CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

We have discovered 703,137 live websites that are affected by CWE-863.

Available Reports

Website List

CVEs

Count - 88

CWE References

cwe.mitre.org

CWE-863 usage by Country

United States	241,849 websites

Germany	69,510 websites
France	44,319 websites
Japan	33,171 websites
GB	24,758 websites
Italy	23,257 websites
Russia	22,168 websites
Netherlands	19,932 websites
Spain	16,301 websites
Poland	14,006 websites

CWE-863 usage by TLD

.com	292,346 websites
.org	34,534 websites
.de	30,089 websites
.net	18,902 websites
.ru	18,432 websites
.it	18,197 websites
.fr	18,019 websites
.nl	17,332 websites
.co.uk	16,627 websites
.pl	11,496 websites

Newest CVEs

List of the most recent CVEs that are part of CWE-863

Discovered	CVE	Description	Websites
Apr, 2025	CVE-2025-3861	Prevent Direct Access 2.8.6 - 2.8.8.2 - Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions	14
Apr, 2025	CVE-2025-41423	Unauthorized Playbooks Post Deletion in Mattermost Playbooks Plugin	147
Apr, 2025	CVE-2025-3453	Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products <= 2.7.7 - Unauthenticated Sensitive Information Exposure	7
Apr, 2025	CVE-2025-2564	Unauthorized View Access to Archived Channel Member Info	187
Apr, 2025	CVE-2025-24839	Unauthorized AI bot activation via Wrangler plugin	187
Apr, 2025	CVE-2025-27571	Channel metadata visible in archived channels despite configuration setting	187
Apr, 2025	CVE-2025-2424	Leaked Metadata of Deleted Files via Bookmark Creation	123
Apr, 2025	CVE-2025-32093	Syatem admin profile modification by delegated granular administration role	187
Apr, 2025	CVE-2025-32068	Revoking authorization of OAuth2 consumer does not invalidate refresh tokens	5,597
Apr, 2025	CVE-2025-24866	Unauthorized Access to User Activity Logs API by delegated granular administration roles	70

The most widespread CVEs

List of the most common CVEs that are part of CWE-863

Discovered	CVE	Description	Websites
Jan, 2024	CVE-2022-0775	WooCommerce < 6.2.1 - Subscriber+ Arbitrary Comment Deletion	267,562
Nov, 2024	CVE-2024-9926	Jetpack < 13.9.1 - Subscriber+ Arbitrary Feedback Access	219,797
Mar, 2025	CVE-2025-31673	Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002	128,792
Jan, 2023	CVE-2022-45353	WordPress Betheme theme <= 26.6.1 is vulnerable to Broken Access Control	51,413
Jun, 2023	CVE-2023-2877	Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution	13,098
Jan, 2024	CVE-2023-6421	Download Manager < 3.2.83 - Unauthenticated Protected File Download Password Leak	10,420
Apr, 2020	CVE-2020-8142	A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 b...	6,181
Apr, 2025	CVE-2025-32068	Revoking authorization of OAuth2 consumer does not invalidate refresh tokens	5,597
Jun, 2024	CVE-2023-38389	WordPress Jupiter X Core plugin <= 3.3.8 - Unauthenticated Account Takeover vulnerability	5,100
Dec, 2024	CVE-2024-9654	Easy Digital Downloads 3.1 - 3.3.4 - Improper Authorization to Paywall Bypass	4,059

Websites affected by CWE-863

Top websites that are affected by CWE-863. Please click on the "Contact us" link to get more information.

Domain	Country	Rank
*..uk	United States	***
***.gov	United States	***
****.fr	France	***
*********.com	United States	***
***.gov	United States	***
****************.de	Germany	***
****.*****.org	United States	***
***.gov	United States	,**
********.com	United States	,**
***.org	France	,**

See full domain list