CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,575 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 112 of 172
- CVE-2025-32542HIGHCVSS 8.8EG 8.82025-04-11
Missing Authorization vulnerability in EazyPlugins Eazy Plugin Manager plugins-on-steroids allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eazy Plugin Manager: from n/a through <= 4.3.0.
- CVE-2025-32544HIGHCVSS 7.5EG 7.52025-04-17
Missing Authorization vulnerability in The Right Software WooCommerce Loyal Customers woocommerce-loyal-customer allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WooCommerce Loyal Customers: from n/a throu…
- CVE-2025-3257MEDIUMCVSS 4.3EG 4.32025-04-04
A vulnerability classified as problematic has been found in xujiangfei admintwo 1.0. This affects an unknown part of the file /user/updateSet. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remo…
- CVE-2025-32593HIGHCVSS 8.2EG 8.22025-04-17
Missing Authorization vulnerability in Bytes Technolab Add Product Frontend for WooCommerce add-product-frontend-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Add Product Fronten…
- CVE-2025-32620HIGHCVSS 7.1EG 7.12025-04-17
Missing Authorization vulnerability in fromdoppler Doppler Forms doppler-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Doppler Forms: from n/a through <= 2.4.6.
- CVE-2025-32624HIGHCVSS 7.1EG 7.12025-04-09
Missing Authorization vulnerability in czater Czater.pl – live chat i telefon czater allows Cross Site Request Forgery.This issue affects Czater.pl – live chat i telefon: from n/a through <= 1.0.5.
- CVE-2025-32684MEDIUMCVSS 5.0EG 5.02025-04-09
Missing Authorization vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MapSVG: from n/a through <= 8.6.4.
- CVE-2025-32688MEDIUMCVSS 5.4EG 5.42025-09-09
Missing Authorization vulnerability in Nebojsa Target Video Easy Publish brid-video-easy-publish.This issue affects Target Video Easy Publish: from n/a through <= 3.8.9.
- CVE-2025-32781MEDIUMCVSS 6.5EG 6.52026-07-13
Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.0, Apollo Portal does not verify application and namespace permissions when an authenticated user requests a re…
- CVE-2025-32929HIGHCVSS 7.5EG 7.52025-04-15
Missing Authorization vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Generator for WooCommerce embedding-barcodes-into-product-pages-and-orders allows Exploiting Incorrectly Configured Access Control Security Levels.This issue …
- CVE-2025-32973CRITICALCVSS 9.0EG 9.02025-04-30
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was…
- CVE-2025-33182HIGHCVSS 7.6EG 7.62025-10-14
NVIDIA Jetson Linux contains a vulnerability in UEFI, where improper authentication may allow a privileged user to cause corruption of the Linux Device Tree. A successful exploitation of this vulnerability might lead to data tampering, den…
- CVE-2025-33185MEDIUMCVSS 5.3EG 5.32025-11-11
NVIDIA AIStore contains a vulnerability in AuthN where an unauthenticated user may cause information disclosure. A successful exploit of this vulnerability may lead to information disclosure.
- CVE-2025-3417HIGHCVSS 8.8EG 8.82025-04-10
The Embedder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_set_global_option() function in versions 1.3 to 1.3.5. This makes it p…
- CVE-2025-34171MEDIUMCVSS 5.3EG 5.32026-01-02
CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user…
- CVE-2025-3437MEDIUMCVSS 4.3EG 4.32025-04-08
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, a…
- CVE-2025-3452MEDIUMCVSS 4.3EG 4.32025-04-29
The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and incl…
- CVE-2025-3527MEDIUMCVSS 6.4EG 6.42025-05-17
The EventON Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'assets/lib/settings/settings.js' file in all versions up to, and including, 4.9.6. This makes it possible for…
- CVE-2025-3557MEDIUMCVSS 4.3EG 4.32025-04-14
A vulnerability, which was classified as problematic, has been found in ScriptAndTools eCommerce-website-in-PHP 3.0. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may…
- CVE-2025-3561MEDIUMCVSS 4.3EG 4.32025-04-14
A vulnerability was found in ghostxbh uzy-ssm-mall 1.0.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The explo…
- CVE-2025-3604CRITICALCVSS 9.8EG 9.82025-04-24
The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their deta…
- CVE-2025-36192MEDIUMCVSS 6.7EG 6.72025-12-26
IBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.010.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt b…
- CVE-2025-3624MEDIUMCVSS 4.3EG 4.32025-05-16
Missing Authorization vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component).This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.4-00.
- CVE-2025-36361MEDIUMCVSS 6.3EG 6.32025-10-24
IBM App Connect Enterprise 13.0.1.0 through 13.0.4.2, and 12.0.1.0 through 12.0.12.17 could allow an authenticated user to perform unauthorized actions on customer defined resources due to missing authorization.
