Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-HX9W-QRWW-76V2

Vulnerability from github – Published: 2024-10-16 03:31 – Updated: 2024-10-16 03:31
VLAI
Details

The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. This is due to insufficient verification on the user being supplied in the 'ultimate_ai_register_or_login_with_google' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-16T02:15:06Z",
    "severity": "CRITICAL"
  },
  "details": "The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. This is due to insufficient verification on the user being supplied in the \u0027ultimate_ai_register_or_login_with_google\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.",
  "id": "GHSA-hx9w-qrww-76v2",
  "modified": "2024-10-16T03:31:33Z",
  "published": "2024-10-16T03:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9105"
    },
    {
      "type": "WEB",
      "url": "https://codecanyon.net/item/ultimateai-ai-enhanced-wordpress-plugin-with-saas-for-content-code-chat-and-image-generation/51201953"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2475643-a0b4-444a-a2c6-a5c45e90e1dd?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J2MJ-6C7W-RH5M

Vulnerability from github – Published: 2023-10-03 03:31 – Updated: 2024-04-04 08:01
VLAI
Details

Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42771"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-03T01:15:56Z",
    "severity": "HIGH"
  },
  "details": "Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode.",
  "id": "GHSA-j2mj-6c7w-rh5m",
  "modified": "2024-04-04T08:01:55Z",
  "published": "2023-10-03T03:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42771"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU94497038"
    },
    {
      "type": "WEB",
      "url": "https://www.furunosystems.co.jp/news/info/vulner20231002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J2RC-XV8G-VH3W

Vulnerability from github – Published: 2025-10-15 09:30 – Updated: 2026-04-08 21:33
VLAI
Details

The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's password to a one-time password if the attacker knows the user's phone number

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9967"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T09:15:43Z",
    "severity": "CRITICAL"
  },
  "details": "The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s password to a one-time password if the attacker knows the user\u0027s phone number",
  "id": "GHSA-j2rc-xv8g-vh3w",
  "modified": "2026-04-08T21:33:07Z",
  "published": "2025-10-15T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9967"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/orion-sms-otp-verification/trunk/vendor/js/reset-password.js"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/log/orion-sms-otp-verification"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b121fdb4-93a8-400c-89c2-3195cb40e03c?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J2V9-CQ8F-8CH7

Vulnerability from github – Published: 2025-08-02 12:30 – Updated: 2025-08-02 12:30
VLAI
Details

The Brave Conversion Engine (PRO) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.7.7. This is due to the plugin not properly restricting a claimed identity while authenticating with Facebook. This makes it possible for unauthenticated attackers to log in as other users, including administrators.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7710"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-02T12:15:28Z",
    "severity": "CRITICAL"
  },
  "details": "The Brave Conversion Engine (PRO) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.7.7. This is due to the plugin not properly restricting a claimed identity while authenticating with Facebook. This makes it possible for unauthenticated attackers to log in as other users, including administrators.",
  "id": "GHSA-j2v9-cq8f-8ch7",
  "modified": "2025-08-02T12:30:32Z",
  "published": "2025-08-02T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7710"
    },
    {
      "type": "WEB",
      "url": "https://getbrave.io/brave-pro-changelog"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/604249c6-b23a-40e9-984d-2014f5c97249?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J368-Q2MR-VHV4

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-24 21:31
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse.This issue affects Booked: from n/a through <= 3.0.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T16:22:32Z",
    "severity": "MODERATE"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse.This issue affects Booked: from n/a through \u003c= 3.0.0.",
  "id": "GHSA-j368-q2mr-vhv4",
  "modified": "2026-02-24T21:31:38Z",
  "published": "2026-02-20T18:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22341"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/booked/vulnerability/wordpress-booked-plugin-3-0-0-account-takeover-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J3JP-GMVH-PPVR

Vulnerability from github – Published: 2026-01-09 21:31 – Updated: 2026-01-10 00:30
VLAI
Details

A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to change the admin password and gain full access to the administrative panel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-09T19:16:06Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to change the admin password and gain full access to the administrative panel.",
  "id": "GHSA-j3jp-gmvh-ppvr",
  "modified": "2026-01-10T00:30:29Z",
  "published": "2026-01-09T21:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67070"
    },
    {
      "type": "WEB",
      "url": "https://github.com/teteco/intelbras-cftv-admin-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J3RF-GQ9Q-V8HX

Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-07-13 00:01
VLAI
Details

PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-30T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances.",
  "id": "GHSA-j3rf-gq9q-v8hx",
  "modified": "2022-07-13T00:01:52Z",
  "published": "2022-07-01T00:01:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23725"
    },
    {
      "type": "WEB",
      "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
    },
    {
      "type": "WEB",
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J4C9-W69R-CW33

Vulnerability from github – Published: 2026-03-29 15:50 – Updated: 2026-04-10 19:43
VLAI
Summary
OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State
Details

Summary

Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

Telegram callback queries from direct messages previously used weaker callback-only authorization and could mutate session state without satisfying normal DM pairing. Commit 269282ac69ab6030d5f30d04822668f607f13065 enforces DM authorization for callbacks.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit 269282ac69ab6030d5f30d04822668f607f13065.

Fix Commit(s)

  • 269282ac69ab6030d5f30d04822668f607f13065
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-288",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:50:23Z",
    "nvd_published_at": "2026-04-10T17:17:07Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nTelegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `\u003c= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nTelegram callback queries from direct messages previously used weaker callback-only authorization and could mutate session state without satisfying normal DM pairing. Commit `269282ac69ab6030d5f30d04822668f607f13065` enforces DM authorization for callbacks.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `269282ac69ab6030d5f30d04822668f607f13065`.\n\n## Fix Commit(s)\n\n- `269282ac69ab6030d5f30d04822668f607f13065`",
  "id": "GHSA-j4c9-w69r-cw33",
  "modified": "2026-04-10T19:43:56Z",
  "published": "2026-03-29T15:50:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c9-w69r-cw33"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35661"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/269282ac69ab6030d5f30d04822668f607f13065"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-telegram-dm-scoped-inline-button-callback-authorization-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State"
}

GHSA-J4G8-8JW2-7WW9

Vulnerability from github – Published: 2024-09-11 09:31 – Updated: 2024-09-11 09:31
VLAI
Details

The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-11T09:15:02Z",
    "severity": "CRITICAL"
  },
  "details": "The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user\u0027s identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully.",
  "id": "GHSA-j4g8-8jw2-7ww9",
  "modified": "2024-09-11T09:31:12Z",
  "published": "2024-09-11T09:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8277"
    },
    {
      "type": "WEB",
      "url": "https://codecanyon.net/item/woocommerce-photo-reviews/21245349"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1e2d370-a716-4d6b-8e23-74db2fbd0760?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J568-7WM8-FM52

Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-25 21:30
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1917"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T16:16:10Z",
    "severity": "HIGH"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.",
  "id": "GHSA-j568-7wm8-fm52",
  "modified": "2026-03-25T21:30:32Z",
  "published": "2026-03-25T18:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1917"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2026-008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.