CWE-639
Authorization Bypass Through User-Controlled Key
Description
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,068)
page 31 of 54| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-11532 | Med | 0.34 | 5.3 | 0.00 | Nov 11, 2025 | The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlist_id' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other… | ||
| CVE-2025-11741 | Med | 0.34 | 5.3 | 0.00 | Oct 18, 2025 | The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.2.5 via the 'woosq_quickview' AJAX endpoint due to insufficient restrictions on which posts can be included. This makes it possible for… | ||
| CVE-2025-11518 | Med | 0.34 | 5.3 | 0.00 | Oct 11, 2025 | The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are… | ||
| CVE-2025-40676 | Med | 0.34 | — | 0.00 | Oct 7, 2025 | Insecure Direct Object Reference (IDOR) in Negotiator v3.15.2 from Biobanking and Biomolecular Resources - European Research Infrastructure (BBMRI-ERIC). This vulnerability allows an attacker to access or modify unauthorised resources by manipulating requests that use the… | ||
| CVE-2025-10947 | Med | 0.34 | 5.3 | 0.00 | Sep 25, 2025 | A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing a manipulation of the argument pes_cpf can lead to authorization… | ||
| CVE-2025-8463 | Med | 0.34 | 5.3 | 0.00 | Sep 17, 2025 | Authorization Bypass Through User-Controlled Key vulnerability in SecHard Information Technologies SecHard allows Forceful Browsing. This issue affects SecHard: before 3.6.2-20250805. | ||
| CVE-2025-54691 | Med | 0.34 | 5.3 | 0.00 | Aug 14, 2025 | Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Motors: from n/a through <= 1.4.80. | ||
| CVE-2025-3089 | Med | 0.34 | — | 0.00 | Aug 12, 2025 | ServiceNow has addressed a Broken Access Control vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could allow a low privileged user to bypass access controls and perform a limited set of actions typically reserved for higher privileged users,… | ||
| CVE-2025-8794 | Med | 0.34 | 5.3 | 0.00 | Aug 10, 2025 | A vulnerability, which was classified as problematic, has been found in LitmusChaos Litmus up to 3.19.0. Affected by this issue is some unknown functionality of the component LocalStorage Handler. The manipulation of the argument projectID leads to authorization bypass. Local… | ||
| CVE-2025-49995 | Med | 0.34 | 5.3 | 0.00 | Jun 20, 2025 | Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.3.1. | ||
| CVE-2024-8988 | Med | 0.34 | 5.3 | 0.00 | May 14, 2025 | The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. This makes it possible for… | ||
| CVE-2025-26965 | Med | 0.34 | 5.3 | 0.00 | Feb 25, 2025 | Authorization Bypass Through User-Controlled Key vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Amelia: from n/a through <= 1.2.16. | ||
| CVE-2024-13719 | Med | 0.34 | 5.3 | 0.00 | Feb 19, 2025 | The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.9 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to… | ||
| CVE-2024-43350 | Med | 0.34 | 5.3 | 0.00 | Aug 18, 2024 | Authorization Bypass Through User-Controlled Key vulnerability in Propovoice Propovoice CRM.This issue affects Propovoice CRM: from n/a through 1.7.6.4. | ||
| CVE-2024-34383 | Med | 0.34 | 5.3 | 0.01 | May 6, 2024 | Authorization Bypass Through User-Controlled Key vulnerability in The SEO Guys at SEOPress SEOPress.This issue affects SEOPress: from n/a through 7.7.1. | ||
| CVE-2024-32823 | Med | 0.34 | 5.3 | 0.00 | Apr 24, 2024 | Authorization Bypass Through User-Controlled Key vulnerability in FeedbackWP Rate my Post – WP Rating System.This issue affects Rate my Post – WP Rating System: from n/a through 3.4.4. | ||
| CVE-2024-32683 | Med | 0.34 | 5.3 | 0.00 | Apr 19, 2024 | Authorization Bypass Through User-Controlled Key vulnerability in Wpmet Wp Ultimate Review.This issue affects Wp Ultimate Review: from n/a through 2.2.5. | ||
| CVE-2024-31095 | Med | 0.34 | 5.3 | 0.00 | Mar 31, 2024 | Authorization Bypass Through User-Controlled Key vulnerability in Ricard Torres Thumbs Rating.This issue affects Thumbs Rating: from n/a through 5.1.0. | ||
| CVE-2024-0839 | Med | 0.34 | 5.3 | 0.01 | Mar 13, 2024 | The FeedWordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2022.0222 due to missing validation on the user controlled 'guid' key. This makes it possible for unauthenticated attackers to view draft posts that may… | ||
| CVE-2023-41796 | Med | 0.34 | 5.3 | 0.00 | Dec 20, 2023 | Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries for Photographers.This issue affects Sunshine Photo Cart: Free Client Galleries for Photographers: from n/a before 3.0.0. |
- risk 0.34cvss 5.3epss 0.00
The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlist_id' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other…
- risk 0.34cvss 5.3epss 0.00
The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.2.5 via the 'woosq_quickview' AJAX endpoint due to insufficient restrictions on which posts can be included. This makes it possible for…
- risk 0.34cvss 5.3epss 0.00
The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are…
- risk 0.34cvss —epss 0.00
Insecure Direct Object Reference (IDOR) in Negotiator v3.15.2 from Biobanking and Biomolecular Resources - European Research Infrastructure (BBMRI-ERIC). This vulnerability allows an attacker to access or modify unauthorised resources by manipulating requests that use the…
- risk 0.34cvss 5.3epss 0.00
A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing a manipulation of the argument pes_cpf can lead to authorization…
- risk 0.34cvss 5.3epss 0.00
Authorization Bypass Through User-Controlled Key vulnerability in SecHard Information Technologies SecHard allows Forceful Browsing. This issue affects SecHard: before 3.6.2-20250805.
- risk 0.34cvss 5.3epss 0.00
Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Motors: from n/a through <= 1.4.80.
- risk 0.34cvss —epss 0.00
ServiceNow has addressed a Broken Access Control vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could allow a low privileged user to bypass access controls and perform a limited set of actions typically reserved for higher privileged users,…
- risk 0.34cvss 5.3epss 0.00
A vulnerability, which was classified as problematic, has been found in LitmusChaos Litmus up to 3.19.0. Affected by this issue is some unknown functionality of the component LocalStorage Handler. The manipulation of the argument projectID leads to authorization bypass. Local…
- risk 0.34cvss 5.3epss 0.00
Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.3.1.
- risk 0.34cvss 5.3epss 0.00
The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. This makes it possible for…
- risk 0.34cvss 5.3epss 0.00
Authorization Bypass Through User-Controlled Key vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Amelia: from n/a through <= 1.2.16.
- risk 0.34cvss 5.3epss 0.00
The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.9 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to…
- risk 0.34cvss 5.3epss 0.00
Authorization Bypass Through User-Controlled Key vulnerability in Propovoice Propovoice CRM.This issue affects Propovoice CRM: from n/a through 1.7.6.4.
- risk 0.34cvss 5.3epss 0.01
Authorization Bypass Through User-Controlled Key vulnerability in The SEO Guys at SEOPress SEOPress.This issue affects SEOPress: from n/a through 7.7.1.
- risk 0.34cvss 5.3epss 0.00
Authorization Bypass Through User-Controlled Key vulnerability in FeedbackWP Rate my Post – WP Rating System.This issue affects Rate my Post – WP Rating System: from n/a through 3.4.4.
- risk 0.34cvss 5.3epss 0.00
Authorization Bypass Through User-Controlled Key vulnerability in Wpmet Wp Ultimate Review.This issue affects Wp Ultimate Review: from n/a through 2.2.5.
- risk 0.34cvss 5.3epss 0.00
Authorization Bypass Through User-Controlled Key vulnerability in Ricard Torres Thumbs Rating.This issue affects Thumbs Rating: from n/a through 5.1.0.
- risk 0.34cvss 5.3epss 0.01
The FeedWordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2022.0222 due to missing validation on the user controlled 'guid' key. This makes it possible for unauthenticated attackers to view draft posts that may…
- risk 0.34cvss 5.3epss 0.00
Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries for Photographers.This issue affects Sunshine Photo Cart: Free Client Galleries for Photographers: from n/a before 3.0.0.