CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3226 vulnerabilities reference this CWE, most recent first.
GHSA-5WW9-JG6Q-38R7
Vulnerability from github – Published: 2026-06-12 21:00 – Updated: 2026-06-12 21:00Summary
A low-privileged authenticated user of filebrowser (with create + delete permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored share.Link.Path. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped.
Details
resourceDeleteHandler in http/resource.go cleans up any share records that reference a deleted file by calling:
// http/resource.go
err = d.store.Share.DeleteWithPathPrefix(file.Path)
file.Path here is the logical path from the URL of the deleting user's request (e.g. /a), not the absolute filesystem path. It is passed as-is to the bolt backend:
// storage/bolt/share.go
func (s shareBackend) DeleteWithPathPrefix(pathPrefix string) error {
var links []share.Link
if err := s.db.Prefix("Path", pathPrefix, &links); err != nil {
return err
}
for _, link := range links {
err = errors.Join(err, s.db.DeleteStruct(&share.Link{Hash: link.Hash}))
}
return err
}
Why the design contradicts this behavior. share.Link carries a UserID field and the application elsewhere treats shares as per-user owned resources. shareDeleteHandler explicitly enforces link.UserID != d.user.ID && !d.user.Perm.Admin → 403. The file-deletion side-effect path is the only location that bypasses this rule.
Impact
- Integrity: unauthorized deletion of share-link metadata belonging to arbitrary users, including administrators.
- Availability: effective denial-of-service of the share-link feature — a cooperating (or malicious) low-priv user can wipe the bulk of existing share links by iterating a short set of one- and two-character prefixes.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/filebrowser/filebrowser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.11.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.63.5"
},
"package": {
"ecosystem": "Go",
"name": "github.com/filebrowser/filebrowser/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.63.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54097"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T21:00:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nA low-privileged authenticated user of filebrowser (with `create` + `delete` permissions in their own isolated scope) can silently destroy share-link records belonging to any other user \u2014 including the administrator \u2014 by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user\u0027s stored `share.Link.Path`. The file contents of the victim are not exposed, but the victim\u0027s share links are irrevocably wiped.\n\n### Details\n`resourceDeleteHandler` in `http/resource.go` cleans up any share records that reference a deleted file by calling:\n\n```go\n// http/resource.go\nerr = d.store.Share.DeleteWithPathPrefix(file.Path)\n```\n\n`file.Path` here is the *logical* path from the URL of the deleting user\u0027s request (e.g. `/a`), not the absolute filesystem path. It is passed as-is to the bolt backend:\n\n```go\n// storage/bolt/share.go\nfunc (s shareBackend) DeleteWithPathPrefix(pathPrefix string) error {\n var links []share.Link\n if err := s.db.Prefix(\"Path\", pathPrefix, \u0026links); err != nil {\n return err\n }\n for _, link := range links {\n err = errors.Join(err, s.db.DeleteStruct(\u0026share.Link{Hash: link.Hash}))\n }\n return err\n}\n```\n**Why the design contradicts this behavior.** `share.Link` carries a `UserID` field and the application elsewhere treats shares as per-user owned resources. `shareDeleteHandler` explicitly enforces `link.UserID != d.user.ID \u0026\u0026 !d.user.Perm.Admin \u2192 403`. The file-deletion side-effect path is the only location that bypasses this rule.\n\n\n\n### Impact\n- Integrity: unauthorized deletion of share-link metadata belonging to arbitrary users, including administrators.\n- Availability: effective denial-of-service of the share-link feature \u2014 a cooperating (or malicious) low-priv user can wipe the bulk of existing share links by iterating a short set of one- and two-character prefixes.",
"id": "GHSA-5ww9-jg6q-38r7",
"modified": "2026-06-12T21:00:55Z",
"published": "2026-06-12T21:00:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-5ww9-jg6q-38r7"
},
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/commit/0231b7ebdfbe77a6c54027d30c4856c3fd81ee4d"
},
{
"type": "PACKAGE",
"url": "https://github.com/filebrowser/filebrowser"
},
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.63.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix"
}
GHSA-5WXC-3JFW-W94P
Vulnerability from github – Published: 2025-09-11 18:35 – Updated: 2025-12-20 02:57An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate data/object entries/definitions to an object in a different virtual instance.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay:com.liferay.object.service"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.197"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43790"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-12T19:49:10Z",
"nvd_published_at": "2025-09-11T18:15:34Z",
"severity": "HIGH"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate data/object entries/definitions to an object in a different virtual instance.",
"id": "GHSA-5wxc-3jfw-w94p",
"modified": "2025-12-20T02:57:24Z",
"published": "2025-09-11T18:35:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43790"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/66b9a7dc4d40a10dec03e169ca8735add81e9bd9"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.atlassian.net/browse/LPE-18065"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43790"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Liferay Portal is vulnerable to Insecure Direct Object Reference (IDOR) attack through Authentication Bypass"
}
GHSA-5WXP-QJGQ-FX6M
Vulnerability from github – Published: 2026-05-14 14:54 – Updated: 2026-06-09 13:10Summary
A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI.
The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object.
Due to missing server-side validation and authorization checks, an authenticated user can manipulate internal attributes of a chatflow and reassign it to another workspace. This allows cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings.
Details
The endpoint responsible for updating chatflows:
PUT /api/v1/chatflows/{chatflowId}
accepts a JSON request body containing the chatflow configuration (flowData) along with other metadata fields.
However, the server does not restrict which properties may be modified by the client. As a result, user-controlled request bodies can include additional fields that should normally be controlled only by the backend.
Examples of server-controlled fields that can be manipulated include:
- deployed
- isPublic
- workspaceId
- createdDate
- updatedDate
- category
- type
These fields appear to be directly mapped to the underlying database entity when processing the update request, suggesting that the server performs a direct merge of the request body into the chatflow model without applying a strict DTO whitelist or authorization checks.
For example, modifying the request body with:
{
"deployed": true,
"isPublic": true,
"createdDate": "1999-03-06T10:59:32.000Z",
"updatedDate": "1999-03-06T13:21:34.000Z",
"workspaceId": "11111111-2222-3333-4444-555555555555"
}
results in the server accepting and persisting these values.
In testing, a second workspace was created in the database and the workspaceId field was successfully modified through the API request. The chatflow was reassigned to the attacker-controlled workspace, confirming that the application does not enforce workspace ownership validation.
PoC
Authenticate to the Flowise interface.
Capture the request used to update a chatflow:
PUT /api/v1/chatflows/<CHATFLOW_ID>
Content-Type: application/json
Modify the request body by injecting additional fields:
{
"name": "test-flow",
"flowData": "{...}",
"deployed": true,
"isPublic": true,
"workspaceId": "11111111-2222-3333-4444-555555555555"
}
Send the request.
Observe that the response returns the manipulated values:
{
"deployed": true,
"isPublic": true,
"workspaceId": "11111111-2222-3333-4444-555555555555"
}
Verify in the database that the chatflow has been reassigned:
SELECT id, workspaceId FROM chat_flow WHERE id='<CHATFLOW_ID>';
The workspaceId value reflects the attacker-supplied workspace.
Impact
This vulnerability allows authenticated users to manipulate server-controlled attributes of chatflows.
Confirmed impacts include:
- Unauthorized modification of chatflow visibility (isPublic)
- Unauthorized deployment state changes (deployed)
- Cross-workspace reassignment of chatflows (workspaceId)
- Unauthorized modification of metadata (createdDate, updatedDate)
In multi-tenant environments, this allows an attacker to move chatflows between workspaces without authorization, breaking tenant isolation boundaries.
This may enable:
- Cross-workspace workflow takeover
- Unauthorized exposure of private workflows
- Manipulation of deployed agent workflows
The issue stems from missing authorization checks and improper handling of client-controlled input in the chatflow update endpoint.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.1"
},
"package": {
"ecosystem": "npm",
"name": "flowise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42863"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T14:54:28Z",
"nvd_published_at": "2026-06-08T16:16:39Z",
"severity": "HIGH"
},
"details": "### Summary\nA Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI.\n\nThe endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object.\n\nDue to missing server-side validation and authorization checks, an authenticated user can manipulate internal attributes of a chatflow and reassign it to another workspace. This allows cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings.\n\n### Details\nThe endpoint responsible for updating chatflows:\n\n**PUT /api/v1/chatflows/{chatflowId}**\n\naccepts a JSON request body containing the chatflow configuration (flowData) along with other metadata fields.\n\nHowever, the server does not restrict which properties may be modified by the client. As a result, user-controlled request bodies can include additional fields that should normally be controlled only by the backend.\n\nExamples of server-controlled fields that can be manipulated include:\n\n1. deployed\n2. isPublic\n3. workspaceId\n4. createdDate\n5. updatedDate\n6. category\n7. type\n\nThese fields appear to be directly mapped to the underlying database entity when processing the update request, suggesting that the server performs a direct merge of the request body into the chatflow model without applying a strict DTO whitelist or authorization checks.\n\nFor example, modifying the request body with:\n\n```json\n{\n \"deployed\": true,\n \"isPublic\": true,\n \"createdDate\": \"1999-03-06T10:59:32.000Z\",\n \"updatedDate\": \"1999-03-06T13:21:34.000Z\",\n \"workspaceId\": \"11111111-2222-3333-4444-555555555555\"\n}\n```\n\nresults in the server accepting and persisting these values.\n\nIn testing, a second workspace was created in the database and the workspaceId field was successfully modified through the API request. The chatflow was reassigned to the attacker-controlled workspace, confirming that the application does not enforce workspace ownership validation.\n\n\n### PoC\nAuthenticate to the Flowise interface.\n\nCapture the request used to update a chatflow:\n\n```http\nPUT /api/v1/chatflows/\u003cCHATFLOW_ID\u003e\nContent-Type: application/json\n\nModify the request body by injecting additional fields:\n\n{\n \"name\": \"test-flow\",\n \"flowData\": \"{...}\",\n \"deployed\": true,\n \"isPublic\": true,\n \"workspaceId\": \"11111111-2222-3333-4444-555555555555\"\n}\n```\n\nSend the request.\n\nObserve that the response returns the manipulated values:\n\n```json\n{\n \"deployed\": true,\n \"isPublic\": true,\n \"workspaceId\": \"11111111-2222-3333-4444-555555555555\"\n}\n```\n\nVerify in the database that the chatflow has been reassigned:\n\n```sql\nSELECT id, workspaceId FROM chat_flow WHERE id=\u0027\u003cCHATFLOW_ID\u003e\u0027;\n```\n\nThe workspaceId value reflects the attacker-supplied workspace.\n\n### Impact\nThis vulnerability allows authenticated users to manipulate server-controlled attributes of chatflows.\n\nConfirmed impacts include:\n\n- Unauthorized modification of chatflow visibility (isPublic)\n- Unauthorized deployment state changes (deployed)\n- Cross-workspace reassignment of chatflows (workspaceId)\n- Unauthorized modification of metadata (createdDate, updatedDate)\n\nIn multi-tenant environments, this allows an attacker to move chatflows between workspaces without authorization, breaking tenant isolation boundaries.\n\nThis may enable:\n\n- Cross-workspace workflow takeover\n- Unauthorized exposure of private workflows\n- Manipulation of deployed agent workflows\n\nThe issue stems from missing authorization checks and improper handling of client-controlled input in the chatflow update endpoint.",
"id": "GHSA-5wxp-qjgq-fx6m",
"modified": "2026-06-09T13:10:02Z",
"published": "2026-05-14T14:54:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5wxp-qjgq-fx6m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42863"
},
{
"type": "PACKAGE",
"url": "https://github.com/FlowiseAI/Flowise"
},
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment"
}
GHSA-5X67-FRFJ-MMVH
Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-05-24 17:20** VERSION NOT SUPPORTED WHEN ASSIGNED ** Citrix XenApp 6.5, when 2FA is enabled, allows a remote unauthenticated attacker to ascertain whether a user exists on the server, because the 2FA error page only occurs after a valid username is entered.
{
"affected": [],
"aliases": [
"CVE-2020-13998"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-11T02:15:00Z",
"severity": "MODERATE"
},
"details": "** VERSION NOT SUPPORTED WHEN ASSIGNED ** Citrix XenApp 6.5, when 2FA is enabled, allows a remote unauthenticated attacker to ascertain whether a user exists on the server, because the 2FA error page only occurs after a valid username is entered.",
"id": "GHSA-5x67-frfj-mmvh",
"modified": "2022-05-24T17:20:22Z",
"published": "2022-05-24T17:20:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13998"
},
{
"type": "WEB",
"url": "https://gist.github.com/kampji/11e259d68ad98a6f0f898132f1961a96"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5XJ8-9PP7-W546
Vulnerability from github – Published: 2024-04-19 15:30 – Updated: 2024-08-01 15:31Webid v1.2.1 suffers from an Insecure Direct Object Reference (IDOR) - Broken Access Control vulnerability, allowing attackers to buy now an auction that is suspended (horizontal privilege escalation).
{
"affected": [],
"aliases": [
"CVE-2024-32166"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-19T14:15:11Z",
"severity": "HIGH"
},
"details": "Webid v1.2.1 suffers from an Insecure Direct Object Reference (IDOR) - Broken Access Control vulnerability, allowing attackers to buy now an auction that is suspended (horizontal privilege escalation).",
"id": "GHSA-5xj8-9pp7-w546",
"modified": "2024-08-01T15:31:41Z",
"published": "2024-04-19T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32166"
},
{
"type": "WEB",
"url": "https://github.com/Fewword/Poc/blob/main/webid/webid-poc14.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6288-WF2G-3FWM
Vulnerability from github – Published: 2026-05-05 09:31 – Updated: 2026-05-05 09:31The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:|key:}} and {{post_title id:|link:author_email}}.
{
"affected": [],
"aliases": [
"CVE-2026-3454"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T07:16:00Z",
"severity": "MODERATE"
},
"details": "The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:\u003ctarget\u003e|key:\u003cmeta_key\u003e}} and {{post_title id:\u003ctarget\u003e|link:author_email}}.",
"id": "GHSA-6288-wf2g-3fwm",
"modified": "2026-05-05T09:31:55Z",
"published": "2026-05-05T09:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3454"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/class-meta-handler.php#L335"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tag-callbacks.php#L364"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tag-callbacks.php#L64"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L392"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L424"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L501"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3495827%40generateblocks%2Ftrunk\u0026old=3415721%40generateblocks%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0297d524-e016-4f8d-920c-d58c62edb2a0?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-62GQ-FGJ3-92V6
Vulnerability from github – Published: 2023-02-27 18:32 – Updated: 2023-03-03 18:30The User Activity WordPress plugin through 1.0.1 checks headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing
{
"affected": [],
"aliases": [
"CVE-2022-4550"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-27T16:15:00Z",
"severity": "HIGH"
},
"details": "The User Activity WordPress plugin through 1.0.1 checks headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing",
"id": "GHSA-62gq-fgj3-92v6",
"modified": "2023-03-03T18:30:26Z",
"published": "2023-02-27T18:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4550"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/a1179959-2044-479f-a5ca-3c9ffc46d00e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-62M2-79CV-F29W
Vulnerability from github – Published: 2025-11-06 18:32 – Updated: 2026-01-20 15:31Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous Core Plugin: from n/a through < 2.0.9.
{
"affected": [],
"aliases": [
"CVE-2025-58627"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-06T16:15:59Z",
"severity": "CRITICAL"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous Core Plugin: from n/a through \u003c 2.0.9.",
"id": "GHSA-62m2-79cv-f29w",
"modified": "2026-01-20T15:31:48Z",
"published": "2025-11-06T18:32:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58627"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/miraculouscore/vulnerability/wordpress-miraculous-core-plugin-plugin-2-0-9-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/miraculouscore/vulnerability/wordpress-miraculous-core-plugin-plugin-2-0-9-insecure-direct-object-references-idor-vulnerability"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/miraculouscore/vulnerability/wordpress-miraculous-core-plugin-plugin-2-0-9-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62Q8-JG47-5WPW
Vulnerability from github – Published: 2026-06-02 15:32 – Updated: 2026-06-02 15:32CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
{
"affected": [],
"aliases": [
"CVE-2026-7201"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-02T14:17:14Z",
"severity": "HIGH"
},
"details": "CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.",
"id": "GHSA-62q8-jg47-5wpw",
"modified": "2026-06-02T15:32:13Z",
"published": "2026-06-02T15:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7201"
},
{
"type": "WEB",
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62WV-MF7J-H7RG
Vulnerability from github – Published: 2022-09-20 00:00 – Updated: 2022-09-22 00:00The Site Offline Or Coming Soon Or Maintenance Mode WordPress plugin before 1.5.3 prevents users from accessing a website but does not do so if the URL contained certain keywords. Adding those keywords to the URL's query string would bypass the plugin's main feature.
{
"affected": [],
"aliases": [
"CVE-2022-1580"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-19T14:15:00Z",
"severity": "MODERATE"
},
"details": "The Site Offline Or Coming Soon Or Maintenance Mode WordPress plugin before 1.5.3 prevents users from accessing a website but does not do so if the URL contained certain keywords. Adding those keywords to the URL\u0027s query string would bypass the plugin\u0027s main feature.",
"id": "GHSA-62wv-mf7j-h7rg",
"modified": "2022-09-22T00:00:30Z",
"published": "2022-09-20T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1580"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/7b6f91cd-5a00-49ca-93ff-db7220d2630a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.