Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14622 vulnerabilities reference this CWE, most recent first.

GHSA-V5HR-3XCH-9H65

Vulnerability from github – Published: 2025-04-17 18:31 – Updated: 2026-04-01 18:34
VLAI
Details

Missing Authorization vulnerability in The Right Software WooCommerce Loyal Customers allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WooCommerce Loyal Customers: from n/a through 2.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-17T16:15:42Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in The Right Software WooCommerce Loyal Customers allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WooCommerce Loyal Customers: from n/a through 2.6.",
  "id": "GHSA-v5hr-3xch-9h65",
  "modified": "2026-04-01T18:34:49Z",
  "published": "2025-04-17T18:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32544"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/woocommerce-loyal-customer/vulnerability/wordpress-woocommerce-loyal-customers-plugin-2-6-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5J6-5FX7-X2HP

Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2026-01-20 15:32
VLAI
Details

Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce order-delivery-date-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Delivery Date for WooCommerce: from n/a through <= 4.3.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-63024"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T16:18:07Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce order-delivery-date-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Delivery Date for WooCommerce: from n/a through \u003c= 4.3.1.",
  "id": "GHSA-v5j6-5fx7-x2hp",
  "modified": "2026-01-20T15:32:03Z",
  "published": "2025-12-09T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63024"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/order-delivery-date-for-woocommerce/vulnerability/wordpress-order-delivery-date-for-woocommerce-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/order-delivery-date-for-woocommerce/vulnerability/wordpress-order-delivery-date-for-woocommerce-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5J9-4C4G-M94F

Vulnerability from github – Published: 2025-11-25 09:31 – Updated: 2026-04-08 21:33
VLAI
Details

The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptb_delete_custom_taxonomy() function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary custom taxonomies.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-25T08:15:51Z",
    "severity": "MODERATE"
  },
  "details": "The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptb_delete_custom_taxonomy() function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary custom taxonomies.",
  "id": "GHSA-v5j9-4c4g-m94f",
  "modified": "2026-04-08T21:33:08Z",
  "published": "2025-11-25T09:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13405"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ace-post-type-builder/tags/1.9/includes/class-cptb-core.php#L400"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ace-post-type-builder/trunk/includes/class-cptb-core.php#L400"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3412781"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b56cef33-057b-4c40-945f-68306597b00b?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5JP-594G-37V3

Vulnerability from github – Published: 2023-11-22 18:30 – Updated: 2023-11-22 18:30
VLAI
Details

The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6007"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-22T16:15:15Z",
    "severity": "HIGH"
  },
  "details": "The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.",
  "id": "GHSA-v5jp-594g-37v3",
  "modified": "2023-11-22T18:30:56Z",
  "published": "2023-11-22T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6007"
    },
    {
      "type": "WEB",
      "url": "https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c4f8798-c0f9-4d05-808e-375864a0ad95?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5JP-HVCV-P53F

Vulnerability from github – Published: 2025-01-02 12:32 – Updated: 2026-04-28 21:35
VLAI
Details

Missing Authorization vulnerability in David Cramer My Shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Shortcodes: from n/a through 2.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46632"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-02T12:15:13Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in David Cramer My Shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Shortcodes: from n/a through 2.3.",
  "id": "GHSA-v5jp-hvcv-p53f",
  "modified": "2026-04-28T21:35:29Z",
  "published": "2025-01-02T12:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46632"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/my-shortcodes/vulnerability/wordpress-my-shortcodes-plugin-2-3-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5MH-H5HX-7V92

Vulnerability from github – Published: 2026-05-06 21:52 – Updated: 2026-05-06 21:52
VLAI
Summary
kube-router: GoBGP gRPC Admin Port Exposed on Node Primary IP Without Authentication, Allowing Cluster-Wide BGP Route Injection
Details

Summary

When the kube-router routing controller starts (--run-router), it binds the GoBGP gRPC management server to the node's primary IP (e.g., 192.168.1.10:50051) in addition to 127.0.0.1:50051. The default admin port is 50051 and the server is enabled by default with no TLS and no authentication. Any pod in the cluster can reach node IPs and therefore call the GoBGP gRPC API to inject arbitrary BGP routes, enumerate peer configurations, add unauthorized BGP neighbors, or withdraw legitimate routes. While kube-router's BGP export policy of ROUTE_ACTION_REJECT limits the attack surface to the local node's GoBGP RIB, an attacker can still impact local routing decisions.

Details

The gRPC server is started unconditionally when --run-router is active. In pkg/controllers/routing/network_routes_controller.go, the startBgpServer(true) call at line 365 passes grpcServer=true, and the binding logic at lines 1057–1061 is:

// pkg/controllers/routing/network_routes_controller.go:1057-1061
if grpcServer && nrc.goBGPAdminPort != 0 {
    nrc.bgpServer = gobgp.NewBgpServer(
        gobgp.GrpcListenAddress(net.JoinHostPort(nrc.krNode.GetPrimaryNodeIP().String(),
            strconv.FormatUint(uint64(nrc.goBGPAdminPort), 10)) + "," +
            fmt.Sprintf("127.0.0.1:%d", nrc.goBGPAdminPort)))
}

The default admin port is defined in pkg/options/options.go:

// pkg/options/options.go:16
defaultGoBGPAdminPort uint16 = 50051

No gobgp.GrpcOption is passed, meaning the gRPC server is started with no TLS credentials and no authentication interceptor. The GoBGP gRPC API (gobgpapi) exposes write-capable RPCs:

  • AddPath / DeletePath — inject or withdraw arbitrary BGP routes
  • AddPeer / DeletePeer / UpdatePeer — add/remove/modify BGP neighbors
  • AddPolicy / DeletePolicy — modify BGP routing policies
  • ListPeer / ListPath — enumerate all BGP peer configs and routing table entries

kube-router runs as a DaemonSet with hostNetwork: true. This means the gRPC server is reachable at <node-primary-ip>:50051 from any pod in the cluster — pod-to-node-IP connectivity is guaranteed by any Kubernetes-conformant CNI. The kube-router documentation in docs/pod-toolbox.md explicitly demonstrates cross-node usage: "To query a different node use gobgp --host node02.mydomain" — confirming the port is reachable across the cluster, but providing no guidance on restricting access.

PoC

From any pod running in the cluster:

Step 1 — Discover a node IP:

# Using the Kubernetes API (available to all pods via service account)
curl -s -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  https://kubernetes.default.svc/api/v1/nodes \
  --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
  | grep -o '"internalIP":"[^"]*"' | head -1
# Expected output: "internalIP":"192.168.1.10"

Step 2 — Connect to the GoBGP gRPC API and inject a blackhole route:

# Install gobgp CLI (already available in kube-router image, or pull separately)
gobgp --host 192.168.1.10:50051 global rib add -a ipv4 10.96.0.0/12 nexthop blackhole
# Expected output: (no error — route accepted into the local GoBGP RIB)

Step 3 — Verify route propagated to BGP table:

gobgp --host 192.168.1.10:50051 global rib -a ipv4
# Expected output: shows 10.96.0.0/12 blackhole route in the local RIB
# This route does NOT propagate to peers or get added to the kernel routing table.

Step 4 — Enumerate BGP peer configurations:

gobgp --host 192.168.1.10:50051 neighbor
# Expected output: lists all configured BGP peers, their ASNs,
# session state, and configuration — without any Kubernetes credentials

Impact

  • BGP route injection: An attacker with a pod in the cluster can inject arbitrary routes into a node's local BGP RIB. While these routes are not propagated to the rest of the cluster or injected into the kernel's routing table, this allows an attacker to pollute the BGP state on a node and could be combined with misconfigurations/other vulnerabilities for additional exploits (e.g. if the ROUTE_ACTION_REJECT policy set in kube-router was ever changed/relaxed)
  • BGP peer enumeration: All BGP neighbor configurations, including remote ASNs and session metadata, are accessible without authentication.
  • BGP peer manipulation: Unauthorized BGP peers can be added, and are persisted until manually removed. Legitimate peer configurations can be removed temporarily, though they are automatically restored each sync tick.)
  • Routing policy modification: BGP import/export policies can be modified within the local RIB

The blast radius is cluster-wide: a single successful AddPath call on one node affects all pods' network connectivity through iBGP propagation.

