VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

Abstraction: Base | Status: Incomplete | Likelihood of Exploit: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Hierarchy (View 1000)
CVEs mapped to this weakness (1,068)

Page 31 of 54
  • CVE-2025-11532 | Medium | Nov 11, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlist_id' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other…

  • CVE-2025-11741 | Medium | Oct 18, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.2.5 via the 'woosq_quickview' AJAX endpoint due to insufficient restrictions on which posts can be included. This makes it possible for…

  • CVE-2025-11518 | Medium | Oct 11, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are…

  • CVE-2025-40676 | Medium | Oct 7, 2025
    risk 0.34 | cvss (not listed) | epss 0.00

    Insecure Direct Object Reference (IDOR) in Negotiator v3.15.2 from Biobanking and Biomolecular Resources - European Research Infrastructure (BBMRI-ERIC). This vulnerability allows an attacker to access or modify unauthorised resources by manipulating requests that use the…

  • CVE-2025-10947 | Medium | Sep 25, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Executing a manipulation of the argument pes_cpf can lead to authorization…

  • CVE-2025-8463 | Medium | Sep 17, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in SecHard Information Technologies SecHard allows Forceful Browsing. This issue affects SecHard: before 3.6.2-20250805.

  • CVE-2025-54691 | Medium | Aug 14, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motors: from n/a through <= 1.4.80.

  • CVE-2025-3089 | Medium | Aug 12, 2025
    risk 0.34 | cvss (not listed) | epss 0.00

    ServiceNow has addressed a Broken Access Control vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could allow a low privileged user to bypass access controls and perform a limited set of actions typically reserved for higher privileged users,…

  • CVE-2025-8794 | Medium | Aug 10, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    A vulnerability, which was classified as problematic, has been found in LitmusChaos Litmus up to 3.19.0. Affected by this issue is some unknown functionality of the component LocalStorage Handler. The manipulation of the argument projectID leads to authorization bypass. Local…

  • CVE-2025-49995 | Medium | Jun 20, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Attachments: from n/a through <= 1.3.1.

  • CVE-2024-8988 | Medium | May 14, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. This makes it possible for…

  • CVE-2025-26965 | Medium | Feb 25, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through <= 1.2.16.

  • CVE-2024-13719 | Medium | Feb 19, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.9 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to…

  • CVE-2024-43350 | Medium | Aug 18, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Propovoice Propovoice CRM. This issue affects Propovoice CRM: from n/a through 1.7.6.4.

  • CVE-2024-34383 | Medium | May 6, 2024
    risk 0.34 | cvss 5.3 | epss 0.01

    Authorization Bypass Through User-Controlled Key vulnerability in The SEO Guys at SEOPress SEOPress. This issue affects SEOPress: from n/a through 7.7.1.

  • CVE-2024-32823 | Medium | Apr 24, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in FeedbackWP Rate my Post – WP Rating System. This issue affects Rate my Post – WP Rating System: from n/a through 3.4.4.

  • CVE-2024-32683 | Medium | Apr 19, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Wpmet Wp Ultimate Review. This issue affects Wp Ultimate Review: from n/a through 2.2.5.

  • CVE-2024-31095 | Medium | Mar 31, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Ricard Torres Thumbs Rating. This issue affects Thumbs Rating: from n/a through 5.1.0.

  • CVE-2024-0839 | Medium | Mar 13, 2024
    risk 0.34 | cvss 5.3 | epss 0.01

    The FeedWordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2022.0222 due to missing validation on the user controlled 'guid' key. This makes it possible for unauthenticated attackers to view draft posts that may…

  • CVE-2023-41796 | Medium | Dec 20, 2023
    risk 0.34 | cvss 5.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries for Photographers. This issue affects Sunshine Photo Cart: Free Client Galleries for Photographers: from n/a before 3.0.0.