CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14602 vulnerabilities reference this CWE, most recent first.
GHSA-VW75-3C43-6G3P
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints (by verifying that the client certificate has access to the CA and Profiles being enrolled against), this check was not performed when authenticating revocation operations, allowing a known tenant to revoke a certificate belonging to another tenant.
{
"affected": [],
"aliases": [
"CVE-2021-40088"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-25T02:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints (by verifying that the client certificate has access to the CA and Profiles being enrolled against), this check was not performed when authenticating revocation operations, allowing a known tenant to revoke a certificate belonging to another tenant.",
"id": "GHSA-vw75-3c43-6g3p",
"modified": "2022-05-24T19:12:13Z",
"published": "2022-05-24T19:12:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40088"
},
{
"type": "WEB",
"url": "https://support.primekey.com/news/posts/51"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VWC6-3MWX-3PRQ
Vulnerability from github – Published: 2026-01-16 06:30 – Updated: 2026-01-16 06:30The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users.
{
"affected": [],
"aliases": [
"CVE-2025-14982"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T05:16:12Z",
"severity": "MODERATE"
},
"details": "The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users.",
"id": "GHSA-vwc6-3mwx-3prq",
"modified": "2026-01-16T06:30:15Z",
"published": "2026-01-16T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14982"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/core/any/class-admin-menu.php#L22"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/core/wpbc-activation.php#L661"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L150"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L158"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L722"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L918"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking\u0026old=3436482\u0026new_path=%2Fbooking\u0026new=3436482\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3432649%40booking%2Ftrunk\u0026old=3416518%40booking%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/161d92e3-d255-4967-9449-be263a46bec8?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VWCH-X387-PMJH
Vulnerability from github – Published: 2023-10-09 06:30 – Updated: 2024-04-04 08:25An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. SportsTeams: Special:SportsManagerLogo and Special:SportsTeamsManagerLogo do not check for the sportsteamsmanager user right, and thus an attacker may be able to affect pages that are concerned with sports teams.
{
"affected": [],
"aliases": [
"CVE-2023-45370"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-09T06:15:10Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. SportsTeams: Special:SportsManagerLogo and Special:SportsTeamsManagerLogo do not check for the sportsteamsmanager user right, and thus an attacker may be able to affect pages that are concerned with sports teams.",
"id": "GHSA-vwch-x387-pmjh",
"modified": "2024-04-04T08:25:36Z",
"published": "2023-10-09T06:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45370"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SportsTeams/+/959699"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T345680"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VWFF-X332-54CR
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2026-01-20 15:32Missing Authorization vulnerability in rtCamp GoDAM godam allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GoDAM: from n/a through <= 1.4.6.
{
"affected": [],
"aliases": [
"CVE-2025-67584"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T16:18:36Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in rtCamp GoDAM godam allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GoDAM: from n/a through \u003c= 1.4.6.",
"id": "GHSA-vwff-x332-54cr",
"modified": "2026-01-20T15:32:12Z",
"published": "2025-12-09T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67584"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/godam/vulnerability/wordpress-godam-plugin-1-4-6-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/godam/vulnerability/wordpress-godam-plugin-1-4-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VWJ4-QQ98-X49W
Vulnerability from github – Published: 2024-12-13 15:30 – Updated: 2026-04-28 21:35Missing Authorization vulnerability in Link Whisper Link Whisper Free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Link Whisper Free: from n/a through 0.6.3.
{
"affected": [],
"aliases": [
"CVE-2023-32506"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-13T15:15:11Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Link Whisper Link Whisper Free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Link Whisper Free: from n/a through 0.6.3.",
"id": "GHSA-vwj4-qq98-x49w",
"modified": "2026-04-28T21:35:23Z",
"published": "2024-12-13T15:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32506"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/link-whisper/vulnerability/wordpress-link-whisper-free-plugin-0-6-3-unauthenticated-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VWJ5-26VQ-WVX2
Vulnerability from github – Published: 2024-02-06 00:30 – Updated: 2026-04-08 21:32The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'create_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views.
{
"affected": [],
"aliases": [
"CVE-2024-0371"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-05T22:16:00Z",
"severity": "MODERATE"
},
"details": "The Views for WPForms \u2013 Display \u0026 Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027create_view\u0027 function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views.",
"id": "GHSA-vwj5-26vq-wvx2",
"modified": "2026-04-08T21:32:13Z",
"published": "2024-02-06T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0371"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.2\u0026old=3026471\u0026new_path=%2Fviews-for-wpforms-lite%2Ftags%2F3.2.3\u0026new=3026471\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a9565693-fd0b-4412-944c-81b3cd79492e?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VWM3-9RH9-V735
Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-11-06 15:31Nagios XI versions prior to 2012R1.6 contain an authorization flaw in the Auto-Discovery functionality. Users with read-only roles could directly reach Auto-Discovery endpoints and pages that should require elevated permissions, exposing discovery results and allowing unintended access to discovery operations.
{
"affected": [],
"aliases": [
"CVE-2013-10072"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-30T22:15:36Z",
"severity": "HIGH"
},
"details": "Nagios XI versions prior to\u00a02012R1.6 contain an authorization flaw in the Auto-Discovery functionality. Users with read-only roles could directly reach Auto-Discovery endpoints and pages that should require elevated permissions, exposing discovery results and allowing unintended access to discovery operations.",
"id": "GHSA-vwm3-9rh9-v735",
"modified": "2025-11-06T15:31:02Z",
"published": "2025-10-31T00:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-10072"
},
{
"type": "WEB",
"url": "https://www.nagios.com/changelog/nagios-xi"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nagios-xi-auto-discovery-missing-authorization"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VWMV-CX3V-9RVW
Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2026-04-01 18:34Missing Authorization vulnerability in Shiptimize Shiptimize for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shiptimize for WooCommerce: from n/a through 3.1.86.
{
"affected": [],
"aliases": [
"CVE-2025-31802"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T15:16:19Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Shiptimize Shiptimize for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shiptimize for WooCommerce: from n/a through 3.1.86.",
"id": "GHSA-vwmv-cx3v-9rvw",
"modified": "2026-04-01T18:34:21Z",
"published": "2025-04-01T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31802"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/shiptimize-for-woocommerce/vulnerability/wordpress-shiptimize-for-woocommerce-plugin-3-1-86-settings-change-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VWQ3-XP85-FQFH
Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 18:31Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.5.
{
"affected": [],
"aliases": [
"CVE-2026-24364"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T17:16:37Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through \u003c= 4.2.5.",
"id": "GHSA-vwq3-xp85-fqfh",
"modified": "2026-03-26T18:31:32Z",
"published": "2026-03-25T18:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24364"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-2-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VWV8-8WCH-7M4G
Vulnerability from github – Published: 2024-05-17 12:30 – Updated: 2025-03-12 09:30Missing Authorization vulnerability in PluginEver Serial Numbers for WooCommerce – License Manager.This issue affects Serial Numbers for WooCommerce – License Manager: from n/a through 1.7.3.
{
"affected": [],
"aliases": [
"CVE-2024-35173"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T11:15:08Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in PluginEver Serial Numbers for WooCommerce \u2013 License Manager.This issue affects Serial Numbers for WooCommerce \u2013 License Manager: from n/a through 1.7.3.",
"id": "GHSA-vwv8-8wch-7m4g",
"modified": "2025-03-12T09:30:52Z",
"published": "2024-05-17T12:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35173"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wc-serial-numbers/wordpress-wc-serial-numbers-plugin-1-7-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.