CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3238 vulnerabilities reference this CWE, most recent first.
GHSA-2W3F-X9P7-9W42
Vulnerability from github – Published: 2023-06-09 06:30 – Updated: 2024-04-04 04:41The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_payment_status' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the payment status of arbitrary form submissions.
{
"affected": [],
"aliases": [
"CVE-2023-0692"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-09T06:15:51Z",
"severity": "MODERATE"
},
"details": "The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the \u0027mf_payment_status\u0027 shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the payment status of arbitrary form submissions.",
"id": "GHSA-2w3f-x9p7-9w42",
"modified": "2024-04-04T04:41:09Z",
"published": "2023-06-09T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0692"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2910040"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddd85ff2-6607-4ac8-b91c-88f6f2fa6c56?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2W5H-CXQX-M45H
Vulnerability from github – Published: 2025-06-20 15:30 – Updated: 2026-04-01 18:35Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Attachments: from n/a through 1.3.1.
{
"affected": [],
"aliases": [
"CVE-2025-49995"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-20T15:15:25Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Attachments: from n/a through 1.3.1.",
"id": "GHSA-2w5h-cxqx-m45h",
"modified": "2026-04-01T18:35:32Z",
"published": "2025-06-20T15:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49995"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/download-attachments/vulnerability/wordpress-download-attachments-plugin-1-3-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2WM9-HF6C-P5CR
Vulnerability from github – Published: 2026-06-12 18:31 – Updated: 2026-06-30 03:37A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
{
"affected": [],
"aliases": [
"CVE-2026-45830"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T16:16:28Z",
"severity": "HIGH"
},
"details": "A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant\u0027s collection regardless of which tenant they belong to.",
"id": "GHSA-2wm9-hf6c-p5cr",
"modified": "2026-06-30T03:37:02Z",
"published": "2026-06-12T18:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45830"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-45830"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488408"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45830.json"
},
{
"type": "WEB",
"url": "https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2WR7-99VR-6M4H
Vulnerability from github – Published: 2024-03-18 12:30 – Updated: 2024-10-10 18:31Improper authorization in the report management and creation module of BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate.
Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.201.
{
"affected": [],
"aliases": [
"CVE-2024-1604"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-18T10:15:19Z",
"severity": "MODERATE"
},
"details": "Improper authorization in the report management and creation module of BMC Control-M branches\u00a09.0.20 and 9.0.21 allows logged-in users to read and make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate.\n\nFix for 9.0.20 branch was released in version 9.0.20.238.\u00a0Fix for 9.0.21 branch was released in version 9.0.21.201. \n",
"id": "GHSA-2wr7-99vr-6m4h",
"modified": "2024-10-10T18:31:07Z",
"published": "2024-03-18T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1604"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2024/03/CVE-2024-1604"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2024/03/CVE-2024-1604"
},
{
"type": "WEB",
"url": "https://www.bmc.com/it-solutions/control-m.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2X59-2XMG-FGCX
Vulnerability from github – Published: 2022-09-08 00:00 – Updated: 2022-09-13 00:00WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.
{
"affected": [],
"aliases": [
"CVE-2022-36539"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-07T17:15:00Z",
"severity": "HIGH"
},
"details": "WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.",
"id": "GHSA-2x59-2xmg-fgcx",
"modified": "2022-09-13T00:00:35Z",
"published": "2022-09-08T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36539"
},
{
"type": "WEB",
"url": "https://apps.apple.com/nl/app/eigen-wijzer-ouderapp/id1331059326"
},
{
"type": "WEB",
"url": "https://github.com/Fopje/CVE-2022-36539"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2XC6-348P-C2X6
Vulnerability from github – Published: 2026-03-11 00:12 – Updated: 2026-03-11 05:46Impact
An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled - any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable.
Checkout address FormComponent (addressFieldUpdated action): Accepts an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name, last name, company, phone number, street, city, postcode, and country.
Cart WidgetComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing order total and item count.
Cart SummaryComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total.
Since sylius_order contains both active carts (state=cart) and completed orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just active carts.
Patches
The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
Workarounds
Override vulnerable LiveComponent classes at the project level to add authorization checks to #[LiveArg] parameters.
Step 1. Exclude component overrides from default autowiring
In config/services.yaml, add Twig/Component to the exclude list to prevent duplicate service registration:
App\:
resource: '../src/*'
exclude: '../src/{Entity,Kernel.php,Twig/Components}'
Step 2. Override checkout address FormComponent
Create src/Twig/Components/Checkout/Address/FormComponent.php:
<?php
declare(strict_types=1);
namespace App\Twig\Components\Checkout\Address;
use Sylius\Bundle\ShopBundle\Twig\Component\Checkout\Address\AddressBookComponent;
use Sylius\Bundle\UiBundle\Twig\Component\ResourceFormComponentTrait;
use Sylius\Bundle\UiBundle\Twig\Component\TemplatePropTrait;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Model\ShopUserInterface;
use Sylius\Component\Core\Repository\AddressRepositoryInterface;
use Sylius\Component\Core\Repository\OrderRepositoryInterface;
use Sylius\Component\Customer\Context\CustomerContextInterface;
use Sylius\Component\User\Repository\UserRepositoryInterface;
use Symfony\Component\Form\FormFactoryInterface;
use Symfony\Component\Form\FormInterface;
use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
use Symfony\UX\LiveComponent\Attribute\LiveArg;
use Symfony\UX\LiveComponent\Attribute\LiveListener;
use Symfony\UX\LiveComponent\Attribute\LiveProp;
use Symfony\UX\LiveComponent\Attribute\PreReRender;
#[AsLiveComponent]
class FormComponent
{
/** @use ResourceFormComponentTrait<OrderInterface> */
use ResourceFormComponentTrait;
use TemplatePropTrait;
#[LiveProp]
public bool $emailExists = false;
/**
* @param OrderRepositoryInterface<OrderInterface> $repository
* @param UserRepositoryInterface<ShopUserInterface> $shopUserRepository
*/
public function __construct(
OrderRepositoryInterface $repository,
FormFactoryInterface $formFactory,
string $resourceClass,
string $formClass,
protected readonly CustomerContextInterface $customerContext,
protected readonly UserRepositoryInterface $shopUserRepository,
protected readonly AddressRepositoryInterface $addressRepository,
) {
$this->initialize($repository, $formFactory, $resourceClass, $formClass);
}
#[PreReRender(priority: -100)]
public function checkEmailExist(): void
{
$email = $this->formValues['customer']['email'] ?? null;
if (null !== $email) {
$this->emailExists = $this->shopUserRepository->findOneByEmail($email) !== null;
}
}
#[LiveListener(AddressBookComponent::SYLIUS_SHOP_ADDRESS_UPDATED)]
public function addressFieldUpdated(#[LiveArg] mixed $addressId, #[LiveArg] string $field): void
{
$customer = $this->customerContext->getCustomer();
if (null === $customer) {
return;
}
// Fix: findOneByCustomer instead of find — validates ownership
$address = $this->addressRepository->findOneByCustomer((string) $addressId, $customer);
if (null === $address) {
return;
}
$newAddress = [];
$newAddress['firstName'] = $address->getFirstName();
$newAddress['lastName'] = $address->getLastName();
$newAddress['phoneNumber'] = $address->getPhoneNumber();
$newAddress['company'] = $address->getCompany();
$newAddress['countryCode'] = $address->getCountryCode();
if ($address->getProvinceCode() !== null) {
$newAddress['provinceCode'] = $address->getProvinceCode();
}
if ($address->getProvinceName() !== null) {
$newAddress['provinceName'] = $address->getProvinceName();
}
$newAddress['street'] = $address->getStreet();
$newAddress['city'] = $address->getCity();
$newAddress['postcode'] = $address->getPostcode();
$this->formValues[$field] = $newAddress;
}
protected function instantiateForm(): FormInterface
{
return $this->formFactory->create(
$this->formClass,
$this->resource,
['customer' => $this->customerContext->getCustomer()],
);
}
}
Step 3. Override cart WidgetComponent
Create src/Twig/Components/Cart/WidgetComponent.php:
