CWE-288 — Authentication Bypass Using an Alternate Path or Channel
509 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-288 (page 6 of 11)
- CVE-2024-7027 (HIGH, CVSS 7.3, EG 7.3, 2024-07-24)
The WooCommerce - PDF Vouchers plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.9.3. This is due to insufficient verification on the user being supplied during a QR code login through the plug…
- CVE-2024-7125 (HIGH, CVSS 7.8, EG 7.8, 2024-08-27)
Authentication Bypass vulnerability in Hitachi Ops Center Common Services. This issue affects Hitachi Ops Center Common Services: from 10.9.3-00 before 11.0.2-01.
- CVE-2024-7314 (CRITICAL, CVSS 9.8, EG 9.8, 2024-08-02)
anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java on the victim server. Exploitat…
- CVE-2024-7350 (CRITICAL, CVSS 9.8, EG 9.8, 2024-08-08)
The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user's identit…
- CVE-2024-7503 (CRITICAL, CVSS 9.8, EG 9.8, 2024-08-12)
The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code in the 'woo_slg_confirm_email_user' funct…
- CVE-2024-7628 (HIGH, CVSS 8.1, EG 8.1, 2024-08-15)
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. This is due to the use of loose comparison in the 'verify_id_token' func…
- CVE-2024-7781 (HIGH, CVSS 8.1, EG 8.1, 2024-09-26)
The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated atta…
- CVE-2024-8012 (HIGH, CVSS 7.8, EG 7.8, 2024-09-10)
An authentication bypass weakness in the message broker service of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges.
- CVE-2024-8277 (CRITICAL, CVSS 9.8, EG 9.8, 2024-09-11)
The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the lo…
- CVE-2024-8943 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-08)
The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possib…
- CVE-2024-9105 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-16)
The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. This is due to insufficient verification on the user being supplied in the 'ultimate_ai_register_or_login_with_google' func…
- CVE-2024-9106 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-01)
The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. This is due to insufficient verification on the user being supplied during the social login. This makes it possibl…
- CVE-2024-9289 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-01)
The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a u…
- CVE-2024-9488 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-25)
The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes i…
- CVE-2024-9501 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-26)
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.0.7. This is due to insufficient verification on the user being returned by the social logi…
- CVE-2024-9522 (HIGH, CVSS 8.8, EG 8.8, 2024-10-10)
The WP Users Masquerade plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.0. This is due to incorrect authentication and capability checking in the 'ajax_masq_login' function. This makes it p…
- CVE-2024-9658 (HIGH, CVSS 8.8, EG 8.8, 2025-03-07)
The School Management System for Wordpress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 93.0.0. This is due to the plugin not properly validating a user's identity pr…
- CVE-2024-9822 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-11)
The Pedalo Connector plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.5. This is due to insufficient restriction on the 'login_admin_user' function. This makes it possible for unauthenticate…
- CVE-2024-9861 (HIGH, CVSS 8.1, EG 8.1, 2024-10-17)
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.6.0. This is due to missing validation on the token being supplied during the otp login through t…
- CVE-2024-9890 (HIGH, CVSS 8.8, EG 8.8, 2024-10-26)
The User Toolkit plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.3. This is due to an improper capability check in the 'switchUser' function. This makes it possible for authenticated attack…
- CVE-2024-9893 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-16)
The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.1.14. This is due to insufficient verification on the user being returned by the social login token. This make…
- CVE-2024-9930 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-26)
The Extensions by HocWP Team plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2.3.2. This is due to missing validation on the user being supplied in the 'verify_email' action. This makes it po…
- CVE-2024-9931 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-26)
The Wux Blog Editor plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.0. This is due to missing validation on the token being supplied during the autologin through the plugin. This makes it p…
- CVE-2024-9933 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-26)
