VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

BaseIncompleteLikelihood: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 25 of 54
  • CVE-2026-22426MedJan 22, 2026
    risk 0.35cvss 5.4epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sweet Jane: from n/a through <= 1.2.

  • CVE-2026-22400MedJan 22, 2026
    risk 0.35cvss 5.4epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Holmes holmes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Holmes: from n/a through <= 1.7.

  • CVE-2026-22398MedJan 22, 2026
    risk 0.35cvss 5.4epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fleur fleur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fleur: from n/a through <= 2.0.

  • CVE-2026-22396MedJan 22, 2026
    risk 0.35cvss 5.4epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fiorello fiorello allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fiorello: from n/a through <= 1.0.

  • CVE-2026-22393MedJan 22, 2026
    risk 0.35cvss 5.4epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Curly curly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Curly: from n/a through <= 3.3.

  • CVE-2026-22391MedJan 22, 2026
    risk 0.35cvss 5.4epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cocco: from n/a through <= 1.5.1.

  • CVE-2025-14802MedJan 7, 2026
    risk 0.35cvss 5.4epss 0.00

    The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and…

  • CVE-2025-69032MedDec 30, 2025
    risk 0.35cvss 5.4epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiveStar: from n/a through <= 1.7.

  • CVE-2025-69030MedDec 30, 2025
    risk 0.35cvss 5.4epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backpack Traveler: from n/a through <= 2.10.3.

  • CVE-2025-69029MedDec 30, 2025
    risk 0.35cvss 5.4epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Select-Themes Struktur struktur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Struktur: from n/a through <= 2.5.1.

  • CVE-2025-12881MedNov 21, 2025
    risk 0.35cvss 5.4epss 0.00

    The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_fetch_order_msgs() due to missing validation on a user controlled key. This makes it possible for…

  • CVE-2025-12524MedNov 18, 2025
    risk 0.35cvss 5.4epss 0.00

    The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to…

  • CVE-2025-63291MedNov 14, 2025
    risk 0.35cvss 5.4epss 0.00

    When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object…

  • CVE-2025-12126MedNov 11, 2025
    risk 0.35cvss 5.4epss 0.00

    The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with…

  • CVE-2025-57994MedSep 22, 2025
    risk 0.35cvss 5.4epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Sayful Islam Upcoming Events Lists upcoming-events-lists allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Upcoming Events Lists: from n/a through <= 1.4.0.

  • CVE-2025-57886MedAug 22, 2025
    risk 0.35cvss 5.4epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Equalize Digital Accessibility Checker by Equalize Digital accessibility-checker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accessibility Checker by Equalize…

  • CVE-2025-9264MedAug 21, 2025
    risk 0.35cvss 5.4epss 0.00

    A vulnerability was found in Xuxueli xxl-job up to 3.1.1. Affected by this issue is the function remove of the file /src/main/java/com/xxl/job/admin/controller/JobInfoController.java of the component Jobs Handler. Performing manipulation of the argument ID results in improper…

  • CVE-2025-7947MedJul 22, 2025
    risk 0.35cvss 5.4epss 0.00

    A vulnerability classified as critical has been found in jshERP up to 3.5. Affected is an unknown function of the file /user/delete of the component Account Handler. The manipulation of the argument ID leads to improper authorization. It is possible to launch the attack…

  • CVE-2025-6329MedJun 20, 2025
    risk 0.35cvss 5.4epss 0.00

    A vulnerability was found in ScriptAndTools Real Estate Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file userdelete.php of the component User Delete Handler. The manipulation of the argument ID leads to authorization…

  • CVE-2025-31867MedApr 1, 2025
    risk 0.35cvss 5.4epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Job Manager js-jobs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Job Manager: from n/a through <= 2.0.2.