CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-HX9W-QRWW-76V2
Vulnerability from github – Published: 2024-10-16 03:31 – Updated: 2024-10-16 03:31The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. This is due to insufficient verification on the user being supplied in the 'ultimate_ai_register_or_login_with_google' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
{
"affected": [],
"aliases": [
"CVE-2024-9105"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-16T02:15:06Z",
"severity": "CRITICAL"
},
"details": "The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. This is due to insufficient verification on the user being supplied in the \u0027ultimate_ai_register_or_login_with_google\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.",
"id": "GHSA-hx9w-qrww-76v2",
"modified": "2024-10-16T03:31:33Z",
"published": "2024-10-16T03:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9105"
},
{
"type": "WEB",
"url": "https://codecanyon.net/item/ultimateai-ai-enhanced-wordpress-plugin-with-saas-for-content-code-chat-and-image-generation/51201953"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2475643-a0b4-444a-a2c6-a5c45e90e1dd?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2MJ-6C7W-RH5M
Vulnerability from github – Published: 2023-10-03 03:31 – Updated: 2024-04-04 08:01Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode.
{
"affected": [],
"aliases": [
"CVE-2023-42771"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-03T01:15:56Z",
"severity": "HIGH"
},
"details": "Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode.",
"id": "GHSA-j2mj-6c7w-rh5m",
"modified": "2024-04-04T08:01:55Z",
"published": "2023-10-03T03:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42771"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU94497038"
},
{
"type": "WEB",
"url": "https://www.furunosystems.co.jp/news/info/vulner20231002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2RC-XV8G-VH3W
Vulnerability from github – Published: 2025-10-15 09:30 – Updated: 2026-04-08 21:33The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's password to a one-time password if the attacker knows the user's phone number
{
"affected": [],
"aliases": [
"CVE-2025-9967"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T09:15:43Z",
"severity": "CRITICAL"
},
"details": "The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s password to a one-time password if the attacker knows the user\u0027s phone number",
"id": "GHSA-j2rc-xv8g-vh3w",
"modified": "2026-04-08T21:33:07Z",
"published": "2025-10-15T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9967"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/orion-sms-otp-verification/trunk/vendor/js/reset-password.js"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/log/orion-sms-otp-verification"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b121fdb4-93a8-400c-89c2-3195cb40e03c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2V9-CQ8F-8CH7
Vulnerability from github – Published: 2025-08-02 12:30 – Updated: 2025-08-02 12:30The Brave Conversion Engine (PRO) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.7.7. This is due to the plugin not properly restricting a claimed identity while authenticating with Facebook. This makes it possible for unauthenticated attackers to log in as other users, including administrators.
{
"affected": [],
"aliases": [
"CVE-2025-7710"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-02T12:15:28Z",
"severity": "CRITICAL"
},
"details": "The Brave Conversion Engine (PRO) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.7.7. This is due to the plugin not properly restricting a claimed identity while authenticating with Facebook. This makes it possible for unauthenticated attackers to log in as other users, including administrators.",
"id": "GHSA-j2v9-cq8f-8ch7",
"modified": "2025-08-02T12:30:32Z",
"published": "2025-08-02T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7710"
},
{
"type": "WEB",
"url": "https://getbrave.io/brave-pro-changelog"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/604249c6-b23a-40e9-984d-2014f5c97249?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J368-Q2MR-VHV4
Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-24 21:31Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse.This issue affects Booked: from n/a through <= 3.0.0.
{
"affected": [],
"aliases": [
"CVE-2026-22341"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-20T16:22:32Z",
"severity": "MODERATE"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse.This issue affects Booked: from n/a through \u003c= 3.0.0.",
"id": "GHSA-j368-q2mr-vhv4",
"modified": "2026-02-24T21:31:38Z",
"published": "2026-02-20T18:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22341"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/booked/vulnerability/wordpress-booked-plugin-3-0-0-account-takeover-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J3JP-GMVH-PPVR
Vulnerability from github – Published: 2026-01-09 21:31 – Updated: 2026-01-10 00:30A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to change the admin password and gain full access to the administrative panel.
{
"affected": [],
"aliases": [
"CVE-2025-67070"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-09T19:16:06Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to change the admin password and gain full access to the administrative panel.",
"id": "GHSA-j3jp-gmvh-ppvr",
"modified": "2026-01-10T00:30:29Z",
"published": "2026-01-09T21:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67070"
},
{
"type": "WEB",
"url": "https://github.com/teteco/intelbras-cftv-admin-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J3RF-GQ9Q-V8HX
Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-07-13 00:01PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances.
{
"affected": [],
"aliases": [
"CVE-2022-23725"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-288",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-30T20:15:00Z",
"severity": "MODERATE"
},
"details": "PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances.",
"id": "GHSA-j3rf-gq9q-v8hx",
"modified": "2022-07-13T00:01:52Z",
"published": "2022-07-01T00:01:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23725"
},
{
"type": "WEB",
"url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
},
{
"type": "WEB",
"url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J4C9-W69R-CW33
Vulnerability from github – Published: 2026-03-29 15:50 – Updated: 2026-04-10 19:43Summary
Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Telegram callback queries from direct messages previously used weaker callback-only authorization and could mutate session state without satisfying normal DM pairing. Commit 269282ac69ab6030d5f30d04822668f607f13065 enforces DM authorization for callbacks.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit 269282ac69ab6030d5f30d04822668f607f13065.
Fix Commit(s)
269282ac69ab6030d5f30d04822668f607f13065
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.24"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35661"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-288",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:50:23Z",
"nvd_published_at": "2026-04-10T17:17:07Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nTelegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `\u003c= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nTelegram callback queries from direct messages previously used weaker callback-only authorization and could mutate session state without satisfying normal DM pairing. Commit `269282ac69ab6030d5f30d04822668f607f13065` enforces DM authorization for callbacks.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `269282ac69ab6030d5f30d04822668f607f13065`.\n\n## Fix Commit(s)\n\n- `269282ac69ab6030d5f30d04822668f607f13065`",
"id": "GHSA-j4c9-w69r-cw33",
"modified": "2026-04-10T19:43:56Z",
"published": "2026-03-29T15:50:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c9-w69r-cw33"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35661"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/269282ac69ab6030d5f30d04822668f607f13065"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-telegram-dm-scoped-inline-button-callback-authorization-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State"
}
GHSA-J4G8-8JW2-7WW9
Vulnerability from github – Published: 2024-09-11 09:31 – Updated: 2024-09-11 09:31The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully.
{
"affected": [],
"aliases": [
"CVE-2024-8277"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-11T09:15:02Z",
"severity": "CRITICAL"
},
"details": "The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user\u0027s identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully.",
"id": "GHSA-j4g8-8jw2-7ww9",
"modified": "2024-09-11T09:31:12Z",
"published": "2024-09-11T09:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8277"
},
{
"type": "WEB",
"url": "https://codecanyon.net/item/woocommerce-photo-reviews/21245349"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1e2d370-a716-4d6b-8e23-74db2fbd0760?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J568-7WM8-FM52
Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-25 21:30Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.
{
"affected": [],
"aliases": [
"CVE-2026-1917"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T16:16:10Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.",
"id": "GHSA-j568-7wm8-fm52",
"modified": "2026-03-25T21:30:32Z",
"published": "2026-03-25T18:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1917"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2026-008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.