VYPR

CWE-472

External Control of Assumed-Immutable Web Parameter

Base · Draft

Description

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-146 · CAPEC-226 · CAPEC-31 · CAPEC-39

CVEs mapped to this weakness (88)

page 5 of 5
  • CVE-2025-3743 · Med · Apr 25, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    The Upsell Funnel Builder for WooCommerce plugin for WordPress is vulnerable to order manipulation in all versions up to, and including, 3.0.0. This is due to the plugin allowing the additional product ID and discount field to be manipulated prior to processing via the…

  • CVE-2024-3649 · Med · May 2, 2024
    risk 0.27 · cvss 5.3 · epss 0.01

    The Contact Form by WPForms – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of controls on several product parameters. This makes it possible for unauthenticated…

  • CVE-2025-32816 · Low · Apr 11, 2025
    risk 0.13 · cvss 3.1 · epss 0.00

    CodeLit CourseLit before 0.57.5 allows Parameter Tampering via a payment plan associated with the wrong entity.

  • CVE-2025-59382 · Low · Jun 10, 2026
    risk 0.08 · cvss · epss 0.00

    QTS, QuTS hero, QuTScloud are not affected. We have already fixed the vulnerability in the following version:

  • CVE-2025-35939 · KEV · May 7, 2025
    risk 0.05 · cvss · epss 0.01

    Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session…

  • CVE-2024-50703 · Dec 30, 2024
    risk 0.00 · cvss · epss 0.00

    TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.

  • CVE-2024-22049 · Jan 4, 2024
    risk 0.00 · cvss · epss 0.01

    httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.

  • CVE-2022-30597 · May 18, 2022
    risk 0.00 · cvss · epss 0.01

    A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.