Recommended Fix

The gRPC server should not be bound to the node's primary IP by default. Options in order of preference:

  1. Bind to localhost only (minimal change, immediate security improvement):
// pkg/controllers/routing/network_routes_controller.go:1057-1061
if grpcServer && nrc.goBGPAdminPort != 0 {
    nrc.bgpServer = gobgp.NewBgpServer(
        gobgp.GrpcListenAddress(fmt.Sprintf("127.0.0.1:%d", nrc.goBGPAdminPort)))
}
  1. Disable by default — change defaultGoBGPAdminPort from 50051 to 0, requiring operators to explicitly opt in with --gobgp-admin-port=50051 and accept responsibility for securing the port.

  2. Add mTLS authentication — pass gobgp.GrpcOption(grpc.Creds(...)) to require client certificates before allowing gRPC calls.

For users on affected versions, mitigation options include: - Set --gobgp-admin-port=0 to disable the gRPC server entirely - Add host-level iptables INPUT rules to block port 50051 from non-localhost sources - Apply Kubernetes NetworkPolicy (note: NodePort/host-network traffic bypasses NetworkPolicy in many CNI implementations)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.8.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cloudnativelabs/kube-router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T21:52:47Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nWhen the kube-router routing controller starts (`--run-router`), it binds the GoBGP gRPC management server to the node\u0027s primary IP (e.g., `192.168.1.10:50051`) in addition to `127.0.0.1:50051`. The default admin port is `50051` and the server is enabled by default with no TLS and no authentication. Any pod in the cluster can reach node IPs and therefore call the GoBGP gRPC API to inject arbitrary BGP routes, enumerate peer configurations, add unauthorized BGP neighbors, or withdraw legitimate routes. While kube-router\u0027s BGP export policy of `ROUTE_ACTION_REJECT` limits the attack surface to the local node\u0027s GoBGP RIB, an attacker can still impact local routing decisions.\n\n## Details\n\nThe gRPC server is started unconditionally when `--run-router` is active. In `pkg/controllers/routing/network_routes_controller.go`, the `startBgpServer(true)` call at line 365 passes `grpcServer=true`, and the binding logic at lines 1057\u20131061 is:\n\n```go\n// pkg/controllers/routing/network_routes_controller.go:1057-1061\nif grpcServer \u0026\u0026 nrc.goBGPAdminPort != 0 {\n    nrc.bgpServer = gobgp.NewBgpServer(\n        gobgp.GrpcListenAddress(net.JoinHostPort(nrc.krNode.GetPrimaryNodeIP().String(),\n            strconv.FormatUint(uint64(nrc.goBGPAdminPort), 10)) + \",\" +\n            fmt.Sprintf(\"127.0.0.1:%d\", nrc.goBGPAdminPort)))\n}\n```\n\nThe default admin port is defined in `pkg/options/options.go`:\n\n```go\n// pkg/options/options.go:16\ndefaultGoBGPAdminPort uint16 = 50051\n```\n\nNo `gobgp.GrpcOption` is passed, meaning the gRPC server is started with no TLS credentials and no authentication interceptor. The GoBGP gRPC API (`gobgpapi`) exposes write-capable RPCs:\n\n- `AddPath` / `DeletePath` \u2014 inject or withdraw arbitrary BGP routes\n- `AddPeer` / `DeletePeer` / `UpdatePeer` \u2014 add/remove/modify BGP neighbors\n- `AddPolicy` / `DeletePolicy` \u2014 modify BGP routing policies\n- `ListPeer` / `ListPath` \u2014 enumerate all BGP peer configs and routing table entries\n\nkube-router runs as a DaemonSet with `hostNetwork: true`. This means the gRPC server is reachable at `\u003cnode-primary-ip\u003e:50051` from any pod in the cluster \u2014 pod-to-node-IP connectivity is guaranteed by any Kubernetes-conformant CNI. The kube-router documentation in `docs/pod-toolbox.md` explicitly demonstrates cross-node usage: \"To query a different node use `gobgp --host node02.mydomain`\" \u2014 confirming the port is reachable across the cluster, but providing no guidance on restricting access.\n\n## PoC\n\nFrom any pod running in the cluster:\n\n**Step 1 \u2014 Discover a node IP:**\n```bash\n# Using the Kubernetes API (available to all pods via service account)\ncurl -s -H \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" \\\n  https://kubernetes.default.svc/api/v1/nodes \\\n  --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \\\n  | grep -o \u0027\"internalIP\":\"[^\"]*\"\u0027 | head -1\n# Expected output: \"internalIP\":\"192.168.1.10\"\n```\n\n**Step 2 \u2014 Connect to the GoBGP gRPC API and inject a blackhole route:**\n```bash\n# Install gobgp CLI (already available in kube-router image, or pull separately)\ngobgp --host 192.168.1.10:50051 global rib add -a ipv4 10.96.0.0/12 nexthop blackhole\n# Expected output: (no error \u2014 route accepted into the local GoBGP RIB)\n```\n\n**Step 3 \u2014 Verify route propagated to BGP table:**\n```bash\ngobgp --host 192.168.1.10:50051 global rib -a ipv4\n# Expected output: shows 10.96.0.0/12 blackhole route in the local RIB\n# This route does NOT propagate to peers or get added to the kernel routing table.\n```\n\n**Step 4 \u2014 Enumerate BGP peer configurations:**\n```bash\ngobgp --host 192.168.1.10:50051 neighbor\n# Expected output: lists all configured BGP peers, their ASNs,\n# session state, and configuration \u2014 without any Kubernetes credentials\n```\n\n## Impact\n\n- **BGP route injection**: An attacker with a pod in the cluster can inject arbitrary routes into a node\u0027s local BGP RIB. While these routes are not propagated to the rest of the cluster or injected into the kernel\u0027s routing table, this allows an attacker to pollute the BGP state on a node and could be combined with misconfigurations/other vulnerabilities for additional exploits (e.g. if the `ROUTE_ACTION_REJECT` policy set in kube-router was ever changed/relaxed)\n- **BGP peer enumeration**: All BGP neighbor configurations, including remote ASNs and session metadata, are accessible without authentication.\n- **BGP peer manipulation**: Unauthorized BGP peers can be added, and are persisted until manually removed. Legitimate peer configurations can be removed temporarily, though they are automatically restored each sync tick.) \n- **Routing policy modification**: BGP import/export policies can be modified within the local RIB\n\nThe blast radius is cluster-wide: a single successful `AddPath` call on one node affects all pods\u0027 network connectivity through iBGP propagation.\n\n## Recommended Fix\n\nThe gRPC server should not be bound to the node\u0027s primary IP by default. Options in order of preference:\n\n1. **Bind to localhost only** (minimal change, immediate security improvement):\n```go\n// pkg/controllers/routing/network_routes_controller.go:1057-1061\nif grpcServer \u0026\u0026 nrc.goBGPAdminPort != 0 {\n    nrc.bgpServer = gobgp.NewBgpServer(\n        gobgp.GrpcListenAddress(fmt.Sprintf(\"127.0.0.1:%d\", nrc.goBGPAdminPort)))\n}\n```\n\n2. **Disable by default** \u2014 change `defaultGoBGPAdminPort` from `50051` to `0`, requiring operators to explicitly opt in with `--gobgp-admin-port=50051` and accept responsibility for securing the port.\n\n3. **Add mTLS authentication** \u2014 pass `gobgp.GrpcOption(grpc.Creds(...))` to require client certificates before allowing gRPC calls.\n\nFor users on affected versions, mitigation options include:\n- Set `--gobgp-admin-port=0` to disable the gRPC server entirely\n- Add host-level iptables INPUT rules to block port 50051 from non-localhost sources\n- Apply Kubernetes NetworkPolicy (note: NodePort/host-network traffic bypasses NetworkPolicy in many CNI implementations)",
  "id": "GHSA-v5mh-h5hx-7v92",
  "modified": "2026-05-06T21:52:47Z",
  "published": "2026-05-06T21:52:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudnativelabs/kube-router/security/advisories/GHSA-v5mh-h5hx-7v92"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudnativelabs/kube-router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "kube-router: GoBGP gRPC Admin Port Exposed on Node Primary IP Without Authentication, Allowing Cluster-Wide BGP Route Injection"
}

GHSA-V5MQ-3G8R-VP97

Vulnerability from github – Published: 2025-08-12 03:31 – Updated: 2025-08-12 03:31
VLAI
Details

Due to a missing authorization check in the ABAP Platform, an authenticated user with elevated privileges could bypass authorization restrictions for common transactions by leveraging the SQL Console. This could enable an attacker to access and read the contents of database tables without proper authorization, leading to a significant compromise of data confidentiality. However, the integrity and availability of the system remain unaffected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-42949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T03:15:27Z",
    "severity": "MODERATE"
  },
  "details": "Due to a missing authorization check in the ABAP Platform, an authenticated user with elevated privileges could bypass authorization restrictions for common transactions by leveraging the SQL Console. This could enable an attacker to access and read the contents of database tables without proper authorization, leading to a significant compromise of data confidentiality. However, the integrity and availability of the system remain unaffected.",
  "id": "GHSA-v5mq-3g8r-vp97",
  "modified": "2025-08-12T03:31:52Z",
  "published": "2025-08-12T03:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42949"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3626722"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5PW-5PRQ-Q5G5

Vulnerability from github – Published: 2025-01-25 09:30 – Updated: 2026-04-08 21:33
VLAI
Details

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the youzify_offer_banner() function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary site options to a value of one.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-25T08:15:08Z",
    "severity": "MODERATE"
  },
  "details": "The Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the youzify_offer_banner() function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary site options to a value of one.",
  "id": "GHSA-v5pw-5prq-q5g5",
  "modified": "2026-04-08T21:33:00Z",
  "published": "2025-01-25T09:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13368"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.2/includes/admin/core/functions/youzify-general-functions.php#L961"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.3/includes/admin/core/functions/youzify-general-functions.php#L951"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3257383/youzify/trunk?contextall=1\u0026old=3236422\u0026old_path=%2Fyouzify%2Ftrunk"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ad2abd5b-3067-4dcd-a650-b543fa03437b?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5Q7-3FH7-5GFF

Vulnerability from github – Published: 2025-02-04 15:31 – Updated: 2026-04-01 18:33
VLAI
Details

Missing Authorization vulnerability in EmbedPress Document Block – Upload & Embed Docs. This issue affects Document Block – Upload & Embed Docs: from n/a through 1.1.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-04T15:15:21Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in EmbedPress Document Block \u2013 Upload \u0026 Embed Docs. This issue affects Document Block \u2013 Upload \u0026 Embed Docs: from n/a through 1.1.0.",
  "id": "GHSA-v5q7-3fh7-5gff",
  "modified": "2026-04-01T18:33:33Z",
  "published": "2025-02-04T15:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22696"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/document/vulnerability/wordpress-document-block-upload-embed-docs-pdf-ppt-xls-or-any-documents-plugin-1-1-0-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5Q9-W576-R6PH

Vulnerability from github – Published: 2022-12-06 09:30 – Updated: 2022-12-07 21:30
VLAI
Details

In wlan driver, there is a possible missing permission check, This could lead to local information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-668",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-06T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In wlan driver, there is a possible missing permission check, This could lead to local information disclosure.",
  "id": "GHSA-v5q9-w576-r6ph",
  "modified": "2022-12-07T21:30:30Z",
  "published": "2022-12-06T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42766"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1599588060988411006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.