – Boost up Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the settings_export() function in all versions up to, and including, 1.3.5.4. This makes it possible for unauthenticated attackers to export the plugin's settings.
CVE-2024-27950MedMar 1, 2024
Sirv
Sirv
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in Sirv CDN and Image Hosting Sirv sirv.This issue affects Sirv: from n/a through <= 7.2.0.
CVE-2023-47874MedFeb 29, 2024
Perfmatters
Perfmatters
risk 0.35cvss 5.4epss 0.00
Missing Authorization vulnerability in Perfmatters.This issue affects Perfmatters: from n/a through 2.1.6.