Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3254 vulnerabilities reference this CWE, most recent first.

GHSA-9GJ6-RWQC-4WVP

Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2026-01-20 15:32
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in ThimPress Thim Elementor Kit thim-elementor-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Thim Elementor Kit: from n/a through <= 1.3.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67594"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T16:18:37Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in ThimPress Thim Elementor Kit thim-elementor-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Thim Elementor Kit: from n/a through \u003c= 1.3.3.",
  "id": "GHSA-9gj6-rwqc-4wvp",
  "modified": "2026-01-20T15:32:12Z",
  "published": "2025-12-09T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67594"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/thim-elementor-kit/vulnerability/wordpress-thim-elementor-kit-plugin-1-3-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/thim-elementor-kit/vulnerability/wordpress-thim-elementor-kit-plugin-1-3-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GP9-G392-77V9

Vulnerability from github – Published: 2026-06-06 06:30 – Updated: 2026-06-06 06:30
VLAI
Details

The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9851"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-06T05:16:30Z",
    "severity": "HIGH"
  },
  "details": "The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the \u0027updateUser\u0027 branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.",
  "id": "GHSA-9gp9-g392-77v9",
  "modified": "2026-06-06T06:30:30Z",
  "published": "2026-06-06T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9851"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.13/index.php#L4416"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.13/index.php#L4477"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.13/lib/Schedule.php#L868"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3558752%40booking-package\u0026new=3558752%40booking-package\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/795c1fd6-137b-4414-8d6b-30053bfb5924?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9H3C-44HP-VC82

Vulnerability from github – Published: 2022-05-14 00:01 – Updated: 2022-05-25 00:00
VLAI
Details

onlinetolls in cdSoft Onlinetools-Smart Winhotel.MX 2021 allows an attacker to download sensitive information about any customer (e.g., data of birth, full address, mail information, and phone number) via GastKont Insecure Direct Object Reference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-13T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "onlinetolls in cdSoft Onlinetools-Smart Winhotel.MX 2021 allows an attacker to download sensitive information about any customer (e.g., data of birth, full address, mail information, and phone number) via GastKont Insecure Direct Object Reference.",
  "id": "GHSA-9h3c-44hp-vc82",
  "modified": "2022-05-25T00:00:35Z",
  "published": "2022-05-14T00:01:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27247"
    },
    {
      "type": "WEB",
      "url": "https://myses.de/#about"
    },
    {
      "type": "WEB",
      "url": "https://myses.de/pdf/CVE2022-27247.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9H89-8JMF-G7HG

Vulnerability from github – Published: 2022-11-02 19:00 – Updated: 2022-11-03 19:00
VLAI
Details

An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an authenticated admin user assigned to a specific domain to access and modify other domains information via insecure direct object references (IDOR).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-02T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an authenticated admin user assigned to a specific domain to access and modify other domains information via insecure direct object references (IDOR).",
  "id": "GHSA-9h89-8jmf-g7hg",
  "modified": "2022-11-03T19:00:23Z",
  "published": "2022-11-02T19:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39945"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-22-066"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9H89-9CWP-Q9P5

Vulnerability from github – Published: 2024-10-17 03:31 – Updated: 2024-10-17 03:31
VLAI
Details

The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the action_edited_author() due to missing validation on the 'authors-user_id' user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update arbitrary user accounts email addresses, including administrators, which can then be leveraged to reset that user's account password and gain access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-17T02:15:02Z",
    "severity": "HIGH"
  },
  "details": "The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the action_edited_author() due to missing validation on the \u0027authors-user_id\u0027 user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update arbitrary user accounts email addresses, including administrators, which can then be leveraged to reset that user\u0027s account password and gain access.",
  "id": "GHSA-9h89-9cwp-q9p5",
  "modified": "2024-10-17T03:31:31Z",
  "published": "2024-10-17T03:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9215"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/publishpress-authors/tags/4.7.1/src/core/Classes/Author_Editor.php#L594"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3169244%40publishpress-authors\u0026new=3169244%40publishpress-authors\u0026sfp_email=\u0026sfph_mail=#file7"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0506137-82e3-4988-9b23-370465a866c0?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9H8X-P9PV-89VV

