Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14623 vulnerabilities reference this CWE, most recent first.

GHSA-V2V2-F783-358J

Vulnerability from github – Published: 2026-03-31 23:50 – Updated: 2026-04-06 17:34
VLAI
Summary
OpenClaw: Zalo channel downloads media before sender authorization
Details

Summary

The Zalo image path fetched and stored inbound media before the DM/pairing authorization checks ran.

Impact

Unauthorized senders could force network fetches and disk writes in the inbound media store even when the message itself was rejected.

Affected Component

extensions/zalo/src/monitor.ts

Fixed Versions

  • Affected: <= 2026.3.24
  • Patched: >= 2026.3.28
  • Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit 68ceaf7a5f (zalo: gate image downloads before DM auth).

OpenClaw thanks @AntAISecurityLab for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:50:44Z",
    "nvd_published_at": "2026-03-31T15:16:14Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe Zalo image path fetched and stored inbound media before the DM/pairing authorization checks ran.\n\n## Impact\n\nUnauthorized senders could force network fetches and disk writes in the inbound media store even when the message itself was rejected.\n\n## Affected Component\n\n`extensions/zalo/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `\u003c= 2026.3.24`\n- Patched: `\u003e= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `68ceaf7a5f` (`zalo: gate image downloads before DM auth`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
  "id": "GHSA-v2v2-f783-358j",
  "modified": "2026-04-06T17:34:34Z",
  "published": "2026-03-31T23:50:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v2v2-f783-358j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33576"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/68ceaf7a5f64a23e78b95eff055e4b497218312a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-unauthorized-media-download-via-zalo-channel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Zalo channel downloads media before sender authorization"
}

GHSA-V2V7-46GC-C2GH

Vulnerability from github – Published: 2023-06-28 18:30 – Updated: 2024-04-04 05:15
VLAI
Details

In requestAppKeyboardShortcuts of WindowManagerService.java, there is a possible way to infer the app a user is interacting with due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-273906410

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21177"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-28T18:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In requestAppKeyboardShortcuts of WindowManagerService.java, there is a possible way to infer the app a user is interacting with due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-273906410",
  "id": "GHSA-v2v7-46gc-c2gh",
  "modified": "2024-04-04T05:15:07Z",
  "published": "2023-06-28T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21177"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2023-06-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2W8-R4GC-FV4C

Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2025-04-20 03:32
VLAI
Details

A vulnerability in the Start Before Logon (SBL) module of Cisco AnyConnect Secure Mobility Client Software for Windows could allow an unauthenticated, local attacker to open Internet Explorer with the privileges of the SYSTEM user. The vulnerability is due to insufficient implementation of the access controls. An attacker could exploit this vulnerability by opening the Internet Explorer browser. An exploit could allow the attacker to use Internet Explorer with the privileges of the SYSTEM user. This may allow the attacker to execute privileged commands on the targeted system. This vulnerability affects versions prior to released versions 4.4.00243 and later and 4.3.05017 and later. Cisco Bug IDs: CSCvc43976.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-09T17:59:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Start Before Logon (SBL) module of Cisco AnyConnect Secure Mobility Client Software for Windows could allow an unauthenticated, local attacker to open Internet Explorer with the privileges of the SYSTEM user. The vulnerability is due to insufficient implementation of the access controls. An attacker could exploit this vulnerability by opening the Internet Explorer browser. An exploit could allow the attacker to use Internet Explorer with the privileges of the SYSTEM user. This may allow the attacker to execute privileged commands on the targeted system. This vulnerability affects versions prior to released versions 4.4.00243 and later and 4.3.05017 and later. Cisco Bug IDs: CSCvc43976.",
  "id": "GHSA-v2w8-r4gc-fv4c",
  "modified": "2025-04-20T03:32:39Z",
  "published": "2022-05-13T01:45:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3813"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-anyconnect"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/41476"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96145"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037796"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2W9-CQF4-GVP2

Vulnerability from github – Published: 2026-05-14 09:31 – Updated: 2026-05-14 09:31
VLAI
Details

The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T09:16:26Z",
    "severity": "MODERATE"
  },
  "details": "The User Registration \u0026 Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the is_admin_creation_process() method relying solely on the presence of action=createuser in the $_REQUEST superglobal without performing any authentication or capability check. This makes it possible for unauthenticated attackers to bypass the admin approval requirement when registering new accounts via the fallback submission path.",
  "id": "GHSA-v2w9-cqf4-gvp2",
  "modified": "2026-05-14T09:31:29Z",
  "published": "2026-05-14T09:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6145"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3516468/user-registration/trunk/includes/class-ur-user-approval.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6b349f2-24c9-4921-bb5f-a7726ebc5c2a?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2X8-7QJ6-PC6F

Vulnerability from github – Published: 2025-05-07 06:30 – Updated: 2025-05-07 06:30
VLAI
Details

The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP address to the plugin allowlist. This can only by exploited on new installations where the site administrator hasn't visited the loginlockdown page yet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-07T05:15:48Z",
    "severity": "MODERATE"
  },
  "details": "The Login Lockdown \u0026 Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP address to the plugin allowlist. This can only by exploited on new installations where the site administrator hasn\u0027t visited the loginlockdown page yet.",
  "id": "GHSA-v2x8-7qj6-pc6f",
  "modified": "2025-05-07T06:30:33Z",
  "published": "2025-05-07T06:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3766"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/login-lockdown/trunk/libs/ajax.php#L17"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3286814/login-lockdown"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac9a3848-f486-475b-b2c7-ea1007bb30d3?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V33R-R6H2-8WR7

Vulnerability from github – Published: 2026-03-04 20:43 – Updated: 2026-03-06 15:17
VLAI
Summary
Kimai's API invoice endpoint missing customer-level access control (IDOR)
Details

Summary

GET /api/invoices/{id} only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams.

Affected Code

src/API/InvoiceController.php line 92-101:

#[IsGranted('view_invoice')]           // Role check only, no customer access check
#[Route(methods: ['GET'], path: '/{id}', name: 'get_invoice', requirements: ['id' => '\d+'])]
public function getAction(Invoice $invoice): Response
{
    $view = new View($invoice, 200);
    $view->getContext()->setGroups(self::GROUPS_ENTITY);
    return $this->viewHandler->handle($view);  // Returns ANY invoice by ID
}

The web controller (src/Controller/InvoiceController.php line 304-307) correctly checks customer access:

#[IsGranted('view_invoice')]
#[IsGranted(new Expression("is_granted('access', subject.getCustomer())"), 'invoice')]
public function downloadAction(Invoice $invoice, ...): Response { ... }

The access attribute in CustomerVoter (line 71-87) verifies team membership, but this check is entirely missing from the API endpoint.

PoC

Tested against Kimai v2.50.0 (Docker: kimai/kimai2:apache).

Setup: - TeamA with CustomerA ("SecretCorp"), TeamB with CustomerB ("BobCorp") - Bob is a teamlead in TeamB only - An invoice exists for SecretCorp (TeamA)

# Bob (TeamB) reads SecretCorp (TeamA) invoice
curl -H "Authorization: Bearer BOB_TOKEN" http://localhost:8888/api/invoices/1

Response (200 OK):

{
  "invoiceNumber": "INV-2026-001",
  "total": 15000.0,
  "currency": "USD",
  "customer": {"name": "SecretCorp", ...}
}

Bob can also enumerate all invoices via GET /api/invoices — the list endpoint uses setCurrentUser() in the query but the single-item endpoint bypasses this entirely via Symfony ParamConverter.

Impact

Any teamlead can read all invoices across the system regardless of team assignment. Invoice data typically contains sensitive financial information (amounts, customer details, payment terms). In multi-team deployments this breaks the intended data isolation between teams.

Suggested Fix

Add the customer access check to the API endpoint, matching the web controller:

 #[IsGranted('view_invoice')]
+#[IsGranted(new Expression("is_granted('access', subject.getCustomer())"), 'invoice')]
 #[Route(methods: ['GET'], path: '/{id}', name: 'get_invoice')]
 public function getAction(Invoice $invoice): Response
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.50.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.51.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28685"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T20:43:17Z",
    "nvd_published_at": "2026-03-06T05:16:38Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`GET /api/invoices/{id}` only checks the role-based `view_invoice` permission but does not verify the requesting user has `access` to the invoice\u0027s customer. Any user with `ROLE_TEAMLEAD` (which grants `view_invoice`) can read all invoices in the system, including those belonging to customers assigned to other teams.\n\n## Affected Code\n\n`src/API/InvoiceController.php` line 92-101:\n\n```php\n#[IsGranted(\u0027view_invoice\u0027)]           // Role check only, no customer access check\n#[Route(methods: [\u0027GET\u0027], path: \u0027/{id}\u0027, name: \u0027get_invoice\u0027, requirements: [\u0027id\u0027 =\u003e \u0027\\d+\u0027])]\npublic function getAction(Invoice $invoice): Response\n{\n    $view = new View($invoice, 200);\n    $view-\u003egetContext()-\u003esetGroups(self::GROUPS_ENTITY);\n    return $this-\u003eviewHandler-\u003ehandle($view);  // Returns ANY invoice by ID\n}\n```\n\nThe web controller (`src/Controller/InvoiceController.php` line 304-307) correctly checks customer access:\n\n```php\n#[IsGranted(\u0027view_invoice\u0027)]\n#[IsGranted(new Expression(\"is_granted(\u0027access\u0027, subject.getCustomer())\"), \u0027invoice\u0027)]\npublic function downloadAction(Invoice $invoice, ...): Response { ... }\n```\n\nThe `access` attribute in `CustomerVoter` (line 71-87) verifies team membership, but this check is entirely missing from the API endpoint.\n\n## PoC\n\nTested against Kimai v2.50.0 (Docker: `kimai/kimai2:apache`).\n\nSetup:\n- TeamA with CustomerA (\"SecretCorp\"), TeamB with CustomerB (\"BobCorp\")\n- Bob is a teamlead in TeamB only\n- An invoice exists for SecretCorp (TeamA)\n\n```bash\n# Bob (TeamB) reads SecretCorp (TeamA) invoice\ncurl -H \"Authorization: Bearer BOB_TOKEN\" http://localhost:8888/api/invoices/1\n```\n\nResponse (200 OK):\n```json\n{\n  \"invoiceNumber\": \"INV-2026-001\",\n  \"total\": 15000.0,\n  \"currency\": \"USD\",\n  \"customer\": {\"name\": \"SecretCorp\", ...}\n}\n```\n\nBob can also enumerate all invoices via `GET /api/invoices` \u2014 the list endpoint uses `setCurrentUser()` in the query but the single-item endpoint bypasses this entirely via Symfony ParamConverter.\n\n## Impact\n\nAny teamlead can read all invoices across the system regardless of team assignment. Invoice data typically contains sensitive financial information (amounts, customer details, payment terms). In multi-team deployments this breaks the intended data isolation between teams.\n\n## Suggested Fix\n\nAdd the customer access check to the API endpoint, matching the web controller:\n\n```diff\n #[IsGranted(\u0027view_invoice\u0027)]\n+#[IsGranted(new Expression(\"is_granted(\u0027access\u0027, subject.getCustomer())\"), \u0027invoice\u0027)]\n #[Route(methods: [\u0027GET\u0027], path: \u0027/{id}\u0027, name: \u0027get_invoice\u0027)]\n public function getAction(Invoice $invoice): Response\n```",
  "id": "GHSA-v33r-r6h2-8wr7",
  "modified": "2026-03-06T15:17:08Z",
  "published": "2026-03-04T20:43:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28685"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/releases/tag/2.51.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Kimai\u0027s API invoice endpoint missing customer-level access control (IDOR)"
}

GHSA-V364-6887-93GF

Vulnerability from github – Published: 2024-10-30 00:31 – Updated: 2026-04-01 18:32
VLAI
Details

Missing Authorization vulnerability in Templately allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Templately: from n/a through 3.1.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50423"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T22:15:04Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Templately allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Templately: from n/a through 3.1.5.",
  "id": "GHSA-v364-6887-93gf",
  "modified": "2026-04-01T18:32:14Z",
  "published": "2024-10-30T00:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50423"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/templately/vulnerability/wordpress-templately-plugin-3-1-5-broken-access-control-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/templately/wordpress-templately-plugin-3-1-5-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V36C-X4C4-8WX6

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-25 00:31
VLAI
Details

Missing Authorization vulnerability in soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Plugin BlueX for WooCommerce: from n/a through <= 3.1.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T16:22:07Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Plugin BlueX for WooCommerce: from n/a through \u003c= 3.1.6.",
  "id": "GHSA-v36c-x4c4-8wx6",
  "modified": "2026-02-25T00:31:21Z",
  "published": "2026-02-20T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68022"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/bluex-for-woocommerce/vulnerability/wordpress-plugin-bluex-for-woocommerce-plugin-3-1-4-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V36X-3FMP-47FP

Vulnerability from github – Published: 2025-06-05 12:31 – Updated: 2025-06-05 12:31
VLAI
Details

The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5701"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-05T12:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.",
  "id": "GHSA-v36x-3fmp-47fp",
  "modified": "2025-06-05T12:31:10Z",
  "published": "2025-06-05T12:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5701"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hypercomments/trunk/hypercomments.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07fd6bee-5b00-4fc1-9f7a-3857fd35c763?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V383-2WGG-V483

Vulnerability from github – Published: 2026-06-16 21:32 – Updated: 2026-06-18 13:03
VLAI
Summary
Duplicate Advisory: Shell inline-command parsing could miss an allowlist check
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-f397-5vjw-v2c2. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2026.5.10-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:03:41Z",
    "nvd_published_at": "2026-06-16T19:17:05Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of\u00a0GHSA-f397-5vjw-v2c2. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts.",
  "id": "GHSA-v383-2wgg-v483",
  "modified": "2026-06-18T13:03:41Z",
  "published": "2026-06-16T21:32:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f397-5vjw-v2c2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53866"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-in-shell-inline-command-parsing"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: Shell inline-command parsing could miss an allowlist check",
  "withdrawn": "2026-06-18T13:03:41Z"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.