CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,570 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 101 of 172
- CVE-2025-1644MEDIUMCVSS 4.3EG 4.32025-02-25
A vulnerability classified as problematic has been found in Benner ModernaNet up to 1.2.0. Affected is an unknown function of the file /DadosPessoais/SG_Gravar. The manipulation of the argument idItAg leads to cross-site request forgery. I…
- CVE-2025-1657HIGHCVSS 8.8EG 8.82025-03-15
The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up …
- CVE-2025-1666MEDIUMCVSS 4.3EG 4.32025-03-06
The Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_uninstall_survey() function in all versions up t…
- CVE-2025-1667HIGHCVSS 8.8EG 8.82025-03-15
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it po…
- CVE-2025-1668MEDIUMCVSS 4.3EG 4.32025-03-15
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpsp_DeleteUser() function in all versions up to, and including, 2.2.16. This makes it po…
- CVE-2025-1681MEDIUMCVSS 5.4EG 5.42025-02-28
The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and includ…
- CVE-2025-1682HIGHCVSS 8.8EG 8.82025-02-28
The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'save_settings' function. This makes it possible for authenticated attackers, with subsc…
- CVE-2025-1745MEDIUMCVSS 4.3EG 4.32025-02-27
A vulnerability has been found in LinZhaoguan pb-cms 2.0 and classified as problematic. This vulnerability affects unknown code of the component Logout. The manipulation leads to cross-site request forgery. The attack can be initiated remo…
- CVE-2025-1766MEDIUMCVSS 5.3EG 5.32025-03-20
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and …
- CVE-2025-1777MEDIUMCVSS 6.4EG 6.42025-06-06
The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the 'ux_cb_page_options_save' function in all versions up to, and including, 3.16.2.1. This makes it possible f…
- CVE-2025-1778MEDIUMCVSS 4.3EG 4.32025-06-06
The Art Theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'arttheme_theme_option_restore' AJAX function in all versions up to, and including, 3.12.2.3. This makes it possible for authenticate…
- CVE-2025-1780MEDIUMCVSS 4.3EG 4.32025-03-01
The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wc4bp_delete_page() function in all versions up to, and i…
- CVE-2025-1813MEDIUMCVSS 4.3EG 4.32025-03-02
A vulnerability classified as problematic was found in zj1983 zz up to 2024-08. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The expl…
- CVE-2025-1891MEDIUMCVSS 4.3EG 4.32025-03-04
A vulnerability was found in shishuocms 1.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclos…
- CVE-2025-20125CRITICALCVSS 9.1EG 9.12025-02-05
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack…
- CVE-2025-20164HIGHCVSS 8.3EG 8.32025-05-07
A vulnerability in the Cisco Industrial Ethernet Switch Device Manager (DM) of Cisco IOS Software could allow an authenticated, remote attacker to elevate privileges. This vulnerability is due to insufficient validation of authorization…
- CVE-2025-2025MEDIUMCVSS 6.5EG 6.52025-03-15
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.…
- CVE-2025-20301MEDIUMCVSS 6.5EG 6.52025-08-14
A vulnerability in the web-based management interface of Cisco Secure FMC Software could allow an authenticated, low-privileged, remote attacker to access troubleshoot files for a different domain. This vulnerability is due to missing a…
- CVE-2025-20302MEDIUMCVSS 4.3EG 4.32025-08-14
A vulnerability in the web-based management interface of Cisco Secure FMC Software could allow an authenticated, low-privileged, remote attacker to retrieve a generated report from a different domain. This vulnerability is due to missin…
- CVE-2025-20362MEDIUMCVSS 6.5EG 9.0⚠ KEV2025-09-25
Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and CVE-2025-20362. This attack can cause u…
- CVE-2025-2042MEDIUMCVSS 4.3EG 4.32025-03-06
A vulnerability has been found in huang-yk student-manage 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit h…
- CVE-2025-2075HIGHCVSS 8.8EG 8.82025-04-04
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to add_role() and user_role() functio…
- CVE-2025-2103HIGHCVSS 8.8EG 8.82025-03-14
The SoundRise Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on theironMusic_ajax() function in all versions up to, and including, 1.6.1…
- CVE-2025-2104MEDIUMCVSS 4.3EG 4.32025-03-13
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including,…
- CVE-2025-2110HIGHCVSS 8.8EG 8.82025-03-26
The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its on its AJAX functions in all versions up to, and…
- CVE-2025-21396HIGHCVSS 8.2EG 7.52025-01-29
Missing authorization in Microsoft Account allows an unauthorized attacker to elevate privileges over a network.
- CVE-2025-21416HIGHCVSS 8.5EG 8.52025-04-30
Missing authorization in Azure Virtual Desktop allows an authorized attacker to elevate privileges over a network.
