
CWE-266 Incorrect Privilege Assignment: vulnerability list (424)

A summary of the 424 CVE vulnerabilities associated with the CWE-266 (Incorrect Privilege Assignment) weakness class, with AI-generated Chinese analysis.

CWE-266 is a privilege-assignment error: the software grants a privilege to a particular actor incorrectly, giving that actor an unintended sphere of control. Attackers typically exploit the flaw through identity spoofing or session hijacking, obtaining high-privilege operations from a low-privilege identity and performing unauthorized actions. Developers should avoid hard-coding permission logic, adopt role-based access control (RBAC), and, on every authorization check, dynamically verify that the subject's identity matches the privilege it is asserting, so that the principle of least privilege is enforced.

MITRE CWE official description
CWE: CWE-266 Incorrect Privilege Assignment. Description: The product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Common consequences (1)
Access Control: Gain Privileges or Assume Identity
A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts.
Mitigations (2)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design, Operation: Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database ad…
Code examples (2)
The following example demonstrates the weakness: the effective UID is raised to root for a whole region of code, and the drop back to the real user is unconditional and unchecked.

```c
#include <unistd.h>

int main(void) {
    seteuid(0);           /* raise to root: everything below now runs privileged */
    /* do some stuff */
    seteuid(getuid());    /* drop back to the real user; the return value is never checked */
    return 0;
}
```
Bad · C
The following example demonstrates the weakness: arbitrary code is placed inside a privileged block, so everything it does runs with the caller's elevated permissions.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
        // privileged code goes here, for example:
        System.loadLibrary("awt");
        return null; // nothing to return
    }
});
```
Bad · Java
| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2026-54807 | ThemeGrill Registration Form for WooCommerce permission and access control vulnerability | Registration Form for WooCommerce | 9.8 | Critical | 2026-06-17 |
| CVE-2026-54805 | WordPress Falang multilanguage plugin <= 1.4.2 privilege escalation vulnerability | Falang multilanguage | 8.8 | High | 2026-06-17 |
| CVE-2026-54196 | Jetmonsters JetFormBuilder permission and access control vulnerability | JetFormBuilder | 6.8 | Medium | 2026-06-17 |
| CVE-2026-49058 | WordPress LoginPress Pro <= 6.2.2 privilege escalation vulnerability | LoginPress Pro | 9.8 | Critical | 2026-06-17 |
| CVE-2026-39546 | WordPress MultiLoca plugin <= 4.2.15 privilege escalation vulnerability | MultiLoca | 7.6 | High | 2026-06-17 |
| CVE-2025-69179 | WordPress Support Ticket Management System <= 1.9 privilege escalation vulnerability | Support Ticket Management System | 9.8 | Critical | 2026-06-17 |
| CVE-2025-69138 | WordPress Genemy theme <= 1.6.6 privilege escalation vulnerability | Genemy | 8.8 | High | 2026-06-17 |
| CVE-2025-59563 | SONAAR MUSIC Sonaar permission and access control vulnerability | Sonaar | 8.8 | High | 2026-06-17 |
| CVE-2026-27395 | WordPress Support Board plugin < 3.8.9 privilege escalation vulnerability | Support Board | 9.8 | Critical | 2026-06-16 |
| CVE-2026-53862 | OpenClaw < 2026.5.12 startup token replay vulnerability | OpenClaw | 4.2 | Medium | 2026-06-16 |
| CVE-2026-53847 | OpenClaw before 2026.5.6 privilege escalation vulnerability | OpenClaw | 5.4 | Medium | 2026-06-16 |
| CVE-2026-49780 | Dokan permission and access control vulnerability | Dokan | 8.8 | High | 2026-06-15 |
| CVE-2026-49083 | LatePoint permission and access control vulnerability | LatePoint | 7.5 | High | 2026-06-15 |
| CVE-2026-49063 | Webilia Listdom permission and access control vulnerability | Listdom | 7.3 | High | 2026-06-15 |
| CVE-2026-48889 | Melograno Venture Studio Amelia permission and access control vulnerability | Amelia | 8.8 | High | 2026-06-15 |
| CVE-2026-39587 | Hakan Ozevin WP BASE Booking permission and access control vulnerability | WP BASE Booking | 8.1 | High | 2026-06-15 |
| CVE-2026-39583 | Datalogics Ecommerce Delivery permission and access control vulnerability | Datalogics Ecommerce Delivery | 9.8 | Critical | 2026-06-15 |
| CVE-2026-39579 | bPlugins bBlocks permission and access control vulnerability | B Blocks | 8.8 | High | 2026-06-15 |
| CVE-2026-39470 | Brainstorm Force Cart Abandonment Recovery for WooCommerce permission and access control vulnerability | WooCommerce Cart Abandonment Recovery | 7.2 | High | 2026-06-15 |
| CVE-2026-34901 | Paul iControlWP permission and access control vulnerability | iControlWP | 9.8 | Critical | 2026-06-15 |
| CVE-2026-27407 | Meow Apps AI Engine permission and access control vulnerability | AI Engine | 7.2 | High | 2026-06-15 |
| CVE-2026-49111 | Masteriyo LMS permission and access control vulnerability | Masteriyo - LMS | 8.8 | High | 2026-06-15 |
| CVE-2026-49060 | WordPress plugin Hippoo Mobile App for WooCommerce security vulnerability | Hippoo Mobile App for WooCommerce | 9.8 | Critical | 2026-06-11 |
| CVE-2026-53814 | OpenClaw security vulnerability | OpenClaw | 8.3 | High | 2026-06-11 |
| CVE-2026-47169 | Quest Bot security vulnerability | quest-bot | | | 2026-06-11 |
| CVE-2025-15656 | WordPress plugin School Management security vulnerability | School Management | 8.8 | High | 2026-06-03 |
| CVE-2025-53209 | WordPress plugin Masteriyo LMS PRO security vulnerability | Masteriyo LMS PRO | 9.8 | Critical | 2026-06-02 |
| CVE-2026-42680 | WordPress plugin Contest Gallery Pro security vulnerability | Contest Gallery Pro | 9.8 | Critical | 2026-06-01 |
| CVE-2026-48879 | WordPress plugin AIWU security vulnerability | AIWU | 9.8 | Critical | 2026-06-01 |
| CVE-2026-35671 | phpMyFAQ security vulnerability | phpMyFAQ | 8.8 | High | 2026-05-28 |

CWE-266 (Incorrect Privilege Assignment) is a common weakness class; this platform has collected 424 CVE vulnerabilities associated with it.