
CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI-generated Chinese analysis included.

CWE-269 covers the case where software fails to properly assign, modify, track, or check the privileges held by a user or process, so that an actor ends up with a sphere of control it was never meant to have. In practice, and in the CVE list below, the weakness takes a few recurring shapes: a role or privilege field supplied by the client is trusted at registration or profile update; a privileged action never verifies the caller's capabilities; a settings endpoint lets a low-privileged or unauthenticated user change a privilege-bearing option (such as the role new accounts receive); or a program raises operating-system privileges and fails to drop them on every exit path. The usual outcome is escalation from an ordinary account to administrator, followed by data access, configuration changes, or full compromise of the site or host. The defence is to decide privileges on the server from the authenticated identity only, enforce least privilege through an explicit role or capability model, check the caller's rights at every privileged checkpoint rather than once at login, restrict which settings each role may change, and audit role and option assignments regularly.
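The following is an added example, not code from the CWE entry or from any product in the list, that models the three application-level failures described above (a client-supplied role, an unrestricted option update, and a role change without a capability check) each beside a hardened form. The role table, the option names and the `Site`/`User` types are assumptions made for the example; the structure mirrors a typical content-management system but is not any real product's API.

```python
"""Added example (not from the CWE entry or any listed product): a small
registration / role / option model showing three common CWE-269 mistakes
in web applications, each beside a hardened version."""
from dataclasses import dataclass, field

# Hypothetical role-to-capability table for this example.
CAPABILITIES = {
    "subscriber": {"read"},
    "editor": {"read", "edit_posts"},
    "administrator": {"read", "edit_posts", "manage_options", "promote_users"},
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class Site:
    users: dict = field(default_factory=dict)
    # Site-wide settings; default_role decides what new accounts receive.
    options: dict = field(default_factory=lambda: {"default_role": "subscriber",
                                                   "blog_title": "example"})


def can(user, capability):
    """Capability check against the server-side role table, never the request."""
    return capability in CAPABILITIES.get(user.role, set())


# 1. Vulnerable registration: the role is read from the request body, so an
#    anonymous visitor can register straight into the administrator role.
def register_vulnerable(site, request):
    role = request.get("role", site.options["default_role"])
    user = User(request["username"], role)
    site.users[user.name] = user
    return user


# Hardened: the request never influences the role; the server assigns the
# configured default and ignores any "role" field entirely.
def register_hardened(site, request):
    user = User(request["username"], site.options["default_role"])
    site.users[user.name] = user
    return user


# 2. Vulnerable option update: no capability check and no key restriction, so
#    any user can set default_role=administrator and then register a new account.
def update_option_vulnerable(site, actor, key, value):
    site.options[key] = value
    return site.options[key]


# Hardened: require manage_options, allow only an explicit set of keys, and
# validate the value of the privilege-bearing key against the role table.
USER_EDITABLE_OPTIONS = {"blog_title", "default_role"}


def update_option_hardened(site, actor, key, value):
    if not can(actor, "manage_options"):
        raise PermissionError("manage_options required")
    if key not in USER_EDITABLE_OPTIONS:
        raise ValueError(f"option {key!r} is not editable through this path")
    if key == "default_role" and value not in CAPABILITIES:
        raise ValueError("unknown role")
    site.options[key] = value
    return site.options[key]


# 3. Role change: the actor needs promote_users and may not hand out a role
#    carrying capabilities the actor does not hold (blocks self-promotion and
#    escalation through a helper role).
def change_role(site, actor, target_name, new_role):
    if not can(actor, "promote_users"):
        raise PermissionError("promote_users required")
    if new_role not in CAPABILITIES:
        raise ValueError("unknown role")
    if not CAPABILITIES[new_role] <= CAPABILITIES[actor.role]:
        raise PermissionError("cannot grant capabilities the actor lacks")
    site.users[target_name].role = new_role
    return site.users[target_name]
```

The chain `update_option_vulnerable(..., "default_role", "administrator")` followed by a normal registration is the shape the "Arbitrary Option Update to Privilege Escalation" entries in the table describe; the hardened functions close it at both ends, since neither the role nor the option value can be chosen by a caller who lacks the matching capability.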

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
Mitigations (3)
Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system.
Phase: Architecture and Design. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder. The flaw is in the ordering inside the try block: if os.mkdir() raises OSError, control jumps to the except clause and lowerPrivileges() is never called, so the process continues running with elevated privileges for the rest of its lifetime. (raisePrivileges(), lowerPrivileges() and invalidUsername() are helpers assumed by the MITRE example and not defined here.)

```python
import os

def makeNewUserDir(username):
    if invalidUsername(username):
        # avoid CWE-22 and CWE-78
        print('Usernames cannot contain invalid characters')
        return False
    try:
        raisePrivileges()
        os.mkdir('/home/' + username)
        # Only reached if mkdir succeeded; on OSError the privileges stay raised.
        lowerPrivileges()
    except OSError:
        print('Unable to create new user directory for user:' + username)
        return False
    return True
```
Bad · Python
The following example demonstrates the same weakness in C. The effective UID is raised to root for the whole region between the two calls, neither seteuid() return value is checked, and any error return, early exit or signal handler that runs inside that region leaves the process with euid 0.

```c
#include <unistd.h>

/* Fragment from the MITRE example; the surrounding function is not shown. */
seteuid(0);            /* raise to root; return value unchecked */
/* do some stuff */    /* anything that returns early here keeps euid 0 */
seteuid(getuid());     /* drop back to the real uid; return value unchecked */
```
Bad · C
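Both MITRE snippets above fail in the same way: privileges are lowered on the success path only. The block below is an added example, not part of the CWE entry, showing the failure concretely beside a version that lowers privileges on every exit path and verifies the drop. Because the example must run without root, `PrivilegeHolder` is an assumed in-process stand-in for the effective UID (in a real program its two methods would wrap `os.seteuid()` and the check would use `os.geteuid()`), and the `mkdir` callable is injected so the failure path can be exercised; `drop_privileges_permanently()` is the real system-call version for a process that no longer needs root and does require root to run.

```python
"""Added example (not from the CWE entry): lowering privileges on every
exit path. PrivilegeHolder simulates the effective uid of a setuid-root
program so the example runs unprivileged; the mkdir stand-ins below are
constructed inputs for the success and failure paths."""
import os
from contextlib import contextmanager


class PrivilegeHolder:
    """Simulation: real uid is the caller, euid flips between 0 and real uid."""

    def __init__(self, real_uid):
        self.real_uid = real_uid
        self.euid = real_uid

    def raise_privileges(self):
        self.euid = 0                 # stands in for seteuid(0)

    def lower_privileges(self):
        self.euid = self.real_uid     # stands in for seteuid(getuid())


def mkdir_that_fails(path):
    """Constructed stand-in for os.mkdir on a path that already exists."""
    raise OSError(17, "File exists", path)


def mkdir_that_succeeds(path):
    """Constructed stand-in for a successful os.mkdir."""
    return None


def make_new_user_dir_vulnerable(priv, mkdir, username):
    """Same control flow as the CWE-269 Python example: when mkdir raises,
    lower_privileges() is skipped and the process keeps euid 0."""
    try:
        priv.raise_privileges()
        mkdir("/home/" + username)
        priv.lower_privileges()
    except OSError:
        return False
    return True


@contextmanager
def elevated(priv):
    """Raise privileges for the block, lower them in a finally clause so every
    exit path (return, exception, early raise) drops them, then verify."""
    priv.raise_privileges()
    try:
        yield
    finally:
        priv.lower_privileges()
        if priv.euid != priv.real_uid:
            # A failed drop is fatal: continuing would run the rest of the
            # program as root.
            raise SystemExit("failed to drop privileges")


def make_new_user_dir_hardened(priv, mkdir, username):
    try:
        with elevated(priv):
            mkdir("/home/" + username)
    except OSError:
        return False
    return True


def drop_privileges_permanently(uid, gid):
    """Real system-call version for a process that no longer needs root: set
    real, effective and saved ids (group first, while still root), then verify
    that the kernel actually applied the change. Requires root to call."""
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        raise SystemExit("privilege drop failed")
```

Running the vulnerable function with the failing mkdir leaves `priv.euid == 0`, while the hardened one restores the real uid whether mkdir succeeds or raises. The verification after the drop matters with real `seteuid()` as well: the call can fail (for example under a restrictive security policy), and an unchecked failure is exactly the unchecked-return-value problem of the C snippet.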
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-50890 | WordPress Ultimate Addons for Elementor plugin <= 1.36.20 - Privilege Escalation vulnerability | Ultimate Addons for Elementor | 8.8 | High | 2024-05-17 |
| CVE-2023-48757 | WordPress JetEngine plugin <= 3.2.4 - Privilege Escalation vulnerability | JetEngine | 8.8 | High | 2024-05-17 |
| CVE-2023-48319 | WordPress Salon booking system plugin < 8.7 - Editor+ Privilege Escalation vulnerability | Salon booking system | 6.8 | Medium | 2024-05-17 |
| CVE-2023-47868 | WordPress wpForo plugin <= 2.2.3 - Privilege Escalation vulnerability | wpForo Forum | 7.3 | High | 2024-05-17 |
| CVE-2023-47782 | WordPress Thrive Theme Builder theme < 3.24.0 - Authenticated Privilege Escalation vulnerability | Thrive Theme Builder | 8.8 | High | 2024-05-17 |
| CVE-2023-47683 | WordPress Social Login, Social Sharing by miniOrange plugin <= 7.6.6 - Authenticated Privilege Escalation vulnerability | WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) | 8.0 | High | 2024-05-17 |
| CVE-2023-47682 | WordPress WP User Frontend plugin <= 3.6.5 - Authenticated Privilege Escalation vulnerability | WP User Frontend | 7.2 | High | 2024-05-17 |
| CVE-2023-46145 | WordPress Themify Ultra theme <= 7.3.5 - Authenticated Privilege Escalation vulnerability | Themify Ultra | 8.8 | High | 2024-05-17 |
| CVE-2024-33549 | WordPress WZone plugin <= 14.0.10 - Privilege Escalation vulnerability | WZone | 8.8 | High | 2024-05-17 |
| CVE-2024-33550 | WordPress WP Masquerade plugin <= 1.1.0 - Authenticated Account Takeover vulnerability | WP Masquerade | 8.8 | High | 2024-05-17 |
| CVE-2024-33552 | WordPress XStore Core plugin <= 5.3.8 - Unauthenticated Account Takeover vulnerability | XStore Core | 9.8 | Critical | 2024-05-17 |
| CVE-2024-33567 | WordPress Barcode Scanner with Inventory & Order Manager plugin <= 1.5.3 - Unauthenticated Privilege Escalation vulnerability | Barcode Scanner with Inventory & Order Manager | 9.8 | Critical | 2024-05-17 |
| CVE-2024-33569 | WordPress Instant Images plugin <= 6.1.0 - Arbitrary Option Update to Privilege Escalation vulnerability | Instant Images | 7.2 | High | 2024-05-17 |
| CVE-2024-34370 | WordPress EAN for WooCommerce plugin <= 4.8.9 - Arbitrary Option Update to Privilege Escalation vulnerability | EAN for WooCommerce | 7.2 | High | 2024-05-17 |
| CVE-2023-41957 | WordPress Simple Membership plugin <= 4.3.4 - Unauthenticated Membership Role Privilege Escalation vulnerability | Simple Membership | 8.6 | High | 2024-05-17 |
| CVE-2023-41955 | WordPress Essential Addons for Elementor plugin <= 5.8.8 - Contributor+ Privilege Escalation vulnerability | Essential Addons for Elementor | 8.8 | High | 2024-05-17 |
| CVE-2023-41954 | WordPress ProfilePress plugin <= 4.13.1 - Unauthenticated Limited Privilege Escalation vulnerability | ProfilePress | 8.6 | High | 2024-05-17 |
| CVE-2023-41665 | WordPress GiveWP plugin <= 2.33.0 - GiveWP Manager+ Privilege Escalation vulnerability | GiveWP | 8.8 | High | 2024-05-17 |
| CVE-2023-41243 | WordPress WPvivid Backup Plugin plugin <= 0.9.90 - Privilege Escalation on Staging Environment vulnerability | WPvivid Backup and Migration | 8.8 | High | 2024-05-17 |
| CVE-2023-37999 | WordPress HT Mega Absolute Addons for Elementor plugin <= 2.2.0 - Unauthenticated Privilege Escalation vulnerability | HT Mega | 9.8 | Critical | 2024-05-17 |
| CVE-2023-37866 | WordPress JetFormBuilder plugin <= 3.0.8 - Authenticated Privilege Escalation vulnerability | JetFormBuilder | 7.2 | High | 2024-05-17 |
| CVE-2023-37389 | WordPress Booking Package SAASPROJECT plugin <= 1.5.98 - Unauthenticated Privilege Escalation vulnerability | Booking Package | 8.8 | High | 2024-05-17 |
| CVE-2023-32244 | WordPress Woodmart Core plugin <= 1.0.36 - Privilege Escalation | Woodmart Core | 9.8 | Critical | 2024-05-17 |
| CVE-2023-26540 | WordPress Houzez theme <= 2.7.1 - Privilege Escalation | Houzez | 9.8 | Critical | 2024-05-17 |
| CVE-2023-26009 | WordPress Houzez Login Register plugin <= 2.6.3 - Privilege Escalation | Houzez Login Register | 9.8 | Critical | 2024-05-17 |
| CVE-2023-25701 | WordPress WatchTowerHQ plugin <= 3.6.16 - Privilege Escalation | WatchTowerHQ | 9.8 | Critical | 2024-05-17 |
| CVE-2023-23990 | WordPress Redirection for Contact Form 7 plugin <= 2.7.0 - Privilege Escalation vulnerability | Redirection for Contact Form 7 | 7.6 | High | 2024-05-17 |
| CVE-2024-34082 | Grav Arbitrary File Read to Account Takeover | grav | 8.5 | High | 2024-05-15 |
| CVE-2023-33327 | WordPress Leyka plugin <= 3.30.2 - Privilege Escalation vulnerability | Leyka | 8.8 | High | 2024-05-14 |
| CVE-2024-30007 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Windows Server 2022, 23H2 Edition (Server Core installation) | 8.8 | High | 2024-05-14 |

Vulnerabilities classified as CWE-269 (Improper Privilege Management) account for 1004 CVEs in this database. The CWE taxonomy describes the weakness class only; review the individual CVE entries for product-specific impact, affected versions, and fixes.