CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,556 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 90 of 172
- CVE-2024-6590MEDIUMCVSS 6.3EG 6.32024-09-25
The Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table. plugin for WordPress is vulnerable to unauthorized modification of data due to a missing…
- CVE-2024-6591MEDIUMCVSS 5.8EG 5.82024-07-27
The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized email creation and sending due to a missing capability check on the 'send_auction_email_callback' and 'resend_auction_email_callback' functions in all…
- CVE-2024-6599MEDIUMCVSS 4.3EG 4.32024-07-18
The Meks Video Importer plugin for WordPress is vulnerable to unauthorized API key modification due to a missing capability check on the ajax_save_settings function in all versions up to, and including, 1.0.12. This makes it possible for a…
- CVE-2024-6621MEDIUMCVSS 4.3EG 4.32024-07-16
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wprss_activate_feed_source' and 'wprss_pause_fe…
- CVE-2024-6626MEDIUMCVSS 5.3EG 5.32024-11-06
The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several functions in all versions up to, and including, 2.9.9.9.…
- CVE-2024-6631MEDIUMCVSS 5.0EG 5.02024-08-24
The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 3.1.14. This makes it possible…
- CVE-2024-6636CRITICALCVSS 9.8EG 9.82024-07-20
The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'woo_slg_login_email' function in all versions up to, and including, 2.7.3. This makes it possi…
- CVE-2024-6660HIGHCVSS 8.8EG 8.82024-07-17
The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bo…
- CVE-2024-6688MEDIUMCVSS 4.3EG 4.32024-08-27
The Oxygen Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the oxy_save_css_from_admin AJAX action in all versions up to, and including, 4.8.3. This makes it possible for…
- CVE-2024-6698HIGHCVSS 8.8EG 8.82024-08-01
The FundEngine plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying user meta updated through the update_user_meta function. This makes it …
- CVE-2024-6709MEDIUMCVSS 4.3EG 4.32024-08-03
The Sync Post With Other Site plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sps_add_update_post' function in all versions up to, and including, 1.6. This makes it possible…
- CVE-2024-6750HIGHCVSS 7.3EG 7.32024-07-24
The Social Auto Poster plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.3.14. This makes it possible f…
- CVE-2024-6754MEDIUMCVSS 5.4EG 5.42024-07-24
The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the ‘wpw_auto_poster_update_tweet_template’ function in all versions up to, and including, 5.3.14. This mak…
- CVE-2024-6755MEDIUMCVSS 6.5EG 6.52024-07-24
The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the ‘wpw_auto_poster_quick_delete_multiple’ function in all versions up to, and including, 5.3…
- CVE-2024-6760HIGHCVSS 7.5EG 7.52024-08-12
A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have, allowing unprivileged users to trace and inspect the behavior of setuid programs. The bug may be used by an…
- CVE-2024-6799MEDIUMCVSS 4.3EG 4.32024-07-19
The YITH Essential Kit for WooCommerce #1 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_module', 'deactivate_module', and 'install_module' functions in all versio…
- CVE-2024-6805HIGHCVSS 7.5EG 7.52024-07-22
The NI VeriStand Gateway is missing authorization checks when an actor attempts to access File Transfer resources. These missing checks may result in information disclosure or remote code execution. This affects NI VeriStand 2024 Q2 and …
- CVE-2024-6806CRITICALCVSS 9.8EG 9.82024-07-22
The NI VeriStand Gateway is missing authorization checks when an actor attempts to access Project resources. These missing checks may result in remote code execution. This affects NI VeriStand 2024 Q2 and prior versions.
- CVE-2024-6824MEDIUMCVSS 4.3EG 4.32024-08-08
The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'check_temp_validity' and 'update_template_title' functions in all versions up to, a…
- CVE-2024-6836MEDIUMCVSS 4.3EG 4.32024-07-24
The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capabili…
- CVE-2024-6845MEDIUMCVSS 5.3EG 5.32024-09-25
The Chatbot with ChatGPT WordPress plugin before 2.4.6 does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key
- CVE-2024-6869MEDIUMCVSS 5.4EG 5.42024-08-08
The Falang multilanguage for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.3.52. This makes it possible for …
- CVE-2024-6872MEDIUMCVSS 4.3EG 4.32024-08-03
The Build Your Dream Website Fast with 400+ Starter Templates and Landing Pages, No Coding Needed, One-Click Import for Elementor & Gutenberg Blocks! – TemplateSpare plugin for WordPress is vulnerable to unauthorized modification of data…
- CVE-2024-6883MEDIUMCVSS 4.3EG 4.32024-08-21
The Event Espresso 4 Decaf – Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions …
- CVE-2024-6987MEDIUMCVSS 4.3EG 4.32024-08-08
The Orchid Store theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'orchid_store_activate_plugin' function in all versions up to, and including, 1.5.6. This makes it possible fo…
- CVE-2024-7030MEDIUMCVSS 4.3EG 4.32024-08-21
The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.5.6. This makes it possible for authen…
- CVE-2024-7031HIGHCVSS 7.5EG 7.52024-08-03
The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'njt_fs_saveSettingRestrictions' function in all versions up to, and including, 1.8.2. This …
- CVE-2024-7032MEDIUMCVSS 6.5EG 6.52024-08-21
The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'moo_deactivateAndClean' function in all versions up to, and including, 1.5.6. This makes it possibl…
- CVE-2024-7043HIGHCVSS 8.8EG 8.12025-03-20
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GE…
- CVE-2024-7045MEDIUMCVSS 4.3EG 4.32025-03-20
In version v0.3.8 of open-webui/open-webui, improper access control vulnerabilities allow an attacker to view any prompts. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the…
- CVE-2024-7046MEDIUMCVSS 4.3EG 4.32025-03-20
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows an attacker to view admin details. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1…
- CVE-2024-7135MEDIUMCVSS 6.5EG 6.52024-07-31
The Tainacan plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_file' function in all versions up to, and including, 0.21.7. The function is also vulnerable to directory traversa…
- CVE-2024-7258HIGHCVSS 8.8EG 8.82024-08-23
The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wppfm_removeFeedFile' function in all versions up to, and including, 2.8.0. This makes it possibl…
- CVE-2024-7380MEDIUMCVSS 4.3EG 4.32024-09-05
The Geo Controller plugin for WordPress is vulnerable to unauthorized menu creation/deletion due to missing capability checks on the ajax__geolocate_menu and ajax__geolocate_remove_menu functions in all versions up to, and including, 8.7.3…
- CVE-2024-7381MEDIUMCVSS 5.3EG 5.32024-09-05
The Geo Controller plugin for WordPress is vulnerable to unauthorized shortcode execution due to missing authorization and capability checks on the ajax__shortcode_cache function in all versions up to, and including, 8.6.9. This makes it p…
- CVE-2024-7390MEDIUMCVSS 5.3EG 5.32024-08-21
The WP Testimonial Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnSaveTestimonailOrder function in all versions up to, and including, 3.1. This makes it possible fo…
- CVE-2024-7429MEDIUMCVSS 4.3EG 4.32024-11-05
The Zotpress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Zotpress_process_accounts_AJAX function in all versions up to, and including, 7.3.12. This makes it possible for …
- CVE-2024-7447MEDIUMCVSS 5.3EG 5.32024-08-28
The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'fnsf_af2_handel_file_up…
- CVE-2024-7475CRITICALCVSS 9.1EG 9.12024-10-29
An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login…
- CVE-2024-7491MEDIUMCVSS 5.3EG 5.32024-09-25
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.6.1 via the woof_messenger_remove_subscr AJAX action due to missing…
- CVE-2024-7605MEDIUMCVSS 4.3EG 4.32024-09-05
The HelloAsso plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ha_ajax' function in all versions up to, and including, 1.1.10. This makes it possible for authenticated attack…
- CVE-2024-7621MEDIUMCVSS 5.4EG 5.42024-08-12
The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the process_wpfeedback_misc_options() function in all v…
- CVE-2024-7622MEDIUMCVSS 4.3EG 4.32024-09-06
The Revision Manager TMC plugin for WordPress is vulnerable to unauthorized arbitrary email sending due to a missing capability check on the _a_ajaxQuickEmailTestCallback() function in all versions up to, and including, 2.8.19. This makes …
- CVE-2024-7648MEDIUMCVSS 4.3EG 4.32024-08-12
The Opal Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.4 via the private notes functionality on payments which utilizes WordPress comments. This makes it possible …
- CVE-2024-7721MEDIUMCVSS 4.3EG 4.32024-09-11
The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_password' function in all versions up to, and including, 2.…
- CVE-2024-7727MEDIUMCVSS 5.3EG 5.32024-09-11
The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the 'h5vp_ajax_handler' ajax action in all ve…
- CVE-2024-7767HIGHCVSS 8.1EG 6.52025-03-20
An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized acce…
- CVE-2024-7856HIGHCVSS 8.1EG 9.12024-08-29
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path va…
- CVE-2024-7858MEDIUMCVSS 6.3EG 6.32024-08-30
The Media Library Folders plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several AJAX functions in the media-library-plus.php file in all versions up to, and including, 8.2.3. This makes it po…
- CVE-2024-7888MEDIUMCVSS 6.3EG 6.32024-09-13
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options()…
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →