CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,522 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 62 of 171
- CVE-2024-10326MEDIUMCVSS 4.3EG 4.32025-03-08
The RomethemeKit For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_options and reset_widgets functions in all versions up to, and including, 1.5.3. This make…
- CVE-2024-10330MEDIUMCVSS 6.5EG 6.52025-03-20
In lunary-ai/lunary version 1.5.6, the `/v1/evaluators/` endpoint lacks proper access control, allowing any user associated with a project to fetch all evaluator data regardless of their role. This vulnerability permits low-privilege users…
- CVE-2024-10363MEDIUMCVSS 5.4EG 5.42025-03-20
In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Users can share, use, and create prompts without being granted permission by the admin. This can break application logic and permissions, allowin…
- CVE-2024-10390MEDIUMCVSS 6.4EG 6.42024-11-18
The Elfsight Telegram Chat CC plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the 'updatePreferences' function in all versions up to, and including, 1.1.0. This makes it possible for…
- CVE-2024-10393MEDIUMCVSS 5.3EG 5.32024-11-21
The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes i…
- CVE-2024-10399MEDIUMCVSS 4.3EG 4.32024-10-30
The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up to, and including, 5.0.13. This makes it possible for authe…
- CVE-2024-10402HIGHCVSS 7.5EG 7.52024-10-26
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it…
- CVE-2024-1041MEDIUMCVSS 6.4EG 6.42024-04-10
The WP Radio – Worldwide Online Radio Stations Directory for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings in all versions up to, and including, 3.1.9 due to insufficient input sani…
- CVE-2024-1042MEDIUMCVSS 6.4EG 6.42024-04-10
The WP Radio – Worldwide Online Radio Stations Directory for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in all versions up to, and includ…
- CVE-2024-1043MEDIUMCVSS 6.5EG 6.52024-02-29
The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'amppb_remove_saved_layout_data' function in all versions up to, and including, 1.0.93.1. …
- CVE-2024-10437MEDIUMCVSS 4.3EG 4.32024-10-29
The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smar Message activation/deactivation due to a missing capability check on the ajax_enable function in all versions up to, and including, 4.2.1. This …
- CVE-2024-1044MEDIUMCVSS 5.3EG 5.32024-02-29
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_review' function in all versions up to, and including, 5.38.12. This makes it pos…
- CVE-2024-1047MEDIUMCVSS 5.3EG 5.32024-02-02
Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for …
- CVE-2024-10486MEDIUMCVSS 5.3EG 5.32024-11-18
The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible print_php_information.php file. This makes it possible for unauthentica…
- CVE-2024-1050MEDIUMCVSS 4.3EG 4.32024-05-04
The Import and export users and customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_force_reset_password_delete_metas() function in all versions up to, and includi…
- CVE-2024-10520MEDIUMCVSS 5.3EG 5.32024-11-20
The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes …
- CVE-2024-10527LOWCVSS 3.1EG 3.12025-01-07
The Spacer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the motech_spacer_callback() function in all versions up to, and including, 3.0.7. This makes it possible for authenticated a…
- CVE-2024-10528MEDIUMCVSS 4.3EG 4.32024-11-21
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_aja…
- CVE-2024-10529MEDIUMCVSS 5.3EG 5.32024-11-13
The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_assistant() function in all versions up to, and including, 2.1.7. This makes it pos…
- CVE-2024-1053MEDIUMCVSS 4.3EG 4.32024-02-22
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authentica…
- CVE-2024-10530MEDIUMCVSS 4.3EG 4.32024-11-13
The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the add_new_assistant() function in all versions up to, and including, 2.1.7. This makes it po…
- CVE-2024-10531MEDIUMCVSS 5.3EG 5.32024-11-13
The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_assistant() function in all versions up to, and including, 2.1.7. This makes it pos…
- CVE-2024-10532MEDIUMCVSS 4.3EG 4.32024-11-21
The Bard Extra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bardxtra_import_xml() function in all versions up to, and including, 1.2.7. This makes it possible for authenti…
- CVE-2024-10533MEDIUMCVSS 4.3EG 4.32024-11-16
The WP Chat App plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the ajax_install_plugin() function in all versions up to, and including, 3.6.8. This makes it possible for authenti…
- CVE-2024-10535MEDIUMCVSS 5.3EG 5.32024-11-06
The Video Gallery for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the remove_unused_thumbnails() function in all versions up to, and including, 1.31. This makes i…
- CVE-2024-10536MEDIUMCVSS 4.3EG 4.32025-01-07
The FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_block_shortcode_ex…
- CVE-2024-10537MEDIUMCVSS 4.3EG 4.32024-11-23
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key() function in all versions up to, and including, 2.…
- CVE-2024-10542CRITICALCVSS 9.8EG 9.82024-11-26
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all version…
- CVE-2024-10543MEDIUMCVSS 4.3EG 4.32024-11-06
The Tumult Hype Animations plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hypeanimations_getcontent function in all versions up to, and including, 1.9.14. This makes it possible f…
- CVE-2024-10567HIGHCVSS 7.5EG 7.52024-12-04
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function in all versions up to, and including, 2.9.1. This makes it possible for unauthen…
- CVE-2024-10574HIGHCVSS 7.2EG 7.22025-01-26
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ays_save_google_credentials' function in all versions up to, and including, 8…
- CVE-2024-10575CRITICALCVSS 9.8EG 9.82024-11-13
CWE-862: Missing Authorization vulnerability exists that could cause unauthorized access when enabled on the network and potentially impacting connected devices.
