Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14602 vulnerabilities reference this CWE, most recent first.

GHSA-VQ86-GXF4-Q6GH

Vulnerability from github – Published: 2024-03-28 09:31 – Updated: 2024-03-28 09:31
VLAI
Details

Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-28T07:16:00Z",
    "severity": "HIGH"
  },
  "details": "Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors.",
  "id": "GHSA-vq86-gxf4-q6gh",
  "modified": "2024-03-28T09:31:13Z",
  "published": "2024-03-28T09:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29228"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQC4-QHX7-82XG

Vulnerability from github – Published: 2024-05-21 09:31 – Updated: 2024-05-21 09:31
VLAI
Details

The ShopLentor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in all versions up to, and including, 2.8.8. This makes it possible for authenticated attackers, with contributor-level access and above, to set arbitrary WordPress options to "true". NOTE: This vulnerability can be exploited by attackers with subscriber- or customer-level access and above if (1) the WooCommerce plugin is deactivated or (2) access to the default WordPress admin dashboard is explicitly enabled for authenticated users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4566"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T09:15:08Z",
    "severity": "HIGH"
  },
  "details": "The ShopLentor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in all versions up to, and including, 2.8.8. This makes it possible for authenticated attackers, with contributor-level access and above, to set arbitrary WordPress options to \"true\". NOTE: This vulnerability can be exploited by attackers with subscriber- or customer-level access and above if (1) the WooCommerce plugin is deactivated or (2) access to the default WordPress admin dashboard is explicitly enabled for authenticated users.",
  "id": "GHSA-vqc4-qhx7-82xg",
  "modified": "2024-05-21T09:31:17Z",
  "published": "2024-05-21T09:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4566"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/includes/admin/include/class.notice.php#L52"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3088881/woolentor-addons/trunk/includes/admin/include/class.notice.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6aaabe9-4f55-4c01-b350-573e6a944353?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQJ8-H258-QP79

Vulnerability from github – Published: 2025-12-31 18:30 – Updated: 2026-04-01 18:36
VLAI
Details

Missing Authorization vulnerability in Magnigenie RestroPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RestroPress: from n/a through 3.2.4.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-31T16:15:45Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Magnigenie RestroPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RestroPress: from n/a through 3.2.4.2.",
  "id": "GHSA-vqj8-h258-qp79",
  "modified": "2026-04-01T18:36:28Z",
  "published": "2025-12-31T18:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62129"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-4-2-broken-access-control-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/wordpress/plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-4-2-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQR6-3H85-Q7HP

Vulnerability from github – Published: 2026-07-11 00:31 – Updated: 2026-07-13 18:30
VLAI
Details

Missing Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-10T22:16:39Z",
    "severity": "CRITICAL"
  },
  "details": "Missing Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1.",
  "id": "GHSA-vqr6-3h85-q7hp",
  "modified": "2026-07-13T18:30:33Z",
  "published": "2026-07-11T00:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13236"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2026-056"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQRW-78H5-GQQR

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

Missing Authorization vulnerability in VideoWhisper.Com Paid Videochat Turnkey Site allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Paid Videochat Turnkey Site: from n/a through 7.3.23.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24590"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-26T09:16:19Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in VideoWhisper.Com Paid Videochat Turnkey Site allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects Paid Videochat Turnkey Site: from n/a through 7.3.23.",
  "id": "GHSA-vqrw-78h5-gqqr",
  "modified": "2026-05-26T13:30:55Z",
  "published": "2026-05-26T13:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24590"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/ppv-live-webcams/vulnerability/wordpress-paid-videochat-turnkey-site-plugin-7-3-23-broken-access-control-vulnerability-2?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQVG-86CC-CG83

Vulnerability from github – Published: 2026-03-30 18:59 – Updated: 2026-03-30 18:59
VLAI
Summary
OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement
Details

Fixed in OpenClaw 2026.3.24, the current shipping release.

Title
Mutating internal /allowlist chat commands missed operator.admin scope enforcement

CWE
CWE-862 Missing Authorization

CVSS v3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Base score: 6.5 (Medium)

Severity Assessment
Medium. This is a real authorization flaw in OpenClaw’s internal control plane. The issue does not require host access, trusted local state tampering, or multi-tenant assumptions, but exploitation does require an already authenticated internal Gateway caller with operator.write.

Impact
An authenticated internal Gateway caller limited to operator.write can perform state-changing /allowlist actions without operator.admin, even though comparable mutating internal chat commands already require operator.admin. The reachable effects are persistent changes to config-backed allowFrom entries and pairing-store-backed allowlist entries.

This is not a semantic-modeling complaint and not a generic “trusted operator can do things” claim. It is a missing authorization check inside OpenClaw’s own internal scope model, where peer mutating command surfaces already distinguish operator.write from operator.admin.

Affected Component
Verified against the latest published GitHub release tag v2026.3.23 (ccfeecb6887cd97937e33a71877ad512741e82b2), published 2026-03-23T23:15:50Z.

Exact vulnerable path on the shipped tag: - src/auto-reply/reply/commands-allowlist.ts:251-254 - /allowlist authorization uses only rejectUnauthorizedCommand(...). - src/auto-reply/reply/commands-allowlist.ts:386-524 - mutating config and pairing-store writes happen here, but there is no requireGatewayClientScopeForInternalChannel(..., operator.admin, ...).

Reachability and scope model: - src/gateway/method-scopes.ts:94-109 - chat.send is a write-scoped method. - src/gateway/server.chat.gateway-server-chat.test.ts:539-559 - existing runtime coverage proves chat.send routes slash commands without an agent run. - src/auto-reply/command-auth.ts:574-577 - internal callers become senderIsOwner only when GatewayClientScopes includes operator.admin.

Comparable internal mutating command paths already enforce operator.admin: - src/auto-reply/reply/commands-config.ts:64-73 - src/auto-reply/reply/commands-mcp.ts:89-96 - src/auto-reply/reply/commands-plugins.ts:387-394 - src/auto-reply/reply/commands-acp.ts:98-106

Version history: - Introduced by commit 555b2578a8cc6e1b93f717496935ead97bfbed8b (feat: add /allowlist command) - Earliest released affected tag found: v2026.1.20 - Latest released affected tag verified: v2026.3.23

Technical Reproduction
1. Check out the shipped release tag v2026.3.23. 2. Use an internal command context with: - Provider = "webchat" - Surface = "webchat" - GatewayClientScopes = ["operator.write"] - params.command.channel = "webchat" 3. Route a slash command through chat.send. 4. Execute either of these mutating commands: - /allowlist add dm channel=telegram 789 - /allowlist add dm --store channel=telegram 789 5. Confirm the command context is authorized but not owner-equivalent: - isAuthorizedSender === true - senderIsOwner === false 6. Observe that the commands still succeed and perform persistent writes.

Demonstrated Impact
The vulnerable handler performs real state mutation for a low-scope internal caller: - Config-backed mutation path: - src/auto-reply/reply/commands-allowlist.ts:398-503 - reads the config snapshot, applies the edit, validates, and writes the updated config to disk. - Store-backed mutation path: - src/auto-reply/reply/commands-allowlist.ts:479-485 - src/auto-reply/reply/commands-allowlist.ts:513-518 - updates the pairing-store allowlist without any admin-scope gate.

The result is successful persistence, not just a misleading success message.

Environment
- Product: OpenClaw - Verified shipped tag: v2026.3.23 - Shipped tag commit: ccfeecb6887cd97937e33a71877ad512741e82b2 - Published GitHub release time: 2026-03-23T23:15:50Z - Verification date: 2026-03-24

Duplicate Check
This is not a duplicate of: - GHSA-pjvx-rx66-r3fg - that advisory covered cross-account scoping in /allowlist ... --store, not missing internal operator.admin enforcement. - GHSA-hfpr-jhpq-x4rm - that advisory covered /config writes through chat.send, not /allowlist. - GHSA-3w6x-gv34-mqpf - same authorization class, but different command path (/acp, not /allowlist).

In Scope Check
This report is in scope under SECURITY.md because: - it does not rely on adversarial operators sharing one gateway host or config; - it does not target the HTTP compatibility endpoints that SECURITY.md explicitly treats as full operator-access surfaces; - it demonstrates a real authorization mismatch inside OpenClaw’s own internal control-plane scope model (operator.write vs operator.admin); - peer mutating internal chat commands already enforce operator.admin, so this is not a request for a new boundary but a missing check on an existing one.

This is therefore a concrete authorization bug, not a trusted-operator hardening suggestion.

Remediation Advice
1. Add requireGatewayClientScopeForInternalChannel(..., allowedScopes: ["operator.admin"], ...) to the mutating internal /allowlist paths. 2. Add regression coverage for both mutation modes: - internal operator.write must be rejected; - internal operator.admin must be allowed. 3. Cover both config-backed and store-backed writes. 4. Audit other mutating internal chat-command paths for the same missing-scope pattern.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T18:59:16Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "\u003e Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n**Title**  \nMutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement\n\n**CWE**  \nCWE-862 Missing Authorization\n\n**CVSS v3.1**  \nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N  \nBase score: **6.5 (Medium)**\n\n**Severity Assessment**  \nMedium. This is a real authorization flaw in OpenClaw\u2019s internal control plane. The issue does not require host access, trusted local state tampering, or multi-tenant assumptions, but exploitation does require an already authenticated internal Gateway caller with `operator.write`.\n\n**Impact**  \nAn authenticated internal Gateway caller limited to `operator.write` can perform state-changing `/allowlist` actions without `operator.admin`, even though comparable mutating internal chat commands already require `operator.admin`. The reachable effects are persistent changes to config-backed `allowFrom` entries and pairing-store-backed allowlist entries.\n\nThis is not a semantic-modeling complaint and not a generic \u201ctrusted operator can do things\u201d claim. It is a missing authorization check inside OpenClaw\u2019s own internal scope model, where peer mutating command surfaces already distinguish `operator.write` from `operator.admin`.\n\n**Affected Component**  \nVerified against the latest published GitHub release tag `v2026.3.23` (`ccfeecb6887cd97937e33a71877ad512741e82b2`), published `2026-03-23T23:15:50Z`.\n\nExact vulnerable path on the shipped tag:\n- `src/auto-reply/reply/commands-allowlist.ts:251-254`\n  - `/allowlist` authorization uses only `rejectUnauthorizedCommand(...)`.\n- `src/auto-reply/reply/commands-allowlist.ts:386-524`\n  - mutating config and pairing-store writes happen here, but there is no `requireGatewayClientScopeForInternalChannel(..., operator.admin, ...)`.\n\nReachability and scope model:\n- `src/gateway/method-scopes.ts:94-109`\n  - `chat.send` is a write-scoped method.\n- `src/gateway/server.chat.gateway-server-chat.test.ts:539-559`\n  - existing runtime coverage proves `chat.send` routes slash commands without an agent run.\n- `src/auto-reply/command-auth.ts:574-577`\n  - internal callers become `senderIsOwner` only when `GatewayClientScopes` includes `operator.admin`.\n\nComparable internal mutating command paths already enforce `operator.admin`:\n- `src/auto-reply/reply/commands-config.ts:64-73`\n- `src/auto-reply/reply/commands-mcp.ts:89-96`\n- `src/auto-reply/reply/commands-plugins.ts:387-394`\n- `src/auto-reply/reply/commands-acp.ts:98-106`\n\nVersion history:\n- Introduced by commit `555b2578a8cc6e1b93f717496935ead97bfbed8b` (`feat: add /allowlist command`)\n- Earliest released affected tag found: `v2026.1.20`\n- Latest released affected tag verified: `v2026.3.23`\n\n**Technical Reproduction**  \n1. Check out the shipped release tag `v2026.3.23`.\n2. Use an internal command context with:\n   - `Provider = \"webchat\"`\n   - `Surface = \"webchat\"`\n   - `GatewayClientScopes = [\"operator.write\"]`\n   - `params.command.channel = \"webchat\"`\n3. Route a slash command through `chat.send`.\n4. Execute either of these mutating commands:\n   - `/allowlist add dm channel=telegram 789`\n   - `/allowlist add dm --store channel=telegram 789`\n5. Confirm the command context is authorized but not owner-equivalent:\n   - `isAuthorizedSender === true`\n   - `senderIsOwner === false`\n6. Observe that the commands still succeed and perform persistent writes.\n\n**Demonstrated Impact**  \nThe vulnerable handler performs real state mutation for a low-scope internal caller:\n- Config-backed mutation path:\n  - `src/auto-reply/reply/commands-allowlist.ts:398-503`\n  - reads the config snapshot, applies the edit, validates, and writes the updated config to disk.\n- Store-backed mutation path:\n  - `src/auto-reply/reply/commands-allowlist.ts:479-485`\n  - `src/auto-reply/reply/commands-allowlist.ts:513-518`\n  - updates the pairing-store allowlist without any admin-scope gate.\n\nThe result is successful persistence, not just a misleading success message.\n\n**Environment**  \n- Product: OpenClaw\n- Verified shipped tag: `v2026.3.23`\n- Shipped tag commit: `ccfeecb6887cd97937e33a71877ad512741e82b2`\n- Published GitHub release time: `2026-03-23T23:15:50Z`\n- Verification date: `2026-03-24`\n\n**Duplicate Check**  \nThis is not a duplicate of:\n- `GHSA-pjvx-rx66-r3fg`\n  - that advisory covered cross-account scoping in `/allowlist ... --store`, not missing internal `operator.admin` enforcement.\n- `GHSA-hfpr-jhpq-x4rm`\n  - that advisory covered `/config` writes through `chat.send`, not `/allowlist`.\n- `GHSA-3w6x-gv34-mqpf`\n  - same authorization class, but different command path (`/acp`, not `/allowlist`).\n\n**In Scope Check**  \nThis report is in scope under `SECURITY.md` because:\n- it does **not** rely on adversarial operators sharing one gateway host or config;\n- it does **not** target the HTTP compatibility endpoints that `SECURITY.md` explicitly treats as full operator-access surfaces;\n- it demonstrates a real authorization mismatch inside OpenClaw\u2019s own internal control-plane scope model (`operator.write` vs `operator.admin`);\n- peer mutating internal chat commands already enforce `operator.admin`, so this is not a request for a new boundary but a missing check on an existing one.\n\nThis is therefore a concrete authorization bug, not a trusted-operator hardening suggestion.\n\n**Remediation Advice**  \n1. Add `requireGatewayClientScopeForInternalChannel(..., allowedScopes: [\"operator.admin\"], ...)` to the mutating internal `/allowlist` paths.\n2. Add regression coverage for both mutation modes:\n   - internal `operator.write` must be rejected;\n   - internal `operator.admin` must be allowed.\n3. Cover both config-backed and store-backed writes.\n4. Audit other mutating internal chat-command paths for the same missing-scope pattern.",
  "id": "GHSA-vqvg-86cc-cg83",
  "modified": "2026-03-30T18:59:16Z",
  "published": "2026-03-30T18:59:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement"
}

GHSA-VQW4-HC5H-3HJF

Vulnerability from github – Published: 2026-05-02 06:30 – Updated: 2026-05-02 06:30
VLAI
Details

The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update SMTP settings and redirect mail which can be used for privilege escalation by triggering a password reset email and using that to access and administrator's account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6963"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-02T05:16:01Z",
    "severity": "HIGH"
  },
  "details": "The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update SMTP settings and redirect mail which can be used for privilege escalation by triggering a password reset email and using that to access and administrator\u0027s account.",
  "id": "GHSA-vqw4-hc5h-3hjf",
  "modified": "2026-05-02T06:30:24Z",
  "published": "2026-05-02T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6963"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-mail-gateway/tags/1.8/src/Bootstrap.php#L47"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-mail-gateway/tags/1.8/src/Functions.php#L111"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-mail-gateway/trunk/src/Bootstrap.php#L47"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-mail-gateway/trunk/src/Functions.php#L111"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3515205%40wp-mail-gateway\u0026new=3515205%40wp-mail-gateway\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7caf1f4-a8dd-4016-91eb-2adbeed5290a?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQXG-8XHM-JF4P

Vulnerability from github – Published: 2025-05-19 18:30 – Updated: 2026-04-01 18:35
VLAI
Details

Missing Authorization vulnerability in PressMaximum Customify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Customify: from n/a through 0.4.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-19T17:15:23Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in PressMaximum Customify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Customify: from n/a through 0.4.8.",
  "id": "GHSA-vqxg-8xhm-jf4p",
  "modified": "2026-04-01T18:35:10Z",
  "published": "2025-05-19T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26920"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/theme/customify-theme/vulnerability/wordpress-customify-theme-0-4-8-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VR29-G79F-FJ5P

Vulnerability from github – Published: 2025-06-27 12:31 – Updated: 2026-04-01 18:35
VLAI
Details

Missing Authorization vulnerability in Dejan Jasnic Trusty Whistleblowing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trusty Whistleblowing: from n/a through 1.5.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52818"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-27T12:15:43Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in Dejan Jasnic Trusty Whistleblowing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trusty Whistleblowing: from n/a through 1.5.2.",
  "id": "GHSA-vr29-g79f-fj5p",
  "modified": "2026-04-01T18:35:36Z",
  "published": "2025-06-27T12:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52818"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/trusty-whistleblowing-solution/vulnerability/wordpress-trusty-whistleblowing-1-5-2-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VR29-VX49-CPQ4

Vulnerability from github – Published: 2025-04-08 09:31 – Updated: 2025-04-08 09:31
VLAI
Details

Under specific conditions and prerequisites, an unauthenticated attacker could access customer coupon codes exposed in the URL parameters of the Coupon Campaign URL in SAP Commerce. This could allow the attacker to use the disclosed coupon code, hence posing a low impact on confidentiality and integrity of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27435"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T08:15:16Z",
    "severity": "MODERATE"
  },
  "details": "Under specific conditions and prerequisites, an unauthenticated attacker could access customer coupon codes exposed in the URL parameters of the Coupon Campaign URL in SAP Commerce. This could allow the attacker to use the disclosed coupon code, hence posing a low impact on confidentiality and integrity of the application.",
  "id": "GHSA-vr29-vx49-cpq4",
  "modified": "2025-04-08T09:31:10Z",
  "published": "2025-04-08T09:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27435"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3539465"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.