<?php
declare(strict_types=1);
namespace App\Twig\Components\Cart;
use Sylius\Bundle\ShopBundle\Twig\Component\Cart\FormComponent;
use Sylius\Bundle\UiBundle\Twig\Component\ResourceLivePropTrait;
use Sylius\Bundle\UiBundle\Twig\Component\TemplatePropTrait;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Repository\OrderRepositoryInterface;
use Sylius\Component\Order\Context\CartContextInterface;
use Sylius\Component\Order\Context\CartNotFoundException;
use Sylius\Resource\Model\ResourceInterface;
use Sylius\TwigHooks\LiveComponent\HookableLiveComponentTrait;
use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
use Symfony\UX\LiveComponent\Attribute\LiveArg;
use Symfony\UX\LiveComponent\Attribute\LiveListener;
use Symfony\UX\LiveComponent\Attribute\LiveProp;
use Symfony\UX\LiveComponent\DefaultActionTrait;
use Symfony\UX\TwigComponent\Attribute\PreMount;
#[AsLiveComponent]
class WidgetComponent
{
use DefaultActionTrait;
use HookableLiveComponentTrait;
use TemplatePropTrait;
/** @use ResourceLivePropTrait<OrderInterface> */
use ResourceLivePropTrait;
#[LiveProp(hydrateWith: 'hydrateResource', dehydrateWith: 'dehydrateResource')]
public ?ResourceInterface $cart = null;
public function __construct(
protected readonly CartContextInterface $cartContext,
OrderRepositoryInterface $orderRepository,
) {
$this->initialize($orderRepository);
}
#[PreMount]
public function initializeCart(): void
{
$this->cart = $this->getCart();
}
#[LiveListener(FormComponent::SYLIUS_SHOP_CART_CHANGED)]
#[LiveListener(FormComponent::SYLIUS_SHOP_CART_CLEARED)]
public function refreshCart(#[LiveArg] mixed $cartId = null): void
{
// Fix: ignore user-supplied cartId, always load from session
$this->cart = $this->getCart();
}
private function getCart(): ?OrderInterface
{
try {
return $this->cartContext->getCart();
} catch (CartNotFoundException) {
return null;
}
return $cart;
}
}
Step 4. Override cart SummaryComponent
Create src/Twig/Components/Cart/SummaryComponent.php:
<?php
declare(strict_types=1);
namespace App\Twig\Components\Cart;
use Sylius\Bundle\ShopBundle\Twig\Component\Cart\FormComponent;
use Sylius\Bundle\UiBundle\Twig\Component\ResourceLivePropTrait;
use Sylius\Bundle\UiBundle\Twig\Component\TemplatePropTrait;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Repository\OrderRepositoryInterface;
use Sylius\Resource\Model\ResourceInterface;
use Sylius\TwigHooks\LiveComponent\HookableLiveComponentTrait;
use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
use Symfony\UX\LiveComponent\Attribute\LiveArg;
use Symfony\UX\LiveComponent\Attribute\LiveListener;
use Symfony\UX\LiveComponent\Attribute\LiveProp;
use Symfony\UX\LiveComponent\DefaultActionTrait;
#[AsLiveComponent]
class SummaryComponent
{
use DefaultActionTrait;
use HookableLiveComponentTrait;
/** @use ResourceLivePropTrait<OrderInterface> */
use ResourceLivePropTrait;
use TemplatePropTrait;
#[LiveProp(hydrateWith: 'hydrateResource', dehydrateWith: 'dehydrateResource')]
public ?ResourceInterface $cart = null;
/** @param OrderRepositoryInterface<OrderInterface> $orderRepository */
public function __construct(OrderRepositoryInterface $orderRepository)
{
$this->initialize($orderRepository);
}
#[LiveListener(FormComponent::SYLIUS_SHOP_CART_CHANGED)]
public function refreshCart(#[LiveArg] mixed $cartId): void
{
// Fix: ignore user-supplied cartId, reload from checksummed cart prop
if ($this->cart === null) {
return;
}
$this->cart = $this->hydrateResource($this->cart->getId());
}
}
Step 5. Register overridden services
In config/services.yaml, add:
sylius_shop.twig.component.checkout.address.form:
class: App\Twig\Components\Checkout\Address\FormComponent
arguments:
$repository: '@sylius.repository.order'
$formFactory: '@form.factory'
$resourceClass: '%sylius.model.order.class%'
$formClass: 'Sylius\Bundle\ShopBundle\Form\Type\Checkout\AddressType'
$customerContext: '@sylius.context.customer'
$shopUserRepository: '@sylius.repository.shop_user'
$addressRepository: '@sylius.repository.address'
tags:
- { name: 'sylius.live_component.shop', key: 'sylius_shop:checkout:address:form' }
sylius_shop.twig.component.cart.widget:
class: App\Twig\Components\Cart\WidgetComponent
arguments:
$cartContext: '@sylius.context.cart.composite'
$orderRepository: '@sylius.repository.order'
tags:
- { name: 'sylius.live_component.shop', key: 'sylius_shop:cart:widget' }
sylius_shop.twig.component.cart.summary:
class: App\Twig\Components\Cart\SummaryComponent
arguments:
$orderRepository: '@sylius.repository.order'
tags:
- { name: 'sylius.live_component.shop', key: 'sylius_shop:cart:summary' }
Step 6. Clear cache
php bin/console cache:clear
Reporters
We would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability: - Peter Stöckli (@p-) - Man Yue Mo (@m-y-mo) - The GitHub Security Lab team
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues
- Email us at security@sylius.com
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.15"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.1.11"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.2"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31820"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-11T00:12:47Z",
"nvd_published_at": "2026-03-10T22:16:19Z",
"severity": "HIGH"
},
"details": "### Impact\nAn authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via `#[LiveArg]` parameters. Unlike props, which are protected by LiveComponent\u0027s `@checksum`, `args` are fully user-controlled - any action that accepts a resource ID via `#[LiveArg]` and loads it with `-\u003efind()` without ownership validation is vulnerable.\n\nCheckout address **FormComponent** (`addressFieldUpdated` action): Accepts an `addressId` via `#[LiveArg]` and loads it without verifying ownership, exposing another user\u0027s first name, last name, company, phone number, street, city, postcode, and country.\n\nCart **WidgetComponent** (`refreshCart` action): Accepts a `cartId` via `#[LiveArg]` and loads any order directly from the repository, exposing order total and item count.\n\nCart **SummaryComponent** (`refreshCart` action): Accepts a `cartId` via `#[LiveArg]` and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total.\n\nSince `sylius_order` contains both active carts (`state=cart`) and completed orders (`state=new/fulfilled`) in the same ID space, the cart IDOR exposes data from all orders, not just active carts.\n\n### Patches\nThe issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.\n\n### Workarounds\n\nOverride vulnerable LiveComponent classes at the project level to add authorization checks to `#[LiveArg]` parameters.\n\n#### Step 1. Exclude component overrides from default autowiring\n\nIn `config/services.yaml`, add `Twig/Component` to the exclude list to prevent duplicate service registration:\n\n```yaml\nApp\\:\n resource: \u0027../src/*\u0027\n exclude: \u0027../src/{Entity,Kernel.php,Twig/Components}\u0027\n```\n\n#### Step 2. Override checkout address FormComponent\n\nCreate `src/Twig/Components/Checkout/Address/FormComponent.php`:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Twig\\Components\\Checkout\\Address;\n\nuse Sylius\\Bundle\\ShopBundle\\Twig\\Component\\Checkout\\Address\\AddressBookComponent;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\ResourceFormComponentTrait;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\TemplatePropTrait;\nuse Sylius\\Component\\Core\\Model\\OrderInterface;\nuse Sylius\\Component\\Core\\Model\\ShopUserInterface;\nuse Sylius\\Component\\Core\\Repository\\AddressRepositoryInterface;\nuse Sylius\\Component\\Core\\Repository\\OrderRepositoryInterface;\nuse Sylius\\Component\\Customer\\Context\\CustomerContextInterface;\nuse Sylius\\Component\\User\\Repository\\UserRepositoryInterface;\nuse