- CVE-2024-10579MEDIUMCVSS 4.3EG 4.32024-11-26
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the preview_module() function in all versions up to, and including, 7.8.…
- CVE-2024-10580MEDIUMCVSS 5.3EG 5.32024-11-27
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized form submissions due to a missing capability check on the submit_form() function in all versions up to, and including, 7.8.5…
- CVE-2024-10582MEDIUMCVSS 4.3EG 4.32024-11-15
The Music Player for Elementor – Audio Player & Podcast Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_mpfe_template() function in all versions up to, and in…
- CVE-2024-10586CRITICALCVSS 9.8EG 9.82024-11-09
The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possi…
- CVE-2024-10588MEDIUMCVSS 4.3EG 4.32024-11-09
The Debug Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the info() function in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with s…
- CVE-2024-10589CRITICALCVSS 9.8EG 9.82024-11-09
The Leopard - WordPress Offload Media plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the import_settings() function in all versions up to, …
- CVE-2024-10591HIGHCVSS 8.8EG 8.82025-01-30
The MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capab…
- CVE-2024-10598MEDIUMCVSS 5.3EG 5.32024-10-31
A vulnerability classified as critical was found in Tongda OA 11.2/11.3/11.4/11.5/11.6. This vulnerability affects unknown code of the file general/hr/setting/attendance/leave/data.php of the component Annual Leave Handler. The manipulatio…
- CVE-2024-10606MEDIUMCVSS 4.3EG 4.32024-11-23
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpte_onboard_save_function_callback() function in all …
- CVE-2024-10614MEDIUMCVSS 4.3EG 4.32024-11-16
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the cancel_import() function in all versions up to, and including, 5.61.0. This makes it possible for authe…
- CVE-2024-10629HIGHCVSS 8.8EG 8.82024-11-13
The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.9. This makes it possible …
- CVE-2024-10663MEDIUMCVSS 4.3EG 4.32024-12-04
The Eleblog – Elementor Blog And Magazine Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the goodbye_form_callback() function in all versions up to, and including, 1.8.…
- CVE-2024-10664MEDIUMCVSS 4.3EG 4.32024-12-04
The Knowledge Base documentation & wiki plugin – BasePress Docs plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the basepress_db_posts_update() function in all versions up to, …
- CVE-2024-10665MEDIUMCVSS 5.4EG 5.42024-11-20
The Yaad Sarig Payment Gateway For WC plugin for WordPress is vulnerable to unauthorized modification & access of data due to a missing capability check on the yaadpay_view_log_callback() and yaadpay_delete_log_callback() functions in all …
- CVE-2024-10673HIGHCVSS 8.8EG 8.82024-11-09
The Top Store theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the top_store_install_and_activate_callback() function in all versions up to, and including, 1.5.4. This mak…
- CVE-2024-10674HIGHCVSS 8.8EG 8.82024-11-09
The Th Shop Mania theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the th_shop_mania_install_and_activate_callback() function in all versions up to, and including, 1.4.9. …
- CVE-2024-10717MEDIUMCVSS 6.5EG 6.52024-11-13
The Styler for Ninja Forms plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the deactivate_license function in all versions up to, and includi…
- CVE-2024-1072HIGHCVSS 8.2EG 8.22024-02-05
The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the seedprod_lite_new_…
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →