CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,559 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 94 of 172
- CVE-2025-11581MEDIUMCVSS 5.3EG 5.32025-10-10
A security vulnerability has been detected in PowerJob up to 5.1.2. This vulnerability affects unknown code of the file /openApi/runJob of the component OpenAPIController. Such manipulation leads to missing authorization. The attack can be…
- CVE-2025-11587MEDIUMCVSS 4.3EG 4.32025-10-29
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.…
- CVE-2025-11620HIGHCVSS 7.2EG 7.22025-11-18
The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpu_add_multiple_roles_ui' and 'mrpu_save_multiple_user_roles' functions in all versions up to, …
- CVE-2025-11632MEDIUMCVSS 4.3EG 4.32025-10-29
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This m…
- CVE-2025-11669HIGHCVSS 8.1EG 8.12026-01-13
Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality.
- CVE-2025-11692MEDIUMCVSS 5.3EG 5.32025-10-15
The Zip Attachments plugin for WordPress is vulnerable to unauthorized loss of data due to a missing authorization and capability checks on the download.php file in all versions up to, and including, 1.6. This makes it possible for unauthe…
- CVE-2025-11701MEDIUMCVSS 5.3EG 5.32025-10-15
The Zip Attachments plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check as well as missing post status validation in the za_create_zip_callback function in all versions up to, and including, …
- CVE-2025-11702HIGHCVSS 8.5EG 8.52025-10-29
GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from othe…
- CVE-2025-11705MEDIUMCVSS 6.5EG 6.52025-10-29
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several G…
- CVE-2025-11725MEDIUMCVSS 6.5EG 6.52026-02-19
The Aruba HiSpeed Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the multiple functions in all versions up to, and including, 3.0.2. This makes it possible for unauthenti…
- CVE-2025-11726MEDIUMCVSS 4.3EG 4.32025-12-02
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-co…
- CVE-2025-11734MEDIUMCVSS 5.4EG 5.42025-11-18
The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due…
- CVE-2025-11742MEDIUMCVSS 4.3EG 4.32025-10-18
The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wishlist_quickview' AJAX action in all versions up to, and including, 5.0.4. This makes it p…
- CVE-2025-11754HIGHCVSS 7.5EG 7.52026-02-19
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for…
- CVE-2025-11758MEDIUMCVSS 6.5EG 6.52025-11-04
The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unau…
- CVE-2025-11762MEDIUMCVSS 4.3EG 4.32026-04-24
The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This …
- CVE-2025-11773MEDIUMCVSS 4.3EG 4.32025-11-21
The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveDeployedContract' function in all version…
- CVE-2025-11816MEDIUMCVSS 5.3EG 5.32025-11-01
The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() func…
- CVE-2025-11833CRITICALCVSS 9.8EG 9.82025-11-01
The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and…
- CVE-2025-11835MEDIUMCVSS 5.3EG 5.32025-11-05
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability and validation check on the PMS_AJAX…
- CVE-2025-11877HIGHCVSS 7.5EG 7.52026-01-07
The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_op…
- CVE-2025-11881MEDIUMCVSS 5.3EG 5.32025-10-30
The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible…
- CVE-2025-11887MEDIUMCVSS 4.3EG 4.32025-10-24
The Supervisor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attack…
- CVE-2025-11890HIGHCVSS 7.5EG 7.52025-11-04
The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a payments status through server-side…
- CVE-2025-11894MEDIUMCVSS 5.3EG 5.32025-11-11
The Shelf Planner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several REST API endpoints in all versions up to, and including, 2.8.1. This makes it possible for unauthenticat…
- CVE-2025-11975MEDIUMCVSS 4.3EG 4.32025-10-31
The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sav…
- CVE-2025-11985HIGHCVSS 8.8EG 8.82025-11-21
The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings' function in versions 0.1 to 0.4.1. This ma…
- CVE-2025-11988MEDIUMCVSS 5.3EG 5.32025-11-11
The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process…
- CVE-2025-11989LOWCVSS 3.7EG 3.72025-10-27
GitLab has remediated an issue in GitLab EE affecting all versions from 17.6.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to execute unauthorized quick actions by including m…
- CVE-2025-11991MEDIUMCVSS 5.3EG 5.32025-12-16
The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This mak…
- CVE-2025-11996MEDIUMCVSS 5.3EG 5.32025-11-11
The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fui_delete_image() and fui_delete_all_images() functiosn in all versions up to, and including, 1.0.7. This make…
- CVE-2025-11999MEDIUMCVSS 5.3EG 5.32025-11-11
The Add Multiple Marker plugin for WordPress is vulnerable to unauthorized modification of data to due to a missing capability check on the addmultiplemarker_reset_map() and amm_save_map_api() functions in all versions up to, and including…
- CVE-2025-12014MEDIUMCVSS 4.3EG 4.32025-10-24
The NGINX Cache Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nginxcacheoptimizer-blacklist-update' AJAX action in all versions up to, and including, 1.1. This m…
- CVE-2025-12015MEDIUMCVSS 4.3EG 4.32025-11-13
The Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_wpqai_d…
- CVE-2025-12022MEDIUMCVSS 4.3EG 4.32025-11-21
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_restore_trash' AJAX endpoint in all versions up to, a…
- CVE-2025-12023MEDIUMCVSS 4.3EG 4.32025-11-21
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_restore_data() function in all versions up to, and including, 3…
- CVE-2025-12027MEDIUMCVSS 4.3EG 4.32026-02-19
The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and i…
- CVE-2025-12041MEDIUMCVSS 5.3EG 5.32025-10-31
The ERI File Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'erifl_file' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticate…
- CVE-2025-12042MEDIUMCVSS 5.3EG 5.32025-11-08
The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticate…
- CVE-2025-12043MEDIUMCVSS 5.3EG 5.32025-11-25
The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_auycht_saveCid' AJAX endpoint in all versions up to, and including, 1.1.9.…
- CVE-2025-12061HIGHCVSS 8.6EG 8.62025-11-26
The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements
- CVE-2025-12075MEDIUMCVSS 4.3EG 4.32026-02-18
The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wos_troubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it po…
- CVE-2025-12081MEDIUMCVSS 4.3EG 4.32026-02-19
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. This makes it po…
- CVE-2025-12085MEDIUMCVSS 4.3EG 4.32025-11-21
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function in all versions up to, and incl…
- CVE-2025-12091MEDIUMCVSS 4.3EG 4.32025-12-06
The Search, Filters & Merchandising for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcis_save_email' endpoint in all versions up to, and including, 3.0.67. T…
- CVE-2025-12093MEDIUMCVSS 5.3EG 5.32025-12-05
The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attacker…
- CVE-2025-12113MEDIUMCVSS 4.3EG 4.32025-11-12
The Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, …
- CVE-2025-12133MEDIUMCVSS 4.3EG 4.32025-12-05
The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up…
- CVE-2025-12134MEDIUMCVSS 5.3EG 5.32025-10-24
The ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_popup_stat…
- CVE-2025-1214MEDIUMCVSS 6.3EG 6.32025-02-12
A vulnerability classified as critical has been found in pihome-shc PiHome 2.0. This affects an unknown part of the file /user_accounts.php?uid of the component Role-Based Access Control. The manipulation leads to missing authorization. It…
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →