CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14602 vulnerabilities reference this CWE, most recent first.
GHSA-6R8W-JHG7-GPR9
Vulnerability from github – Published: 2024-05-02 18:30 – Updated: 2024-05-02 18:30The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdp_add_new_datepicker_ajax() function in all versions up to, and including, 2.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options that can be used for privilege escalation. This was partially patched in 2.0.9 and 2.1.0, and fully patched in 2.1.1.
{
"affected": [],
"aliases": [
"CVE-2024-3895"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-02T17:15:32Z",
"severity": "HIGH"
},
"details": "The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdp_add_new_datepicker_ajax() function in all versions up to, and including, 2.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options that can be used for privilege escalation. This was partially patched in 2.0.9 and 2.1.0, and fully patched in 2.1.1.",
"id": "GHSA-6r8w-jhg7-gpr9",
"modified": "2024-05-02T18:30:55Z",
"published": "2024-05-02T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3895"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3073525/wp-datepicker/trunk/inc/functions_inner.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3071975%40wp-datepicker\u0026new=3071975%40wp-datepicker\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3073221%40wp-datepicker\u0026new=3073221%40wp-datepicker\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45a42f20-a4d7-4c8e-a144-505a6723a2a0?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6R8X-GFGQ-MG6W
Vulnerability from github – Published: 2026-04-08 09:31 – Updated: 2026-04-10 18:31Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Delicious: from n/a through <= 1.9.5.
{
"affected": [],
"aliases": [
"CVE-2026-39528"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T09:16:26Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Delicious: from n/a through \u003c= 1.9.5.",
"id": "GHSA-6r8x-gfgq-mg6w",
"modified": "2026-04-10T18:31:15Z",
"published": "2026-04-08T09:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39528"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/delicious-recipes/vulnerability/wordpress-wp-delicious-plugin-1-9-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6R9F-MHJV-GFJC
Vulnerability from github – Published: 2026-04-08 09:31 – Updated: 2026-04-29 12:33Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-commerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eShipper Commerce: from n/a through <= 2.16.12.
{
"affected": [],
"aliases": [
"CVE-2026-39689"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T09:16:40Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-commerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eShipper Commerce: from n/a through \u003c= 2.16.12.",
"id": "GHSA-6r9f-mhjv-gfjc",
"modified": "2026-04-29T12:33:04Z",
"published": "2026-04-08T09:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39689"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/eshipper-commerce/vulnerability/wordpress-eshipper-commerce-plugin-2-16-12-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6R9V-XG29-4GFG
Vulnerability from github – Published: 2025-06-06 06:30 – Updated: 2025-06-06 06:30The Art Theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'arttheme_theme_option_restore' AJAX function in all versions up to, and including, 3.12.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the theme option.
{
"affected": [],
"aliases": [
"CVE-2025-1778"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-06T06:15:31Z",
"severity": "MODERATE"
},
"details": "The Art Theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the \u0027arttheme_theme_option_restore\u0027 AJAX function in all versions up to, and including, 3.12.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the theme option.",
"id": "GHSA-6r9v-xg29-4gfg",
"modified": "2025-06-06T06:30:26Z",
"published": "2025-06-06T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1778"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/art-simple-clean-wordpress-theme-for-creatives/20170299"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c54c1fab-634d-4d1a-8234-8f1ae41c7cd4?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6RGM-GR97-X3J5
Vulnerability from github – Published: 2026-05-07 01:58 – Updated: 2026-06-08 23:46Summary
PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI
Details
In NewServer(), the smPolicyGroup route group is created and routes are applied without attaching the router authorization middleware. In contrast, other PCF service groups such as Npcf_PolicyAuthorization do attach RouterAuthorizationCheck before route registration.
Because the middleware is missing, requests to the following endpoints can reach business logic even when no valid OAuth token is provided:
POST /npcf-smpolicycontrol/v1/sm-policiesGET /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/updatePOST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete
This is visible at runtime because unauthenticated requests return business-level responses such as 400 or 404 instead of being rejected with 401 before handler execution. Under valid lab preconditions (existing UE/session context and related policy data), unauthenticated POST /sm-policies can succeed with 201, and unauthenticated GET /sm-policies/{id} can succeed with 200 and return policy context containing subscriber identifiers including supi.
The root cause is missing router auth enforcement for Npcf_SMPolicyControl.
Upstream also fixed this by adding RouterAuthorizationCheck to smPolicyGroup (and uePolicyGroup) in free5gc/pcf PR #63.
PoC
- Deploy free5GC with PCF reachable on the SBI network.
- Use the PoC against the PCF service without an
Authorizationheader: ```bash go run /home/ubuntu/free5gc/tools/npcf-smpolicy-noauth-poc/main.go \ --pcf-root /home/ubuntu/free5gc/NFs/pcf \ --pcf-url http://10.100.200.9:8000 \ --timeout 4s Observe that unauthenticated requests to Npcf_SMPolicyControl return business responses instead of 401.
Impact
This is an authentication/authorization bypass on a network-accessible SBI service. Any unauthenticated actor able to reach the PCF SBI interface can invoke Npcf_SMPolicyControl handlers directly.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/free5gc/pcf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42083"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T01:58:42Z",
"nvd_published_at": "2026-05-27T17:16:35Z",
"severity": "HIGH"
},
"details": "### Summary\nPCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI\n### Details\nIn `NewServer()`, the `smPolicyGroup` route group is created and routes are applied without attaching the router authorization middleware. In contrast, other PCF service groups such as `Npcf_PolicyAuthorization` do attach `RouterAuthorizationCheck` before route registration.\n\nBecause the middleware is missing, requests to the following endpoints can reach business logic even when no valid OAuth token is provided:\n\n- `POST /npcf-smpolicycontrol/v1/sm-policies`\n- `GET /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}`\n- `POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/update`\n- `POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete`\n\nThis is visible at runtime because unauthenticated requests return business-level responses such as `400` or `404` instead of being rejected with `401` before handler execution. Under valid lab preconditions (existing UE/session context and related policy data), unauthenticated `POST /sm-policies` can succeed with `201`, and unauthenticated `GET /sm-policies/{id}` can succeed with `200` and return policy context containing subscriber identifiers including `supi`.\n\nThe root cause is missing router auth enforcement for `Npcf_SMPolicyControl`. \nUpstream also fixed this by adding `RouterAuthorizationCheck` to `smPolicyGroup` (and `uePolicyGroup`) in free5gc/pcf PR #63.\n\n### PoC\n1. Deploy free5GC with PCF reachable on the SBI network.\n2. Use the PoC against the PCF service **without** an `Authorization` header:\n ```bash\n go run /home/ubuntu/free5gc/tools/npcf-smpolicy-noauth-poc/main.go \\\n --pcf-root /home/ubuntu/free5gc/NFs/pcf \\\n --pcf-url http://10.100.200.9:8000 \\\n --timeout 4s\nObserve that unauthenticated requests to Npcf_SMPolicyControl return business responses instead of 401.\n### Impact\n\nThis is an authentication/authorization bypass on a network-accessible SBI service. Any unauthenticated actor able to reach the PCF SBI interface can invoke Npcf_SMPolicyControl handlers directly.",
"id": "GHSA-6rgm-gr97-x3j5",
"modified": "2026-06-08T23:46:45Z",
"published": "2026-05-07T01:58:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-6rgm-gr97-x3j5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42083"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/issues/844"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/pcf/pull/63"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/pcf/commit/8c4d457cdf58bb239ee30e88c56b370b22073964"
},
{
"type": "PACKAGE",
"url": "https://github.com/free5gc/free5gc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Free5GC PCF: Missing authentication middleware in Npcf_SMPolicyControl allows access to SM policy handlers and disclosure of subscriber SUPI"
}
GHSA-6RJQ-282F-P3MR
Vulnerability from github – Published: 2024-12-13 15:30 – Updated: 2026-04-23 15:33Missing Authorization vulnerability in Surfer Surfer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Surfer: from n/a through 1.3.2.357.
{
"affected": [],
"aliases": [
"CVE-2023-35037"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-13T15:15:15Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in Surfer Surfer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Surfer: from n/a through 1.3.2.357.",
"id": "GHSA-6rjq-282f-p3mr",
"modified": "2026-04-23T15:33:47Z",
"published": "2024-12-13T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35037"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/surferseo/vulnerability/wordpress-surfer-plugin-1-1-2-298-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6RP4-QW27-52VX
Vulnerability from github – Published: 2025-04-24 18:31 – Updated: 2026-04-01 18:34Missing Authorization vulnerability in vinodvaswani9 Bulk Assign Linked Products For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Bulk Assign Linked Products For WooCommerce: from n/a through 2.1.
{
"affected": [],
"aliases": [
"CVE-2025-46489"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-24T16:15:39Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in vinodvaswani9 Bulk Assign Linked Products For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Bulk Assign Linked Products For WooCommerce: from n/a through 2.1.",
"id": "GHSA-6rp4-qw27-52vx",
"modified": "2026-04-01T18:34:57Z",
"published": "2025-04-24T18:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46489"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wc-bulk-assign-linked-products/vulnerability/wordpress-bulk-assign-linked-products-for-woocommerce-2-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6RPH-38R5-8HHP
Vulnerability from github – Published: 2025-05-23 15:31 – Updated: 2026-04-28 21:35Missing Authorization vulnerability in UX Design Experts Experto CTA Widget – Call To Action, Sticky CTA, Floating Button Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Experto CTA Widget – Call To Action, Sticky CTA, Floating Button Plugin: from n/a through 1.1.1.
{
"affected": [],
"aliases": [
"CVE-2025-47529"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-23T13:15:38Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in UX Design Experts Experto CTA Widget \u0026#8211; Call To Action, Sticky CTA, Floating Button Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Experto CTA Widget \u0026#8211; Call To Action, Sticky CTA, Floating Button Plugin: from n/a through 1.1.1.",
"id": "GHSA-6rph-38r5-8hhp",
"modified": "2026-04-28T21:35:39Z",
"published": "2025-05-23T15:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47529"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/experto-cta-widget/vulnerability/wordpress-experto-cta-widget-call-to-action-sticky-cta-floating-button-plugin-1-1-1-settings-change-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6RQ8-WQXH-2Q3F
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-04-01 18:36Missing Authorization vulnerability in Themeum Qubely allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Qubely: from n/a through 1.8.14.
{
"affected": [],
"aliases": [
"CVE-2025-58663"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-22T19:16:16Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Themeum Qubely allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Qubely: from n/a through 1.8.14.",
"id": "GHSA-6rq8-wqxh-2q3f",
"modified": "2026-04-01T18:36:16Z",
"published": "2025-09-22T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58663"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/qubely/vulnerability/wordpress-qubely-plugin-1-8-14-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6RRQ-CW26-CGX2
Vulnerability from github – Published: 2025-01-02 12:32 – Updated: 2026-04-23 15:34Missing Authorization vulnerability in WowStore Team ProductX – Gutenberg WooCommerce Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ProductX – Gutenberg WooCommerce Blocks: from n/a through 2.7.8.
{
"affected": [],
"aliases": [
"CVE-2023-45271"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-02T12:15:09Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WowStore Team ProductX \u2013 Gutenberg WooCommerce Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ProductX \u2013 Gutenberg WooCommerce Blocks: from n/a through 2.7.8.",
"id": "GHSA-6rrq-cw26-cgx2",
"modified": "2026-04-23T15:34:12Z",
"published": "2025-01-02T12:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45271"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/product-blocks/vulnerability/wordpress-productx-gutenberg-woocommerce-blocks-plugin-2-7-8-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.