CWE-862 — Missing Authorization
7,997 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-862 (page 99 of 160)
- CVE-2025-14441 | MEDIUM | CVSS 4.3 | EG 5.3 | 2026-01-06
The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_c…
- CVE-2025-14446 | MEDIUM | CVSS 5.4 | EG 6.5 | 2025-12-13
The Popup Builder (Easy Notify Lite) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the easynotify_cp_reset() function in all versions up to, and including, 1.1.37. This makes i…
- CVE-2025-14447 | MEDIUM | CVSS 4.3 | EG 5.3 | 2025-12-13
The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all versions up to, and including, 4.7.0. This makes it possible …
- CVE-2025-14450 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-01-17
The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, …
- CVE-2025-14455 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-12-19
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not properly verifying that a user is authorized to perform actions …
- CVE-2025-14457 | LOW | CVSS 3.7 | EG 3.7 | 2026-01-15
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and inc…
- CVE-2025-14460 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-07
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endp…
- CVE-2025-14461 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-02-04
The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xe…
- CVE-2025-14463 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-17
The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order…
- CVE-2025-14481 | MEDIUM | CVSS 4.3 | EG 4.3 | 2026-05-27
The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify pos…
- CVE-2025-14482 | MEDIUM | CVSS 4.3 | EG 4.3 | 2026-01-14
The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7.…
- CVE-2025-14508 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-12-13
The MediaCommander – Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.…
- CVE-2025-14540 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-12-13
The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attac…
- CVE-2025-14573 | LOW | CVSS 3.8 | EG 3.8 | 2026-02-16
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Matterm…
- CVE-2025-14581 | MEDIUM | CVSS 4.3 | EG 5.3 | 2025-12-13
The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it pos…
- CVE-2025-14592 | LOW | CVSS 3.7 | EG 3.7 | 2026-02-11
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform unauthorized opera…
- CVE-2025-14608 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-02-14
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata …
- CVE-2025-14609 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-24
The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possib…
- CVE-2025-14618 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-12-18
The Sweet Energy Efficiency plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the 'sweet_energy_efficiency_action' AJAX handler in all versions up to, and includi…
- CVE-2025-14629 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-24
The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthen…
- CVE-2025-14633 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-12-20
The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unau…
- CVE-2025-14657 | HIGH | CVSS 7.2 | EG 7.2 | 2026-01-09
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to…
- CVE-2025-14718 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-01-09
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perfor…
- CVE-2025-14720 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-09
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it pos…
- CVE-2025-14741 | CRITICAL | CVSS 9.1 | EG 9.1 | 2026-01-09
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization leading to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and includ…
- CVE-2025-14755 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-05-13
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator…
- CVE-2025-14757 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-16
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete…
- CVE-2025-14782 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-09
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the …
- CVE-2025-14798 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-20
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attacke…
- CVE-2025-1481 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-03-08
The Shortcode Cleaner Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_backup() function in all versions up to, and including, 1.0.9. This makes it possible for authen…
- CVE-2025-14817 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-12-17
The component com.transsion.tranfacmode.entrance.main.MainActivity in com.transsion.tranfacmode has no permission control and can be accessed by third-party apps which can construct intents to directly open adb debugging functionality with…
- CVE-2025-1483 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-02-20
The LTL Freight Quotes – GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.…
- CVE-2025-14843 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-24
The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'hand…
- CVE-2025-14854 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-01-14
The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.…
- CVE-2025-14864 | MEDIUM | CVSS 4.3 | EG 4.3 | 2026-02-19
The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is h…
- CVE-2025-14880 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-14
The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it …
- CVE-2025-14886 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-09
The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible f…
- CVE-2025-14895 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-02-10
The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. Th…
- CVE-2025-14901 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-01-07
The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic fl…
- CVE-2025-14913 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-12-26
The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions u…
- CVE-2025-14944 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-04-07
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verifi…
- CVE-2025-14947 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-01-23
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_call…
- CVE-2025-14948 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-10
The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions …
- CVE-2025-14971 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-27
The Link Invoice Payment for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the createPartialPayment and cancelPartialPayment functions in all versions up to, and in…
- CVE-2025-14978 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-01-20
The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ConvesioPay web…
- CVE-2025-14982 | MEDIUM | CVSS 4.3 | EG 4.3 | 2026-01-16
The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-…
- CVE-2025-1502 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-03-01
The IP2Location Redirection plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'download_ip2location_redirection_backup' AJAX action in all versions up to, and including, 1.33.3. This…
- CVE-2025-1504 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-03-08
The Post Lockdown plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.0.2 via the 'pl_autocomplete' AJAX action due to insufficient restrictions on which posts can be included. This makes it p…
- CVE-2025-15041 | HIGH | CVSS 7.2 | EG 7.2 | 2026-02-19
The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all ve…
- CVE-2025-15043 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-01-20
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.1…
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.