- CVE-2025-36367HIGHCVSS 8.8EG 8.82025-11-01
IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 is vulnerable to privilege escalation caused by an invalid IBM i SQL services authorization check. A malicious actor can use the elevated privileges of another user profile to gain root access to the host …
- CVE-2025-36756MEDIUMCVSS 5.8EG 5.82025-09-10
A problem with missing authorization on SolaX Cloud platform allows taking over any SolaX solarpanel inverter of which the serial number is known.
- CVE-2025-3687MEDIUMCVSS 4.3EG 4.32025-04-16
A vulnerability, which was classified as problematic, has been found in misstt123 oasys 1.0. Affected by this issue is some unknown functionality of the component Sticky Notes Handler. The manipulation leads to cross-site request forgery. …
- CVE-2025-3701MEDIUMCVSS 4.3EG 4.32025-09-03
Missing Authorization vulnerability in Malcure Web Security Malcure Malware Scanner wp-malware-removal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Malcure Malware Scanner: from n/a through <= …
- CVE-2025-3702MEDIUMCVSS 5.4EG 5.42025-07-03
Missing Authorization vulnerability in Melapress Melapress File Monitor website-file-changes-monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Melapress File Monitor: from n/a through < 2.2.…
- CVE-2025-37087CRITICALCVSS 9.8EG 9.82025-04-22
A vulnerability in the cmdb service of the HPE Performance Cluster Manager (HPCM) could allow an attacker to gain access to an arbitrary file on the server host.
- CVE-2025-3746CRITICALCVSS 9.8EG 9.82025-05-02
The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details,…
- CVE-2025-3766MEDIUMCVSS 5.4EG 5.42025-05-07
The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenti…
- CVE-2025-3780MEDIUMCVSS 6.5EG 6.52025-07-09
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup func…
- CVE-2025-3808MEDIUMCVSS 4.3EG 4.32025-04-19
A vulnerability has been found in zhenfeng13 My-BBS 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has bee…
- CVE-2025-3843MEDIUMCVSS 4.3EG 4.32025-04-21
A vulnerability was found in panhainan DS-Java 1.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has…
- CVE-2025-3863MEDIUMCVSS 4.3EG 4.32025-06-26
The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it po…
- CVE-2025-3871MEDIUMCVSS 5.3EG 5.32025-07-16
Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has no…
- CVE-2025-3876HIGHCVSS 8.8EG 8.82025-05-10
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insufficient user OTP validation in the handleWpLoginCreateUserAction() function in all versions up to, and including, 3.8.…
- CVE-2025-3906HIGHCVSS 8.8EG 8.82025-04-26
The Integração entre Eduzz e Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wep_opcoes' function in all versions up to, and including, 1.7.5. This makes it po…
- CVE-2025-3912MEDIUMCVSS 5.3EG 5.32025-04-25
The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in all versions up to, and including, 1.10…
- CVE-2025-3915MEDIUMCVSS 4.3EG 4.32025-04-26
The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function in all versions up to, and including, 3.2.0. This makes it possible for a…
- CVE-2025-3927CRITICALCVSS 9.8EG 9.82025-05-02
Digigram's PYKO-OUT audio-over-IP (AoIP) web-server does not require a password by default, allowing any attacker with the target IP address to connect and compromise the device, potentially pivoting to connected network or hardware device…
- CVE-2025-39350HIGHCVSS 8.2EG 8.22025-05-19
Missing Authorization vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0.
- CVE-2025-39352HIGHCVSS 8.2EG 8.22025-05-19
Missing Authorization vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Grand Restaurant: from n/a through <= 7.0.
- CVE-2025-39353MEDIUMCVSS 5.3EG 5.32025-05-19
Missing Authorization vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Grand Restaurant: from n/a through <= 7.0.
- CVE-2025-39362MEDIUMCVSS 6.5EG 6.52025-07-02
Missing Authorization vulnerability in Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce.This issue affects Mollie Payments for WooCommerce: from n/a through <= 8.0.2.
- CVE-2025-39367MEDIUMCVSS 5.3EG 5.32025-04-28
Missing Authorization vulnerability in SeventhQueen Kleo kleo.This issue affects Kleo: from n/a through < 5.4.4.
- CVE-2025-39368MEDIUMCVSS 5.3EG 5.32025-05-19
Missing Authorization vulnerability in ed4becky Rootspersona rootspersona allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rootspersona: from n/a through <= 3.7.5.
- CVE-2025-39373MEDIUMCVSS 5.3EG 5.32025-05-19
Missing Authorization vulnerability in jegtheme JNews jnews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JNews: from n/a through <= 11.6.16.
- CVE-2025-39376MEDIUMCVSS 4.3EG 4.32025-05-19
Missing Authorization vulnerability in QuanticaLabs Car Park Booking System for WordPress car-park-booking-system-for-wordpress.This issue affects Car Park Booking System for WordPress: from n/a through <= 2.6.
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →