CWE-288

Authentication Bypass Using an Alternate Path or Channel

Parent: CWE-306 - Missing Authentication for Critical Function

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

568 vulnerabilities with CWE-288
CVE-2026-49764 CRITICAL
WordPress RegistrationMagic plugin <= 6.0.8.6 - Broken Authentication vulnerability
CVSS 9.8
CVE-2026-48970 HIGH
WordPress Really Simple SSL plugin <= 9.5.10 - Broken Authentication vulnerability
CVSS 8.1
CVE-2026-42668 HIGH
WordPress Email Marketing for WooCommerce by Omnisend plugin <= 1.18.0 - Broken Authentication vulnerability
CVSS 7.5
CVE-2026-42411 HIGH
WordPress CloudSecure WP Security plugin <= 1.4.7 - Broken Authentication vulnerability
CVSS 8.1
CVE-2026-42378 MEDIUM
WordPress WP Full Stripe Free plugin <= 8.4.1 - Broken Authentication vulnerability
CVSS 6.5
CVE-2026-40799 MEDIUM
WordPress Simple Cloudflare Turnstile plugin <= 1.38.0 - Broken Authentication vulnerability
CVSS 5.3
CVE-2026-40790 MEDIUM
WordPress WP SMS plugin <= 7.2.1 - Sensitive Data Exposure vulnerability
CVSS 6.5
CVE-2026-40785 HIGH
WordPress AutomatorWP plugin <= 5.6.7 - Broken Authentication vulnerability
CVSS 7.1
CVE-2026-40781 HIGH
WordPress ReviewX plugin <= 2.3.6 - Broken Authentication vulnerability
CVSS 7.5
CVE-2026-39450 HIGH
WordPress FunnelKit Automations plugin <= 3.7.3 - Broken Authentication vulnerability
CVSS 7.1
CVE-2026-49062 HIGH
WordPress Faust.js plugin <= 1.8.7 - Broken Authentication vulnerability
CVSS 8.8
CVE-2026-47200 MEDIUM
Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
CVSS 5.3
CVE-2026-10523 CRITICAL
Ivanti Sentry - Authentication Bypass Using an Alternate Path or Channel
CVSS 9.9
CVE-2026-5415 HIGH
WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link
CVSS 8.8
CVE-2026-36175 MEDIUM
GNCC GP5 v7.1.76 - Authentication Bypass via U-Boot Kernel Boot Argument Injection
CVSS 6.8
CVE-2026-42654 HIGH
WordPress Wallet System for WooCommerce plugin <= 2.7.5 - Broken Authentication vulnerability
CVSS 7.1
CVE-2026-40780 HIGH
WordPress BookIt plugin < 2.5.4.1 - Broken Authentication vulnerability
CVSS 7.5
CVE-2026-45577 MEDIUM
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass
CVE-2026-8697 HIGH
Improper Authentication Rate Limiting on TP-Link's Archer C64
CVSS 8.8
CVE-2026-8990 MEDIUM
Authentication Bypass in Kidsview
CVE-2026-35090 CRITICAL
Authentication Bypass in Slican telephone exchanges
CVE-2026-35087 CRITICAL
Authentication Bypass in Slican telephone exchanges
CVE-2026-42760 HIGH
WordPress Backup and Staging by WP Time Capsule plugin <= 1.22.25 - Broken Authentication vulnerability
CVSS 7.5
CVE-2026-42749 HIGH
WordPress Disable Comments for Any Post Types (Remove comments) plugin <= 1.3.0 - Broken Authentication vulnerability
CVSS 7.1
CVE-2026-42745 HIGH
WordPress Smart Online Order for Clover plugin <= 1.6.0 - Broken Authentication vulnerability
CVSS 7.3