CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14556 vulnerabilities reference this CWE, most recent first.
GHSA-J8JX-64CG-5V4F
Vulnerability from github – Published: 2023-06-07 03:30 – Updated: 2024-04-04 04:38The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to download lists of members, products and orders.
{
"affected": [],
"aliases": [
"CVE-2021-4355"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-07T02:15:13Z",
"severity": "MODERATE"
},
"details": "The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to download lists of members, products and orders.",
"id": "GHSA-j8jx-64cg-5v4f",
"modified": "2024-04-04T04:38:14Z",
"published": "2023-06-07T03:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4355"
},
{
"type": "WEB",
"url": "https://blog.nintechnet.com/wordpress-welcart-e-commerce-plugin-fixed-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/671f5ba5-1f18-49fa-aa97-eaebdb3417bb?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J8MJ-5FPW-2PC8
Vulnerability from github – Published: 2023-11-06 18:30 – Updated: 2023-11-06 18:30An authorization issue affecting GitLab EE affecting all versions from 14.7 prior to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1, allowed a user to run jobs in protected environments, bypassing any required approvals.
{
"affected": [],
"aliases": [
"CVE-2023-4700"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-06T18:15:08Z",
"severity": "LOW"
},
"details": "An authorization issue affecting GitLab EE affecting all versions from 14.7 prior to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1, allowed a user to run jobs in protected environments, bypassing any required approvals.",
"id": "GHSA-j8mj-5fpw-2pc8",
"modified": "2023-11-06T18:30:19Z",
"published": "2023-11-06T18:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4700"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2129826"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/421937"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J8PH-6CV6-W3VQ
Vulnerability from github – Published: 2025-02-01 06:31 – Updated: 2025-02-01 06:31The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_deactivate() function in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset some of the plugin's settings.
{
"affected": [],
"aliases": [
"CVE-2024-13651"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-01T04:15:30Z",
"severity": "MODERATE"
},
"details": "The RapidLoad \u2013 Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_deactivate() function in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset some of the plugin\u0027s settings.",
"id": "GHSA-j8ph-6cv6-w3vq",
"modified": "2025-02-01T06:31:00Z",
"published": "2025-02-01T06:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13651"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3232560%40unusedcss\u0026new=3232560%40unusedcss\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87f9f052-2963-4548-9ff8-91dc2b4ecb43?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J8R6-V8QR-PF69
Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2025-04-20 03:32Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option.
{
"affected": [],
"aliases": [
"CVE-2017-5180"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-09T18:59:00Z",
"severity": "HIGH"
},
"details": "Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option.",
"id": "GHSA-j8r6-v8qr-pf69",
"modified": "2025-04-20T03:32:39Z",
"published": "2022-05-13T01:46:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5180"
},
{
"type": "WEB",
"url": "https://firejail.wordpress.com/download-2/release-notes"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-62"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/01/04/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95298"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J8V8-G9CX-5QF4
Vulnerability from github – Published: 2026-07-07 20:57 – Updated: 2026-07-07 20:57Am I affected?
Users are affected if all of these hold:
- They install and register the
@better-auth/scimplugin (plugins: [scim()]). - They create SCIM providers without an
organizationId, that is, non-organization ("personal") providers. Organization-scoped providers are not affected because they enforce organization membership and role. - Their application's deployment has more than one authenticated user, so one account can target another user's provider.
- They have not set
providerOwnership: { enabled: true }.
The SCIM management endpoints first shipped in 1.5.0, so every stable release from 1.5.0 onward is affected, and the stable line is not patched. On the pre-release line, builds through 1.7.0-beta.3 are affected, and 1.7.0-beta.4 carries the fix.
Fix:
- Upgrade to
@better-auth/scim@1.7.0-beta.4(then1.7.0). This is a breaking change: it removes theproviderOwnershipoption, makes owner binding mandatory, and adds a permanentscimProvider.userIdcolumn. - Run the schema migration after upgrading (
npx auth migrate). Connections created before the upgrade carry no owner and become unreachable through the management endpoints, so reclaim them at the database level. - The
1.6.xstable line is not patched. If developers stay on it, apply the workaround below.
Summary
@better-auth/scim does not bind non-organization SCIM providers to their creator in the default configuration. Any authenticated user can manage another user's non-org provider, including reading its metadata, listing connections, regenerating its SCIM bearer token, and deleting the connection. Regenerating the token rotates it: the legitimate token stops working and the attacker holds a valid one.