Symfony\\Component\\Form\\FormFactoryInterface;\nuse Symfony\\Component\\Form\\FormInterface;\nuse Symfony\\UX\\LiveComponent\\Attribute\\AsLiveComponent;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveArg;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveListener;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveProp;\nuse Symfony\\UX\\LiveComponent\\Attribute\\PreReRender;\n\n#[AsLiveComponent]\nclass FormComponent\n{\n /** @use ResourceFormComponentTrait\u003cOrderInterface\u003e */\n use ResourceFormComponentTrait;\n use TemplatePropTrait;\n\n #[LiveProp]\n public bool $emailExists = false;\n\n /**\n * @param OrderRepositoryInterface\u003cOrderInterface\u003e $repository\n * @param UserRepositoryInterface\u003cShopUserInterface\u003e $shopUserRepository\n */\n public function __construct(\n OrderRepositoryInterface $repository,\n FormFactoryInterface $formFactory,\n string $resourceClass,\n string $formClass,\n protected readonly CustomerContextInterface $customerContext,\n protected readonly UserRepositoryInterface $shopUserRepository,\n protected readonly AddressRepositoryInterface $addressRepository,\n ) {\n $this-\u003einitialize($repository, $formFactory, $resourceClass, $formClass);\n }\n\n #[PreReRender(priority: -100)]\n public function checkEmailExist(): void\n {\n $email = $this-\u003eformValues[\u0027customer\u0027][\u0027email\u0027] ?? null;\n if (null !== $email) {\n $this-\u003eemailExists = $this-\u003eshopUserRepository-\u003efindOneByEmail($email) !== null;\n }\n }\n\n #[LiveListener(AddressBookComponent::SYLIUS_SHOP_ADDRESS_UPDATED)]\n public function addressFieldUpdated(#[LiveArg] mixed $addressId, #[LiveArg] string $field): void\n {\n $customer = $this-\u003ecustomerContext-\u003egetCustomer();\n if (null === $customer) {\n return;\n }\n\n // Fix: findOneByCustomer instead of find \u2014 validates ownership\n $address = $this-\u003eaddressRepository-\u003efindOneByCustomer((string) $addressId, $customer);\n if (null === $address) {\n return;\n }\n\n $newAddress = [];\n $newAddress[\u0027firstName\u0027] = $address-\u003egetFirstName();\n $newAddress[\u0027lastName\u0027] = $address-\u003egetLastName();\n $newAddress[\u0027phoneNumber\u0027] = $address-\u003egetPhoneNumber();\n $newAddress[\u0027company\u0027] = $address-\u003egetCompany();\n $newAddress[\u0027countryCode\u0027] = $address-\u003egetCountryCode();\n if ($address-\u003egetProvinceCode() !== null) {\n $newAddress[\u0027provinceCode\u0027] = $address-\u003egetProvinceCode();\n }\n if ($address-\u003egetProvinceName() !== null) {\n $newAddress[\u0027provinceName\u0027] = $address-\u003egetProvinceName();\n }\n $newAddress[\u0027street\u0027] = $address-\u003egetStreet();\n $newAddress[\u0027city\u0027] = $address-\u003egetCity();\n $newAddress[\u0027postcode\u0027] = $address-\u003egetPostcode();\n\n $this-\u003eformValues[$field] = $newAddress;\n }\n\n protected function instantiateForm(): FormInterface\n {\n return $this-\u003eformFactory-\u003ecreate(\n $this-\u003eformClass,\n $this-\u003eresource,\n [\u0027customer\u0027 =\u003e $this-\u003ecustomerContext-\u003egetCustomer()],\n );\n }\n}\n```\n\n#### Step 3. Override cart WidgetComponent\n\nCreate `src/Twig/Components/Cart/WidgetComponent.php`:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Twig\\Components\\Cart;\n\nuse Sylius\\Bundle\\ShopBundle\\Twig\\Component\\Cart\\FormComponent;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\ResourceLivePropTrait;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\TemplatePropTrait;\nuse Sylius\\Component\\Core\\Model\\OrderInterface;\nuse Sylius\\Component\\Core\\Repository\\OrderRepositoryInterface;\nuse Sylius\\Component\\Order\\Context\\CartContextInterface;\nuse Sylius\\Component\\Order\\Context\\CartNotFoundException;\nuse Sylius\\Resource\\Model\\ResourceInterface;\nuse Sylius\\TwigHooks\\LiveComponent\\HookableLiveComponentTrait;\nuse