CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3237 vulnerabilities reference this CWE, most recent first.
GHSA-X9PQ-RG5G-M83P
Vulnerability from github – Published: 2023-08-14 21:30 – Updated: 2024-04-04 06:55The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor.
{
"affected": [],
"aliases": [
"CVE-2023-3601"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-14T20:15:11Z",
"severity": "MODERATE"
},
"details": "The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor.",
"id": "GHSA-x9pq-rg5g-m83p",
"modified": "2024-04-04T06:55:38Z",
"published": "2023-08-14T21:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3601"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/c0cc513e-c306-4920-9afb-e33d95a7292f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X9V7-MGG6-WJFR
Vulnerability from github – Published: 2025-06-10 12:30 – Updated: 2025-10-22 15:31An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/select node/data.asp?mode=catalogue&id1=1&id2=1session=&cod=1&networks=0.
{
"affected": [],
"aliases": [
"CVE-2025-40660"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T10:15:28Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the\u00a0option parameter equal to 0, 1 or 2 in /administer/select node/data.asp?mode=catalogue\u0026id1=1\u0026id2=1session=\u0026cod=1\u0026networks=0.",
"id": "GHSA-x9v7-mgg6-wjfr",
"modified": "2025-10-22T15:31:04Z",
"published": "2025-06-10T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40660"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dm-corporative-cms-dmacroweb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X9XP-VJFV-M6VR
Vulnerability from github – Published: 2026-06-09 21:32 – Updated: 2026-06-09 21:32A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, access functionality beyond their assigned privileges.
{
"affected": [],
"aliases": [
"CVE-2026-6444"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T20:17:02Z",
"severity": "HIGH"
},
"details": "A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, access functionality beyond their assigned privileges.",
"id": "GHSA-x9xp-vjfv-m6vr",
"modified": "2026-06-09T21:32:37Z",
"published": "2026-06-09T21:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6444"
},
{
"type": "WEB",
"url": "https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XC4H-36V7-XRRW
Vulnerability from github – Published: 2026-02-08 00:30 – Updated: 2026-02-11 00:30WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
{
"affected": [],
"aliases": [
"CVE-2026-25564"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-07T22:16:01Z",
"severity": "HIGH"
},
"details": "WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.",
"id": "GHSA-xc4h-36v7-xrrw",
"modified": "2026-02-11T00:30:14Z",
"published": "2026-02-08T00:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25564"
},
{
"type": "WEB",
"url": "https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac"
},
{
"type": "WEB",
"url": "https://wekan.fi"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XC7F-H2V5-WX39
Vulnerability from github – Published: 2026-05-28 09:31 – Updated: 2026-05-28 09:31The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators.
{
"affected": [],
"aliases": [
"CVE-2026-7651"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T08:16:37Z",
"severity": "MODERATE"
},
"details": "The User Registration \u0026 Membership \u2013 Free \u0026 Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration \u0026 Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators.",
"id": "GHSA-xc7f-h2v5-wx39",
"modified": "2026-05-28T09:31:19Z",
"published": "2026-05-28T09:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7651"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/frontend/class-ur-frontend.php#L114"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/frontend/class-ur-frontend.php#L86"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/functions-ur-core.php#L4262"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3539426/user-registration/tags/5.2.0/includes/frontend/class-ur-frontend.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0def7637-edf4-4ae2-a2e7-31ccb3b52d71?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XC8Q-RH3X-H9M3
Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-13 21:31The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the frm_strp_amount AJAX handler (update_intent_ajax) overwriting the global $_POST data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in generate_false_entry(). The handler relies on a nonce that is publicly exposed in the page's JavaScript (frm_stripe_vars.nonce), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services.
{
"affected": [],
"aliases": [
"CVE-2026-2888"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-13T19:54:34Z",
"severity": "MODERATE"
},
"details": "The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page\u0027s JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services.",
"id": "GHSA-xc8q-rh3x-h9m3",
"modified": "2026-03-13T21:31:47Z",
"published": "2026-03-13T21:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2888"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteHooksController.php#L88"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/models/FrmStrpLiteAuth.php#L322"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/models/FrmStrpLiteAuth.php#L402"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3480574%40formidable%2Ftrunk\u0026old=3460198%40formidable%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8be3b6e-a035-4e6f-ba2b-ce9e59ebf2e0?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XCH6-9RQG-692Q
Vulnerability from github – Published: 2025-04-13 12:30 – Updated: 2025-04-13 12:30A vulnerability was found in Tutorials-Website Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete-user.php. The manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-3536"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-13T12:15:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Tutorials-Website Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete-user.php. The manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-xch6-9rqg-692q",
"modified": "2025-04-13T12:30:31Z",
"published": "2025-04-13T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3536"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.304574"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.304574"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.545810"
},
{
"type": "WEB",
"url": "https://www.websecurityinsights.my.id/2025/03/tutorials-website-employee-management.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XCVC-5HGV-PHQG
Vulnerability from github – Published: 2024-10-09 21:31 – Updated: 2025-10-15 15:58An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/{id}/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without proper authorization.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-7041"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-09T22:10:34Z",
"nvd_published_at": "2024-10-09T20:15:09Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint `http://0.0.0.0:3000/api/v1/memories/{id}/update`, where the decentralization design is flawed, allowing attackers to edit other users\u0027 memories without proper authorization.",
"id": "GHSA-xcvc-5hgv-phqg",
"modified": "2025-10-15T15:58:58Z",
"published": "2024-10-09T21:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7041"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/blob/main/backend/apps/webui/routers/memories.py#L71"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/6855227f-1237-47b8-8d37-29aad7ddec3a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "open-webui Insecure Direct Object Reference (IDOR) vulnerability"
}
GHSA-XCVJ-JV6G-QQ33
Vulnerability from github – Published: 2023-08-31 06:30 – Updated: 2024-04-04 07:18The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_update_steps_ajax_handler, badgeos_update_award_steps_ajax_handler, badgeos_update_deduct_steps_ajax_handler, and badgeos_update_ranks_req_steps_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to overwrite arbitrary post titles.
{
"affected": [],
"aliases": [
"CVE-2023-2172"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-31T06:15:08Z",
"severity": "MODERATE"
},
"details": "The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_update_steps_ajax_handler, badgeos_update_award_steps_ajax_handler, badgeos_update_deduct_steps_ajax_handler, and badgeos_update_ranks_req_steps_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to overwrite arbitrary post titles.",
"id": "GHSA-xcvj-jv6g-qq33",
"modified": "2024-04-04T07:18:23Z",
"published": "2023-08-31T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2172"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/points/award-steps-ui.php#L397"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/points/deduct-steps-ui.php#L454"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/ranks/rank-steps-ui.php#L388"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/steps-ui.php#L396"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5dae8e82-e252-48d9-ae1f-62acfcd17e2b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XF3J-2PWF-M9RM
Vulnerability from github – Published: 2026-05-05 09:31 – Updated: 2026-05-05 09:31The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.
{
"affected": [],
"aliases": [
"CVE-2026-2729"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T07:15:59Z",
"severity": "MODERATE"
},
"details": "The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.",
"id": "GHSA-xf3j-2pwf-m9rm",
"modified": "2026-05-05T09:31:54Z",
"published": "2026-05-05T09:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2729"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3500669/forminator"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1afb94ab-b3ba-4598-8ff4-f9ffc6717371?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.