CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,583 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 122 of 172
- CVE-2025-54378HIGHCVSS 8.3EG 8.32025-07-26
HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interactin…
- CVE-2025-54458MEDIUMCVSS 5.0EG 5.02025-08-11
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to create a subscription for a Confluence space the user does not have access to via the create subscription e…
- CVE-2025-54608MEDIUMCVSS 6.2EG 6.22025-08-06
Vulnerability that allows setting screen rotation direction without permission verification in the screen management module. Impact: Successful exploitation of this vulnerability may cause device screen orientation to be arbitrarily set.
- CVE-2025-54679HIGHCVSS 7.5EG 7.52025-08-14
Missing Authorization vulnerability in vertim Neon Channel Product Customizer Free neon-channel-product-customizer-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Neon Channel Product Customi…
- CVE-2025-54692HIGHCVSS 7.5EG 7.52025-08-14
Missing Authorization vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Membership For WooCommerce: from n/a through <= 2.9.0.
- CVE-2025-54695MEDIUMCVSS 5.4EG 5.42025-08-14
Missing Authorization vulnerability in DevItems HT Mega ht-mega-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HT Mega: from n/a through <= 2.9.0.
- CVE-2025-54705MEDIUMCVSS 4.3EG 4.32025-08-14
Missing Authorization vulnerability in magepeopleteam WpEvently mage-eventpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpEvently: from n/a through <= 4.4.6.
- CVE-2025-54710HIGHCVSS 7.1EG 7.12025-08-28
Missing Authorization vulnerability in bPlugins Tiktok Feed b-tiktok-feed allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Tiktok Feed: from n/a through <= 1.0.21.
- CVE-2025-54711HIGHCVSS 7.1EG 7.12025-11-06
Missing Authorization vulnerability in bPlugins Info Cards info-cards allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Info Cards: from n/a through <= 1.0.11.
- CVE-2025-54712MEDIUMCVSS 4.3EG 4.32025-08-14
Missing Authorization vulnerability in hashthemes Easy Elementor Addons easy-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Elementor Addons: from n/a through <= 2.2.7.
- CVE-2025-54714HIGHCVSS 7.1EG 7.12025-08-28
Missing Authorization vulnerability in Dylan James Zephyr Project Manager zephyr-project-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zephyr Project Manager: from n/a through <= 3.3.201.
- CVE-2025-54717MEDIUMCVSS 5.4EG 5.42025-08-14
Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Membership: from n/a through <= 1.6.3.
- CVE-2025-54730MEDIUMCVSS 5.3EG 5.32025-08-14
Missing Authorization vulnerability in PARETO Digital Embedder for Google Reviews embedder-for-google-reviews allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Embedder for Google Reviews: from n/a through …
- CVE-2025-54733MEDIUMCVSS 6.5EG 6.52025-08-28
Missing Authorization vulnerability in all_bootstrap_blocks All Bootstrap Blocks all-bootstrap-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects All Bootstrap Blocks: from n/a through <= 1.3.…
- CVE-2025-54734MEDIUMCVSS 5.8EG 5.82025-08-28
Missing Authorization vulnerability in bPlugins B Slider b-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects B Slider: from n/a through <= 1.1.30.
- CVE-2025-54739MEDIUMCVSS 5.3EG 5.32025-08-14
Missing Authorization vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nexter Blocks: from n/a through <= 4.5.4.
- CVE-2025-54741MEDIUMCVSS 6.5EG 8.62025-12-18
Missing Authorization vulnerability in Tyler Moore Super Blank super-blank allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Blank: from n/a through <= 1.2.0.
- CVE-2025-54743MEDIUMCVSS 5.8EG 5.32025-12-18
Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download After Email: from n/a through 2.1.5-2.1.6.
- CVE-2025-54744MEDIUMCVSS 6.5EG 6.52025-09-05
Missing Authorization vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MasterStudy LMS: from n/a through <= 3.6.…
- CVE-2025-54745MEDIUMCVSS 6.5EG 6.52025-12-18
Missing Authorization vulnerability in miniOrange miniOrange's Google Authenticator miniorange-2-factor-authentication allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects miniOrange's Google Authentic…
- CVE-2025-54751HIGHCVSS 7.1EG 7.12025-12-18
Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 4.1.36.
- CVE-2025-5483HIGHCVSS 8.1EG 8.12025-11-07
The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user.php file in versions 1.2.10 to 1.3.0. This makes it possible for unauthenticated attackers to create n…
- CVE-2025-5486CRITICALCVSS 9.8EG 9.82025-06-06
The WP Email Debug plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the WPMDBUG_handle_settings() function in versions 1.0 to 1.1.0. This makes it possible for unauthenticated attackers to ena…
- CVE-2025-54943CRITICALCVSS 9.8EG 9.82025-08-30
A missing authorization vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to perform unauthorized application deployment due to the absence of proper access control checks.