Symfony\\UX\\LiveComponent\\Attribute\\AsLiveComponent;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveArg;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveListener;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveProp;\nuse Symfony\\UX\\LiveComponent\\DefaultActionTrait;\nuse Symfony\\UX\\TwigComponent\\Attribute\\PreMount;\n\n#[AsLiveComponent]\nclass WidgetComponent\n{\n use DefaultActionTrait;\n use HookableLiveComponentTrait;\n use TemplatePropTrait;\n\n /** @use ResourceLivePropTrait\u003cOrderInterface\u003e */\n use ResourceLivePropTrait;\n\n #[LiveProp(hydrateWith: \u0027hydrateResource\u0027, dehydrateWith: \u0027dehydrateResource\u0027)]\n public ?ResourceInterface $cart = null;\n\n public function __construct(\n protected readonly CartContextInterface $cartContext,\n OrderRepositoryInterface $orderRepository,\n ) {\n $this-\u003einitialize($orderRepository);\n }\n\n #[PreMount]\n public function initializeCart(): void\n {\n $this-\u003ecart = $this-\u003egetCart();\n }\n\n #[LiveListener(FormComponent::SYLIUS_SHOP_CART_CHANGED)]\n #[LiveListener(FormComponent::SYLIUS_SHOP_CART_CLEARED)]\n public function refreshCart(#[LiveArg] mixed $cartId = null): void\n {\n // Fix: ignore user-supplied cartId, always load from session\n $this-\u003ecart = $this-\u003egetCart();\n }\n\n private function getCart(): ?OrderInterface\n {\n try {\n return $this-\u003ecartContext-\u003egetCart();\n } catch (CartNotFoundException) {\n return null;\n }\n\n return $cart;\n }\n}\n```\n\n#### Step 4. Override cart SummaryComponent\n\nCreate `src/Twig/Components/Cart/SummaryComponent.php`:\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Twig\\Components\\Cart;\n\nuse Sylius\\Bundle\\ShopBundle\\Twig\\Component\\Cart\\FormComponent;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\ResourceLivePropTrait;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\TemplatePropTrait;\nuse Sylius\\Component\\Core\\Model\\OrderInterface;\nuse Sylius\\Component\\Core\\Repository\\OrderRepositoryInterface;\nuse Sylius\\Resource\\Model\\ResourceInterface;\nuse Sylius\\TwigHooks\\LiveComponent\\HookableLiveComponentTrait;\nuse Symfony\\UX\\LiveComponent\\Attribute\\AsLiveComponent;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveArg;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveListener;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveProp;\nuse Symfony\\UX\\LiveComponent\\DefaultActionTrait;\n\n#[AsLiveComponent]\nclass SummaryComponent\n{\n use DefaultActionTrait;\n use HookableLiveComponentTrait;\n\n /** @use ResourceLivePropTrait\u003cOrderInterface\u003e */\n use ResourceLivePropTrait;\n use TemplatePropTrait;\n\n #[LiveProp(hydrateWith: \u0027hydrateResource\u0027, dehydrateWith: \u0027dehydrateResource\u0027)]\n public ?ResourceInterface $cart = null;\n\n /** @param OrderRepositoryInterface\u003cOrderInterface\u003e $orderRepository */\n public function __construct(OrderRepositoryInterface $orderRepository)\n {\n $this-\u003einitialize($orderRepository);\n }\n\n #[LiveListener(FormComponent::SYLIUS_SHOP_CART_CHANGED)]\n public function refreshCart(#[LiveArg] mixed $cartId): void\n {\n // Fix: ignore user-supplied cartId, reload from checksummed cart prop\n if ($this-\u003ecart === null) {\n return;\n }\n\n $this-\u003ecart = $this-\u003ehydrateResource($this-\u003ecart-\u003egetId());\n }\n}\n```\n\n#### Step 5. Register overridden services\n\nIn `config/services.yaml`, add:\n\n```yaml\n sylius_shop.twig.component.checkout.address.form:\n class: App\\Twig\\Components\\Checkout\\Address\\FormComponent\n arguments:\n $repository: \u0027@sylius.repository.order\u0027\n $formFactory: \u0027@form.factory\u0027\n $resourceClass: \u0027%sylius.model.order.class%\u0027\n $formClass: \u0027Sylius\\Bundle\\ShopBundle\\Form\\Type\\Checkout\\AddressType\u0027\n $customerContext: \u0027@sylius.context.customer\u0027\n $shopUserRepository: \u0027@sylius.repository.shop_user\u0027\n $addressRepository: \u0027@sylius.repository.address\u0027\n tags:\n - { name: \u0027sylius.live_component.shop\u0027, key: \u0027sylius_shop:checkout:address:form\u0027 }\n\n sylius_shop.twig.component.cart.widget:\n class: App\\Twig\\Components\\Cart\\WidgetComponent\n arguments:\n $cartContext: \u0027@sylius.context.cart.composite\u0027\n $orderRepository: \u0027@sylius.repository.order\u0027\n tags:\n - { name: \u0027sylius.live_component.shop\u0027, key: \u0027sylius_shop:cart:widget\u0027 }\n\n sylius_shop.twig.component.cart.summary:\n class: App\\Twig\\Components\\Cart\\SummaryComponent\n arguments:\n $orderRepository: \u0027@sylius.repository.order\u0027\n tags:\n - { name: \u0027sylius.live_component.shop\u0027, key: \u0027sylius_shop:cart:summary\u0027 }\n```\n\n#### Step 6. Clear cache\n\n```bash\nphp bin/console cache:clear\n```\n\n### Reporters\n\nWe would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability:\n- Peter St\u00f6ckli (@p-)\n- Man Yue Mo (@m-y-mo)\n- The [GitHub Security Lab](https://securitylab.github.com) team\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen)\n- Email us at [security@sylius.com](mailto:security@sylius.com)",
"id": "GHSA-2xc6-348p-c2x6",
"modified": "2026-03-11T05:46:26Z",
"published": "2026-03-11T00:12:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-2xc6-348p-c2x6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31820"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sylius/Sylius"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Sylius affected by IDOR in Cart and Checkout LiveComponents"
}
GHSA-2XCP-X87W-Q377
Vulnerability from github – Published: 2026-04-25 23:45 – Updated: 2026-05-19 15:56Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
< 2026.4.20 - Patched version:
2026.4.20
Impact
Templated hook mapping sessionKey values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when hooks.allowRequestSessionKey was disabled, bypassing the intended routing opt-in for hook callers.
This affects webhook routing isolation. It does not grant host execution by itself. Severity is medium.
Fix
Template-rendered mapping session keys are now treated as externally supplied routing input and require hooks.allowRequestSessionKey=true plus the existing prefix policy checks.
Fix commit:
5275d008ed33203dba3f98e969ad683a65c416c3
Release
Fixed in OpenClaw 2026.4.20.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45002"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-25T23:45:11Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nTemplated hook mapping `sessionKey` values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when `hooks.allowRequestSessionKey` was disabled, bypassing the intended routing opt-in for hook callers.\n\nThis affects webhook routing isolation. It does not grant host execution by itself. Severity is medium.\n\n## Fix\n\nTemplate-rendered mapping session keys are now treated as externally supplied routing input and require `hooks.allowRequestSessionKey=true` plus the existing prefix policy checks.\n\nFix commit:\n\n- `5275d008ed33203dba3f98e969ad683a65c416c3`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.",
"id": "GHSA-2xcp-x87w-q377",
"modified": "2026-05-19T15:56:34Z",
"published": "2026-04-25T23:45:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45002"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/5275d008ed33203dba3f98e969ad683a65c416c3"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-hook-session-key-bypass-via-template-mapping"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Hook mapping templates could bypass hook session-key opt-in"
}
GHSA-2XFC-G69J-X2MP
Vulnerability from github – Published: 2026-03-03 21:00 – Updated: 2026-03-04 18:39Description
The entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.
Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship.
Proof of Concept
Prerequisites
- A user account with "Create Entries" permission for a section.
- Victim's account ID (e.g.,
1for the default Admin).
Steps to Reproduce
- Log in as the attacker
- Navigate to the "Entries" section and click "New Entry"
- Fill in the required fields
- Enable a proxy tool (e.g., Burp Suite) to intercept requests
- Click "Save" & Intercept the request
- In the request body, add a new parameter to the body params:
&authorIds[]=<Victim_ID> - Forward the request
- Log in as an admin / as with the victim account
- Go to entries & Observe the newly created entry is listed and the author is the victim account, not the actual creator
Impact
- A user can create entries that appear to belong to higher-privileged users, potentially bypassing review processes or gaining trust based on false authorship.
- An attacker could post malicious or inappropriate content attributed to an administrator or other trusted users.
Resources
https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542 https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.9.0-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.17.0-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28781"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:00:51Z",
"nvd_published_at": "2026-03-04T17:16:21Z",
"severity": "MODERATE"
},
"details": "## Description\nThe entry creation process allows for **Mass Assignment** of the `authorId` attribute. A user with \"Create Entries\" permission can inject the `authorIds[]` (or `authorId`) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.\n\nNormally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship.\n\n## Proof of Concept\n### Prerequisites\n- A user account with \"Create Entries\" permission for a section.\n- Victim\u0027s account ID (e.g., `1` for the default Admin).\n\n### Steps to Reproduce\n1. Log in as the attacker\n1. Navigate to the \"Entries\" section and click \"New Entry\"\n1. Fill in the required fields\n1. Enable a proxy tool (e.g., Burp Suite) to intercept requests\n1. Click \"Save\" \u0026 Intercept the request\n1. In the request body, add a new parameter to the body params: `\u0026authorIds[]=\u003cVictim_ID\u003e`\n1. Forward the request\n1. Log in as an admin / as with the victim account\n1. Go to entries \u0026 Observe the newly created entry is listed and the author is the victim account, not the actual creator\n\n## Impact\n- A user can create entries that appear to belong to higher-privileged users, potentially bypassing review processes or gaining trust based on false authorship.\n- An attacker could post malicious or inappropriate content attributed to an administrator or other trusted users.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542\nhttps://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8",
"id": "GHSA-2xfc-g69j-x2mp",
"modified": "2026-03-04T18:39:05Z",
"published": "2026-03-03T21:00:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28781"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS: Entries Authorship Spoofing via Mass Assignment"
}
GHSA-2XG8-969F-84GV
Vulnerability from github – Published: 2026-05-28 06:31 – Updated: 2026-05-28 06:31The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object's metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.
{
"affected": [],
"aliases": [
"CVE-2026-3173"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T06:16:26Z",
"severity": "MODERATE"
},
"details": "The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object\u0027s metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.",
"id": "GHSA-2xg8-969f-84gv",
"modified": "2026-05-28T06:31:09Z",
"published": "2026-05-28T06:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3173"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/display-a-meta-field-as-block/trunk/meta-field-block.php#L206"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/display-a-meta-field-as-block/trunk/meta-field-block.php#L328"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3472303"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/247df9e2-0a63-49ad-86fa-cb4c6e62c4cf?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2XGC-784M-6J64
Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.
{
"affected": [],
"aliases": [
"CVE-2026-52699"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T21:17:24Z",
"severity": "HIGH"
},
"details": "Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar \u003c= 1.4.5 versions.",
"id": "GHSA-2xgc-784m-6j64",
"modified": "2026-06-15T21:30:50Z",
"published": "2026-06-15T21:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52699"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/vikrentcar/vulnerability/wordpress-vikrentcar-plugin-1-4-5-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.