CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,567 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 97 of 172
- CVE-2025-13314MEDIUMCVSS 5.3EG 5.32025-12-12
The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on…
- CVE-2025-13317MEDIUMCVSS 5.3EG 5.32025-11-22
The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointment…
- CVE-2025-13318MEDIUMCVSS 5.3EG 5.32025-11-22
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_ver…
- CVE-2025-13334HIGHCVSS 8.1EG 8.12025-12-12
The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the "blaze_demo_importer_install_demo" function in all versions up to, and including, 1.0.13.…
- CVE-2025-13342CRITICALCVSS 9.8EG 9.82025-12-03
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validati…
- CVE-2025-13348HIGHCVSS 8.5EG 8.52026-02-02
An improper access control vulnerability exists in ASUS Secure Delete Driver of ASUS Business Manager. This vulnerability can be triggered by a local user sending a specially crafted request, potentially leading to the creation of arbitrar…
- CVE-2025-13354MEDIUMCVSS 4.3EG 4.32025-12-03
The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is …
- CVE-2025-13358MEDIUMCVSS 5.3EG 5.32025-12-06
The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability chec…
- CVE-2025-13381MEDIUMCVSS 5.3EG 5.32025-11-27
The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'ays_chatgpt_save_wp_media' function in all versions up to, and including, 2.7.0. T…
- CVE-2025-13384HIGHCVSS 7.5EG 7.52025-11-22
The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ip…
- CVE-2025-13386MEDIUMCVSS 5.3EG 5.32025-11-25
The Social Images Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'options_update' function in all versions up to, and including, 2.1. This makes it possible for unau…
- CVE-2025-13391MEDIUMCVSS 5.8EG 5.82026-02-11
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all version…
- CVE-2025-13403MEDIUMCVSS 4.3EG 5.32025-12-13
The Employee Spotlight – Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization validation on the employee_spotlight_check_optin() function in a…
- CVE-2025-13404MEDIUMCVSS 5.3EG 5.32025-11-25
The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate_post() function in all versions up to, and including, 1.2.20. This makes it possibl…
- CVE-2025-13405MEDIUMCVSS 5.3EG 5.32025-11-25
The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptb_delete_custom_taxonomy() function in all versions up to, and including, 1.9. This mak…
- CVE-2025-13414MEDIUMCVSS 5.3EG 5.32025-11-25
The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to unauthorized data export due to a missing capability check on the cdash_watch_for_export() function in all versions up to, and including, 3.3.11. This makes it …
- CVE-2025-13416MEDIUMCVSS 4.3EG 4.32026-02-05
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and inclu…
- CVE-2025-13419MEDIUMCVSS 5.3EG 5.32026-01-07
The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all…
- CVE-2025-13440MEDIUMCVSS 5.3EG 5.32025-12-12
The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it poss…
- CVE-2025-13441MEDIUMCVSS 5.3EG 5.32025-11-27
The Hide Category by User Role for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.1. This is due to a missing capability check on the admin_init hook that executes wp_cache…
- CVE-2025-13468MEDIUMCVSS 5.4EG 5.42025-11-20
A weakness has been identified in SourceCodester Alumni Management System 1.0. This issue affects the function delete_forum/delete_career/delete_comment/delete_gallery/delete_event of the file admin/admin_class.php of the component Delete …
- CVE-2025-13472MEDIUMCVSS 5.3EG 5.32025-12-03
A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this …
- CVE-2025-13493HIGHCVSS 7.5EG 7.52026-01-07
The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hoo…
- CVE-2025-13496MEDIUMCVSS 5.3EG 5.32026-01-07
The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possib…
- CVE-2025-13498MEDIUMCVSS 4.3EG 4.32025-12-18
The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJA…
- CVE-2025-13528MEDIUMCVSS 5.3EG 5.32025-12-05
The Feedback Modal for Website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_export' function in all versions up to, and including, 1.0.1. This makes it possible for unau…
- CVE-2025-13529MEDIUMCVSS 5.3EG 5.32026-01-07
The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to d…
- CVE-2025-13558MEDIUMCVSS 5.4EG 5.42025-11-25
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'deleteUserCcDraftPost' function in all versions up to, and including, 8.7…
- CVE-2025-1358MEDIUMCVSS 4.3EG 4.32025-02-16
A vulnerability classified as problematic was found in Pix Software Vivaz 6.0.10. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been dis…
- CVE-2025-13603HIGHCVSS 8.8EG 8.82026-02-19
The WP AUDIO GALLERY plugin for WordPress is vulnerable to Unauthorized Arbitrary File Read in all versions up to, and including, 2.0. This is due to insufficient capability checks and lack of nonce verification on the "wpag_htaccess_callb…
- CVE-2025-1361HIGHCVSS 7.5EG 7.52025-02-22
The IP2Location Country Blocker plugin for WordPress is vulnerable to Regular Information Exposure in all versions up to, and including, 2.38.8 due to missing capability checks on the admin_init() function. This makes it possible for unaut…
- CVE-2025-13620MEDIUMCVSS 5.3EG 5.32025-12-05
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and …
- CVE-2025-13628MEDIUMCVSS 4.3EG 4.32026-01-09
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functi…
- CVE-2025-13643LOWCVSS 3.1EG 3.12025-11-25
A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully com…
- CVE-2025-13666MEDIUMCVSS 5.3EG 5.32025-12-06
The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify reques…
- CVE-2025-13679MEDIUMCVSS 6.5EG 6.52026-01-08
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This …
- CVE-2025-13717MEDIUMCVSS 5.3EG 5.32026-01-09
The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it…
- CVE-2025-13722MEDIUMCVSS 5.3EG 5.32026-01-07
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks …
- CVE-2025-13741MEDIUMCVSS 4.3EG 4.32025-12-16
The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function i…
- CVE-2025-13750MEDIUMCVSS 4.3EG 4.32025-12-17
The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in …
- CVE-2025-13754MEDIUMCVSS 5.3EG 5.32025-12-19
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin emb…
- CVE-2025-13756MEDIUMCVSS 4.3EG 4.32025-12-03
The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the "importCalendar" function in all versions up to, and including, 1.9.11. This makes it possible fo…
- CVE-2025-13766MEDIUMCVSS 5.4EG 5.42026-01-06
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all version…
- CVE-2025-13772MEDIUMCVSS 4.3EG 7.12026-01-09
GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized …
- CVE-2025-13781MEDIUMCVSS 6.5EG 6.52026-01-09
GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by ex…
- CVE-2025-13790MEDIUMCVSS 4.3EG 4.32025-11-30
A vulnerability was determined in Scada-LTS up to 2.7.8.1. This impacts an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be util…
- CVE-2025-13794MEDIUMCVSS 4.3EG 4.32025-12-16
The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.…
- CVE-2025-13812MEDIUMCVSS 4.3EG 4.32026-01-06
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamip…
- CVE-2025-13813MEDIUMCVSS 5.6EG 5.62025-12-01
A vulnerability was identified in moxi159753 Mogu Blog v2 up to 5.2. This issue affects some unknown processing of the file /storage/ of the component Storage Management Endpoint. The manipulation leads to missing authorization. The attack…
- CVE-2025-13828CRITICALCVSS 9.0EG 9.02025-12-02
SummaryA non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. ImpactA low-privileged user of the platf…
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →