Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3238 vulnerabilities reference this CWE, most recent first.

GHSA-2W3F-X9P7-9W42

Vulnerability from github – Published: 2023-06-09 06:30 – Updated: 2024-04-04 04:41
VLAI
Details

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_payment_status' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the payment status of arbitrary form submissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-09T06:15:51Z",
    "severity": "MODERATE"
  },
  "details": "The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the \u0027mf_payment_status\u0027 shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the payment status of arbitrary form submissions.",
  "id": "GHSA-2w3f-x9p7-9w42",
  "modified": "2024-04-04T04:41:09Z",
  "published": "2023-06-09T06:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0692"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2910040"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddd85ff2-6607-4ac8-b91c-88f6f2fa6c56?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2W5H-CXQX-M45H

Vulnerability from github – Published: 2025-06-20 15:30 – Updated: 2026-04-01 18:35
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Attachments: from n/a through 1.3.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-20T15:15:25Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Attachments: from n/a through 1.3.1.",
  "id": "GHSA-2w5h-cxqx-m45h",
  "modified": "2026-04-01T18:35:32Z",
  "published": "2025-06-20T15:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49995"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/download-attachments/vulnerability/wordpress-download-attachments-plugin-1-3-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2WM9-HF6C-P5CR

Vulnerability from github – Published: 2026-06-12 18:31 – Updated: 2026-06-30 03:37
VLAI
Details

A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45830"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T16:16:28Z",
    "severity": "HIGH"
  },
  "details": "A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant\u0027s collection regardless of which tenant they belong to.",
  "id": "GHSA-2wm9-hf6c-p5cr",
  "modified": "2026-06-30T03:37:02Z",
  "published": "2026-06-12T18:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45830"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-45830"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488408"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45830.json"
    },
    {
      "type": "WEB",
      "url": "https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2WR7-99VR-6M4H

Vulnerability from github – Published: 2024-03-18 12:30 – Updated: 2024-10-10 18:31
VLAI
Details

Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate.

Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-18T10:15:19Z",
    "severity": "MODERATE"
  },
  "details": "Improper authorization in the report management and creation module of BMC Control-M branches\u00a09.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate.\n\nFix for 9.0.20 branch was released in version 9.0.20.238.\u00a0Fix for 9.0.21 branch was released in version 9.0.21.201. \n",
  "id": "GHSA-2wr7-99vr-6m4h",
  "modified": "2024-10-10T18:31:07Z",
  "published": "2024-03-18T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1604"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2024/03/CVE-2024-1604"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2024/03/CVE-2024-1604"
    },
    {
      "type": "WEB",
      "url": "https://www.bmc.com/it-solutions/control-m.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2X59-2XMG-FGCX

Vulnerability from github – Published: 2022-09-08 00:00 – Updated: 2022-09-13 00:00
VLAI
Details

WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-07T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.",
  "id": "GHSA-2x59-2xmg-fgcx",
  "modified": "2022-09-13T00:00:35Z",
  "published": "2022-09-08T00:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36539"
    },
    {
      "type": "WEB",
      "url": "https://apps.apple.com/nl/app/eigen-wijzer-ouderapp/id1331059326"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Fopje/CVE-2022-36539"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2XC6-348P-C2X6

Vulnerability from github – Published: 2026-03-11 00:12 – Updated: 2026-03-11 05:46
VLAI
Summary
Sylius affected by IDOR in Cart and Checkout LiveComponents
Details

Impact

An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled - any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable.

Checkout address FormComponent (addressFieldUpdated action): Accepts an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name, last name, company, phone number, street, city, postcode, and country.

Cart WidgetComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing order total and item count.

Cart SummaryComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total.

Since sylius_order contains both active carts (state=cart) and completed orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just active carts.

Patches

The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.

Workarounds

Override vulnerable LiveComponent classes at the project level to add authorization checks to #[LiveArg] parameters.

