Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14606 vulnerabilities reference this CWE, most recent first.

GHSA-VMVQ-FH49-9M4Q

Vulnerability from github – Published: 2025-01-02 15:31 – Updated: 2025-01-02 15:31
VLAI
Details

Missing Authorization vulnerability in Galleryape Gallery Images Ape allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gallery Images Ape: from n/a through 2.2.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-02T15:15:17Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Galleryape Gallery Images Ape allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gallery Images Ape: from n/a through 2.2.8.",
  "id": "GHSA-vmvq-fh49-9m4q",
  "modified": "2025-01-02T15:31:58Z",
  "published": "2025-01-02T15:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41995"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/gallery-images-ape/vulnerability/wordpress-gallery-images-ape-plugin-2-2-8-auth-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMWX-8PMG-4MRR

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:34
VLAI
Details

The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated users such as subscriber to view draft, private or even password protected posts. It is also possible to leak the password of protected posts

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-20T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The WordPress Shortcodes Plugin \u2014 Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated users such as subscriber to view draft, private or even password protected posts. It is also possible to leak the password of protected posts",
  "id": "GHSA-vmwx-8pmg-4mrr",
  "modified": "2024-04-04T05:34:51Z",
  "published": "2023-07-06T19:24:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0890"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/8a466f15-f112-4527-8b02-4544a8032671"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMWX-M75V-QVCH

Vulnerability from github – Published: 2026-07-08 20:24 – Updated: 2026-07-08 20:24
VLAI
Summary
Sharp Missing Authorization Check in Quick Creation Command Endpoints
Details

Impact

The create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that entity, as long as it had a Quick Creation Command handler configured.

Patches

Yes. The fix is included in version 9.22.3. Users should upgrade to that version or later.

Workarounds

Remove or disable Quick Creation Command handlers (quickCreationCommandHandler()) on any entity list where unauthorized access is a concern, until an upgrade is possible.

Resources

PR #729

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "code16/sharp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.22.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-08T20:24:36Z",
    "nvd_published_at": "2026-06-10T22:17:01Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that entity, as long as it had a Quick Creation Command handler configured.\n\n### Patches\nYes. The fix is included in version 9.22.3. Users should upgrade to that version or later.\n\n### Workarounds\nRemove or disable Quick Creation Command handlers (quickCreationCommandHandler()) on any entity list where unauthorized access is a concern, until an upgrade is possible.\n\n### Resources\n[PR #729](https://github.com/code16/sharp/pull/729)",
  "id": "GHSA-vmwx-m75v-qvch",
  "modified": "2026-07-08T20:24:36Z",
  "published": "2026-07-08T20:24:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/code16/sharp/security/advisories/GHSA-vmwx-m75v-qvch"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53634"
    },
    {
      "type": "WEB",
      "url": "https://github.com/code16/sharp/pull/729"
    },
    {
      "type": "WEB",
      "url": "https://github.com/code16/sharp/commit/aa18a85fd8fef830988a336cad2278986729d21a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/code16/sharp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/code16/sharp/releases/tag/v9.22.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sharp Missing Authorization Check in Quick Creation Command Endpoints"
}

GHSA-VMX5-XFWF-9F82

Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30
VLAI
Details

Missing Authorization vulnerability in Wpmet WP Fundraising Donation and Crowdfunding Platform.This issue affects WP Fundraising Donation and Crowdfunding Platform: from n/a through 1.6.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T17:16:00Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Wpmet WP Fundraising Donation and Crowdfunding Platform.This issue affects WP Fundraising Donation and Crowdfunding Platform: from n/a through 1.6.4.",
  "id": "GHSA-vmx5-xfwf-9f82",
  "modified": "2024-06-11T18:30:50Z",
  "published": "2024-06-11T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34758"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wp-fundraising-donation/wordpress-fundengine-donation-and-crowdfunding-platform-plugin-1-6-4-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMX9-CF98-29XX

Vulnerability from github – Published: 2025-01-07 18:30 – Updated: 2026-04-28 21:35
VLAI
Details

Missing Authorization vulnerability in DearHive Social Media Share Buttons | MashShare.This issue affects Social Media Share Buttons | MashShare: from n/a through 4.0.47.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-07T17:15:32Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in DearHive Social Media Share Buttons | MashShare.This issue affects Social Media Share Buttons | MashShare: from n/a through 4.0.47.",
  "id": "GHSA-vmx9-cf98-29xx",
  "modified": "2026-04-28T21:35:30Z",
  "published": "2025-01-07T18:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22319"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/mashsharer/vulnerability/wordpress-mashshare-plugin-4-0-47-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP28-9CM6-HPWG

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32
VLAI
Details

The SimpleShop plugin for WordPress is vulnerable to unauthorized disconnection from SimpleShop due to a missing capability check on the maybe_disconnect_simpleshop function in all versions up to, and including, 2.10.2. This makes it possible for unauthenticated attackers to disconnect the SimpleShop.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T14:45:42Z",
    "severity": "MODERATE"
  },
  "details": "The SimpleShop plugin for WordPress is vulnerable to unauthorized disconnection from SimpleShop due to a missing capability check on the maybe_disconnect_simpleshop function in all versions up to, and including, 2.10.2. This makes it possible for unauthenticated attackers to disconnect the SimpleShop.",
  "id": "GHSA-vp28-9cm6-hpwg",
  "modified": "2024-05-14T15:32:51Z",
  "published": "2024-05-14T15:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1229"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/simpleshop-cz/trunk/src/Settings.php?rev=3019145#L341"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3080151%40simpleshop-cz\u0026new=3080151%40simpleshop-cz\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4dc39c47-3b99-4e43-b25d-a025f3d228b5?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP38-57W4-9685

Vulnerability from github – Published: 2023-03-10 21:30 – Updated: 2026-04-08 18:32
VLAI
Details

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_page_cache function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete the plugin's cache.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1333"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-10T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_page_cache function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete the plugin\u0027s cache.",
  "id": "GHSA-vp38-57w4-9685",
  "modified": "2026-04-08T18:32:03Z",
  "published": "2023-03-10T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1333"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2877726/unusedcss/trunk/includes/modules/unused-css/UnusedCSS_Admin.php?contextall=1\u0026old=2847136\u0026old_path=%2Funusedcss%2Ftrunk%2Fincludes%2Fmodules%2Funused-css%2FUnusedCSS_Admin.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2cba74f7-7183-4297-8f04-4818c01358ef"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2cba74f7-7183-4297-8f04-4818c01358ef?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP55-5C2V-3597

Vulnerability from github – Published: 2026-07-15 12:32 – Updated: 2026-07-15 12:32
VLAI
Details

PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member privileges can exploit PATCH and POST/DELETE endpoints to alter shared label taxonomy and manipulate issue-label associations without owner or admin authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-61440"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-15T12:18:19Z",
    "severity": "HIGH"
  },
  "details": "PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member privileges can exploit PATCH and POST/DELETE endpoints to alter shared label taxonomy and manipulate issue-label associations without owner or admin authorization.",
  "id": "GHSA-vp55-5c2v-3597",
  "modified": "2026-07-15T12:32:04Z",
  "published": "2026-07-15T12:32:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-xxgv-vgvj-qvxh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-61440"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/commit/846568c7a5d8ce9e71e56e4c213f027c04909753"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/praisonai-platform-before-authorization-bypass-via-label-endpoints"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VP66-4GGH-RG32

Vulnerability from github – Published: 2023-03-10 21:30 – Updated: 2023-03-16 18:30
VLAI
Details

In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47484"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-10T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In telephony service, there is a missing permission check. This could lead to local denial of service in telephone service with no additional execution privileges needed.",
  "id": "GHSA-vp66-4ggh-rg32",
  "modified": "2023-03-16T18:30:32Z",
  "published": "2023-03-10T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47484"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1632612109718192129"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP68-5Q7H-58F3

Vulnerability from github – Published: 2025-10-31 12:30 – Updated: 2025-10-31 12:30
VLAI
Details

The ERI File Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'erifl_file' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to download files restricted to specific user roles.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-31T10:15:42Z",
    "severity": "MODERATE"
  },
  "details": "The ERI File Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027erifl_file\u0027 AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to download files restricted to specific user roles.",
  "id": "GHSA-vp68-5q7h-58f3",
  "modified": "2025-10-31T12:30:20Z",
  "published": "2025-10-31T12:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12041"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3385895%40eri-file-library\u0026new=3385895%40eri-file-library"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16e1d37a-4eb7-45dc-8993-a501fb2aaf73?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.