CWE-472
External Control of Assumed-Immutable Web Parameter
Description
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
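The following is an added Python example, not code from CWE or from any of the products listed on this page, showing the most common form of this weakness: a server-rendered hidden price field that the checkout handler trusts on the way back (the pattern behind the WooCommerce and WPForms price-manipulation entries below). Beside the vulnerable handler it shows two fixes: re-deriving the value from server-side state so the client field is simply ignored, and, for values that genuinely must round-trip through the browser (a quoted discount), an HMAC-signed token that makes tampering detectable. The catalogue, `SIGNING_KEY`, and all function names are constructed for the example and are not from any real application.

```python
"""Hidden-field price tampering (CWE-472) and two server-side fixes."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Constructed sample catalogue (unit prices in cents); a real application
# would query its database here.
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}

# Hypothetical per-deployment key for signing server-chosen values that must
# round-trip through the browser. Generated on import only so the example is
# self-contained; a real application loads it from configuration.
SIGNING_KEY = secrets.token_bytes(32)


def vulnerable_checkout(form: dict) -> int:
    """Order total computed from a hidden <input name="price"> field.

    The server rendered the field, so the developer assumed it was immutable.
    The POST body is entirely under the client's control, so price=1 buys the
    item for one cent.
    """
    return int(form["price"]) * int(form["qty"])


def hardened_checkout(form: dict) -> int:
    """Only the SKU and quantity are taken from the client; the price is
    re-derived from server-side state, so a submitted 'price' is ignored."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


def issue_token(fields: dict) -> str:
    """Signs server-chosen values (for example a quoted discount) so they can
    be echoed back through a hidden field without becoming client-controlled.
    Fields are canonicalised with urlencode so the MAC is deterministic."""
    canonical = urlencode(sorted(fields.items()))
    mac = hmac.new(SIGNING_KEY, canonical.encode(), hashlib.sha256).hexdigest()
    return f"{canonical}.{mac}"


def verify_token(token: str) -> dict:
    """Returns the signed fields, or raises ValueError if the token was
    altered. The hex MAC never contains '.', so rpartition finds the seam."""
    canonical, sep, mac = token.rpartition(".")
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(SIGNING_KEY, canonical.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("token tampered")
    return dict(parse_qsl(canonical, keep_blank_values=True))


def is_token_valid(token: str) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        verify_token(token)
        return True
    except ValueError:
        return False


def discounted_checkout(form: dict) -> int:
    """Checkout where the discount was quoted earlier by the server and
    travels back inside a signed hidden field named 'quote'."""
    signed = verify_token(form["quote"])
    if signed.get("sku") != form.get("sku"):
        raise ValueError("quote was issued for a different sku")
    subtotal = hardened_checkout(form)
    pct = int(signed["discount_pct"])
    return subtotal - subtotal * pct // 100


if __name__ == "__main__":
    # Attacker rewrites the hidden price to one cent.
    print(vulnerable_checkout({"price": "1", "qty": "3"}))  # 3
    # Same tampered body against the hardened handler: 3 x 19.99.
    print(hardened_checkout({"sku": "sku-100", "qty": "3", "price": "1"}))  # 5997
    quote = issue_token({"sku": "sku-200", "discount_pct": "10"})
    print(discounted_checkout({"sku": "sku-200", "qty": "2", "quote": quote}))  # 8999
    # Editing the discount inside the token breaks the MAC.
    print(is_token_valid(quote.replace("discount_pct=10", "discount_pct=90")))  # False
```

The rule the example encodes: anything the browser sends is input, whether it came from a visible text box, a hidden field, a cookie, or a URL the server itself generated. Prefer not to send the value at all and look it up server-side; where a value must make the round trip, bind it with a MAC (or a server-side session reference) and reject anything that fails verification. Note that a signed token only proves the server issued those fields; it does not stop a replay against a different order unless the token also carries the order or session identifier it was issued for.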
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-146 · CAPEC-226 · CAPEC-31 · CAPEC-39
CVEs mapped to this weakness (88)
Page 5 of 5

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-3743 | — | Med | 0.27 | 5.3 | 0.00 | — | Apr 25, 2025 | The Upsell Funnel Builder for WooCommerce plugin for WordPress is vulnerable to order manipulation in all versions up to, and including, 3.0.0. This is due to the plugin allowing the additional product ID and discount field to be manipulated prior to processing via the… |
| CVE-2024-3649 | — | Med | 0.27 | 5.3 | 0.01 | — | May 2, 2024 | The Contact Form by WPForms – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of controls on several product parameters. This makes it possible for unauthenticated… |
| CVE-2025-32816 | — | Low | 0.13 | 3.1 | 0.00 | — | Apr 11, 2025 | CodeLit CourseLit before 0.57.5 allows Parameter Tampering via a payment plan associated with the wrong entity. |
| CVE-2025-59382 | — | Low | 0.08 | — | 0.00 | — | Jun 10, 2026 | QTS, QuTS hero, QuTScloud are not affected. We have already fixed the vulnerability in the following version: |
| CVE-2025-35939 | — | — | 0.05 | — | 0.01 | KEV | May 7, 2025 | Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session… |
| CVE-2024-50703 | — | — | 0.00 | — | 0.00 | — | Dec 30, 2024 | TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id. |
| CVE-2024-22049 | — | — | 0.00 | — | 0.01 | — | Jan 4, 2024 | httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker-controlled filenames being written. |
| CVE-2022-30597 | — | — | 0.00 | — | 0.01 | — | May 18, 2022 | A flaw was found in Moodle where the description user field was not hidden when being set as a hidden user field. |

Sev is the severity band derived from the CVSS base score; Risk and EPSS are scores on a 0 to 1 scale; KEV marks entries on the CISA Known Exploited Vulnerabilities list; a dash means the field is not populated on this page.