Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3227 vulnerabilities reference this CWE, most recent first.

GHSA-4GGR-F4XW-9446

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-25 21:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Paid Member Subscriptions: from n/a through <= 2.16.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68514"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T16:22:10Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Paid Member Subscriptions: from n/a through \u003c= 2.16.8.",
  "id": "GHSA-4ggr-f4xw-9446",
  "modified": "2026-02-25T21:31:17Z",
  "published": "2026-02-20T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68514"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/paid-member-subscriptions/vulnerability/wordpress-paid-member-subscriptions-plugin-2-16-8-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4GJ5-PMGW-233C

Vulnerability from github – Published: 2025-11-01 06:30 – Updated: 2025-11-01 06:30
VLAI
Details

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to processing a password change request. This makes it possible for authenticated attackers with subscriber access or higher to reset other users' passwords, including those of admins.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-01T05:16:02Z",
    "severity": "HIGH"
  },
  "details": "The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user\u0027s identity prior to processing a password change request. This makes it possible for authenticated attackers with subscriber access or higher to reset other users\u0027 passwords, including those of admins.",
  "id": "GHSA-4gj5-pmgw-233c",
  "modified": "2025-11-01T06:30:36Z",
  "published": "2025-11-01T06:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5949"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2874a5f-71f4-4bcd-87e8-a20bb19a5847?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4GWP-27PH-2QRJ

Vulnerability from github – Published: 2025-04-16 00:31 – Updated: 2025-04-16 00:31
VLAI
Details

Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T22:15:25Z",
    "severity": "MODERATE"
  },
  "details": "Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.",
  "id": "GHSA-4gwp-27ph-2qrj",
  "modified": "2025-04-16T00:31:38Z",
  "published": "2025-04-16T00:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27929"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4H4R-6VCH-G23V

Vulnerability from github – Published: 2026-06-01 15:30 – Updated: 2026-06-01 15:30
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft MyRezzta allows Forceful Browsing.

This issue affects MyRezzta: from s2.02.02 before v2.05.01.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-03T09:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft MyRezzta allows Forceful Browsing.\n\nThis issue affects MyRezzta: from s2.02.02 before v2.05.01.",
  "id": "GHSA-4h4r-6vch-g23v",
  "modified": "2026-06-01T15:30:33Z",
  "published": "2026-06-01T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13063"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0205"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-25-0205"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4H7H-XHV3-2G96

Vulnerability from github – Published: 2023-11-03 06:36 – Updated: 2025-11-11 18:30
VLAI
Details

Lost and Found Information System 1.0 allows account takeover via username and password to a /classes/Users.php?f=save URI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-03T05:15:29Z",
    "severity": "CRITICAL"
  },
  "details": "Lost and Found Information System 1.0 allows account takeover via username and password to a /classes/Users.php?f=save URI.",
  "id": "GHSA-4h7h-xhv3-2g96",
  "modified": "2025-11-11T18:30:14Z",
  "published": "2023-11-03T06:36:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38965"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Or4ngm4n/vulnreability-code-review-php/blob/main/Lost%20and%20Found%20Information%20System%20v1.0.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51795"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/175077/Lost-And-Found-Information-System-1.0-Insecure-Direct-Object-Reference.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4H7J-7XP4-WP5P

Vulnerability from github – Published: 2026-07-13 09:31 – Updated: 2026-07-13 09:31
VLAI
Details

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-10103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-13T09:16:23Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing arbitrary post IDs in channels shared with that remote.. Mattermost Advisory ID: MMSA-2026-00689",
  "id": "GHSA-4h7j-7xp4-wp5p",
  "modified": "2026-07-13T09:31:42Z",
  "published": "2026-07-13T09:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10103"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4HC6-GPQP-6HFP

Vulnerability from github – Published: 2024-10-17 06:30 – Updated: 2024-10-17 06:30
VLAI
Details

The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possible.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-17T04:15:05Z",
    "severity": "CRITICAL"
  },
  "details": "The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possible.",
  "id": "GHSA-4hc6-gpqp-6hfp",
  "modified": "2024-10-17T06:30:32Z",
  "published": "2024-10-17T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9263"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.25/core/customers/customer.php#L299"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3169771/timetics/trunk/core/customers/api-customer.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3169771/timetics/trunk/core/customers/customer.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74bd595b-d2fa-4c62-82d2-dba2c2b128f0?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4HJJ-956W-4CWM

Vulnerability from github – Published: 2026-05-20 09:30 – Updated: 2026-05-20 09:30
VLAI
Details

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks 'NextGEN Manage gallery' permissions and does not enforce gallery ownership or 'NextGEN Manage others gallery' permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and 'NextGEN Manage gallery' capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6566"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-20T07:16:16Z",
    "severity": "MODERATE"
  },
  "details": "The Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks \u0027NextGEN Manage gallery\u0027 permissions and does not enforce gallery ownership or \u0027NextGEN Manage others gallery\u0027 permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and \u0027NextGEN Manage gallery\u0027 capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default).",
  "id": "GHSA-4hjj-956w-4cwm",
  "modified": "2026-05-20T09:30:34Z",
  "published": "2026-05-20T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6566"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3533432/nextgen-gallery"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/439809ad-21ea-4a0b-b1fd-5de9f8f5ee7a?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4HV6-WVV9-JH2F

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:25
VLAI
Details

An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-14T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the \"support debug text file\").",
  "id": "GHSA-4hv6-wvv9-jh2f",
  "modified": "2024-04-04T02:25:52Z",
  "published": "2022-05-24T16:58:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/9907"
    },
    {
      "type": "WEB",
      "url": "http://blog.redyops.com/wordpress-plugin-popup-maker"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4JX9-685F-C6RH

Vulnerability from github – Published: 2024-06-08 18:30 – Updated: 2026-04-01 18:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in KiviCare.This issue affects KiviCare: from n/a through 3.6.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35659"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-08T16:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in KiviCare.This issue affects KiviCare: from n/a through 3.6.2.",
  "id": "GHSA-4jx9-685f-c6rh",
  "modified": "2026-04-01T18:31:48Z",
  "published": "2024-06-08T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35659"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/kivicare-clinic-management-system/wordpress-kivicare-plugin-3-6-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.