CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14630 vulnerabilities reference this CWE, most recent first.
GHSA-QXQ7-73M9-XJ3M
Vulnerability from github – Published: 2026-05-07 09:31 – Updated: 2026-05-07 09:31Missing Authorization vulnerability in bPlugins PDF Poster allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects PDF Poster: from n/a through 2.4.1.
{
"affected": [],
"aliases": [
"CVE-2026-27416"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-07T09:16:27Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in bPlugins PDF Poster allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects PDF Poster: from n/a through 2.4.1.",
"id": "GHSA-qxq7-73m9-xj3m",
"modified": "2026-05-07T09:31:27Z",
"published": "2026-05-07T09:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27416"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/pdf-poster/vulnerability/wordpress-pdf-poster-plugin-2-4-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QXR2-7V5G-F58P
Vulnerability from github – Published: 2024-12-12 06:30 – Updated: 2024-12-12 06:30The AI Post Generator | AutoWriter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ai_post_generator_delete_Post AJAX action in all versions up to, and including, 3.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary pages and posts.
{
"affected": [],
"aliases": [
"CVE-2024-11709"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T05:15:08Z",
"severity": "MODERATE"
},
"details": "The AI Post Generator | AutoWriter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ai_post_generator_delete_Post AJAX action in all versions up to, and including, 3.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary pages and posts.",
"id": "GHSA-qxr2-7v5g-f58p",
"modified": "2024-12-12T06:30:50Z",
"published": "2024-12-12T06:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11709"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ai-post-generator/trunk/inc/insert-head.php#L430"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ai-post-generator/trunk/inc/insert-head.php#L512"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f00ac468-870a-4c43-af25-9febea5e4d67?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QXVM-PCFM-QC39
Vulnerability from github – Published: 2026-06-16 21:30 – Updated: 2026-06-16 21:30Summary
Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An authenticated user who owns any organization (organizations are self-service) could therefore modify the permissions of, or delete, a role belonging to a different organization, given that role's identifier.
Impact
This is a cross-tenant broken access control (IDOR) issue affecting multi-tenant deployments, including the managed Daytona platform. Using a target role's identifier, an attacker with owner rights over their own organization could:
- Overwrite the target role's name and permission set, escalating or stripping privileges for every member and API key in the victim organization that holds that role.
- Delete the target role, removing the associated permissions from its holders.
- Observe the victim role's current permission set returned in the update response (limited information disclosure).
Exploitation requires knowledge of the target role's identifier, which is not enumerable across organizations and is not exposed to non-members through the API.
Affected versions
All versions up to and including 0.184.0.
Patches
Fixed in 0.185.0. The role update, delete, and role-assignment lookups are now scoped to the caller's organization, so a role belonging to another organization resolves to "not found" before any read or mutation. The managed Daytona platform was updated on release of 0.185.0.
Workarounds
None. Upgrade to 0.185.0. Single-organization self-hosted deployments are not exploitable, as the issue requires a second organization to target.
Credit
Reported by @vnth4nhnt.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.184.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/daytonaio/daytona"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.185.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54322"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T21:30:08Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nDaytona\u0027s organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An authenticated user who owns any organization (organizations are self-service) could therefore modify the permissions of, or delete, a role belonging to a different organization, given that role\u0027s identifier.\n\n### Impact\nThis is a cross-tenant broken access control (IDOR) issue affecting multi-tenant deployments, including the managed Daytona platform. Using a target role\u0027s identifier, an attacker with owner rights over their own organization could:\n\n- Overwrite the target role\u0027s name and permission set, escalating or stripping privileges for every member and API key in the victim organization that holds that role.\n- Delete the target role, removing the associated permissions from its holders.\n- Observe the victim role\u0027s current permission set returned in the update response (limited information disclosure).\n\nExploitation requires knowledge of the target role\u0027s identifier, which is not enumerable across organizations and is not exposed to non-members through the API.\n\n### Affected versions\nAll versions up to and including 0.184.0.\n\n### Patches\nFixed in 0.185.0. The role update, delete, and role-assignment lookups are now scoped to the caller\u0027s organization, so a role belonging to another organization resolves to \"not found\" before any read or mutation. The managed Daytona platform was updated on release of 0.185.0.\n\n### Workarounds\nNone. Upgrade to 0.185.0. Single-organization self-hosted deployments are not exploitable, as the issue requires a second organization to target.\n\n### Credit\nReported by @vnth4nhnt.",
"id": "GHSA-qxvm-pcfm-qc39",
"modified": "2026-06-16T21:30:08Z",
"published": "2026-06-16T21:30:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/daytonaio/daytona/security/advisories/GHSA-qxvm-pcfm-qc39"
},
{
"type": "PACKAGE",
"url": "https://github.com/daytonaio/daytona"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Daytona: Cross-org IDOR in organization role update/delete \u2014 any org owner can rewrite or destroy another org\u0027s roles"
}
GHSA-QXVQ-6PWW-3W8Q
Vulnerability from github – Published: 2026-01-06 09:30 – Updated: 2026-04-08 18:34The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results.
{
"affected": [],
"aliases": [
"CVE-2025-9294"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-06T09:15:55Z",
"severity": "MODERATE"
},
"details": "The Quiz and Survey Master (QSM) \u2013 Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results.",
"id": "GHSA-qxvq-6pww-3w8q",
"modified": "2026-04-08T18:34:01Z",
"published": "2026-01-06T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9294"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/admin/options-page-questions-tab.php#L1116"
},
{
"type": "WEB",
"url": "https://research.cleantalk.org/cve-2025-9294"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55895508-d0ef-4855-8d15-b8a45ba0dcb2?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QXWH-J7J4-29G4
Vulnerability from github – Published: 2025-04-17 18:31 – Updated: 2026-04-01 18:34Missing Authorization vulnerability in Ays Pro Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll Maker: from n/a through 5.5.0.
{
"affected": [],
"aliases": [
"CVE-2025-24577"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-17T16:15:31Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Ays Pro Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll Maker: from n/a through 5.5.0.",
"id": "GHSA-qxwh-j7j4-29g4",
"modified": "2026-04-01T18:34:46Z",
"published": "2025-04-17T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24577"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/poll-maker/vulnerability/wordpress-poll-maker-plugin-5-5-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QXWX-WVWC-842X
Vulnerability from github – Published: 2026-01-06 18:31 – Updated: 2026-01-20 15:33Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3.
{
"affected": [],
"aliases": [
"CVE-2025-69341"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-06T17:15:46Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through \u003c= 1.0.3.",
"id": "GHSA-qxwx-wvwc-842x",
"modified": "2026-01-20T15:33:06Z",
"published": "2026-01-06T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69341"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R22J-494Q-4PJG
Vulnerability from github – Published: 2023-04-19 21:30 – Updated: 2024-04-04 03:35In multiple functions of RunningTasks.java, there is a possible privilege escalation due to a missing privilege check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-243130512
{
"affected": [],
"aliases": [
"CVE-2023-20909"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-19T20:15:10Z",
"severity": "MODERATE"
},
"details": "In multiple functions of RunningTasks.java, there is a possible privilege escalation due to a missing privilege check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-243130512",
"id": "GHSA-r22j-494q-4pjg",
"modified": "2024-04-04T03:35:41Z",
"published": "2023-04-19T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20909"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-04-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R22Q-78J6-33WJ
Vulnerability from github – Published: 2024-03-07 12:30 – Updated: 2026-04-08 18:32The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media upload due to a missing capability check on the buddyforms_upload_handle_dropped_media function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to upload media files.
{
"affected": [],
"aliases": [
"CVE-2024-1169"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-07T11:15:06Z",
"severity": "HIGH"
},
"details": "The Post Form \u2013 Registration Form \u2013 Profile Form for User Profiles \u2013 Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media upload due to a missing capability check on the buddyforms_upload_handle_dropped_media function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to upload media files.",
"id": "GHSA-r22q-78j6-33wj",
"modified": "2026-04-08T18:32:41Z",
"published": "2024-03-07T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1169"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/buddyforms/trunk/includes/functions.php#L1466"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3046092/buddyforms/trunk/includes/functions.php?contextall=1\u0026old=3023795\u0026old_path=%2Fbuddyforms%2Ftrunk%2Fincludes%2Ffunctions.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d14a90d-65ea-45da-956b-0735e2e2b538?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R235-444X-J59R
Vulnerability from github – Published: 2024-12-13 15:30 – Updated: 2026-04-28 21:35Missing Authorization vulnerability in WPSchoolPress Team WPSchoolPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPSchoolPress: from n/a through 2.2.7.
{
"affected": [],
"aliases": [
"CVE-2023-37887"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-13T15:15:18Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WPSchoolPress Team WPSchoolPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPSchoolPress: from n/a through 2.2.7.",
"id": "GHSA-r235-444x-j59r",
"modified": "2026-04-28T21:35:24Z",
"published": "2024-12-13T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37887"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wpschoolpress/vulnerability/wordpress-wpschoolpress-plugin-2-2-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R24R-7CXR-HMCP
Vulnerability from github – Published: 2022-11-29 00:30 – Updated: 2022-12-02 00:30The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction.
{
"affected": [],
"aliases": [
"CVE-2022-24190"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-28T22:15:00Z",
"severity": "HIGH"
},
"details": "The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction.",
"id": "GHSA-r24r-7cxr-hmcp",
"modified": "2022-12-02T00:30:25Z",
"published": "2022-11-29T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24190"
},
{
"type": "WEB",
"url": "https://www.scrawledsecurityblog.com/2022/11/automating-unsolicited-richard-pics.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.