- CVE-2025-21498MEDIUMCVSS 5.3EG 5.32025-01-21
Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via…
- CVE-2025-21514MEDIUMCVSS 5.3EG 5.32025-01-21
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker wit…
- CVE-2025-21527MEDIUMCVSS 6.1EG 6.12025-01-21
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Design Tools SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker wi…
- CVE-2025-22178MEDIUMCVSS 4.3EG 4.32025-10-22
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view items on the "Why" page.
- CVE-2025-2224MEDIUMCVSS 5.3EG 5.32025-03-25
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all v…
- CVE-2025-22260MEDIUMCVSS 4.3EG 4.32025-02-03
Missing Authorization vulnerability in Marcus (aka @msykes) Meta Tag Manager meta-tag-manager.This issue affects Meta Tag Manager: from n/a through <= 3.1.
- CVE-2025-22265MEDIUMCVSS 6.5EG 6.52025-01-31
Missing Authorization vulnerability in mgplugin EMI Calculator emi-calculator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EMI Calculator: from n/a through <= 1.1.
- CVE-2025-22280HIGHCVSS 7.6EG 7.62025-02-27
Missing Authorization vulnerability in revmakx DefendWP Firewall defend-wp-firewall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DefendWP Firewall: from n/a through <= 1.1.0.
- CVE-2025-22285MEDIUMCVSS 6.5EG 6.52025-04-04
Missing Authorization vulnerability in enituretechnology Pallet Packaging for WooCommerce pallet-packaging-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pallet Packaging for WooC…
- CVE-2025-22287MEDIUMCVSS 5.4EG 5.42025-05-19
Missing Authorization vulnerability in enituretechnology LTL Freight Quotes – FreightQuote Edition ltl-freight-quotes-freightquote-edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LTL Fre…
- CVE-2025-22289MEDIUMCVSS 6.5EG 6.52025-02-16
Missing Authorization vulnerability in enituretechnology LTL Freight Quotes – Unishippers Edition ltl-freight-quotes-unishippers-edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LTL Freig…
- CVE-2025-22291MEDIUMCVSS 5.3EG 5.32025-02-16
Missing Authorization vulnerability in enituretechnology LTL Freight Quotes – Worldwide Express Edition ltl-freight-quotes-worldwide-express-edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affec…
- CVE-2025-22298MEDIUMCVSS 4.3EG 4.32025-01-07
Missing Authorization vulnerability in Hive Support Hive Support hive-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hive Support: from n/a through <= 1.1.6.
- CVE-2025-22299MEDIUMCVSS 4.3EG 4.32025-01-07
Missing Authorization vulnerability in Space Codes AI for SEO ai-for-seo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI for SEO: from n/a through <= 1.2.9.
- CVE-2025-22302MEDIUMCVSS 5.3EG 5.32025-01-07
Missing Authorization vulnerability in WP Grids WP Wand ai-content-generation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Wand: from n/a through <= 1.2.5.
- CVE-2025-22304MEDIUMCVSS 4.3EG 4.32025-01-07
Missing Authorization vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) wp-stats-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Visitor Statistics (Real Time Traffic…
- CVE-2025-22318HIGHCVSS 7.5EG 7.52025-01-21
Missing Authorization vulnerability in enituretechnology Standard Box Sizes – for WooCommerce standard-box-sizes.This issue affects Standard Box Sizes – for WooCommerce: from n/a through <= 1.6.13.
- CVE-2025-22319MEDIUMCVSS 4.3EG 4.32025-01-07
Missing Authorization vulnerability in DearHive Social Media Share Buttons | MashShare.This issue affects Social Media Share Buttons | MashShare: from n/a through 4.0.47.
- CVE-2025-22363MEDIUMCVSS 5.3EG 5.32025-01-07
Missing Authorization vulnerability in Hermann LAHAMI Allada T-shirt Designer for Woocommerce allada-tshirt-designer-for-woocommerce.This issue affects Allada T-shirt Designer for Woocommerce: from n/a through <= 1.1.
- CVE-2025-22385MEDIUMCVSS 5.9EG 5.92025-01-04
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This …
- CVE-2025-22414HIGHCVSS 7.8EG 7.82025-09-04
In FrpBypassAlertActivity of FrpBypassAlertActivity.java, there is a possible way to bypass FRP due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User intera…
- CVE-2025-22439HIGHCVSS 7.3EG 7.32025-09-02
In onLastAccessedStackLoaded of ActionHandler.java , there is a possible way to bypass storage restrictions across apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privil…
- CVE-2025-2246MEDIUMCVSS 5.8EG 5.82025-08-27
An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed unauthenticated users to access sensitive manual CI/CD variables by querying the GraphQL …
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →