CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,567 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 98 of 172
- CVE-2025-13859MEDIUMCVSS 6.4EG 6.42026-01-15
The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it…
- CVE-2025-13864MEDIUMCVSS 5.3EG 5.32026-02-19
The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered …
- CVE-2025-13866MEDIUMCVSS 6.4EG 6.42025-12-12
The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action in versions 3.0.0 to 4.7.5. This makes it possible for auth…
- CVE-2025-13880MEDIUMCVSS 6.5EG 6.52025-12-17
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability…
- CVE-2025-13921MEDIUMCVSS 4.3EG 4.32026-01-23
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capa…
- CVE-2025-13930MEDIUMCVSS 5.3EG 5.32026-02-19
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to…
- CVE-2025-13934MEDIUMCVSS 4.3EG 4.32026-01-09
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validatio…
- CVE-2025-13935MEDIUMCVSS 4.3EG 4.32026-01-09
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_com…
- CVE-2025-13950MEDIUMCVSS 5.3EG 5.32025-12-15
The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functionality in all versions up to, and including, 3.6.1. This is …
- CVE-2025-13956MEDIUMCVSS 5.3EG 5.32025-12-16
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for u…
- CVE-2025-13964MEDIUMCVSS 5.3EG 5.32026-01-06
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it poss…
- CVE-2025-14001MEDIUMCVSS 5.4EG 5.42026-01-13
The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. …
- CVE-2025-14003MEDIUMCVSS 4.3EG 4.32025-12-15
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `add_images_to_gallery_callback()` function in all versions up to, and includ…
- CVE-2025-1402MEDIUMCVSS 5.3EG 5.32025-02-21
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possibl…
- CVE-2025-14029MEDIUMCVSS 5.3EG 5.32026-01-17
The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible …
- CVE-2025-14034MEDIUMCVSS 5.3EG 5.32026-01-06
The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functi…
- CVE-2025-14038HIGHCVSS 7.0EG 7.02025-12-15
EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause a denial-of-service by writing malforme…
- CVE-2025-1404MEDIUMCVSS 5.3EG 5.32025-03-01
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_sccp_reports_user_search() function in all versions up to, and including,…
- CVE-2025-14043MEDIUMCVSS 5.3EG 5.32025-12-21
The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the `create_item_permissions_check()` function uncond…
- CVE-2025-14045MEDIUMCVSS 4.3EG 4.32025-12-12
The URL Media Uploader plugin for WordPress is vulnerable to unauthorized safe file uploads due to a missing capability check on the url_media_uploader_url_upload_ajax_handler() function in all versions up to, and including, 1.0.1. This ma…
- CVE-2025-14047MEDIUMCVSS 5.3EG 5.32026-01-02
The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Fr…
- CVE-2025-14061MEDIUMCVSS 5.3EG 5.32025-12-17
The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the gd…
- CVE-2025-14064MEDIUMCVSS 5.4EG 6.52025-12-12
The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authentic…
- CVE-2025-14065MEDIUMCVSS 4.3EG 5.32025-12-12
The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possibl…
- CVE-2025-14067MEDIUMCVSS 5.3EG 5.32026-02-14
The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attack…
- CVE-2025-14070HIGHCVSS 7.5EG 7.52026-01-07
The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authentica…
- CVE-2025-14074MEDIUMCVSS 4.3EG 5.32025-12-12
The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6…
- CVE-2025-14078MEDIUMCVSS 5.3EG 5.32026-01-17
The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygen…
- CVE-2025-14079MEDIUMCVSS 5.3EG 5.32026-02-05
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function…
- CVE-2025-1408MEDIUMCVSS 4.3EG 4.32025-03-22
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_decline_join_group_request and pm_approve_join_group_request func…
- CVE-2025-14080MEDIUMCVSS 5.3EG 5.32025-12-21
The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.5. This is due to missing authorization checks on the post update functionality in the fpsml_fo…
- CVE-2025-14117MEDIUMCVSS 4.3EG 4.32025-12-06
A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be …
- CVE-2025-14146MEDIUMCVSS 5.3EG 5.32026-01-09
The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally…
- CVE-2025-14155MEDIUMCVSS 5.3EG 5.32025-12-23
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, a…
- CVE-2025-14170MEDIUMCVSS 4.3EG 5.32025-12-12
The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the `vimeogallery_admin` function hooked to `admin_menu`. This ma…
- CVE-2025-14172MEDIUMCVSS 6.5EG 6.52026-01-09
The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked …
- CVE-2025-14173MEDIUMCVSS 5.3EG 5.32026-01-14
The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked t…
- CVE-2025-14270LOWCVSS 2.7EG 2.72026-02-19
The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_…
- CVE-2025-14272HIGHCVSS 0.0EG 0.02026-06-16
A security issue was identified in Pavilion due to improper authorization enforcement in API... A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow…
- CVE-2025-14288MEDIUMCVSS 4.3EG 4.32025-12-13
The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and inc…
- CVE-2025-14339MEDIUMCVSS 6.5EG 6.52026-02-21
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Fo…
- CVE-2025-14342MEDIUMCVSS 4.3EG 4.32026-02-19
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sq_ajax_uninstall function in all versions up to, and including, 12.4.14. This makes it possibl…
- CVE-2025-14350MEDIUMCVSS 4.3EG 4.32026-02-16
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names …
- CVE-2025-14351MEDIUMCVSS 5.3EG 5.32026-01-20
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and in…
- CVE-2025-14357MEDIUMCVSS 5.3EG 5.32026-02-19
The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including,…
- CVE-2025-14358HIGHCVSS 7.5EG 9.82026-01-08
Missing Authorization vulnerability in sizam REHub Framework rehub-framework allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects REHub Framework: from n/a through <= 19.9.5.
- CVE-2025-14360HIGHCVSS 7.5EG 9.82026-01-08
Missing Authorization vulnerability in Kaira Blockons blockons allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Blockons: from n/a through <= 1.2.19.
- CVE-2025-14361HIGHCVSS 7.1EG 7.12026-05-26
Missing Authorization vulnerability in AA-Team Woocommerce Envato Affiliates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Woocommerce Envato Affiliates: from n/a through 1.2.1.
- CVE-2025-14364HIGHCVSS 8.8EG 8.82025-12-18
The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and incl…
- CVE-2025-14365MEDIUMCVSS 5.3EG 5.32025-12-13
The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unau…
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →