VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

BaseIncompleteLikelihood: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 17 of 54
  • CVE-2026-4400MedMar 31, 2026
    risk 0.42cvss 6.5epss 0.00

    Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1millionbot.com/api/public/conversations/'…

  • CVE-2026-3124HigMar 30, 2026
    risk 0.42cvss 7.5epss 0.00

    The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to…

  • CVE-2026-32535MedMar 25, 2026
    risk 0.42cvss 6.5epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk: from n/a through <= 3.0.3.

  • CVE-2026-32533MedMar 25, 2026
    risk 0.42cvss 6.5epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LatePoint: from n/a through <= 5.2.6.

  • CVE-2025-32223MedMar 19, 2026
    risk 0.42cvss 6.5epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.4.

  • CVE-2026-27397MedMar 19, 2026
    risk 0.42cvss 6.5epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple Security Pro: from n/a through 9.5.4.0.

  • CVE-2026-1947HigMar 16, 2026
    risk 0.42cvss 7.5epss 0.00

    The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible…

  • CVE-2026-2257MedMar 13, 2026
    risk 0.42cvss 6.4epss 0.00

    The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level…

  • CVE-2026-2918MedMar 11, 2026
    risk 0.42cvss 6.4epss 0.00

    The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts',…

  • CVE-2025-68514MedFeb 20, 2026
    risk 0.42cvss 6.5epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Paid Member Subscriptions: from n/a through <= 2.16.8.

  • CVE-2026-24379MedJan 22, 2026
    risk 0.42cvss 6.5epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through <= 2.4.3.

  • CVE-2025-13457HigJan 10, 2026
    risk 0.42cvss 7.5epss 0.00

    The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to…

  • CVE-2025-67919MedJan 8, 2026
    risk 0.42cvss 6.5epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Woffice Core: from n/a through <= 5.4.30.

  • CVE-2025-10019MedDec 18, 2025
    risk 0.42cvss 6.5epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.60.

  • CVE-2025-68071MedDec 16, 2025
    risk 0.42cvss 6.5epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Real Estate: from n/a through <= 5.3.2.

  • CVE-2025-12040MedNov 25, 2025
    risk 0.42cvss 6.5epss 0.00

    The Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.3 via several functions in class-th-wishlist-frontend.php due to missing validation on a user controlled key. This makes it possible for…

  • CVE-2025-64283MedOct 29, 2025
    risk 0.42cvss 6.5epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Rometheme RTMKit rometheme-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RTMKit: from n/a through <= 1.6.7.

  • CVE-2025-49952MedOct 22, 2025
    risk 0.42cvss 6.5epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.2.5.

  • CVE-2025-11517HigOct 18, 2025
    risk 0.42cvss 7.5epss 0.00

    The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to…

  • CVE-2025-9342MedSep 23, 2025
    risk 0.42cvss 6.5epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Anadolu Hayat Emeklilik Inc. AHE Mobile allows Privilege Abuse. This issue affects AHE Mobile: from 1.9.7 before 1.9.9.