Details
The plugin tracks provider ownership through an opt-in providerOwnership option and a scimProvider.userId column. Both default to off. When ownership is disabled, a non-org provider row is created without a userId, and the management access check denies access only when a stored owner id is present and differs from the caller:
// non-organization branch of the access check
} else if (provider.userId && provider.userId !== userId) {
throw new APIError("FORBIDDEN", { message: "You must be the owner to access this provider" });
}
Because the default row has no userId, the condition is false and the request is allowed. The same gap reaches every management operation: token generation and regeneration, single-provider read, the connection list (which returns providers where p.userId === userId || !p.userId), and provider deletion.
The most sensitive operation is token regeneration. If Alice creates a non-org provider corp-idp, Bob can call the same generate-token endpoint with providerId: "corp-idp". The existing row passes the ownerless access check, so the plugin deletes it, creates a fresh row, and returns a new SCIM bearer token to Bob. Alice's previous token is now invalid, and Bob's token authenticates against that provider's SCIM API routes.
This requires no organization membership and no elevated role. It is reachable in the default scim() configuration whenever non-organization providers are used.
Proof of concept
Two authenticated users, Alice and Bob, in a default scim() setup:
- Alice signs in and creates a non-org provider:
POST /scim/generate-tokenwith{ "providerId": "corp-idp" }. - Bob signs in and reads Alice's provider:
GET /scim/get-provider-connection?providerId=corp-idpreturns200with{ "providerId": "corp-idp" }. - Bob regenerates the token:
POST /scim/generate-tokenwith{ "providerId": "corp-idp" }returns201and a newscimToken. - Alice's old token is rejected at
GET /scim/v2/Users(401); Bob's regenerated token is accepted (200).
The behavior is reproducible through Better Auth's public API surface with two distinct sessions.
Patches
Fixed in @better-auth/scim@1.7.0-beta.4 (then 1.7.0). The fix makes owner binding mandatory: generateSCIMToken records the creator's userId on every personal connection, and the management endpoints grant access only to that owner. Organization-scoped connections keep their existing membership and role checks. The 1.6.x stable line is not patched.
This release is breaking. It removes the providerOwnership option, owner binding can no longer be disabled, and the scimProvider.userId column becomes a permanent part of the schema, so run npx auth migrate after upgrading. Connections created before the upgrade carry no owner and fail closed; reclaim them by deleting scimProvider rows that have neither organizationId nor userId, or by setting userId to the intended owner, then regenerating tokens.
Workarounds
Until a patched version is available:
- Set
providerOwnership: { enabled: true }when registering the plugin, then run the schema update so thescimProvider.userIdcolumn exists (npx auth generateornpx auth migrate). New non-org providers are then owner-bound and non-owners are denied. Providers created before enabling ownership stay ownerless until recreated. - Or scope every SCIM provider to an organization by always passing
organizationId. Organization providers enforce membership and role and are not exposed. - Or restrict access to the SCIM management endpoints at the edge while non-org providers remain ownerless.
Impact
Any authenticated user can take over non-organization SCIM providers created by other users when the plugin runs with its default ownership configuration. An attacker can discover non-org provider connections, read provider metadata, regenerate another user's SCIM token (invalidating the legitimate one), authenticate to the SCIM API routes with the new token, manage SCIM-provisioned users subject to the enabled SCIM functionality, and delete the provider connection.
Credit
Reported by Jvr2022 through a private GitHub Security Advisory.
Resources
- CWE-862 Missing Authorization: https://cwe.mitre.org/data/definitions/862.html
- CWE-639 Authorization Bypass Through User-Controlled Key: https://cwe.mitre.org/data/definitions/639.html
- SCIM 2.0 Protocol (RFC 7644): https://datatracker.ietf.org/doc/html/rfc7644
- OAuth 2.0 Bearer Token Usage (RFC 6750): https://datatracker.ietf.org/doc/html/rfc6750
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@better-auth/scim"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0"
},
{
"fixed": "1.7.0-beta.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-07T20:57:05Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Am I affected?\n\nUsers are affected if all of these hold:\n\n- They install and register the `@better-auth/scim` plugin (`plugins: [scim()]`).\n- They create SCIM providers without an `organizationId`, that is, non-organization (\"personal\") providers. Organization-scoped providers are not affected because they enforce organization membership and role.\n- Their application\u0027s deployment has more than one authenticated user, so one account can target another user\u0027s provider.\n- They have not set `providerOwnership: { enabled: true }`.\n\nThe SCIM management endpoints first shipped in `1.5.0`, so every stable release from `1.5.0` onward is affected, and the stable line is not patched. On the pre-release line, builds through `1.7.0-beta.3` are affected, and `1.7.0-beta.4` carries the fix.\n\nFix:\n\n1. Upgrade to `@better-auth/scim@1.7.0-beta.4` (then `1.7.0`). This is a breaking change: it removes the `providerOwnership` option, makes owner binding mandatory, and adds a permanent `scimProvider.userId` column.\n2. Run the schema migration after upgrading (`npx auth migrate`). Connections created before the upgrade carry no owner and become unreachable through the management endpoints, so reclaim them at the database level.\n3. The `1.6.x` stable line is not patched. If developers stay on it, apply the workaround below.\n\n### Summary\n\n`@better-auth/scim` does not bind non-organization SCIM providers to their creator in the default configuration. Any authenticated user can manage another user\u0027s non-org provider, including reading its metadata, listing connections, regenerating its SCIM bearer token, and deleting the connection. Regenerating the token rotates it: the legitimate token stops working and the attacker holds a valid one.\n\n### Details\n\nThe plugin tracks provider ownership through an opt-in `providerOwnership` option and a `scimProvider.userId` column. Both default to off. When ownership is disabled, a non-org provider row is created without a `userId`, and the management access check denies access only when a stored owner id is present and differs from the caller:\n\n```ts\n// non-organization branch of the access check\n} else if (provider.userId \u0026\u0026 provider.userId !== userId) {\n throw new APIError(\"FORBIDDEN\", { message: \"You must be the owner to access this provider\" });\n}\n```\n\nBecause the default row has no `userId`, the condition is false and the request is allowed. The same gap reaches every management operation: token generation and regeneration, single-provider read, the connection list (which returns providers where `p.userId === userId || !p.userId`), and provider deletion.\n\nThe most sensitive operation is token regeneration. If Alice creates a non-org provider `corp-idp`, Bob can call the same generate-token endpoint with `providerId: \"corp-idp\"`. The existing row passes the ownerless access check, so the plugin deletes it, creates a fresh row, and returns a new SCIM bearer token to Bob. Alice\u0027s previous token is now invalid, and Bob\u0027s token authenticates against that provider\u0027s SCIM API routes.\n\nThis requires no organization membership and no elevated role. It is reachable in the default `scim()` configuration whenever non-organization providers are used.\n\n### Proof of concept\n\nTwo authenticated users, Alice and Bob, in a default `scim()` setup:\n\n1. Alice signs in and creates a non-org provider: `POST /scim/generate-token` with `{ \"providerId\": \"corp-idp\" }`.\n2. Bob signs in and reads Alice\u0027s provider: `GET /scim/get-provider-connection?providerId=corp-idp` returns `200` with `{ \"providerId\": \"corp-idp\" }`.\n3. Bob regenerates the token: `POST /scim/generate-token` with `{ \"providerId\": \"corp-idp\" }` returns `201` and a new `scimToken`.\n4. Alice\u0027s old token is rejected at `GET /scim/v2/Users` (`401`); Bob\u0027s regenerated token is accepted (`200`).\n\nThe behavior is reproducible through Better Auth\u0027s public API surface with two distinct sessions.\n\n### Patches\n\nFixed in `@better-auth/scim@1.7.0-beta.4` (then `1.7.0`). The fix makes owner binding mandatory: `generateSCIMToken` records the creator\u0027s `userId` on every personal connection, and the management endpoints grant access only to that owner. Organization-scoped connections keep their existing membership and role checks. The `1.6.x` stable line is not patched.\n\nThis release is breaking. It removes the `providerOwnership` option, owner binding can no longer be disabled, and the `scimProvider.userId` column becomes a permanent part of the schema, so run `npx auth migrate` after upgrading. Connections created before the upgrade carry no owner and fail closed; reclaim them by deleting `scimProvider` rows that have neither `organizationId` nor `userId`, or by setting `userId` to the intended owner, then regenerating tokens.\n\n### Workarounds\n\nUntil a patched version is available:\n\n- Set `providerOwnership: { enabled: true }` when registering the plugin, then run the schema update so the `scimProvider.userId` column exists (`npx auth generate` or `npx auth migrate`). New non-org providers are then owner-bound and non-owners are denied. Providers created before enabling ownership stay ownerless until recreated.\n- Or scope every SCIM provider to an organization by always passing `organizationId`. Organization providers enforce membership and role and are not exposed.\n- Or restrict access to the SCIM management endpoints at the edge while non-org providers remain ownerless.\n\n### Impact\n\nAny authenticated user can take over non-organization SCIM providers created by other users when the plugin runs with its default ownership configuration. An attacker can discover non-org provider connections, read provider metadata, regenerate another user\u0027s SCIM token (invalidating the legitimate one), authenticate to the SCIM API routes with the new token, manage SCIM-provisioned users subject to the enabled SCIM functionality, and delete the provider connection.\n\n### Credit\n\nReported by Jvr2022 through a private GitHub Security Advisory.\n\n### Resources\n\n- CWE-862 Missing Authorization: https://cwe.mitre.org/data/definitions/862.html\n- CWE-639 Authorization Bypass Through User-Controlled Key: https://cwe.mitre.org/data/definitions/639.html\n- SCIM 2.0 Protocol (RFC 7644): https://datatracker.ietf.org/doc/html/rfc7644\n- OAuth 2.0 Bearer Token Usage (RFC 6750): https://datatracker.ietf.org/doc/html/rfc6750",
"id": "GHSA-j8v8-g9cx-5qf4",
"modified": "2026-07-07T20:57:06Z",
"published": "2026-07-07T20:57:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-j8v8-g9cx-5qf4"
},
{
"type": "PACKAGE",
"url": "https://github.com/better-auth/better-auth"
},
{
"type": "WEB",
"url": "https://github.com/better-auth/better-auth/releases/tag/v1.7.0-beta.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers"
}
GHSA-J8X8-H75R-56QJ
Vulnerability from github – Published: 2025-06-06 15:30 – Updated: 2026-04-01 18:35Missing Authorization vulnerability in cmoreira Team Showcase allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team Showcase: from n/a through n/a.
{
"affected": [],
"aliases": [
"CVE-2025-49248"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-06T13:15:42Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in cmoreira Team Showcase allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team Showcase: from n/a through n/a.",
"id": "GHSA-j8x8-h75r-56qj",
"modified": "2026-04-01T18:35:22Z",
"published": "2025-06-06T15:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49248"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/team-showcase-cm/vulnerability/wordpress-team-showcase-25-05-13-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J8XV-PR77-4G5M
Vulnerability from github – Published: 2024-03-13 18:31 – Updated: 2026-04-08 21:32The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_attendees_email_by_event_id() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to to retrieve the attendees list for any event.
{
"affected": [],
"aliases": [
"CVE-2024-1126"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-13T16:15:17Z",
"severity": "MODERATE"
},
"details": "The EventPrime \u2013 Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_attendees_email_by_event_id() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to to retrieve the attendees list for any event.",
"id": "GHSA-j8xv-pr77-4g5m",
"modified": "2026-04-08T21:32:20Z",
"published": "2024-03-13T18:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1126"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3033882%40eventprime-event-calendar-management\u0026new=3033882%40eventprime-event-calendar-management\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d266b6ee-24ec-4363-a986-5ccd4db5ae3c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J92H-624P-JHFP
Vulnerability from github – Published: 2025-01-31 06:30 – Updated: 2025-01-31 06:30The Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings.
{
"affected": [],
"aliases": [
"CVE-2024-13415"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-31T06:15:29Z",
"severity": "MODERATE"
},
"details": "The Food Menu \u2013 Restaurant Menu \u0026 Online Ordering for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin\u0027s settings.",
"id": "GHSA-j92h-624p-jhfp",
"modified": "2025-01-31T06:30:53Z",
"published": "2025-01-31T06:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13415"
},
{
"type": "WEB",
"url": "https://plugins.svn.wordpress.org/tlp-food-menu/tags/5.1.4/app/Controllers/Admin/Ajax/Settings.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3231030%40tlp-food-menu\u0026new=3231030%40tlp-food-menu\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab6dd645-8831-49bc-b6b1-bb153ef79204?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J95J-FRQ6-6X8G
Vulnerability from github – Published: 2025-04-04 18:31 – Updated: 2026-04-01 18:34Missing Authorization vulnerability in Anzar Ahmed Display product variations dropdown on shop page allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Display product variations dropdown on shop page: from n/a through 1.1.3.
{
"affected": [],
"aliases": [
"CVE-2025-32226"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-04T16:15:31Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Anzar Ahmed Display product variations dropdown on shop page allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Display product variations dropdown on shop page: from n/a through 1.1.3.",
"id": "GHSA-j95j-frq6-6x8g",
"modified": "2026-04-01T18:34:32Z",
"published": "2025-04-04T18:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32226"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/display-product-variations-dropdown-on-shop-page/vulnerability/wordpress-display-product-variations-dropdown-on-shop-page-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J96X-Q273-MH9J
Vulnerability from github – Published: 2024-06-11 15:31 – Updated: 2024-06-11 15:31Missing Authorization vulnerability in WP EasyCart.This issue affects WP EasyCart: from n/a through 5.5.19.
{
"affected": [],
"aliases": [
"CVE-2024-35667"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T15:16:08Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WP EasyCart.This issue affects WP EasyCart: from n/a through 5.5.19.",
"id": "GHSA-j96x-q273-mh9j",
"modified": "2024-06-11T15:31:15Z",
"published": "2024-06-11T15:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35667"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wp-easycart/wordpress-shopping-cart-ecommerce-store-plugin-5-5-19-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.