CWE-862: Missing Authorization

This CVE describes a missing authorization vulnerability in Ivanti security products that allows authenticated users with read-only admin privileges t...

This vulnerability allows authenticated backend users in TYPO3 CMS to bypass authorization checks and directly access AJAX backend routes they shouldn...

This vulnerability allows authenticated remote attackers to escalate privileges on ATEN eco DC installations by exploiting missing authorization check...

The SEO Metrics WordPress plugin has a privilege escalation vulnerability that allows subscriber-level users to obtain administrator cookies and gain ...

The Hydra Booking WordPress plugin has a privilege escalation vulnerability that allows authenticated users with Subscriber-level access or higher to ...

The Dataverse Integration WordPress plugin versions 2.77 through 2.81 contain a privilege escalation vulnerability. Any authenticated user, even with ...

This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to escalate their privileges to Administrator by exploi...

The Ajax Load More WordPress plugin before version 2.8.1.2 lacks proper authorization checks in certain AJAX endpoints, allowing any authenticated use...

The B1.lt WordPress plugin has an SQL injection vulnerability that allows authenticated attackers with Subscriber-level access or higher to execute ar...

The aapanel WP Toolkit WordPress plugin versions 1.0 to 1.1 contain a privilege escalation vulnerability in the auto_login() function. Authenticated a...

CVE-2025-49723 is a missing authorization vulnerability in the Windows StateRepository API that allows authenticated local attackers to tamper with sy...

The WP Human Resource Management plugin for WordPress has a privilege escalation vulnerability that allows authenticated users with Employee-level acc...

This CVE describes a Missing Authorization vulnerability in MDJM Mobile DJ Manager WordPress plugin that allows privilege escalation. Attackers can ex...

This CVE describes a Missing Authorization vulnerability in the MaxiBlocks WordPress plugin that allows attackers to update arbitrary WordPress option...

The Property plugin for WordPress (versions 1.0.5-1.0.6) contains a privilege escalation vulnerability where authenticated users with Author-level per...

This vulnerability in the SMS Alert Order Notifications WooCommerce plugin allows authenticated attackers with Subscriber-level access or higher to im...

This vulnerability allows attackers to enable SSH and Telnet services on Victure RX1800 routers without authentication. Attackers can gain administrat...

This vulnerability in the Integração entre Eduzz e Woocommerce WordPress plugin allows authenticated attackers with Subscriber-level access or highe...

The BM Content Builder WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to m...

The Xelion Webchat WordPress plugin has a privilege escalation vulnerability that allows authenticated users with Subscriber-level access or higher to...

This vulnerability allows attackers to update arbitrary WordPress options without proper authorization, leading to privilege escalation. It affects al...

A missing authorization vulnerability in AWEOS GmbH's Email Notifications for Updates WordPress plugin allows attackers to escalate privileges. This a...

The Embedder WordPress plugin (versions 1.3-1.3.5) contains a missing capability check that allows authenticated users with Subscriber-level access or...

This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to install and activate arbitrary plugins on sites runn...

The Email Notifications for Updates WordPress plugin has a privilege escalation vulnerability that allows authenticated attackers with Subscriber-leve...

The Shopper Approved Reviews WordPress plugin versions 2.0-2.1 contain a privilege escalation vulnerability where authenticated users with Subscriber-...

The Administrator Z WordPress plugin has an authorization bypass vulnerability that allows authenticated users with Subscriber-level access or higher ...

This vulnerability allows attackers to update arbitrary WordPress options without proper authorization, leading to privilege escalation. It affects Wo...

The WP Compress WordPress plugin has missing capability checks on AJAX functions, allowing authenticated users with Subscriber-level access or higher ...

An improper access control vulnerability in Open WebUI v0.3.8 allows unauthenticated attackers to view and delete any files uploaded by users. Attacke...

This vulnerability in the FoodBakery WordPress theme allows authenticated users with Subscriber-level access or higher to perform administrative actio...

The uListing WordPress plugin has a vulnerability that allows authenticated attackers with subscriber-level access or higher to modify post metadata a...

This vulnerability in the JobCareer WordPress theme allows authenticated users with Subscriber-level access or higher to perform administrative action...

The SoundRise Music WordPress plugin has an authorization vulnerability that allows authenticated users with subscriber-level access to modify WordPre...

CVE-2025-26661 is a missing authorization vulnerability in SAP NetWeaver ABAP Class Builder that allows authenticated attackers to escalate privileges...

The UiPress Lite WordPress plugin has a privilege escalation vulnerability that allows authenticated users with Subscriber-level access or higher to m...

This vulnerability in the WordPress Awesome Import & Export Plugin allows authenticated attackers with Subscriber-level access or higher to execute ar...

The Animation Addons for Elementor Pro WordPress plugin has a vulnerability that allows authenticated attackers with Subscriber-level access or higher...

The SurveyJS WordPress plugin has an arbitrary file deletion vulnerability that allows authenticated attackers with Subscriber-level access or higher ...

The Cardealer WordPress theme allows authenticated attackers with subscriber-level access to escalate privileges by modifying default user roles. This...

This vulnerability allows authenticated attackers with subscriber-level access or higher to change arbitrary users' email addresses in the GetBookings...

A missing authorization vulnerability in Q-Free MaxTime allows authenticated low-privileged users to reset passwords, including administrator accounts...

This vulnerability allows authenticated low-privileged attackers to add users to groups in Q-Free MaxTime systems via crafted HTTP requests. It affect...

This vulnerability allows authenticated low-privileged users in Q-Free MaxTime systems to create new user accounts with arbitrary administrative privi...

A missing authorization vulnerability in Q-Free MaxTime allows authenticated low-privileged users to escalate privileges by adding permissions to user...

The Zox News WordPress theme has a vulnerability that allows authenticated users with Subscriber-level access or higher to modify critical WordPress o...

This vulnerability allows remote attackers to execute arbitrary commands on Digiever DS-2105 Pro devices through command injection in the time_tzsetup...

The ELEX WordPress HelpDesk & Customer Ticketing System plugin has a privilege escalation vulnerability that allows authenticated attackers with Subsc...

The Media Manager for UserPro WordPress plugin has an authorization vulnerability that allows authenticated users (even with Subscriber role) to modif...

The Royal Core WordPress plugin has a privilege escalation vulnerability that allows authenticated users with Subscriber-level access or higher to mod...