VYPR

CWE-345

Insufficient Verification of Data Authenticity

ClassDraft

Description

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-148 · CAPEC-218 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-665 · CAPEC-701

CVEs mapped to this weakness (306)

page 9 of 16
  • CVE-2018-10894MedAug 1, 2018
    risk 0.28cvss 5.4epss 0.00

    It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.

  • CVE-2018-2434MedJul 10, 2018
    risk 0.28cvss 4.3epss 0.01

    A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which might fool an end user: UI add-on for SAP NetWeaver (UI_Infra, 1.0), SAP UI Implementation for Decoupled Innovations (UI_700, 2.0): SAP…

  • CVE-2017-13083MedOct 18, 2017
    risk 0.28cvss 5.3epss 0.01

    Akeo Consulting Rufus prior to version 2.17.1187 does not adequately validate the integrity of updates downloaded over HTTP, allowing an attacker to easily convince a user to execute arbitrary code

  • CVE-2026-7792MedJun 6, 2026
    risk 0.27cvss 5.3epss 0.00

    The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint…

  • CVE-2026-9189MedMay 29, 2026
    risk 0.27cvss 5.3epss 0.00

    The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by…

  • CVE-2026-44999MedMay 11, 2026
    risk 0.27cvss 5.3epss 0.00

    OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks…

  • CVE-2026-6498MedApr 30, 2026
    risk 0.27cvss 5.3epss 0.00

    The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the valid_payment() function using a PHP loose comparison (==) between the attacker-controlled payment_id…

  • CVE-2026-3177MedApr 7, 2026
    risk 0.27cvss 5.3epss 0.00

    The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of…

  • CVE-2026-34511MedApr 3, 2026
    risk 0.27cvss 5.3epss 0.00

    OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling…

  • CVE-2026-33221MedMar 20, 2026
    risk 0.27cvss 5.3epss 0.00

    Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an…

  • CVE-2026-2385MedFeb 22, 2026
    risk 0.27cvss 5.3epss 0.00

    The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and…

  • CVE-2025-14444MedFeb 18, 2026
    risk 0.27cvss 5.3epss 0.00

    The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and…

  • CVE-2026-0939MedJan 16, 2026
    risk 0.27cvss 5.3epss 0.00

    The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks.…

  • CVE-2025-24882MedJan 29, 2025
    risk 0.27cvss 5.2epss 0.00

    regclient is a Docker and OCI Registry Client in Go. A malicious registry could return a different digest for a pinned manifest without detection. This vulnerability is fixed in 0.7.1.

  • CVE-2024-35175MedMay 14, 2024
    risk 0.27cvss 5.3epss 0.00

    sshpiper is a reverse proxy for sshd. Starting in version 1.0.50 and prior to version 1.3.0, the way the proxy protocol listener is implemented in sshpiper can allow an attacker to forge their connecting address. Commit 2ddd69876a1e1119059debc59fe869cb4e754430 added the proxy…

  • CVE-2026-48096MedJun 10, 2026
    risk 0.26cvss 5.0epss 0.00

    OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has…

  • CVE-2026-39411MedApr 8, 2026
    risk 0.26cvss 5.0epss 0.00

    LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated.…

  • CVE-2017-1773MedJan 31, 2018
    risk 0.26cvss 4.0epss 0.00

    IBM DataPower Gateways 7.1, 7,2, 7.5, and 7.6 could allow an attacker using man-in-the-middle techniques to spoof DNS responses to perform DNS cache poisoning and redirect Internet traffic. IBM X-Force ID: 136817.

  • CVE-2026-34061MedApr 3, 2026
    risk 0.25cvss 4.9epss 0.00

    nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an elected validator proposer can send an election macro block whose header.interlink does not match the canonical next…

  • CVE-2026-7689LowMay 3, 2026
    risk 0.24cvss 3.7epss 0.00

    A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of…