CWE-862: Missing Authorization

Exploit likelihood: High

Parent: CWE-285 - Improper Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

7,701 vulnerabilities with CWE-862 (25 listed below, each as CVE ID, severity, CVSS base score, and title):

CVE-2026-39520 (MEDIUM, CVSS 5.3): WordPress weDocs plugin <= 2.1.18 - Broken Access Control vulnerability
CVE-2026-39509 (MEDIUM, CVSS 5.3): WordPress Directorist plugin <= 8.5.10 - Broken Access Control vulnerability
CVE-2026-39506 (MEDIUM, CVSS 4.3): WordPress AI Engine (Pro) plugin < 3.4.2 - Broken Access Control vulnerability
CVE-2026-39505 (MEDIUM, CVSS 5.3): WordPress Seriously Simple Podcasting plugin <= 3.14.2 - Broken Access Control vulnerability
CVE-2026-39504 (MEDIUM, CVSS 5.4): WordPress InstaWP Connect plugin <= 0.1.2.5 - Broken Access Control vulnerability
CVE-2026-39501 (MEDIUM, CVSS 5.3): WordPress FOX plugin <= 1.4.5 - Broken Access Control vulnerability
CVE-2026-39488 (MEDIUM, CVSS 6.5): WordPress SureCart plugin <= 4.0.2 - Broken Access Control vulnerability
CVE-2026-39485 (MEDIUM, CVSS 4.3): WordPress Youtube Embed Plus plugin <= 14.2.4 - Broken Access Control vulnerability
CVE-2026-39477 (MEDIUM, CVSS 4.3): WordPress CartFlows plugin <= 2.2.3 - Broken Access Control vulnerability
CVE-2026-39476 (MEDIUM, CVSS 4.3): WordPress User Feedback plugin <= 1.10.1 - Broken Access Control vulnerability
CVE-2026-3480 (MEDIUM, CVSS 6.5): WP Blockade <= 0.9.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'shortcode' Parameter
CVE-2026-3477 (MEDIUM, CVSS 5.3): PZ Frontend Manager <= 1.0.6 - Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter
CVE-2026-4299 (MEDIUM, CVSS 5.3): MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API
CVE-2026-4003 (CRITICAL, CVSS 9.8): Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action
CVE-2026-3646 (MEDIUM, CVSS 5.3): LTL Freight Quotes – R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update
CVE-2026-2263 (MEDIUM, CVSS 5.3): Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation
CVE-2026-4065 (MEDIUM, CVSS 5.4): Smart Slider 3 <= 3.5.1.33 - Missing Authorization to Authenticated (Contributor+) Slider Data Read and Image Record Manipulation
CVE-2026-39401 (MEDIUM, CVSS 5.4): Privilege Escalation via update_event Job Output in Cronicle
CVE-2026-39397 (CRITICAL, CVSS 9.4): @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections
CVE-2026-39360 (MEDIUM, CVSS 4.3): RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration
CVE-2026-39355 (CRITICAL, CVSS 9.9): Genealogy is Missing Authorization in `TeamController::transferOwnership()` Allows Any Authenticated User to Hijack Any Team (Broken Access Control)
CVE-2026-39351 (CRITICAL, CVSS 9.1): Frappe allows unrestricted Doctype access via API exploit
CVE-2026-39348 (MEDIUM, CVSS 4.3): OrangeHRM is Missing Authorization Checks in AbstractFileController Subclasses Expose Job Specification and Vacancy Attachments
CVE-2026-22680 (MEDIUM, CVSS 5.3): OpenViking < 0.3.3 Missing Authorization via Task Polling
CVE-2026-35606 (HIGH, CVSS 7.5): File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check