Step 1. Exclude component overrides from default autowiring

In config/services.yaml, add Twig/Component to the exclude list to prevent duplicate service registration:

App\:
    resource: '../src/*'
    exclude: '../src/{Entity,Kernel.php,Twig/Components}'

Step 2. Override checkout address FormComponent

Create src/Twig/Components/Checkout/Address/FormComponent.php:

<?php

declare(strict_types=1);

namespace App\Twig\Components\Checkout\Address;

use Sylius\Bundle\ShopBundle\Twig\Component\Checkout\Address\AddressBookComponent;
use Sylius\Bundle\UiBundle\Twig\Component\ResourceFormComponentTrait;
use Sylius\Bundle\UiBundle\Twig\Component\TemplatePropTrait;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Model\ShopUserInterface;
use Sylius\Component\Core\Repository\AddressRepositoryInterface;
use Sylius\Component\Core\Repository\OrderRepositoryInterface;
use Sylius\Component\Customer\Context\CustomerContextInterface;
use Sylius\Component\User\Repository\UserRepositoryInterface;
use Symfony\Component\Form\FormFactoryInterface;
use Symfony\Component\Form\FormInterface;
use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
use Symfony\UX\LiveComponent\Attribute\LiveArg;
use Symfony\UX\LiveComponent\Attribute\LiveListener;
use Symfony\UX\LiveComponent\Attribute\LiveProp;
use Symfony\UX\LiveComponent\Attribute\PreReRender;

#[AsLiveComponent]
class FormComponent
{
    /** @use ResourceFormComponentTrait<OrderInterface> */
    use ResourceFormComponentTrait;
    use TemplatePropTrait;

    #[LiveProp]
    public bool $emailExists = false;

    /**
     * @param OrderRepositoryInterface<OrderInterface> $repository
     * @param UserRepositoryInterface<ShopUserInterface> $shopUserRepository
     */
    public function __construct(
        OrderRepositoryInterface $repository,
        FormFactoryInterface $formFactory,
        string $resourceClass,
        string $formClass,
        protected readonly CustomerContextInterface $customerContext,
        protected readonly UserRepositoryInterface $shopUserRepository,
        protected readonly AddressRepositoryInterface $addressRepository,
    ) {
        $this->initialize($repository, $formFactory, $resourceClass, $formClass);
    }

    #[PreReRender(priority: -100)]
    public function checkEmailExist(): void
    {
        $email = $this->formValues['customer']['email'] ?? null;
        if (null !== $email) {
            $this->emailExists = $this->shopUserRepository->findOneByEmail($email) !== null;
        }
    }

    #[LiveListener(AddressBookComponent::SYLIUS_SHOP_ADDRESS_UPDATED)]
    public function addressFieldUpdated(#[LiveArg] mixed $addressId, #[LiveArg] string $field): void
    {
        $customer = $this->customerContext->getCustomer();
        if (null === $customer) {
            return;
        }

        // Fix: findOneByCustomer instead of find — validates ownership
        $address = $this->addressRepository->findOneByCustomer((string) $addressId, $customer);
        if (null === $address) {
            return;
        }

        $newAddress = [];
        $newAddress['firstName'] = $address->getFirstName();
        $newAddress['lastName'] = $address->getLastName();
        $newAddress['phoneNumber'] = $address->getPhoneNumber();
        $newAddress['company'] = $address->getCompany();
        $newAddress['countryCode'] = $address->getCountryCode();
        if ($address->getProvinceCode() !== null) {
            $newAddress['provinceCode'] = $address->getProvinceCode();
        }
        if ($address->getProvinceName() !== null) {
            $newAddress['provinceName'] = $address->getProvinceName();
        }
        $newAddress['street'] = $address->getStreet();
        $newAddress['city'] = $address->getCity();
        $newAddress['postcode'] = $address->getPostcode();

        $this->formValues[$field] = $newAddress;
    }

    protected function instantiateForm(): FormInterface
    {
        return $this->formFactory->create(
            $this->formClass,
            $this->resource,
            ['customer' => $this->customerContext->getCustomer()],
        );
    }
}

Step 3. Override cart WidgetComponent

Create src/Twig/Components/Cart/WidgetComponent.php:

<?php

declare(strict_types=1);

namespace App\Twig\Components\Cart;

use Sylius\Bundle\ShopBundle\Twig\Component\Cart\FormComponent;
use Sylius\Bundle\UiBundle\Twig\Component\ResourceLivePropTrait;
use Sylius\Bundle\UiBundle\Twig\Component\TemplatePropTrait;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Repository\OrderRepositoryInterface;
use Sylius\Component\Order\Context\CartContextInterface;
use Sylius\Component\Order\Context\CartNotFoundException;
use Sylius\Resource\Model\ResourceInterface;
use Sylius\TwigHooks\LiveComponent\HookableLiveComponentTrait;
use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
use Symfony\UX\LiveComponent\Attribute\LiveArg;
use Symfony\UX\LiveComponent\Attribute\LiveListener;
use Symfony\UX\LiveComponent\Attribute\LiveProp;
use Symfony\UX\LiveComponent\DefaultActionTrait;
use Symfony\UX\TwigComponent\Attribute\PreMount;

#[AsLiveComponent]
class WidgetComponent
{
    use DefaultActionTrait;
    use HookableLiveComponentTrait;
    use TemplatePropTrait;

    /** @use ResourceLivePropTrait<OrderInterface> */
    use ResourceLivePropTrait;

    #[LiveProp(hydrateWith: 'hydrateResource', dehydrateWith: 'dehydrateResource')]
    public ?ResourceInterface $cart = null;

    public function __construct(
        protected readonly CartContextInterface $cartContext,
        OrderRepositoryInterface $orderRepository,
    ) {
        $this->initialize($orderRepository);
    }

    #[PreMount]
    public function initializeCart(): void
    {
        $this->cart = $this->getCart();
    }

    #[LiveListener(FormComponent::SYLIUS_SHOP_CART_CHANGED)]
    #[LiveListener(FormComponent::SYLIUS_SHOP_CART_CLEARED)]
    public function refreshCart(#[LiveArg] mixed $cartId = null): void
    {
        // Fix: ignore user-supplied cartId, always load from session
        $this->cart = $this->getCart();
    }

    private function getCart(): ?OrderInterface
    {
        try {
            return $this->cartContext->getCart();
        } catch (CartNotFoundException) {
            return null;
        }

       return $cart;
    }
}

Step 4. Override cart SummaryComponent

Create src/Twig/Components/Cart/SummaryComponent.php:

<?php

declare(strict_types=1);

namespace App\Twig\Components\Cart;

use Sylius\Bundle\ShopBundle\Twig\Component\Cart\FormComponent;
use Sylius\Bundle\UiBundle\Twig\Component\ResourceLivePropTrait;
use Sylius\Bundle\UiBundle\Twig\Component\TemplatePropTrait;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Repository\OrderRepositoryInterface;
use Sylius\Resource\Model\ResourceInterface;
use Sylius\TwigHooks\LiveComponent\HookableLiveComponentTrait;
use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
use Symfony\UX\LiveComponent\Attribute\LiveArg;
use Symfony\UX\LiveComponent\Attribute\LiveListener;
use Symfony\UX\LiveComponent\Attribute\LiveProp;
use Symfony\UX\LiveComponent\DefaultActionTrait;

#[AsLiveComponent]
class SummaryComponent
{
    use DefaultActionTrait;
    use HookableLiveComponentTrait;

    /** @use ResourceLivePropTrait<OrderInterface> */
    use ResourceLivePropTrait;
    use TemplatePropTrait;

    #[LiveProp(hydrateWith: 'hydrateResource', dehydrateWith: 'dehydrateResource')]
    public ?ResourceInterface $cart = null;

    /** @param OrderRepositoryInterface<OrderInterface> $orderRepository */
    public function __construct(OrderRepositoryInterface $orderRepository)
    {
        $this->initialize($orderRepository);
    }

    #[LiveListener(FormComponent::SYLIUS_SHOP_CART_CHANGED)]
    public function refreshCart(#[LiveArg] mixed $cartId): void
    {
        // Fix: ignore user-supplied cartId, reload from checksummed cart prop
        if ($this->cart === null) {
            return;
        }

        $this->cart = $this->hydrateResource($this->cart->getId());
    }
}

Step 5. Register overridden services

In config/services.yaml, add:

    sylius_shop.twig.component.checkout.address.form:
        class: App\Twig\Components\Checkout\Address\FormComponent
        arguments:
            $repository: '@sylius.repository.order'
            $formFactory: '@form.factory'
            $resourceClass: '%sylius.model.order.class%'
            $formClass: 'Sylius\Bundle\ShopBundle\Form\Type\Checkout\AddressType'
            $customerContext: '@sylius.context.customer'
            $shopUserRepository: '@sylius.repository.shop_user'
            $addressRepository: '@sylius.repository.address'
        tags:
            - { name: 'sylius.live_component.shop', key: 'sylius_shop:checkout:address:form' }

    sylius_shop.twig.component.cart.widget:
        class: App\Twig\Components\Cart\WidgetComponent
        arguments:
            $cartContext: '@sylius.context.cart.composite'
            $orderRepository: '@sylius.repository.order'
        tags:
            - { name: 'sylius.live_component.shop', key: 'sylius_shop:cart:widget' }

    sylius_shop.twig.component.cart.summary:
        class: App\Twig\Components\Cart\SummaryComponent
        arguments:
            $orderRepository: '@sylius.repository.order'
        tags:
            - { name: 'sylius.live_component.shop', key: 'sylius_shop:cart:summary' }

Step 6. Clear cache

php bin/console cache:clear

Reporters

We would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability: - Peter Stöckli (@p-) - Man Yue Mo (@m-y-mo) - The GitHub Security Lab team

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.11"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:12:47Z",
    "nvd_published_at": "2026-03-10T22:16:19Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAn authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via `#[LiveArg]` parameters. Unlike props, which are protected by LiveComponent\u0027s `@checksum`, `args` are fully user-controlled - any action that accepts a resource ID via `#[LiveArg]` and loads it with `-\u003efind()` without ownership validation is vulnerable.\n\nCheckout address **FormComponent** (`addressFieldUpdated` action): Accepts an `addressId` via `#[LiveArg]` and loads it without verifying ownership, exposing another user\u0027s first name, last name, company, phone number, street, city, postcode, and country.\n\nCart **WidgetComponent** (`refreshCart` action): Accepts a `cartId` via `#[LiveArg]` and loads any order directly from the repository, exposing order total and item count.\n\nCart **SummaryComponent** (`refreshCart` action): Accepts a `cartId` via `#[LiveArg]` and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total.\n\nSince `sylius_order` contains both active carts (`state=cart`) and completed orders (`state=new/fulfilled`) in the same ID space, the cart IDOR exposes data from all orders, not just active carts.\n\n### Patches\nThe issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.\n\n### Workarounds\n\nOverride vulnerable LiveComponent classes at the project level to add authorization checks to `#[LiveArg]` parameters.\n\n#### Step 1. Exclude component overrides from default autowiring\n\nIn `config/services.yaml`, add `Twig/Component` to the exclude list to prevent duplicate service registration:\n\n```yaml\nApp\\:\n    resource: \u0027../src/*\u0027\n    exclude: \u0027../src/{Entity,Kernel.php,Twig/Components}\u0027\n```\n\n#### Step 2. Override checkout address FormComponent\n\nCreate `src/Twig/Components/Checkout/Address/FormComponent.php`:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Twig\\Components\\Checkout\\Address;\n\nuse Sylius\\Bundle\\ShopBundle\\Twig\\Component\\Checkout\\Address\\AddressBookComponent;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\ResourceFormComponentTrait;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\TemplatePropTrait;\nuse Sylius\\Component\\Core\\Model\\OrderInterface;\nuse Sylius\\Component\\Core\\Model\\ShopUserInterface;\nuse Sylius\\Component\\Core\\Repository\\AddressRepositoryInterface;\nuse Sylius\\Component\\Core\\Repository\\OrderRepositoryInterface;\nuse Sylius\\Component\\Customer\\Context\\CustomerContextInterface;\nuse Sylius\\Component\\User\\Repository\\UserRepositoryInterface;\nuse Symfony\\Component\\Form\\FormFactoryInterface;\nuse Symfony\\Component\\Form\\FormInterface;\nuse Symfony\\UX\\LiveComponent\\Attribute\\AsLiveComponent;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveArg;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveListener;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveProp;\nuse Symfony\\UX\\LiveComponent\\Attribute\\PreReRender;\n\n#[AsLiveComponent]\nclass FormComponent\n{\n    /** @use ResourceFormComponentTrait\u003cOrderInterface\u003e */\n    use ResourceFormComponentTrait;\n    use TemplatePropTrait;\n\n    #[LiveProp]\n    public bool $emailExists = false;\n\n    /**\n     * @param OrderRepositoryInterface\u003cOrderInterface\u003e $repository\n     * @param UserRepositoryInterface\u003cShopUserInterface\u003e $shopUserRepository\n     */\n    public function __construct(\n        OrderRepositoryInterface $repository,\n        FormFactoryInterface $formFactory,\n        string $resourceClass,\n        string $formClass,\n        protected readonly CustomerContextInterface $customerContext,\n        protected readonly UserRepositoryInterface $shopUserRepository,\n        protected readonly AddressRepositoryInterface $addressRepository,\n    ) {\n        $this-\u003einitialize($repository, $formFactory, $resourceClass, $formClass);\n    }\n\n    #[PreReRender(priority: -100)]\n    public function checkEmailExist(): void\n    {\n        $email = $this-\u003eformValues[\u0027customer\u0027][\u0027email\u0027] ?? null;\n        if (null !== $email) {\n            $this-\u003eemailExists = $this-\u003eshopUserRepository-\u003efindOneByEmail($email) !== null;\n        }\n    }\n\n    #[LiveListener(AddressBookComponent::SYLIUS_SHOP_ADDRESS_UPDATED)]\n    public function addressFieldUpdated(#[LiveArg] mixed $addressId, #[LiveArg] string $field): void\n    {\n        $customer = $this-\u003ecustomerContext-\u003egetCustomer();\n        if (null === $customer) {\n            return;\n        }\n\n        // Fix: findOneByCustomer instead of find \u2014 validates ownership\n        $address = $this-\u003eaddressRepository-\u003efindOneByCustomer((string) $addressId, $customer);\n        if (null === $address) {\n            return;\n        }\n\n        $newAddress = [];\n        $newAddress[\u0027firstName\u0027] = $address-\u003egetFirstName();\n        $newAddress[\u0027lastName\u0027] = $address-\u003egetLastName();\n        $newAddress[\u0027phoneNumber\u0027] = $address-\u003egetPhoneNumber();\n        $newAddress[\u0027company\u0027] = $address-\u003egetCompany();\n        $newAddress[\u0027countryCode\u0027] = $address-\u003egetCountryCode();\n        if ($address-\u003egetProvinceCode() !== null) {\n            $newAddress[\u0027provinceCode\u0027] = $address-\u003egetProvinceCode();\n        }\n        if ($address-\u003egetProvinceName() !