Vulnerability from github – Published: 2023-05-23 21:30 – Updated: 2024-04-04 04:19
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse, Authentication Bypass.This issue affects Competition Management System: before 23.07.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-23T20:15:09Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse, Authentication Bypass.This issue affects Competition Management System: before 23.07.\n\n",
  "id": "GHSA-9h8x-p9pv-89vv",
  "modified": "2024-04-04T04:19:13Z",
  "published": "2023-05-23T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2702"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-23-0283"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HF4-67FC-4VF4

Vulnerability from github – Published: 2024-09-20 14:40 – Updated: 2025-11-04 16:53
VLAI
Summary
Puma's header normalization allows for client to clobber proxy set headers
Details

Impact

Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack.

Patches

v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.

Workarounds

Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level.

Any users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.6.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-20T14:40:16Z",
    "nvd_published_at": "2024-09-19T23:15:11Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nClients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack. \n\n### Patches\nv6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.\n\n### Workarounds\nNginx has a [underscores_in_headers](https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers) configuration variable to discard these headers at the proxy level.\n\nAny users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.",
  "id": "GHSA-9hf4-67fc-4vf4",
  "modified": "2025-11-04T16:53:06Z",
  "published": "2024-09-20T14:40:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45614"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/puma/puma"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Puma\u0027s header normalization allows for client to clobber proxy set headers"
}

GHSA-9HJ4-M545-52WW

Vulnerability from github – Published: 2025-07-21 12:30 – Updated: 2026-06-06 09:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Akbim Software Online Exam Registration allows Exploitation of Trusted Identifiers.This issue affects Online Exam Registration: before 14.03.2025.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-21T12:15:24Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Akbim Software Online Exam Registration allows Exploitation of Trusted Identifiers.This issue affects Online Exam Registration: before 14.03.2025.",
  "id": "GHSA-9hj4-m545-52ww",
  "modified": "2026-06-06T09:31:12Z",
  "published": "2025-07-21T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2301"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0164"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-25-0164"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HV3-3CV6-JRX3

Vulnerability from github – Published: 2026-07-16 15:33 – Updated: 2026-07-16 15:33
VLAI
Details

stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1 allow users with only ViewChannel (read) permission on a channel to fetch that channel's webhooks, including their tokens, because the webhook fetch endpoint checked for ViewChannel instead of ManageWebhooks. Using a retrieved token, an attacker can send arbitrary messages to the channel, bypassing channel permissions and impersonating a bot or webhook. Fixed in 20250210-1 (0.8.2).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-71388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-16T13:16:24Z",
    "severity": "HIGH"
  },
  "details": "stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1 allow users with only ViewChannel (read) permission on a channel to fetch that channel\u0027s webhooks, including their tokens, because the webhook fetch endpoint checked for ViewChannel instead of ManageWebhooks. Using a retrieved token, an attacker can send arbitrary messages to the channel, bypassing channel permissions and impersonating a bot or webhook. Fixed in 20250210-1 (0.8.2).",
  "id": "GHSA-9hv3-3cv6-jrx3",
  "modified": "2026-07-16T15:33:10Z",
  "published": "2026-07-16T15:33:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/stoatchat/stoatchat/security/advisories/GHSA-8684-rvfj-v3jq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71388"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stoatchat/stoatchat/commit/e3723d647effb81ea3d3919d848faf64dbe89829"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/stoatchat-20241213-1-webhook-token-disclosure-via-read-permissions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9J2M-4PQQ-WMH6

Vulnerability from github – Published: 2024-01-22 21:31 – Updated: 2025-06-11 18:35
VLAI
Details

The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatar

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-22T20:15:47Z",
    "severity": "MODERATE"
  },
  "details": "The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatar",
  "id": "GHSA-9j2m-4pqq-wmh6",
  "modified": "2025-06-11T18:35:38Z",
  "published": "2024-01-22T21:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6384"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/fbdefab4-614b-493b-a9ae-c5aeff8323ef"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.