The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.10.1. This is due to the 'watchtower_ota_token' default value being empty and the not-empty check being missing in the 'Password_Le…
- CVE-2024-9988 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-29)
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.19. This is due to missing validation on the user being supplied in the 'crypto_connect_ajax_process::register' function. This makes…
- CVE-2024-9989 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-29)
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.18. This is due to a limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_pro…
- CVE-2025-0159 (CRITICAL, CVSS 9.1, EG 9.1, 2025-02-28)
IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.…
- CVE-2025-0181 (CRITICAL, CVSS 9.8, EG 9.8, 2025-02-11)
The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.8. This is due to the plugin not properly validating a user's identity prior to setting the current u…
- CVE-2025-0316 (CRITICAL, CVSS 9.8, EG 9.8, 2025-02-08)
The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_enquiry_agent_contact_form_submit_callback' function. This…
- CVE-2025-0364 (CRITICAL, CVSS 9.8, EG 9.8, 2025-02-04)
BigAntSoft BigAnt Server, up to and including version 5.6.06, is vulnerable to unauthenticated remote code execution via account registration. An unauthenticated remote attacker can create an administrative user through the default exposed…
- CVE-2025-0549 (MEDIUM, CVSS 6.8, EG 6.8, 2025-05-09)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.3 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. A security vulnerability allows attackers to bypass Device OAuth flow pro…
- CVE-2025-0674 (CRITICAL, CVSS 9.8, EG 9.8, 2025-02-07)
Multiple Elber products are affected by an authentication bypass vulnerability which allows unauthorized access to the password management functionality. Attackers can exploit this issue by manipulating the endpoint to overwrite any use…
- CVE-2025-0749 (HIGH, CVSS 8.1, EG 8.1, 2025-03-07)
The Homey theme for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.3. This is due to the 'verification_id' value being set to empty and the not-empty check being missing in the dashboard user profile p…
- CVE-2025-10294 (CRITICAL, CVSS 9.8, EG 9.8, 2025-10-15)
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authen…
- CVE-2025-10484 (CRITICAL, CVSS 9.8, EG 9.8, 2026-01-17)
The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a user's identity pr…
- CVE-2025-10531 (MEDIUM, CVSS 5.4, EG 5.4, 2025-09-16)
Mitigation bypass in the Web Compatibility: Tooling component. This vulnerability was fixed in Firefox 143 and Thunderbird 143.
- CVE-2025-10538 (HIGH, CVSS 8.8, EG 0.0, 2025-10-01)
An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information.
- CVE-2025-10571 (CRITICAL, CVSS 9.6, EG 9.6, 2025-11-20)
Authentication Bypass Using an Alternate Path or Channel vulnerability in ABB ABB Ability Edgenius. This issue affects ABB Ability Edgenius: 3.2.0.0, 3.2.1.1.
- CVE-2025-1061 (CRITICAL, CVSS 9.8, EG 9.8, 2025-02-07)
The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate requ…
- CVE-2025-10653 (HIGH, CVSS 8.6, EG 8.6, 2025-10-02)
An unauthenticated debug port may allow access to the device file system.
- CVE-2025-11522 (CRITICAL, CVSS 9.8, EG 9.8, 2025-10-09)
The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user validation in the search_and_go_elated_…
- CVE-2025-11534 (CRITICAL, CVSS 9.3, EG 0.0, 2025-10-21)
The affected Raisecom devices allow SSH sessions to be established without completing user authentication. This could allow attackers to gain shell access without valid credentials.
- CVE-2025-11621 (HIGH, CVSS 8.1, EG 8.1, 2025-10-23)
Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11…
- CVE-2025-11984 (MEDIUM, CVSS 6.8, EG 6.8, 2025-12-11)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipul…
- CVE-2025-12431 (MEDIUM, CVSS 6.5, EG 6.5, 2025-11-10)
Inappropriate implementation in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium securi…
- CVE-2025-12445 (MEDIUM, CVSS 6.5, EG 6.5, 2025-11-10)
Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low)
- CVE-2025-12466 (HIGH, CVSS 7.5, EG 7.5, 2025-10-30)
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass. This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7.
- CVE-2025-12760 (MEDIUM, CVSS 5.4, EG 5.4, 2025-11-18)
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6.
- CVE-2025-1283 (CRITICAL, CVSS 9.8, EG 9.8, 2025-02-13)
The Dingtian DT-R0 Series is vulnerable to an exploit that allows attackers to bypass login requirements by directly navigating to the main page.
- CVE-2025-13013 (MEDIUM, CVSS 6.1, EG 6.1, 2025-11-11)
Mitigation bypass in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
Map vulnerabilities like CWE-288 to your infrastructure
EchelonGraph correlates every CVE — across CWE-288 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.