== null) {\n            $newAddress[\u0027provinceName\u0027] = $address-\u003egetProvinceName();\n        }\n        $newAddress[\u0027street\u0027] = $address-\u003egetStreet();\n        $newAddress[\u0027city\u0027] = $address-\u003egetCity();\n        $newAddress[\u0027postcode\u0027] = $address-\u003egetPostcode();\n\n        $this-\u003eformValues[$field] = $newAddress;\n    }\n\n    protected function instantiateForm(): FormInterface\n    {\n        return $this-\u003eformFactory-\u003ecreate(\n            $this-\u003eformClass,\n            $this-\u003eresource,\n            [\u0027customer\u0027 =\u003e $this-\u003ecustomerContext-\u003egetCustomer()],\n        );\n    }\n}\n```\n\n#### Step 3. Override cart WidgetComponent\n\nCreate `src/Twig/Components/Cart/WidgetComponent.php`:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Twig\\Components\\Cart;\n\nuse Sylius\\Bundle\\ShopBundle\\Twig\\Component\\Cart\\FormComponent;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\ResourceLivePropTrait;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\TemplatePropTrait;\nuse Sylius\\Component\\Core\\Model\\OrderInterface;\nuse Sylius\\Component\\Core\\Repository\\OrderRepositoryInterface;\nuse Sylius\\Component\\Order\\Context\\CartContextInterface;\nuse Sylius\\Component\\Order\\Context\\CartNotFoundException;\nuse Sylius\\Resource\\Model\\ResourceInterface;\nuse Sylius\\TwigHooks\\LiveComponent\\HookableLiveComponentTrait;\nuse Symfony\\UX\\LiveComponent\\Attribute\\AsLiveComponent;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveArg;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveListener;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveProp;\nuse Symfony\\UX\\LiveComponent\\DefaultActionTrait;\nuse Symfony\\UX\\TwigComponent\\Attribute\\PreMount;\n\n#[AsLiveComponent]\nclass WidgetComponent\n{\n    use DefaultActionTrait;\n    use HookableLiveComponentTrait;\n    use TemplatePropTrait;\n\n    /** @use ResourceLivePropTrait\u003cOrderInterface\u003e */\n    use ResourceLivePropTrait;\n\n    #[LiveProp(hydrateWith: \u0027hydrateResource\u0027, dehydrateWith: \u0027dehydrateResource\u0027)]\n    public ?ResourceInterface $cart = null;\n\n    public function __construct(\n        protected readonly CartContextInterface $cartContext,\n        OrderRepositoryInterface $orderRepository,\n    ) {\n        $this-\u003einitialize($orderRepository);\n    }\n\n    #[PreMount]\n    public function initializeCart(): void\n    {\n        $this-\u003ecart = $this-\u003egetCart();\n    }\n\n    #[LiveListener(FormComponent::SYLIUS_SHOP_CART_CHANGED)]\n    #[LiveListener(FormComponent::SYLIUS_SHOP_CART_CLEARED)]\n    public function refreshCart(#[LiveArg] mixed $cartId = null): void\n    {\n        // Fix: ignore user-supplied cartId, always load from session\n        $this-\u003ecart = $this-\u003egetCart();\n    }\n\n    private function getCart(): ?OrderInterface\n    {\n        try {\n            return $this-\u003ecartContext-\u003egetCart();\n        } catch (CartNotFoundException) {\n            return null;\n        }\n\n       return $cart;\n    }\n}\n```\n\n#### Step 4. Override cart SummaryComponent\n\nCreate `src/Twig/Components/Cart/SummaryComponent.php`:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Twig\\Components\\Cart;\n\nuse Sylius\\Bundle\\ShopBundle\\Twig\\Component\\Cart\\FormComponent;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\ResourceLivePropTrait;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\TemplatePropTrait;\nuse Sylius\\Component\\Core\\Model\\OrderInterface;\nuse Sylius\\Component\\Core\\Repository\\OrderRepositoryInterface;\nuse Sylius\\Resource\\Model\\ResourceInterface;\nuse Sylius\\TwigHooks\\LiveComponent\\HookableLiveComponentTrait;\nuse Symfony\\UX\\LiveComponent\\Attribute\\AsLiveComponent;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveArg;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveListener;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveProp;\nuse Symfony\\UX\\LiveComponent\\DefaultActionTrait;\n\n#[AsLiveComponent]\nclass SummaryComponent\n{\n    use DefaultActionTrait;\n    use HookableLiveComponentTrait;\n\n    /** @use ResourceLivePropTrait\u003cOrderInterface\u003e */\n    use ResourceLivePropTrait;\n    use TemplatePropTrait;\n\n    #[LiveProp(hydrateWith: \u0027hydrateResource\u0027, dehydrateWith: \u0027dehydrateResource\u0027)]\n    public ?ResourceInterface $cart = null;\n\n    /** @param OrderRepositoryInterface\u003cOrderInterface\u003e $orderRepository */\n    public function __construct(OrderRepositoryInterface $orderRepository)\n    {\n        $this-\u003einitialize($orderRepository);\n    }\n\n    #[LiveListener(FormComponent::SYLIUS_SHOP_CART_CHANGED)]\n    public function refreshCart(#[LiveArg] mixed $cartId): void\n    {\n        // Fix: ignore user-supplied cartId, reload from checksummed cart prop\n        if ($this-\u003ecart === null) {\n            return;\n        }\n\n        $this-\u003ecart = $this-\u003ehydrateResource($this-\u003ecart-\u003egetId());\n    }\n}\n```\n\n#### Step 5. Register overridden services\n\nIn `config/services.yaml`, add:\n\n```yaml\n    sylius_shop.twig.component.checkout.address.form:\n        class: App\\Twig\\Components\\Checkout\\Address\\FormComponent\n        arguments:\n            $repository: \u0027@sylius.repository.order\u0027\n            $formFactory: \u0027@form.factory\u0027\n            $resourceClass: \u0027%sylius.model.order.class%\u0027\n            $formClass: \u0027Sylius\\Bundle\\ShopBundle\\Form\\Type\\Checkout\\AddressType\u0027\n            $customerContext: \u0027@sylius.context.customer\u0027\n            $shopUserRepository: \u0027@sylius.repository.shop_user\u0027\n            $addressRepository: \u0027@sylius.repository.address\u0027\n        tags:\n            - { name: \u0027sylius.live_component.shop\u0027, key: \u0027sylius_shop:checkout:address:form\u0027 }\n\n    sylius_shop.twig.component.cart.widget:\n        class: App\\Twig\\Components\\Cart\\WidgetComponent\n        arguments:\n            $cartContext: \u0027@sylius.context.cart.composite\u0027\n            $orderRepository: \u0027@sylius.repository.order\u0027\n        tags:\n            - { name: \u0027sylius.live_component.shop\u0027, key: \u0027sylius_shop:cart:widget\u0027 }\n\n    sylius_shop.twig.component.cart.summary:\n        class: App\\Twig\\Components\\Cart\\SummaryComponent\n        arguments:\n            $orderRepository: \u0027@sylius.repository.order\u0027\n        tags:\n            - { name: \u0027sylius.live_component.shop\u0027, key: \u0027sylius_shop:cart:summary\u0027 }\n```\n\n#### Step 6. Clear cache\n\n```bash\nphp bin/console cache:clear\n```\n\n### Reporters\n\nWe would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability:\n- Peter St\u00f6ckli (@p-)\n- Man Yue Mo (@m-y-mo)\n- The [GitHub Security Lab](https://securitylab.github.com) team\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen)\n- Email us at [security@sylius.com](mailto:security@sylius.com)",
  "id": "GHSA-2xc6-348p-c2x6",
  "modified": "2026-03-11T05:46:26Z",
  "published": "2026-03-11T00:12:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-2xc6-348p-c2x6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31820"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/Sylius"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Sylius affected by IDOR in Cart and Checkout LiveComponents"
}

GHSA-2XCP-X87W-Q377

Vulnerability from github – Published: 2026-04-25 23:45 – Updated: 2026-05-19 15:56
VLAI
Summary
OpenClaw: Hook mapping templates could bypass hook session-key opt-in
Details

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: < 2026.4.20
  • Patched version: 2026.4.20

Impact

Templated hook mapping sessionKey values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when hooks.allowRequestSessionKey was disabled, bypassing the intended routing opt-in for hook callers.

This affects webhook routing isolation. It does not grant host execution by itself. Severity is medium.

Fix

Template-rendered mapping session keys are now treated as externally supplied routing input and require hooks.allowRequestSessionKey=true plus the existing prefix policy checks.

Fix commit:

  • 5275d008ed33203dba3f98e969ad683a65c416c3

Release

Fixed in OpenClaw 2026.4.20.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-25T23:45:11Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nTemplated hook mapping `sessionKey` values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when `hooks.allowRequestSessionKey` was disabled, bypassing the intended routing opt-in for hook callers.\n\nThis affects webhook routing isolation. It does not grant host execution by itself. Severity is medium.\n\n## Fix\n\nTemplate-rendered mapping session keys are now treated as externally supplied routing input and require `hooks.allowRequestSessionKey=true` plus the existing prefix policy checks.\n\nFix commit:\n\n- `5275d008ed33203dba3f98e969ad683a65c416c3`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.",
  "id": "GHSA-2xcp-x87w-q377",
  "modified": "2026-05-19T15:56:34Z",
  "published": "2026-04-25T23:45:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45002"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/5275d008ed33203dba3f98e969ad683a65c416c3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-hook-session-key-bypass-via-template-mapping"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Hook mapping templates could bypass hook session-key opt-in"
}

GHSA-2XFC-G69J-X2MP

Vulnerability from github – Published: 2026-03-03 21:00 – Updated: 2026-03-04 18:39
VLAI
Summary
Craft CMS: Entries Authorship Spoofing via Mass Assignment
Details

Description

The entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.

Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship.

Proof of Concept

Prerequisites

  • A user account with "Create Entries" permission for a section.
  • Victim's account ID (e.g., 1 for the default Admin).

Steps to Reproduce

  1. Log in as the attacker
  2. Navigate to the "Entries" section and click "New Entry"
  3. Fill in the required fields
  4. Enable a proxy tool (e.g., Burp Suite) to intercept requests
  5. Click "Save" & Intercept the request
  6. In the request body, add a new parameter to the body params: &authorIds[]=<Victim_ID>
  7. Forward the request
  8. Log in as an admin / as with the victim account
  9. Go to entries & Observe the newly created entry is listed and the author is the victim account, not the actual creator

Impact

  • A user can create entries that appear to belong to higher-privileged users, potentially bypassing review processes or gaining trust based on false authorship.
  • An attacker could post malicious or inappropriate content attributed to an administrator or other trusted users.

Resources

https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542 https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.9.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.17.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:00:51Z",
    "nvd_published_at": "2026-03-04T17:16:21Z",
    "severity": "MODERATE"
  },
  "details": "## Description\nThe entry creation process allows for **Mass Assignment** of the `authorId` attribute. A user with \"Create Entries\" permission can inject the `authorIds[]` (or `authorId`) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.\n\nNormally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship.\n\n## Proof of Concept\n### Prerequisites\n- A user account with \"Create Entries\" permission for a section.\n- Victim\u0027s account ID (e.g., `1` for the default Admin).\n\n### Steps to Reproduce\n1. Log in as the attacker\n1. Navigate to the \"Entries\" section and click \"New Entry\"\n1. Fill in the required fields\n1. Enable a proxy tool (e.g., Burp Suite) to intercept requests\n1. Click \"Save\" \u0026 Intercept the request\n1. In the request body, add a new parameter to the body params: `\u0026authorIds[]=\u003cVictim_ID\u003e`\n1. Forward the request\n1. Log in as an admin / as with the victim account\n1. Go to entries \u0026 Observe the newly created entry is listed and the author is the victim account, not the actual creator\n\n## Impact\n- A user can create entries that appear to belong to higher-privileged users, potentially bypassing review processes or gaining trust based on false authorship.\n- An attacker could post malicious or inappropriate content attributed to an administrator or other trusted users.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542\nhttps://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8",
  "id": "GHSA-2xfc-g69j-x2mp",
  "modified": "2026-03-04T18:39:05Z",
  "published": "2026-03-03T21:00:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28781"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS: Entries Authorship Spoofing via Mass Assignment"
}

GHSA-2XG8-969F-84GV

Vulnerability from github – Published: 2026-05-28 06:31 – Updated: 2026-05-28 06:31
VLAI
Details

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object's metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T06:16:26Z",
    "severity": "MODERATE"
  },
  "details": "The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object\u0027s metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.",
  "id": "GHSA-2xg8-969f-84gv",
  "modified": "2026-05-28T06:31:09Z",
  "published": "2026-05-28T06:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3173"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/display-a-meta-field-as-block/trunk/meta-field-block.php#L206"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/display-a-meta-field-as-block/trunk/meta-field-block.php#L328"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3472303"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/247df9e2-0a63-49ad-86fa-cb4c6e62c4cf?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2XGC-784M-6J64

Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30
VLAI
Details

Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T21:17:24Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar \u003c= 1.4.5 versions.",
  "id": "GHSA-2xgc-784m-6j64",
  "modified": "2026-06-15T21:30:50Z",
  "published": "2026-06-15T21:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52699"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/vikrentcar/vulnerability/wordpress-vikrentcar-plugin-1-4-5-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.