CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14623 vulnerabilities reference this CWE, most recent first.
GHSA-H8H7-J779-2PWX
Vulnerability from github – Published: 2026-03-20 09:32 – Updated: 2026-03-20 09:32The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and rockpress_check_services) combined with the plugin's nonce being exposed to all authenticated users via an unconditionally enqueued admin script. The plugin enqueues the 'rockpress-admin' script on all admin pages (including profile.php) without any page or capability restrictions, and the nonce for the 'rockpress-nonce' action is passed to this script via wp_localize_script. Since the AJAX handlers only verify this nonce and do not check current_user_can(), any authenticated user, including Subscribers, can extract the nonce from any admin page's HTML source and use it to trigger imports, reset import data (deleting options), check service connectivity, and read import status information. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger resource-intensive import operations, reset import tracking data, and perform system connection checks that should be restricted to administrators.
{
"affected": [],
"aliases": [
"CVE-2026-3550"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-20T09:16:16Z",
"severity": "MODERATE"
},
"details": "The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and rockpress_check_services) combined with the plugin\u0027s nonce being exposed to all authenticated users via an unconditionally enqueued admin script. The plugin enqueues the \u0027rockpress-admin\u0027 script on all admin pages (including profile.php) without any page or capability restrictions, and the nonce for the \u0027rockpress-nonce\u0027 action is passed to this script via wp_localize_script. Since the AJAX handlers only verify this nonce and do not check current_user_can(), any authenticated user, including Subscribers, can extract the nonce from any admin page\u0027s HTML source and use it to trigger imports, reset import data (deleting options), check service connectivity, and read import status information. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger resource-intensive import operations, reset import tracking data, and perform system connection checks that should be restricted to administrators.",
"id": "GHSA-h8h7-j779-2pwx",
"modified": "2026-03-20T09:32:11Z",
"published": "2026-03-20T09:32:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3550"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-ajax.php#L33"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L50"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/admin/admin-scripts.php#L88"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L125"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L145"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L184"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/tags/1.0.17/includes/class-rockpress-import.php#L206"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-ajax.php#L33"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L50"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/admin/admin-scripts.php#L88"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L125"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L145"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L184"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ft-rockpress/trunk/includes/class-rockpress-import.php#L206"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3477205%40ft-rockpress\u0026new=3477205%40ft-rockpress\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5031631-9f12-47d3-997d-4418d348ab40?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H8JM-WWC9-QXGJ
Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-13 21:31Missing Authorization vulnerability in Wombat Plugins Advanced Product Fields (Product Addons) for WooCommerce advanced-product-fields-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Product Fields (Product Addons) for WooCommerce: from n/a through <= 1.6.18.
{
"affected": [],
"aliases": [
"CVE-2026-32457"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-13T19:55:07Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Wombat Plugins Advanced Product Fields (Product Addons) for WooCommerce advanced-product-fields-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Product Fields (Product Addons) for WooCommerce: from n/a through \u003c= 1.6.18.",
"id": "GHSA-h8jm-wwc9-qxgj",
"modified": "2026-03-13T21:31:51Z",
"published": "2026-03-13T21:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32457"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/advanced-product-fields-for-woocommerce/vulnerability/wordpress-advanced-product-fields-product-addons-for-woocommerce-plugin-1-6-18-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H8MG-WF4C-MJW7
Vulnerability from github – Published: 2026-01-01 18:30 – Updated: 2026-01-01 18:30The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin.
{
"affected": [],
"aliases": [
"CVE-2025-14428"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-01T17:15:41Z",
"severity": "MODERATE"
},
"details": "The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the \u0027my_sticky_elements_bulks\u0027 function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin.",
"id": "GHSA-h8mg-wf4c-mjw7",
"modified": "2026-01-01T18:30:27Z",
"published": "2026-01-01T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14428"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L1788"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L29"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-front.php#L121"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3423407"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b82ce74-11ac-4719-961d-a16717ce023b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H8MM-C463-WJQ3
Vulnerability from github – Published: 2026-04-28 22:44 – Updated: 2026-05-08 15:28Summary
CoreDNS' transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. A permissive parent-zone transfer rule can override a restrictive subzone rule (name-dependent), allowing an unauthorized client to perform AXFR/IXFR for the subzone and retrieve its zone contents.
Details
In plugin/transfer/transfer.go, stanza selection is implemented by longestMatch(), which is documented as "longest zone match wins", but it actually chooses the winner via a lexicographic string comparison: - zone := "" // longest zone match wins (plugin/transfer/transfer.go) - if z > zone { zone = z; x = xfr } (plugin/transfer/transfer.go)
So, a parent zone like example.org. can beat a child zone like a.example.org. purely due to lexicographic ordering ("example.org." > "a.example.org."), even though the child zone is the longer/more specific suffix match. The bypass is data-dependent (some child labels will win, some will lose), making it operationally non-intuitive.
PoC
- Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well)
- Run python3 ./acl-repro.py
- Expected output: *** Baseline (only subzone transfer rule) *** axfr a.example.org.: rcode=5 ancount=0 (expected REFUSED=5)
*** Candidate (add permissive parent transfer rule) *** axfr a.example.org.: rcode=0 ancount=5 (expected NOERROR=0 with ancount>0)
*** OK *** Subzone transfer ACL bypass reproduced: adding a permissive parent-zone stanza can override a stricter child-zone stanza due to lexicographic zone selection.
Impact
Unauthorized zone transfer can expose full zone contents to a remote network client that was intended to be denied by a subzone-specific transfer policy.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33489"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-28T22:44:39Z",
"nvd_published_at": "2026-05-05T20:16:36Z",
"severity": "HIGH"
},
"details": "### Summary\nCoreDNS\u0027 transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. A permissive parent-zone transfer rule can override a restrictive subzone rule (name-dependent), allowing an unauthorized client to perform AXFR/IXFR for the subzone and retrieve its zone contents.\n\n### Details\nIn plugin/transfer/transfer.go, stanza selection is implemented by longestMatch(), which is documented as \"longest zone match wins\", but it actually chooses the winner via a lexicographic string comparison:\n- zone := \"\" // longest zone match wins (plugin/transfer/transfer.go)\n- if z \u003e zone { zone = z; x = xfr } (plugin/transfer/transfer.go)\n\nSo, a parent zone like example.org. can beat a child zone like a.example.org. purely due to lexicographic ordering (\"example.org.\" \u003e \"a.example.org.\"), even though the child zone is the longer/more specific suffix match. The bypass is data-dependent (some child labels will win, some will lose), making it operationally non-intuitive.\n\n### PoC\n1. Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well)\n2. Run python3 ./acl-repro.py\n3. Expected output:\n*** Baseline (only subzone transfer rule) ***\naxfr a.example.org.: rcode=5 ancount=0 (expected REFUSED=5)\n\n*** Candidate (add permissive parent transfer rule) ***\naxfr a.example.org.: rcode=0 ancount=5 (expected NOERROR=0 with ancount\u003e0)\n\n*** OK ***\nSubzone transfer ACL bypass reproduced: adding a permissive parent-zone stanza can override a stricter child-zone stanza due to lexicographic zone selection.\n\n### Impact\nUnauthorized zone transfer can expose full zone contents to a remote network client that was intended to be denied by a subzone-specific transfer policy.",
"id": "GHSA-h8mm-c463-wjq3",
"modified": "2026-05-08T15:28:38Z",
"published": "2026-04-28T22:44:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33489"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CoreDNS\u0027 transfer stanza selection uses lexicographic compare (subzone ACL bypass)"
}
GHSA-H8MP-P8XW-22G5
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-07-13 00:01When a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. This was only possible if the website kept recording with the microphone until re-enabling the camera. This vulnerability affects Firefox < 89.
{
"affected": [],
"aliases": [
"CVE-2021-29959"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-24T14:15:00Z",
"severity": "MODERATE"
},
"details": "When a user has already allowed a website to access microphone and camera, disabling camera sharing would not fully prevent the website from re-enabling it without an additional prompt. This was only possible if the website kept recording with the microphone until re-enabling the camera. This vulnerability affects Firefox \u003c 89.",
"id": "GHSA-h8mp-p8xw-22g5",
"modified": "2022-07-13T00:01:18Z",
"published": "2022-05-24T19:06:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29959"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1395819"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-09"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H8QW-944W-6VHW
Vulnerability from github – Published: 2022-08-29 20:06 – Updated: 2022-09-02 00:01The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers
{
"affected": [],
"aliases": [
"CVE-2022-2034"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-29T18:15:00Z",
"severity": "MODERATE"
},
"details": "The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers",
"id": "GHSA-h8qw-944w-6vhw",
"modified": "2022-09-02T00:01:15Z",
"published": "2022-08-29T20:06:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2034"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1590237"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H8R9-GX27-98GJ
Vulnerability from github – Published: 2023-07-13 00:30 – Updated: 2024-04-04 06:05In getAvailabilityStatus of WifiScanningMainSwitchPreferenceController.java, there is a possible way to bypass a device policy restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-21248"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T00:15:23Z",
"severity": "HIGH"
},
"details": "In getAvailabilityStatus of WifiScanningMainSwitchPreferenceController.java, there is a possible way to bypass a device policy restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n",
"id": "GHSA-h8r9-gx27-98gj",
"modified": "2024-04-04T06:05:27Z",
"published": "2023-07-13T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21248"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/packages/apps/Settings/+/edd4023805bc7fa54ae31de222cde02b9012bbc4"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-07-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H8V4-R2Q6-Q979
Vulnerability from github – Published: 2023-05-09 03:30 – Updated: 2024-04-04 03:54In audio service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.
{
"affected": [],
"aliases": [
"CVE-2022-48250"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-09T02:15:10Z",
"severity": "HIGH"
},
"details": "In audio service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.",
"id": "GHSA-h8v4-r2q6-q979",
"modified": "2024-04-04T03:54:32Z",
"published": "2023-05-09T03:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48250"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1654776866982133761"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H8VW-7X98-J7C4
Vulnerability from github – Published: 2023-01-28 00:30 – Updated: 2026-04-08 18:32The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to obtain the blog metadata (via the function cstu_get_metadata) that includes the plugin's contentstudio_token. Knowing this token allows for other interactions with the plugin such as creating posts in versions prior to 1.2.5, which added other requirements to posting and updating.
{
"affected": [],
"aliases": [
"CVE-2023-0556"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-27T22:15:00Z",
"severity": "MODERATE"
},
"details": "The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to obtain the blog metadata (via the function cstu_get_metadata) that includes the plugin\u0027s contentstudio_token. Knowing this token allows for other interactions with the plugin such as creating posts in versions prior to 1.2.5, which added other requirements to posting and updating.",
"id": "GHSA-h8vw-7x98-j7c4",
"modified": "2026-04-08T18:32:01Z",
"published": "2023-01-28T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0556"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/contentstudio/tags/1.2.1/contentstudio-plugin.php#L517"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2851006%40contentstudio%2Ftrunk\u0026old=2844028%40contentstudio%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/52db8d41-859a-4d68-8b83-3d3af8f1bf64"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/52db8d41-859a-4d68-8b83-3d3af8f1bf64?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H8W4-623W-34F7
Vulnerability from github – Published: 2024-11-01 15:31 – Updated: 2026-04-01 18:32Missing Authorization vulnerability in Masteriyo Masteriyo - LMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Masteriyo - LMS: from n/a through 1.11.4.
{
"affected": [],
"aliases": [
"CVE-2024-43158"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-01T15:15:40Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in Masteriyo Masteriyo - LMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Masteriyo - LMS: from n/a through 1.11.4.",
"id": "GHSA-h8w4-623w-34f7",
"modified": "2026-04-01T18:32:16Z",
"published": "2024-11-01T15:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43158"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/learning-management-system/vulnerability/wordpress-masteriyo-lms-plugin-1-11-4-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/learning-management-system/wordpress-masteriyo-lms-plugin-1-11-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.