- CVE-2025-55038MEDIUMCVSS 6.8EG 6.82025-09-23
An authorization bypass vulnerability has been discovered in the Click Plus C2-03CPU2 device firmware version 3.60. Through the KOPR protocol utilized by the Remote PLC application, authenticated users with low-level access permissions can…
- CVE-2025-55141HIGHCVSS 8.8EG 8.82025-09-09
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows…
- CVE-2025-55142HIGHCVSS 8.8EG 8.82025-09-09
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows…
- CVE-2025-55144MEDIUMCVSS 5.4EG 5.42025-09-09
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows…
- CVE-2025-55145HIGHCVSS 8.9EG 8.92025-09-09
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allow…
- CVE-2025-55148HIGHCVSS 7.6EG 7.62025-09-09
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows…
- CVE-2025-5521HIGHCVSS 8.8EG 4.32025-06-03
A vulnerability was found in WuKongOpenSource WukongCRM 9.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /system/user/updataPassword. The manipulation leads to cross-site requ…
- CVE-2025-55471HIGHCVSS 7.5EG 7.52025-11-26
Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users.
- CVE-2025-55712MEDIUMCVSS 6.5EG 6.52025-08-14
Missing Authorization vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite the-plus-addons-for-elementor-page-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus …
- CVE-2025-55716MEDIUMCVSS 4.3EG 4.32025-08-14
Missing Authorization vulnerability in VeronaLabs WP Statistics wp-statistics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Statistics: from n/a through <= 14.15.
- CVE-2025-55734MEDIUMCVSS 6.5EG 6.52025-08-19
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the…
- CVE-2025-55741HIGHCVSS 8.1EG 8.12025-08-22
UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. In versions 0.3.0 and earlier, users without the Delete privilege for products are unable to delete individual products via the standard e…
- CVE-2025-5692MEDIUMCVSS 6.3EG 8.82025-07-02
The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This …
- CVE-2025-5701HIGHCVSS 8.8EG 9.82025-06-05
The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.…
- CVE-2025-5732HIGHCVSS 8.8EG 4.32025-06-06
A vulnerability, which was classified as problematic, was found in code-projects Traffic Offense Reporting System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attac…
- CVE-2025-57605HIGHCVSS 8.8EG 8.82025-09-22
Lack of server-side authorisation on department admin assignment APIs in AiKaan IoT Platform allows authenticated users to elevate their privileges by assigning themselves as admins of other departments. This results in unauthorized privil…
- CVE-2025-5766MEDIUMCVSS 4.3EG 4.32025-06-06
A vulnerability was found in code-projects Laundry System 1.0. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The ex…
- CVE-2025-57817HIGHCVSS 7.2EG 7.22025-09-08
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `…
- CVE-2025-57884MEDIUMCVSS 4.3EG 4.32025-08-22
Missing Authorization vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift: from n/a through <= 12.1.1.
- CVE-2025-57894MEDIUMCVSS 4.3EG 4.32025-08-22
Missing Authorization vulnerability in ollybach WPPizza wppizza allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPPizza: from n/a through <= 3.19.8.
- CVE-2025-57896MEDIUMCVSS 5.3EG 5.32025-08-22
Missing Authorization vulnerability in andy_moyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through <= 5.0.26.
- CVE-2025-57899MEDIUMCVSS 5.3EG 5.32025-09-22
Missing Authorization vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Compress: from n/a through <= 6.50.54.
- CVE-2025-57907MEDIUMCVSS 5.3EG 5.32025-09-22
Missing Authorization vulnerability in Heureka Group Heureka heureka allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Heureka: from n/a through <= 1.1.0.
- CVE-2025-57909MEDIUMCVSS 6.5EG 6.52025-09-22
Missing Authorization vulnerability in Rouergue Création Editor Custom Color Palette editor-custom-color-palette allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Editor Custom Color Palette: from …
- CVE-2025-57917MEDIUMCVSS 4.3EG 4.32025-09-22
Missing Authorization vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce printcart-integration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Printcart Web to Prin…
- CVE-2025-57921MEDIUMCVSS 5.3EG 5.32025-09-22
Missing Authorization vulnerability in N-Media Frontend File Manager nmedia-user-file-uploader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Frontend File Manager: from n/a through <= 23.3.
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →