CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,555 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 89 of 172
- CVE-2024-5710MEDIUMCVSS 6.5EG 6.52024-06-27
berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. This vulnerability allows attackers to perform unauthorized actions such as creating, updating, viewing, deleting, blocking, and…
- CVE-2024-5768MEDIUMCVSS 6.4EG 6.42024-06-19
The MIMO Woocommerce Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mimo_update_provider' function in all versions up to, and including, 1.0.2. This makes it…
- CVE-2024-57682MEDIUMCVSS 6.5EG 6.52025-01-16
An information disclosure vulnerability in the component d_status.asp of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to access sensitive information via a crafted POST request.
- CVE-2024-5769MEDIUMCVSS 4.3EG 4.32025-01-09
The MIMO Woocommerce Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.0.2. This makes it possible for auth…
- CVE-2024-5770MEDIUMCVSS 4.2EG 4.22024-06-08
The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_setting' function in versions up to, and including, 1.66. This makes it possi…
- CVE-2024-57726CRITICALCVSS 9.9EG 9.9⚠ KEV2025-01-15
SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.
- CVE-2024-57757HIGHCVSS 7.5EG 7.52025-01-15
JeeWMS before v2025.01.01 was discovered to contain a permission bypass in the component /interceptors/AuthInterceptor.cava.
- CVE-2024-5784HIGHCVSS 7.1EG 7.12024-08-30
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up …
- CVE-2024-58101HIGHCVSS 8.1EG 8.12025-05-14
Samsung Galaxy Buds and Galaxy Buds 2 audio devices are Bluetooth pairable by default without user input nor a way to stop this mode. As a consequence, audio playback takeover or even microphone recording without user consent or notificati…
- CVE-2024-5820HIGHCVSS 8.8EG 7.62024-06-27
An unprotected WebSocket connection in the latest version of stitionai/devika (commit ecee79f) allows a malicious website to connect to the backend and issue commands on behalf of the user. The backend serves all listeners on the given soc…
- CVE-2024-58337MEDIUMCVSS 4.3EG 7.52025-12-30
Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gai…
- CVE-2024-5855MEDIUMCVSS 4.3EG 4.32024-07-09
The Media Hygiene: Remove or Delete Unused Images and More! plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the bulk_action_delete and delete_single_image_call AJAX actions in all versio…
- CVE-2024-5856MEDIUMCVSS 4.3EG 4.32024-07-09
The Comment Images Reloaded plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the cir_delete_image AJAX action in all versions up to, and including, 2.2.1. This makes it possible for authe…
- CVE-2024-5857MEDIUMCVSS 5.3EG 5.32024-08-29
The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the af2_handel_file_remove AJAX acti…
- CVE-2024-5858MEDIUMCVSS 4.3EG 4.32024-06-15
The AI Infographic Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the qcld_openai_title_generate_desc AJAX action in all versions up to, and including, 4.7.4. This makes i…
- CVE-2024-5860MEDIUMCVSS 4.3EG 4.32024-06-18
The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes i…
- CVE-2024-5861MEDIUMCVSS 5.3EG 5.32024-07-24
The WP EasyPay – Square for WordPress plugin for WordPress is vulnerable to unauthorized modification of datadue to a missing capability check on the wpep_square_disconnect() function in all versions up to, and including, 4.2.3. This mak…
- CVE-2024-5863MEDIUMCVSS 5.4EG 5.42024-06-28
The Easy Image Collage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_image_collage() function in all versions up to, and including, 1.13.5. This makes it possible for authenti…
- CVE-2024-5864MEDIUMCVSS 4.3EG 4.32024-06-28
The Easy Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eafl_reset_settings AJAX action in all versions up to, and including, 3.7.3. This makes it possible f…
- CVE-2024-5899LOWCVSS 3.3EG 3.32024-06-18
When Bazel Plugin in intellij imports a project (either using "import project" or "Auto import") the dialog for trusting the project is not displayed. This comes from the fact that both call the method ProjectBuilder.createProject which …
- CVE-2024-5939MEDIUMCVSS 5.3EG 5.32024-08-20
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 3.13.0. This m…
- CVE-2024-5940MEDIUMCVSS 6.5EG 6.52024-08-20
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.13.0…
- CVE-2024-5941MEDIUMCVSS 5.4EG 5.42024-08-20
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'handle_request' function in all versions up to, and including,…
- CVE-2024-5987MEDIUMCVSS 5.4EG 5.42024-08-29
The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions in all versions up…
- CVE-2024-5992MEDIUMCVSS 6.5EG 6.52024-07-09
The Cliengo – Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_chatbot_token' and 'update_chatbot_position' functions in all versions up to, and including, 3…
- CVE-2024-5993MEDIUMCVSS 5.4EG 5.42024-07-09
The Cliengo – Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_session' function in all versions up to, and including, 3.0.2. This makes it possible for auth…
- CVE-2024-5997MEDIUMCVSS 4.3EG 4.32024-07-18
The Duplica – Duplicate Posts, Pages, Custom Posts or Users plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicate_user and duplicate_post functions in all versions up t…
- CVE-2024-6012MEDIUMCVSS 4.3EG 4.32024-07-02
The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in all versions up to, and including, 3.2.1…
- CVE-2024-6033MEDIUMCVSS 4.3EG 4.32024-07-17
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the 'import_file' function in all versions up to, and including…
- CVE-2024-6069HIGHCVSS 8.8EG 8.82024-07-09
The Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing …
- CVE-2024-6071CRITICALCVSS 10.0EG 10.02024-06-27
PTC Creo Elements/Direct License Server exposes a web interface which can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server.
- CVE-2024-6088MEDIUMCVSS 5.3EG 5.32024-07-02
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possib…
- CVE-2024-6120MEDIUMCVSS 6.5EG 6.52024-06-22
The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible …
- CVE-2024-6155MEDIUMCVSS 6.4EG 6.42025-01-09
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Authenticated (Subscriber+) Server-Side Request Forgery and Stored Cross Site Scripting in all versions up to, and including, 9.0.0 due to a missing…
- CVE-2024-6167MEDIUMCVSS 4.3EG 4.32024-07-09
The Just Custom Fields plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several AJAX functions in all versions up to, and including, 3.3.2. This makes it possible for authentic…
- CVE-2024-6175MEDIUMCVSS 5.4EG 5.42024-07-18
The Booking Ultra Pro Appointments Booking Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the multiple functions called via AJAX like save_fields_settings, bup_d…
- CVE-2024-6180HIGHCVSS 7.2EG 7.22024-07-09
The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventon_import_settings' ajax action in all versions up to, and including, 2.2.15. This makes it possible for una…
- CVE-2024-6303CRITICALCVSS 9.9EG 9.92024-06-25
Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be used for privilege escalation by moving the #admins alias to a room which they control, allowing th…
- CVE-2024-6328CRITICALCVSS 9.8EG 9.82024-07-12
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the 'phone' parameter of…
- CVE-2024-6332MEDIUMCVSS 6.5EG 6.52024-09-05
The Booking for Appointments and Events Calendar – Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function in all versions up to,…
- CVE-2024-6375MEDIUMCVSS 5.4EG 5.42024-07-01
A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing sid…
- CVE-2024-6392MEDIUMCVSS 5.4EG 5.42024-07-11
The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized plugin settings modification due to missing capability checks on the plugin functions in all versions up to, and including, 7.2.7. This makes …
- CVE-2024-6406HIGHCVSS 8.5EG 8.52024-09-18
Missing Authentication for Critical Function, Missing Authorization vulnerability in Yordam Information Technology Mobile Library Application allows Retrieve Embedded Sensitive Data. This issue affects Mobile Library Application: before 5…
- CVE-2024-6455MEDIUMCVSS 5.3EG 5.32024-07-18
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.0 due to a missing capability checks on ekit_widgetarea_content function. This makes it possible for unau…
- CVE-2024-6458MEDIUMCVSS 6.4EG 6.42024-07-27
The WooCommerce Product Table Lite plugin for WordPress is vulnerable to unauthorized post title modification due to a missing capability check on the wcpt_presets__duplicate_preset_to_table function in all versions up to, and including, 3…
- CVE-2024-6465MEDIUMCVSS 4.3EG 4.32024-07-13
The WP Links Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wplf_ajax_update_screenshots' function in all versions up to, and including, 4.9.5. This makes it possible …
- CVE-2024-6489MEDIUMCVSS 5.3EG 5.32024-07-20
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_google_api_key function in all versions up to, and including, 2.0.10. This makes it possib…
- CVE-2024-6491MEDIUMCVSS 4.3EG 4.32024-07-20
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mailchimp_api_key_manage function in all versions up to, and including, 2.0.10. This makes it …
- CVE-2024-6500CRITICALCVSS 10.0EG 10.02024-08-17
The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all versions up to, and including, 1.4.0 (…
- CVE-2024-6579MEDIUMCVSS 4.3EG 4.32024-07-16
The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to unauthorized plugin settings modification due to a missing capability check on several plugin functions in all versions up to, and including, 1.4.5. …
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →