VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

BaseIncompleteLikelihood: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 35 of 54
  • CVE-2024-10797MedDec 21, 2024
    risk 0.28cvss 4.3epss 0.00

    The Full Screen Menu for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.7 via the Full Screen Menu Elementor Widget due to insufficient restrictions on which posts can be included. This makes it possible for…

  • CVE-2024-10690MedDec 14, 2024
    risk 0.28cvss 4.3epss 0.00

    The Shortcodes for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.4 via the 'SHORTCODE_ELEMENTOR' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated…

  • CVE-2024-12447MedDec 14, 2024
    risk 0.28cvss 4.3epss 0.00

    The Get Post Content Shortcode plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.4 via the 'post-content' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated…

  • CVE-2024-11275MedDec 13, 2024
    risk 0.28cvss 4.3epss 0.00

    The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including,…

  • CVE-2024-12306MedDec 9, 2024
    risk 0.28cvss 4.3epss 0.00

    Multiple access control vulnerabilities in Unifiedtransform version 2.0 and potentially earlier versions allow unauthorized access to personal information of students and teachers. The vulnerabilities include both function-level access control issues in list viewing endpoints…

  • CVE-2024-12305MedDec 9, 2024
    risk 0.28cvss 4.3epss 0.00

    An object-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows unauthorized access to student grades. A malicious student user can view grades of other students by manipulating the student_id parameter in the marks viewing…

  • CVE-2024-10689MedDec 6, 2024
    risk 0.28cvss 4.3epss 0.00

    The XLTab – Accordions and Tabs for Elementor Page Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4 via the 'XLTAB_INSERT_TPL' shortcode due to insufficient restrictions on which posts can be included. This makes it…

  • CVE-2024-10777MedDec 5, 2024
    risk 0.28cvss 4.3epss 0.00

    The AnyWhere Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.11 via the 'INSERT_ELEMENTOR' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated…

  • CVE-2024-12099MedDec 4, 2024
    risk 0.28cvss 4.3epss 0.00

    The Dollie Hub – Build Your Own WordPress Cloud Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.2.0 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it…

  • CVE-2024-12062MedDec 3, 2024
    risk 0.28cvss 4.3epss 0.00

    The Charity Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.3.3 via the 'nacharity_elementor_template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for…

  • CVE-2024-10868MedNov 23, 2024
    risk 0.28cvss 4.3epss 0.00

    The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.1.9 via the Advanced Tabs widget due to insufficient restrictions on which posts can be included. This makes it…

  • CVE-2024-10666MedNov 22, 2024
    risk 0.28cvss 4.3epss 0.00

    The Easy Twitter Feed – Twitter feeds plugin for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.6 via the [etf] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to…

  • CVE-2024-10782MedNov 21, 2024
    risk 0.28cvss 4.3epss 0.00

    The Theme Builder For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated…

  • CVE-2024-10795MedNov 16, 2024
    risk 0.28cvss 4.3epss 0.00

    The Popularis Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.7 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers,…

  • CVE-2024-10778MedNov 13, 2024
    risk 0.28cvss 4.3epss 0.00

    The BuddyPress Builder for Elementor – BuddyBuilder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.4 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it…

  • CVE-2024-10669MedNov 9, 2024
    risk 0.28cvss 4.3epss 0.00

    The Countdown Timer block – Display the event's date into a timer. plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.4 via the [ctb] shortcode due to insufficient restrictions on which posts can be included. This makes it…

  • CVE-2024-47316MedOct 5, 2024
    risk 0.28cvss 4.3epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Dimitri Grassi Salon booking system salon-booking-system.This issue affects Salon booking system: from n/a through <= 10.9.

  • CVE-2024-43239MedAug 18, 2024
    risk 0.28cvss 4.3epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in masteriyo Masteriyo - LMS learning-management-system.This issue affects Masteriyo - LMS: from n/a through <= 1.11.4.

  • CVE-2024-4874MedJun 22, 2024
    risk 0.28cvss 4.3epss 0.00

    The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with…

  • CVE-2024-4873MedJun 19, 2024
    risk 0.28cvss 4.3epss 0.00

    The Replace Image plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.10 via the image replacement functionality due to missing validation on a user controlled key. This makes it possible for authenticated attackers,…