CWE-285— Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
1,351 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-285page 17 of 28
- CVE-2025-12360MEDIUMCVSS 4.3EG 4.32025-11-06
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it …
- CVE-2025-12367MEDIUMCVSS 4.3EG 4.32025-11-01
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.3.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes…
- CVE-2025-12435MEDIUMCVSS 5.4EG 5.42025-11-10
Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2025-12494MEDIUMCVSS 4.3EG 4.32025-11-15
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This ma…
- CVE-2025-12505MEDIUMCVSS 5.4EG 5.42025-12-06
The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissio…
- CVE-2025-12623LOWCVSS 3.1EG 3.12025-11-03
A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Affected by this issue is some unknown functionality of the file fuint-application/src/main/java/com/fuint/module/clientApi/controller/Clie…
- CVE-2025-12720MEDIUMCVSS 5.3EG 5.32025-12-06
The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle_enqueue_only() function in all versions up to, and including, 1.7.1. This makes it po…
- CVE-2025-12777MEDIUMCVSS 5.3EG 5.32025-11-19
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the RES…
- CVE-2025-12814MEDIUMCVSS 5.3EG 5.32025-11-19
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to unauthorized modification of data due to n incorrect capability check on the siteseo_reset_settings function in all versions up to, and including, 1.3.2. This makes it po…
- CVE-2025-12854LOWCVSS 3.7EG 3.72025-11-07
A vulnerability was identified in newbee-mall-plus up to 2.4.1. This vulnerability affects the function executeSeckill of the file /seckillExecution/. The manipulation of the argument userid leads to authorization bypass. It is possible to…
- CVE-2025-12958LOWCVSS 2.7EG 2.72026-01-07
The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up to, and including, 2.0. This makes it p…
- CVE-2025-13085MEDIUMCVSS 4.3EG 4.32025-11-19
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the re…
- CVE-2025-13114MEDIUMCVSS 6.3EG 6.32025-11-13
A vulnerability was identified in macrozheng mall-swarm up to 1.0.3. This affects the function updateAttr of the file /cart/update/attr. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploi…
- CVE-2025-13115MEDIUMCVSS 4.3EG 4.32025-11-13
A security flaw has been discovered in macrozheng mall-swarm and mall up to 1.0.3. This impacts the function detail of the file /order/detail/ of the component Order Details Handler. Performing manipulation of the argument orderId results …
- CVE-2025-13116MEDIUMCVSS 5.4EG 5.42025-11-13
A weakness has been identified in macrozheng mall-swarm and mall up to 1.0.3. Affected is the function cancelUserOrder of the file /order/cancelUserOrder. Executing manipulation of the argument orderId can lead to improper authorization. I…
- CVE-2025-13117MEDIUMCVSS 5.4EG 5.42025-11-13
A security vulnerability has been detected in macrozheng mall-swarm and mall up to 1.0.3. Affected by this vulnerability is the function cancelOrder of the file /order/cancelOrder. The manipulation of the argument orderId leads to improper…
- CVE-2025-13118MEDIUMCVSS 6.3EG 6.32025-11-13
A vulnerability was detected in macrozheng mall-swarm up to 1.0.3. Affected by this issue is the function paySuccess of the file /order/paySuccess. The manipulation of the argument orderID results in improper authorization. The attack can …
- CVE-2025-13576MEDIUMCVSS 6.3EG 6.32025-11-24
A vulnerability was detected in code-projects Blog Site 1.0. The affected element is an unknown function of the file /admin.php. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The…
- CVE-2025-1361HIGHCVSS 7.5EG 7.52025-02-22
The IP2Location Country Blocker plugin for WordPress is vulnerable to Regular Information Exposure in all versions up to, and including, 2.38.8 due to missing capability checks on the admin_init() function. This makes it possible for unaut…
- CVE-2025-13806HIGHCVSS 7.3EG 7.32025-12-01
A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModu…
- CVE-2025-13807MEDIUMCVSS 4.3EG 4.32025-12-01
A vulnerability was detected in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected is the function MachineKeyController of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineKeyCon…
- CVE-2025-13808HIGHCVSS 7.3EG 7.32025-12-01
A flaw has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this vulnerability is the function update of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/UserControll…
- CVE-2025-14016MEDIUMCVSS 5.4EG 5.42025-12-04
A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to improper authorization. The attack can …
- CVE-2025-14088MEDIUMCVSS 6.3EG 6.32025-12-05
A vulnerability was determined in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is an unknown functionality of the file /je/load. This manipulation of the argument Authorization causes improper authorization. The attack is possib…
- CVE-2025-14089MEDIUMCVSS 6.3EG 6.32025-12-05
A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function update_account of the file /api/admin/update_account/ of the component AdminActionViewSet. Such manipulation leads to improper authorization. Th…
- CVE-2025-14206MEDIUMCVSS 6.5EG 6.52025-12-08
A vulnerability was determined in SourceCodester Online Student Clearance System 1.0. The affected element is an unknown function of the file /Admin/delete-fee.php of the component Fee Table Handler. Executing manipulation of the argument …
