CWE-862: Missing Authorization
7,685 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-862 (page 59 of 154)
- CVE-2023-53923 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-12-17
UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrative accounts through the UserController endpoint. Attackers can send a crafted POST request to /dist/admin/index.php wit…
- CVE-2023-5411 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-11-22
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_save_post function in versions up to, and including, 3.4. This makes it possible for authenticat…
- CVE-2023-5415 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-11-22
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_add_category function in versions up to, and including, 3.4. This makes it possible for authenticate…
- CVE-2023-5416 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-11-22
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_category function in versions up to, and including, 3.4. This makes it possible for authentic…
- CVE-2023-5417 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-11-22
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_update_category function in versions up to, and including, 3.4. This makes it possible for authentic…
- CVE-2023-5419 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-11-22
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_test_mail function in versions up to, and including, 3.4. This makes it possible for authenticat…
- CVE-2023-5425 | HIGH | CVSS 8.8 | EG 8.8 | 2023-10-28
The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_change_user_meta and pmdm_wp_change_post_meta functions in versions up to, and including, 1…
- CVE-2023-5426 | HIGH | CVSS 7.5 | EG 7.5 | 2023-10-28
The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_delete_user_meta, pmdm_wp_delete_term_meta, and pmdm_wp_ajax_delete_meta functions in vers…
- CVE-2023-54327 | CRITICAL | CVSS 9.8 | EG 7.5 | 2025-12-30
Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit the /stm.cgi endpoint with a specially cr…
- CVE-2023-5454 | HIGH | CVSS 7.5 | EG 7.5 | 2023-11-06
The Templately WordPress plugin before 2.2.6 does not properly authorize the `saved-templates/delete` REST API call, allowing unauthenticated users to delete arbitrary posts.
- CVE-2023-5506 | MEDIUM | CVSS 5.4 | EG 4.3 | 2023-11-07
The ImageMapper plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'imgmap_delete_area_ajax' function in versions up to, and including, 1.2.6. This makes it possible for authenticated a…
- CVE-2023-5525 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-11-27
The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the `toggle_auto_update` AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.
- CVE-2023-5533 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-10-20
The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and including, 4.8.9 as well as 4.9.2. This makes it possible for unau…
- CVE-2023-5600 | LOW | CVSS 3.1 | EG 3.1 | 2025-06-20
An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of a private s…
- CVE-2023-5611 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-11-27
The Seraphinite Accelerator WordPress plugin before 2.20.32 does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them.
- CVE-2023-5612 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-01-26
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been …
- CVE-2023-5710 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-12-07
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_constants() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it po…
- CVE-2023-5711 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-12-07
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_php_info() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it pos…
- CVE-2023-5712 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-12-07
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_global_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it…
- CVE-2023-5713 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-12-07
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_option_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it…
- CVE-2023-5714 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-12-07
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it pos…
- CVE-2023-5737 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-11-27
The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings.
- CVE-2023-5862 | LOW | CVSS 3.3 | EG 5.1 | 2023-10-31
Missing Authorization in GitHub repository hamza417/inure prior to Build95.
- CVE-2023-5877 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-01-01
The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to its affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrar…
- CVE-2023-5900 | LOW | CVSS 3.5 | EG 5.4 | 2023-11-07
Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16.
- CVE-2023-5905 | HIGH | CVSS 8.1 | EG 8.1 | 2024-01-15
The DeMomentSomTres WordPress Export Posts With Images WordPress plugin through 20220825 does not check authorization of requests to export the blog data, allowing any logged in user, such as subscribers to export the contents of the blog,…
- CVE-2023-5949 | HIGH | CVSS 7.5 | EG 7.5 | 2023-12-18
The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthorised users from accessing password-protected posts' content.
- CVE-2023-6001 | MEDIUM | CVSS 5.3 | EG 5.8 | 2023-11-08
Prometheus metrics are available without authentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment.
- CVE-2023-6007 | HIGH | CVSS 7.3 | EG 7.3 | 2023-11-22
The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible f…
- CVE-2023-6020 | HIGH | CVSS 7.5 | EG 7.5 | 2023-11-16
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.
- CVE-2023-6029 | HIGH | CVSS 7.5 | EG 7.5 | 2024-01-15
The EazyDocs WordPress plugin before 2.3.6 does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing unauthenticated users to delete arbitrary posts, as well a…
- CVE-2023-6038 | HIGH | CVSS 7.5 | EG 9.3 | 2023-11-16
A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the de…
- CVE-2023-6048 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-01-15
The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not prevent users with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when cert…
- CVE-2023-6066 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-01-15
The WP Custom Widget area WordPress plugin through 1.2.5 does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify m…
- CVE-2023-6158 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-01-10
The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evo_eventpost_update_meta function in all versions up t…
- CVE-2023-6279 | HIGH | CVSS 7.1 | EG 7.1 | 2024-01-29
The Woostify Sites Library WordPress plugin before 1.4.8 does not have an authorisation check in an AJAX action, allowing any authenticated user, such as a subscriber, to update arbitrary blog options and set them to 'activated', which could lead to D…
- CVE-2023-6325 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-05-23
The RomethemeForm For Elementor plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the export_entries, rtformnewform, and rtformupdate functions in all versions up to, an…
- CVE-2023-6327 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-05-14
The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the purchased_new_products function in all versions up to, and including, 2.8.7. This makes it possi…
- CVE-2023-6368 | MEDIUM | CVSS 5.9 | EG 5.9 | 2023-12-14
In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by…
- CVE-2023-6369 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-01-11
The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 2.1.9. This m…
- CVE-2023-6383 | HIGH | CVSS 7.5 | EG 7.5 | 2024-01-08
The Debug Log Manager WordPress plugin before 2.3.0 contains a directory listing vulnerability that allows the debug log to be downloaded without authorization, exposing sensitive data.
- CVE-2023-6394 | HIGH | CVSS 7.4 | EG 7.4 | 2023-12-09
A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secure…
- CVE-2023-6491 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-06-07
The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possibl…
- CVE-2023-6496 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-01-11
The Manage Notification E-mails plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.8.5 via the card_famne_export_settings function. This makes it possible for unauthenticated attackers to ob…
- CVE-2023-6504 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-01-11
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wppb_toolbox_usermeta_handler funct…
- CVE-2023-6554 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-01-11
When access to the "admin" folder is not protected by an external authorization mechanism, e.g. Apache Basic Auth, any user can download protected information such as exam answers.
- CVE-2023-6557 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-02-05
The The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2 via the route function hooked into wp_ajax_nopriv_tribe_dropdown. This makes it possible for unauthe…
- CVE-2023-6595 | HIGH | CVSS 7.5 | EG 7.5 | 2023-12-14
In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold.
- CVE-2023-6598 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-01-11
The SpeedyCache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the speedycache_save_varniship, speedycache_img_update_settings, speedycache_preloading_add_settings, and speedyca…
- CVE-2023-6600 | HIGH | CVSS 8.6 | EG 8.6 | 2024-01-03
The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked …
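Most of the WordPress entries on this page share one shape: an AJAX action or REST route that checks a nonce at most, never a capability, and then acts on any object on the site. The block below is an added example, not code from any plugin or advisory listed here. The `acme_` prefix, the action and nonce names and the `acme_doc` post type are made up for illustration, and the code assumes it is loaded as a WordPress plugin so that `add_action()`, `check_ajax_referer()`, `current_user_can()`, `wp_send_json_*()` and the REST API functions exist. It puts the vulnerable handler beside a hardened one and spells out the three separate checks, including why a valid nonce on its own (the Limit Login Attempts Reloaded entry) is not authorization and why scoping to the plugin's own objects matters (the EazyDocs and Templately entries).

```php
<?php
/*
 * Added example (not code from any plugin on this page). Shows the recurring
 * CWE-862 shape in the WordPress entries above: an AJAX action and a REST
 * route with no capability check, beside hardened versions. Names with the
 * acme_ prefix and the 'acme_doc' post type are assumptions. Runs only inside
 * WordPress, where the functions used here are defined.
 */

// ---- Vulnerable: what most of the listed advisories describe ----------------

// Registered for logged-in AND anonymous callers (wp_ajax_nopriv_), and the
// handler never asks who is calling or whether they may delete this post.
add_action( 'wp_ajax_acme_delete_doc',        'acme_delete_doc_vulnerable' );
add_action( 'wp_ajax_nopriv_acme_delete_doc', 'acme_delete_doc_vulnerable' );

function acme_delete_doc_vulnerable() {
    $post_id = (int) ( $_POST['post_id'] ?? 0 );
    wp_delete_post( $post_id, true );   // any post on the site, by anyone
    wp_send_json_success();
}

// The REST equivalent: a permission_callback that accepts everyone
// (cf. the Templately 'saved-templates/delete' entry above).
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/docs/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'acme_rest_delete_doc',
        'permission_callback' => '__return_true',
    ) );
} );

// ---- Hardened ---------------------------------------------------------------

// No wp_ajax_nopriv_ hook: admin-ajax.php answers anonymous requests for this
// action with "0" and HTTP 400 before the handler is reached.
add_action( 'wp_ajax_acme_delete_doc_safe', 'acme_delete_doc_hardened' );

function acme_delete_doc_hardened() {
    // 1. CSRF: the request must carry a nonce minted with
    //    wp_create_nonce( 'acme_delete_doc' ), by default in _ajax_nonce.
    //    A nonce proves the request came from a page WP rendered for this
    //    user; it says nothing about what the user may do (cf. the Limit
    //    Login Attempts entry, where a valid nonce was the only gate).
    check_ajax_referer( 'acme_delete_doc', '_ajax_nonce' );

    $post_id = (int) ( $_POST['post_id'] ?? 0 );

    // 2. Authorization: delete_post is a meta-capability, so core also checks
    //    ownership (authors may delete their own docs, not other users').
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );   // exits
    }

    // 3. Object scoping: only touch the plugin's own objects (cf. the EazyDocs
    //    entry, which deleted arbitrary posts because this was missing).
    if ( get_post_type( $post_id ) !== 'acme_doc' ) {
        wp_send_json_error( 'not a document', 400 );   // exits
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// REST variant: authorization belongs in permission_callback. When it returns
// false, core answers 401 (anonymous) or 403 (logged in) and never runs the
// callback. Cookie-authenticated REST requests must carry a valid X-WP-Nonce
// (or _wpnonce) or core treats the caller as anonymous, so CSRF is covered
// without a separate check_ajax_referer() call.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/docs-safe/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'acme_rest_delete_doc',
        'permission_callback' => function ( WP_REST_Request $req ) {
            $id = (int) $req['id'];
            return $id > 0
                && get_post_type( $id ) === 'acme_doc'
                && current_user_can( 'delete_post', $id );
        },
        'args' => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
    ) );
} );

function acme_rest_delete_doc( WP_REST_Request $req ) {
    wp_delete_post( (int) $req['id'], true );
    return new WP_REST_Response( array( 'deleted' => true ), 200 );
}
```

To verify a fix of this kind, exercise each endpoint three ways: anonymously, as a Subscriber with a freshly minted nonce, and as a user who owns the target object. The hardened AJAX action should return 400 to the first, 403 to the second and succeed only for the third; the hardened REST route should return 401, 403 and 200 respectively. An endpoint that passes the first test but not the second has a CSRF check where it needs an authorization check, which is exactly the gap most of the entries above describe.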
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.