Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-48016

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-17 Jul, 2026 | 17:54
Updated At-17 Jul, 2026 | 17:54
Rejected At-
Credits

Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the Store API endpoint /store-api/handle-payment in src/Core/Checkout/Payment/SalesChannel/HandlePaymentMethodRoute.php accepts a user-controlled orderId and forwards it to src/Core/Checkout/Payment/PaymentProcessor.php without verifying order ownership or guest-order authentication, allowing a normal customer or guest context to trigger the payment flow for another user's order while /store-api/order enforces the expected ownership model. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:17 Jul, 2026 | 17:54
Updated At:17 Jul, 2026 | 17:54
Rejected At:
▼CVE Numbering Authority (CNA)
Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the Store API endpoint /store-api/handle-payment in src/Core/Checkout/Payment/SalesChannel/HandlePaymentMethodRoute.php accepts a user-controlled orderId and forwards it to src/Core/Checkout/Payment/PaymentProcessor.php without verifying order ownership or guest-order authentication, allowing a normal customer or guest context to trigger the payment flow for another user's order while /store-api/order enforces the expected ownership model. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

Affected Products
Vendor
shopware
Product
shopware
Versions
Affected
  • < 6.6.10.18
  • >= 6.7.0.0, < 6.7.10.1
Vendor
shopware
Product
platform
Versions
Affected
  • < 6.6.10.18
  • >= 6.7.0.0, < 6.7.10.1
Problem Types
TypeCWE IDDescription
CWECWE-639CWE-639: Authorization Bypass Through User-Controlled Key
Type: CWE
CWE ID: CWE-639
Description: CWE-639: Authorization Bypass Through User-Controlled Key
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/shopware/shopware/security/advisories/GHSA-9v5m-39wh-5chq
x_refsource_CONFIRM
https://github.com/shopware/shopware/commit/69dd5b6cb01d3c2aea49ac29dd4512a87836ac3f
x_refsource_MISC
https://github.com/shopware/shopware/commit/df15f2e607dcf9ebc4a26ec622ffcf452dc25090
x_refsource_MISC
https://github.com/shopware/shopware/releases/tag/v6.6.10.18
x_refsource_MISC
https://github.com/shopware/shopware/releases/tag/v6.7.10.1
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/security/advisories/GHSA-9v5m-39wh-5chq
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/shopware/shopware/commit/69dd5b6cb01d3c2aea49ac29dd4512a87836ac3f
Resource:
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/commit/df15f2e607dcf9ebc4a26ec622ffcf452dc25090
Resource:
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/releases/tag/v6.6.10.18
Resource:
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/releases/tag/v6.7.10.1
Resource:
x_refsource_MISC
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:17 Jul, 2026 | 18:17
Updated At:17 Jul, 2026 | 18:30

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the Store API endpoint /store-api/handle-payment in src/Core/Checkout/Payment/SalesChannel/HandlePaymentMethodRoute.php accepts a user-controlled orderId and forwards it to src/Core/Checkout/Payment/PaymentProcessor.php without verifying order ownership or guest-order authentication, allowing a normal customer or guest context to trigger the payment flow for another user's order while /store-api/order enforces the expected ownership model. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-639Primarysecurity-advisories@github.com
CWE ID: CWE-639
Type: Primary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/shopware/shopware/commit/69dd5b6cb01d3c2aea49ac29dd4512a87836ac3fsecurity-advisories@github.com
N/A
https://github.com/shopware/shopware/commit/df15f2e607dcf9ebc4a26ec622ffcf452dc25090security-advisories@github.com
N/A
https://github.com/shopware/shopware/releases/tag/v6.6.10.18security-advisories@github.com
N/A
https://github.com/shopware/shopware/releases/tag/v6.7.10.1security-advisories@github.com
N/A
https://github.com/shopware/shopware/security/advisories/GHSA-9v5m-39wh-5chqsecurity-advisories@github.com
N/A
Hyperlink: https://github.com/shopware/shopware/commit/69dd5b6cb01d3c2aea49ac29dd4512a87836ac3f
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/shopware/shopware/commit/df15f2e607dcf9ebc4a26ec622ffcf452dc25090
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/shopware/shopware/releases/tag/v6.6.10.18
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/shopware/shopware/releases/tag/v6.7.10.1
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/shopware/shopware/security/advisories/GHSA-9v5m-39wh-5chq
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

162Records found

CVE-2021-37709
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.77% / 51.62%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 22:05
Updated-04 Aug, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure direct object reference of log files of the Import/Export feature

Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

Action-Not Available
Vendor-shopwareshopware
Product-shopwareplatform
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-57634
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 8.27%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:53
Updated-26 Jun, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PPWP plugin <= 1.9.19 - Insecure Direct Object References (IDOR) vulnerability

Contributor Insecure Direct Object References (IDOR) in PPWP <= 1.9.19 versions.

Action-Not Available
Vendor-WP Folio Team
Product-PPWP
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-5639
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.41% / 33.15%
||
7 Day CHG~0.00%
Published-21 Jun, 2024 | 06:58
Updated-08 Apr, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Profile Picture <= 2.6.1 - Authenticated (Author+) Insecure Direct Object Reference to Profile Picture Update

The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update the profile picture of any user.

Action-Not Available
Vendor-cozmoslabscozmoslabs
Product-user_profile_pictureUser Profile Picture
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-27436
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 13.18%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 00:39
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements)

The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a low impact on integrity, with no impact on the confidentiality of the data or the availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP S/4HANA (Manage Bank Statements)
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-5438
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.34% / 26.45%
||
7 Day CHG~0.00%
Published-07 Jun, 2024 | 12:33
Updated-08 Apr, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutor LMS – eLearning and online course solution <= 2.7.1 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Instructor-level access and above, to delete arbitrary quiz attempts.

Action-Not Available
Vendor-Themeum
Product-tutor_lmsTutor LMS – eLearning and online course solutiontutor_lms
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-54006
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.59%
||
7 Day CHG~0.00%
Published-23 Jun, 2026 | 16:50
Updated-25 Jun, 2026 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open WebUI: Calendar event re-parenting allows writing events into another user's calendar

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/v1/calendars/events/{event_id}/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendar_id supplied in the request body. The model layer then persists the new calendar_id unconditionally. A regular user-role account can therefore create an event in their own calendar and immediately move it into any other user's calendar whose ID they know — bypassing the authorization check that create_event correctly performs. This vulnerability is fixed in 0.9.6.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2020-9468
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.58% / 43.93%
||
7 Day CHG~0.00%
Published-26 Mar, 2020 | 19:12
Updated-04 Aug, 2024 | 10:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter.

Action-Not Available
Vendor-n/aPiwigo
Product-piwigon/a
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-52294
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 29.59%
||
7 Day CHG~0.00%
Published-30 Dec, 2024 | 16:14
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
khoj has an IDOR in subscription management that allows unauthorized subscription modifications

Khoj is a self-hostable artificial intelligence app. Prior to version 1.29.10, an Insecure Direct Object Reference (IDOR) vulnerability in the update_subscription endpoint allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the email parameter in the request. The vulnerability exists in the subscription endpoint at `/api/subscription`. The endpoint uses an email parameter as a direct reference to user subscriptions without verifying object ownership. While authentication is required, there is no authorization check to verify if the authenticated user owns the referenced subscription. The issue was fixed in version 1.29.10. Support for arbitrarily presenting an email for update has been deprecated.

Action-Not Available
Vendor-khoj-ai
Product-khoj
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2023-2172
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 40.62%
||
7 Day CHG~0.00%
Published-31 Aug, 2023 | 05:33
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BadgeOS <= 3.7.1.6 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Title Overwrite

The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_update_steps_ajax_handler, badgeos_update_award_steps_ajax_handler, badgeos_update_deduct_steps_ajax_handler, and badgeos_update_ranks_req_steps_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to overwrite arbitrary post titles.

Action-Not Available
Vendor-badgeoslearningtimes
Product-badgeosBadgeOS
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2023-2173
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.52% / 40.62%
||
7 Day CHG~0.00%
Published-31 Aug, 2023 | 05:33
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BadgeOS <= 3.7.1.6 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion

The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_delete_step_ajax_handler, badgeos_delete_award_step_ajax_handler, badgeos_delete_deduct_step_ajax_handler, and badgeos_delete_rank_req_step_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.

Action-Not Available
Vendor-badgeoslearningtimes
Product-badgeosBadgeOS
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-15147
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.02%
||
7 Day CHG~0.00%
Published-09 Feb, 2026 | 23:23
Updated-08 Apr, 2026 | 17:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments.

Action-Not Available
Vendor-wclovers
Product-WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-45386
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 10.48%
||
7 Day CHG~0.00%
Published-15 May, 2026 | 20:36
Updated-19 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open WebUI: An IDOR vulnerability exists in the pin_channel_message API endpoint

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation (modifies the message's is_pinned , pinned_by, pinned_at fields), but in standard channels it only checks read permission, allowing users with read-only access to pin/unpin any message. This vulnerability is fixed in 0.9.5.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-44732
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 10.13%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 19:39
Updated-29 Jun, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenProject: IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter "project_id" leads to Unauthorized Modification of Resources

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated. During update, attacker-controlled attributes are applied to the persisted record before authorization is enforced. As a result, a user without :manage_documents in the source project can move and modify foreign project documents by setting project_id in a single PATCH request. This vulnerability is fixed in 17.3.2 and 17.4.0.

Action-Not Available
Vendor-opf
Product-openproject
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-4330
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.54% / 41.87%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 07:43
Updated-24 Apr, 2026 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Blog2Social: Social Media Auto Post & Scheduler <= 8.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Schedule Modification via 'b2s_id' Parameter

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' parameter belongs to the current user before performing UPDATE and DELETE operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify, reschedule, or delete other users' scheduled social media posts.

Action-Not Available
Vendor-pr-gateway
Product-Blog2Social: Social Media Auto Post & Scheduler
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2023-1417
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.65% / 47.05%
||
7 Day CHG~0.00%
Published-05 Apr, 2023 | 00:00
Updated-11 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unrelated group.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-41160
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 21.13%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 16:24
Updated-28 May, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first, authorize later" execution flaw in the backend API, even though the server correctly returns a 403 Forbidden error, the targeted note's pinned status is already persistently modified in the database. The root cause lies in the server-side processing of the POST /api/v1/Note/{id}/pin endpoint. In application/Espo/Tools/Stream/Api/PostNotePin.php, the process() method first calls getNote($id) before calling checkParent($note). This vulnerability is fixed in 9.3.5.

Action-Not Available
Vendor-espocrm
Product-espocrm
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CVE-2026-40590
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.69%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 16:52
Updated-22 Apr, 2026 | 21:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FreeScout's Customer AJAX Create Modifies Hidden Existing Customer

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already belongs to a hidden customer, Customer::create() reuses that hidden customer object and fills empty profile fields from attacker-controlled input. Version 1.8.214 fixes the vulnerability.

Action-Not Available
Vendor-freescout-help-desk
Product-freescout
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-3306
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.32% / 24.20%
||
7 Day CHG~0.00%
Published-10 Mar, 2026 | 17:46
Updated-12 Mar, 2026 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper authorization in GitHub Projects allows modification of issue and pull request metadata without repository write access

An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's repository write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.

Action-Not Available
Vendor-GitHub, Inc.
Product-enterprise_serverEnterprise Server
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-12833
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.61%
||
7 Day CHG+0.02%
Published-12 Nov, 2025 | 04:29
Updated-08 Apr, 2026 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.139 - Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.

Action-Not Available
Vendor-paoltaia
Product-GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-4886
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 29.74%
||
7 Day CHG~0.00%
Published-05 Jun, 2024 | 06:00
Updated-27 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BuddyBoss Platform < 2.6.0 - Subscriber+ Comment on Private Post via IDOR

The contains an IDOR vulnerability that allows a user to comment on a private post by manipulating the ID included in the request

Action-Not Available
Vendor-UnknownBUDDYBOSS LLC
Product-buddyboss_platformbuddyboss-platform
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-13452
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.47%
||
7 Day CHG+0.01%
Published-25 Nov, 2025 | 07:28
Updated-08 Apr, 2026 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.

Action-Not Available
Vendor-nmedia
Product-Admin and Customer Messages After Order for WooCommerce: OrderConvo
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-13382
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 10.24%
||
7 Day CHG~0.00%
Published-25 Nov, 2025 | 07:28
Updated-08 Apr, 2026 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager Plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming

The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter.

Action-Not Available
Vendor-nmedia
Product-Frontend File Manager Plugin
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-3371
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 28.05%
||
7 Day CHG~0.00%
Published-11 Apr, 2026 | 01:25
Updated-24 Apr, 2026 | 18:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.

Action-Not Available
Vendor-Themeum
Product-Tutor LMS – eLearning and online course solution
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-12071
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.37%
||
7 Day CHG~0.00%
Published-18 Feb, 2026 | 04:35
Updated-08 Apr, 2026 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend User Notes <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification

The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funp_ajax_modify_notes' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary notes that do not belong to them.

Action-Not Available
Vendor-absikandar
Product-Frontend User Notes
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-12366
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 14.09%
||
7 Day CHG+0.02%
Published-13 Nov, 2025 | 03:27
Updated-08 Apr, 2026 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators.

Action-Not Available
Vendor-softaculous
Product-Page Builder: Pagelayer – Drag and Drop website builder
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-43239
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 21.13%
||
7 Day CHG~0.00%
Published-18 Aug, 2024 | 21:36
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Masteriyo LMS plugin <= 1.11.4 - Insecure Direct Object Reference (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in masteriyo Masteriyo - LMS learning-management-system.This issue affects Masteriyo - LMS: from n/a through <= 1.11.4.

Action-Not Available
Vendor-masteriyomasteriyo
Product-masteriyoMasteriyo - LMS
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-10570
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.51%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 06:40
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flexible Refund and Return Order for WooCommerce <= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund

The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own.

Action-Not Available
Vendor-wpdesk
Product-Flexible Refund and Return Order for WooCommerce
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-43288
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 22.97%
||
7 Day CHG~0.00%
Published-18 Aug, 2024 | 21:33
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress wpForo Forum plugin <= 2.3.4 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team wpForo Forum.This issue affects wpForo Forum: from n/a through 2.3.4.

Action-Not Available
Vendor-gvectorsgVectors Team
Product-wpforo_forumwpForo Forum
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-3073
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.22%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 05:36
Updated-16 May, 2026 | 03:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization Bypass Through User-Controlled Key in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload restricted packages due to improper authorization checks.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-30954
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 10.13%
||
7 Day CHG~0.00%
Published-10 Mar, 2026 | 20:40
Updated-17 Mar, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LinkAce has a Cross-User Tag/List Attachment IDOR in processTaxonomy()

LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticated users to attach other users' private tags and lists to their own links by passing integer IDs.

Action-Not Available
Vendor-linkaceKovah
Product-linkaceLinkAce
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-30825
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||NONE
EPSS-0.22% / 13.19%
||
7 Day CHG~0.00%
Published-07 Mar, 2026 | 05:13
Updated-11 Mar, 2026 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1.

Action-Not Available
Vendor-hoppscotchhoppscotch
Product-hoppscotchhoppscotch
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-3139
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.68%
||
7 Day CHG~0.00%
Published-31 Mar, 2026 | 11:18
Updated-24 Apr, 2026 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to reassign ownership of arbitrary posts and attachments by changing 'post_author'.

Action-Not Available
Vendor-cozmoslabs
Product-User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-28782
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 14.28%
||
7 Day CHG~0.00%
Published-04 Mar, 2026 | 16:36
Updated-05 Mar, 2026 | 19:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Craft has a Permission Bypass and IDOR in Duplicate Entry Action

Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.

Action-Not Available
Vendor-craftcmscraftcms
Product-craft_cmscms
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-40205
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.48% / 38.56%
||
7 Day CHG~0.00%
Published-08 Nov, 2022 | 18:26
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress wpForo Forum plugin <= 2.0.5 - Insecure direct object references (IDOR) vulnerability

Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as solved/unsolved.

Action-Not Available
Vendor-gvectorsgVectors Team
Product-wpforo_forumwpForo Forum (WordPress plugin)
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-40206
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.3||MEDIUM
EPSS-0.46% / 36.70%
||
7 Day CHG~0.00%
Published-08 Nov, 2022 | 18:31
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress wpForo Forum plugin <= 2.0.5 - Insecure direct object references (IDOR) vulnerability

Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.

Action-Not Available
Vendor-gvectorsgVectors Team
Product-wpforo_forumwpForo Forum (WordPress plugin)
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-3568
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.33%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 02:25
Updated-24 Apr, 2026 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary user meta fields on their own accounts, including sensitive fields like wp_user_level (to escalate to administrator-level legacy checks), plugin-specific authorization flags (e.g., _wpuf_user_active, aiowps_account_status), and billing/profile fields with unsanitized values (potentially enabling Stored XSS in admin contexts). Note that wp_capabilities cannot be directly exploited this way because it requires a serialized array value, but wp_user_level (a simple integer) and numerous plugin-specific meta keys are exploitable.

Action-Not Available
Vendor-inspireui
Product-MStore API – Create Native Android & iOS Apps On The Cloud
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-3794
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.64% / 46.75%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 20:27
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jeg Elementor Kit <= 2.5.6 - Authorization Bypass

The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various AJAX actions in versions up to, and including, 2.5.6. Authenticated users can use an easily available nonce value to create header templates and make additional changes to the site, as the plugin does not use capability checks for this purpose.

Action-Not Available
Vendor-jegthemejegtheme
Product-jeg_elementor_kitJeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-52507
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.5||LOW
EPSS-0.41% / 33.08%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 17:24
Updated-01 Oct, 2025 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Share information of the Nextcloud Tables app is not limited to affected users

Nextcloud Tables allows users to to create tables with individual columns. The information which Table (numeric ID) is shared with which groups and users and the respective permissions was not limited to affected users. It is recommended that the Nextcloud Tables app is upgraded to 0.8.1.

Action-Not Available
Vendor-Nextcloud GmbH
Product-tablessecurity-advisories
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-6534
Matching Score-4
Assigner-Fluid Attacks
ShareView Details
Matching Score-4
Assigner-Fluid Attacks
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 24.73%
||
7 Day CHG~0.00%
Published-15 Aug, 2024 | 03:10
Updated-19 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directus 10.13.0 - Insecure object reference via PATH presets

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

Action-Not Available
Vendor-monospaceDirectusmonospace
Product-directusDirectusdirectus
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-30852
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.89% / 55.16%
||
7 Day CHG~0.00%
Published-08 Jul, 2022 | 11:10
Updated-03 Aug, 2024 | 07:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR).

Action-Not Available
Vendor-withknownn/a
Product-knownn/a
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-29159
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5||MEDIUM
EPSS-0.94% / 56.84%
||
7 Day CHG+0.02%
Published-20 May, 2022 | 15:40
Updated-22 Apr, 2025 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Possibility for anyone to add a stack with existing tasks on anyone's board in Nextcloud Deck

Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to a board of another user. The Nextcloud Deck app contains a patch for this issue in versions 1.4.8, 1.5.6, and 1.6.1. There are no known currently-known workarounds available.

Action-Not Available
Vendor-Nextcloud GmbH
Product-decksecurity-advisories
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-38701
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 29.41%
||
7 Day CHG~0.00%
Published-22 Jul, 2024 | 10:14
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Academy LMS plugin <= 2.0.4 - Broken Access Control vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Academy LMS.This issue affects Academy LMS: from n/a through 2.0.4.

Action-Not Available
Vendor-kodezenAcademy LMSkodezen
Product-academy_lmsAcademy LMSacademy_lms
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-27108
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.58% / 43.76%
||
7 Day CHG~0.00%
Published-06 Apr, 2022 | 14:40
Updated-03 Aug, 2024 | 05:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account.

Action-Not Available
Vendor-orangehrmn/a
Product-orangehrmn/a
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-55231
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 25.12%
||
7 Day CHG+0.01%
Published-18 Dec, 2024 | 00:00
Updated-26 Dec, 2024 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An IDOR vulnerability in the edit-notes.php module of PHPGurukul Online Notes Sharing Management System v1.0 allows unauthorized users to modify notes belonging to other accounts due to missing authorization checks. This flaw exposes sensitive data and enables attackers to alter another user's information.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-5258
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.4||MEDIUM
EPSS-0.27% / 19.40%
||
7 Day CHG~0.00%
Published-23 May, 2024 | 11:02
Updated-13 Dec, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization Bypass Through User-Controlled Key in GitLab

An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-4819
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.82% / 53.05%
||
7 Day CHG~0.00%
Published-13 May, 2024 | 13:31
Updated-20 Feb, 2025 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Campcodes Online Laundry Management System admin_class.php improper authorization

A vulnerability was found in Campcodes Online Laundry Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file admin_class.php. The manipulation of the argument type with the input 1 leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263940.

Action-Not Available
Vendor-CampCodes
Product-online_laundry_management_systemOnline Laundry Management Systemonline_laundry_management_system
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-4874
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 23.43%
||
7 Day CHG~0.00%
Published-22 Jun, 2024 | 04:32
Updated-08 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bricks Builder <= 1.9.8 - Insecure Direct Object Reference

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify posts and pages created by other users including admins. As a requirement for this, an admin would have to enable access to the editor specifically for such a user or enable it for all users with a certain user account type.

Action-Not Available
Vendor-bricksbuilderBricksBuilder
Product-bricksBricks Builder
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-4873
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 26.78%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 03:12
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Replace Image <= 1.1.10 - Insecure Direct Object Reference

The Replace Image plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.10 via the image replacement functionality due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace images uploaded by higher level users such as admins.

Action-Not Available
Vendor-aspengrovestudios
Product-Replace Image
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-47316
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.34% / 25.88%
||
7 Day CHG~0.00%
Published-05 Oct, 2024 | 12:27
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Salon Booking Wordpress Plugin plugin <= 10.9 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Dimitri Grassi Salon booking system salon-booking-system.This issue affects Salon booking system: from n/a through <= 10.9.

Action-Not Available
Vendor-salonbookingsystemDimitri Grassi
Product-salon_booking_systemSalon booking system
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-1810
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.9||CRITICAL
EPSS-0.79% / 51.98%
||
7 Day CHG~0.00%
Published-23 May, 2022 | 00:00
Updated-03 Aug, 2024 | 00:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization Bypass Through User-Controlled Key in publify/publify

Authorization Bypass Through User-Controlled Key in GitHub repository publify/publify prior to 9.2.9.

Action-Not Available
Vendor-publify_projectpublify
Product-publifypublify/publify
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found