- CVE-2025-14348MEDIUMCVSS 5.3EG 5.32026-01-20
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's …
- CVE-2025-14546MEDIUMCVSS 6.3EG 6.32025-12-19
Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for…
- CVE-2025-14889MEDIUMCVSS 5.4EG 5.42025-12-18
A security flaw has been discovered in Campcodes Advanced Voting Management System 1.0. The impacted element is an unknown function of the file /admin/voters_edit.php of the component Password Handler. Performing a manipulation of the argu…
- CVE-2025-15085MEDIUMCVSS 4.3EG 4.32025-12-25
A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balanc…
- CVE-2025-15087MEDIUMCVSS 4.3EG 4.32025-12-25
A security vulnerability has been detected in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function submitOrderPayment of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java. Such manipul…
- CVE-2025-15106MEDIUMCVSS 6.3EG 6.32025-12-27
A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper auth…
- CVE-2025-15118MEDIUMCVSS 4.3EG 4.32025-12-28
A security vulnerability has been detected in macrozheng mall up to 1.0.3. This vulnerability affects unknown code of the file /member/address/update/ of the component Member Endpoint. The manipulation leads to improper authorization. Remo…
- CVE-2025-15119LOWCVSS 3.1EG 3.12025-12-28
A vulnerability was detected in JeecgBoot up to 3.9.0. This issue affects the function queryPageList of the file /sys/sysDepartRole/list. The manipulation of the argument deptId results in improper authorization. The attack can be executed…
- CVE-2025-15120LOWCVSS 3.1EG 3.12025-12-28
A flaw has been found in JeecgBoot up to 3.9.0. Impacted is the function getDeptRoleList of the file /sys/sysDepartRole/getDeptRoleList. This manipulation of the argument departId causes improper authorization. The attack is possible to be…
- CVE-2025-15122LOWCVSS 3.1EG 3.12025-12-28
A vulnerability was found in JeecgBoot up to 3.9.0. The impacted element is the function loadDatarule of the file /sys/sysDepartRole/datarule/. Performing manipulation of the argument departId/roleId results in improper authorization. It i…
- CVE-2025-15123LOWCVSS 3.1EG 3.12025-12-28
A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Executing manipulation can lead to improper authorization. It is possible to launch the attack remote…
- CVE-2025-15124LOWCVSS 3.1EG 3.12025-12-28
A vulnerability was identified in JeecgBoot up to 3.9.0. This impacts the function getParameterMap of the file /sys/sysDepartPermission/list. The manipulation of the argument departId leads to improper authorization. The attack can be init…
- CVE-2025-15125LOWCVSS 3.1EG 3.12025-12-28
A security flaw has been discovered in JeecgBoot up to 3.9.0. Affected is the function queryDepartPermission of the file /sys/permission/queryDepartPermission. The manipulation of the argument departId results in improper authorization. Th…
- CVE-2025-15126LOWCVSS 3.1EG 3.12025-12-28
A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. This manipulation of the argument positionId causes improper authori…
- CVE-2025-15213MEDIUMCVSS 4.3EG 4.32025-12-30
A vulnerability has been found in code-projects Student File Management System 1.0. The affected element is an unknown function of the file /download.php of the component File Download Handler. The manipulation of the argument store_id lea…
- CVE-2025-15582MEDIUMCVSS 5.4EG 5.42026-02-20
A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. Performing a manipulation of the argument ID results in authorization bypas…
- CVE-2025-1607MEDIUMCVSS 4.3EG 4.32025-02-24
A vulnerability, which was classified as problematic, has been found in SourceCodester Best Employee Management System 1.0. This issue affects some unknown processing of the file /admin/salary_slip.php. The manipulation of the argument id …
- CVE-2025-1806MEDIUMCVSS 4.3EG 4.32025-03-02
A vulnerability, which was classified as problematic, has been found in Eastnets PaymentSafe 2.5.26.0. Affected by this issue is some unknown functionality of the file /Default.aspx of the component URL Handler. The manipulation leads to i…
- CVE-2025-1815HIGHCVSS 7.3EG 7.32025-03-02
A vulnerability, which was classified as critical, was found in pbrong hrms up to 1.0.1. This affects the function HrmsDB of the file \resource\resource.go. The manipulation of the argument user_cookie leads to improper authorization. It i…
- CVE-2025-1847MEDIUMCVSS 6.3EG 6.32025-03-03
A vulnerability was found in zj1983 zz up to 2024-8. It has been rated as critical. This issue affects some unknown processing. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been di…
- CVE-2025-20125CRITICALCVSS 9.1EG 9.12025-02-05
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack…
- CVE-2025-20264MEDIUMCVSS 6.4EG 6.42025-06-25
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific administrative functions. This vulnerability…
- CVE-2025-2114LOWCVSS 3.7EG 3.72025-03-09
A vulnerability, which was classified as problematic, has been found in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 7. This issue affects some unknown processing of the file /WebPages/Adm/OperatorStop.asp of the…
- CVE-2025-21275HIGHCVSS 7.8EG 7.82025-01-14
Windows App Package Installer Elevation of Privilege Vulnerability
Map vulnerabilities like CWE-285 to your infrastructure
EchelonGraph correlates every CVE — across CWE-285 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →