CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-9R3H-R6G3-69F5
Vulnerability from github – Published: 2023-10-03 12:30 – Updated: 2024-04-04 08:07The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.
{
"affected": [],
"aliases": [
"CVE-2023-4099"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-03T12:15:10Z",
"severity": "MODERATE"
},
"details": "The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.",
"id": "GHSA-9r3h-r6g3-69f5",
"modified": "2024-04-04T08:07:20Z",
"published": "2023-10-03T12:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4099"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-idm-sistemas-qsige"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9R82-FF34-6W3X
Vulnerability from github – Published: 2025-05-21 18:33 – Updated: 2025-05-21 18:33A vulnerability in the API of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to perform a horizontal privilege escalation attack on an affected system.
This vulnerability is due to insufficient validation of user-supplied parameters in API requests. An attacker could exploit this vulnerability by submitting crafted API requests to an affected system to execute an insecure direct object reference attack. A successful exploit could allow the attacker to access specific data that is associated with different users on the affected system.
{
"affected": [],
"aliases": [
"CVE-2025-20114"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-21T17:15:55Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the API of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to perform a horizontal privilege escalation attack on an affected system.\n\nThis vulnerability is due to insufficient validation of user-supplied parameters in API requests. An attacker could exploit this vulnerability by submitting crafted API requests to an affected system to execute an insecure direct object reference attack. A successful exploit could allow the attacker to access specific data that is associated with different users on the affected system.",
"id": "GHSA-9r82-ff34-6w3x",
"modified": "2025-05-21T18:33:31Z",
"published": "2025-05-21T18:33:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20114"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuis-priv-esc-3Pk96SU4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9RJW-3GWP-F59V
Vulnerability from github – Published: 2026-07-06 20:55 – Updated: 2026-07-06 20:55Summary
UpsertWorkspaceApp overwrites an existing app's agent_id on a primary-key conflict and insertAgentApp accepts the app ID from the provisioner's CompleteJob payload without verifying it belongs to the workspace being built. CompleteJob runs under dbauthz.AsProvisionerd so the authorization layer does not block the cross-workspace upsert.
Note: Exploitation requires elevated access as a template author or external provisioner operator.
Impact
A user with template authorship or external provisioner access can submit a CompleteJob payload with a known victim app UUID and an attacker-controlled agent ID. On completion of the attacker's build the victim's app row is rebound to the attacker's agent so later app traffic such as IDE and terminal sessions is proxied to the attacker's workspace. App UUIDs are discoverable through the public API.
Patches
The fix verifies that any existing workspace_apps row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment.
The fix was backported to all supported release lines:
| Release line | Patched version |
|---|---|
| 2.34 | v2.34.2 |
| 2.33 | v2.33.8 |
| 2.32 | v2.32.7 |
| 2.29 (ESR) | v2.29.17 |
Workarounds
None. Upgrading is required.
Resources
- Fix: #26103
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22441) for independently disclosing this issue!
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.34.0"
},
{
"fixed": "2.34.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.33.0"
},
{
"fixed": "2.33.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.30.0"
},
{
"fixed": "2.32.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.29.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55429"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T20:55:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\n`UpsertWorkspaceApp` overwrites an existing app\u0027s `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner\u0027s `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert.\n\n\u003e **Note:** Exploitation requires elevated access as a template author or external provisioner operator.\n\n### Impact\n\nA user with template authorship or external provisioner access can submit a `CompleteJob` payload with a known victim app UUID and an attacker-controlled agent ID. On completion of the attacker\u0027s build the victim\u0027s app row is rebound to the attacker\u0027s agent so later app traffic such as IDE and terminal sessions is proxied to the attacker\u0027s workspace. App UUIDs are discoverable through the public API.\n\n### Patches\n\nThe fix verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment.\n\nThe fix was backported to all supported release lines:\n\n| Release line | Patched version |\n|---|---|\n| 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) |\n| 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) |\n| 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) |\n| 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) |\n\n### Workarounds\n\nNone. Upgrading is required.\n\n### Resources\n\n- Fix: #26103\n\n### Credits\n\nCoder would like to thank Anthropic\u0027s Security Team (ANT-2026-22441) for independently disclosing this issue!",
"id": "GHSA-9rjw-3gwp-f59v",
"modified": "2026-07-06T20:55:37Z",
"published": "2026-07-06T20:55:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coder/coder/security/advisories/GHSA-9rjw-3gwp-f59v"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/pull/26103"
},
{
"type": "PACKAGE",
"url": "https://github.com/coder/coder"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Coder\u0027s workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID"
}
GHSA-9RM8-2H7M-56CH
Vulnerability from github – Published: 2024-12-04 06:31 – Updated: 2024-12-04 06:31The Dollie Hub – Build Your Own WordPress Cloud Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.2.0 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
{
"affected": [],
"aliases": [
"CVE-2024-12099"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-04T04:15:04Z",
"severity": "MODERATE"
},
"details": "The Dollie Hub \u2013 Build Your Own WordPress Cloud Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.2.0 via the \u0027elementor-template\u0027 shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.",
"id": "GHSA-9rm8-2h7m-56ch",
"modified": "2024-12-04T06:31:02Z",
"published": "2024-12-04T06:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12099"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3201770%40dollie\u0026new=3201770%40dollie\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f29514d0-20a5-43f2-bf36-660579103220?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9RVM-XPXJ-3CHJ
Vulnerability from github – Published: 2023-12-20 15:30 – Updated: 2026-04-28 21:33Authorization Bypass Through User-Controlled Key vulnerability in MarketingFire Editorial Calendar.This issue affects Editorial Calendar: from n/a through 3.7.12.
{
"affected": [],
"aliases": [
"CVE-2023-36520"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-20T15:15:08Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in MarketingFire Editorial Calendar.This issue affects Editorial Calendar: from n/a through 3.7.12.",
"id": "GHSA-9rvm-xpxj-3chj",
"modified": "2026-04-28T21:33:28Z",
"published": "2023-12-20T15:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36520"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/editorial-calendar/wordpress-editorial-calendar-plugin-3-7-12-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9V7C-RJ74-PC33
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:02An issue was discovered in the Voyager package through 1.2.7 for Laravel. An attacker with admin privileges and Compass access can read or delete arbitrary files, such as the .env file. NOTE: a software maintainer has suggested a solution in which Compass is switched off in a production environment.
{
"affected": [],
"aliases": [
"CVE-2019-17050"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-30T19:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the Voyager package through 1.2.7 for Laravel. An attacker with admin privileges and Compass access can read or delete arbitrary files, such as the .env file. NOTE: a software maintainer has suggested a solution in which Compass is switched off in a production environment.",
"id": "GHSA-9v7c-rj74-pc33",
"modified": "2024-04-04T02:02:24Z",
"published": "2022-05-24T16:57:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17050"
},
{
"type": "WEB",
"url": "https://github.com/the-control-group/voyager/issues/4322"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9V82-XRM4-MP52
Vulnerability from github – Published: 2026-03-12 14:49 – Updated: 2026-03-12 14:49Summary
The updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity.
Details
The vulnerable handler is in packages/studiocms/frontend/pages/studiocms_api/_handlers/dashboard/users.ts:257-311:
.handle(
'updateUserNotifications',
Effect.fn(function* ({ payload: { id, notifications } }) {
// ...demo mode checks...
const [sdk, userData] = yield* Effect.all([SDKCore, CurrentUser]);
// Line 274: Only checks login + visitor level — any authenticated user passes
if (!userData.isLoggedIn || !userData.userPermissionLevel.isVisitor) {
return yield* new DashboardAPIError({ error: 'Unauthorized' });
}
// Line 280: Uses 'id' from payload — NOT userData.user.id
const existingUser = yield* sdk.GET.users.byId(id);
// Line 288: Updates target user using attacker-controlled 'id'
const updatedData = yield* sdk.AUTH.user.update({
userId: id, // ← attacker controls this
userData: {
id, // ← attacker controls this
name: existingUser.name,
username: existingUser.username,
updatedAt: new Date().toISOString(),
emailVerified: existingUser.emailVerified,
createdAt: undefined,
notifications, // ← attacker controls this
},
});
})
)
For comparison, the updateUserProfile handler in dashboard/profile.ts correctly uses userData.user.id instead of a user-supplied ID, preventing IDOR.
PoC
# 1. Log in as a visitor-role user, obtain session cookie
# 2. Disable all notifications for the admin user
curl -X POST 'http://localhost:4321/studiocms_api/dashboard/update-user-notifications' \
-H 'Cookie: studiocms-session=<visitor-session-token>' \
-H 'Content-Type: application/json' \
-d '{
"id": "<admin-user-id>",
"notifications": ""
}'
# Expected: 403 Forbidden
# Actual: 200 {"message":"User notifications updated successfully"}
Impact
- Any authenticated visitor can disable notification preferences for admin/owner accounts, suppressing alerts about new user creation, account changes, and user deletions
- Enables attack chaining — suppress admin notifications first, then perform other malicious actions with reduced detection risk
- Can modify any user's notification preferences (enable unwanted notifications or disable critical ones)
Recommended Fix
Add an ownership check in packages/studiocms/frontend/pages/studiocms_api/_handlers/dashboard/users.ts:
// After the login check at line 274, add:
if (id !== userData.user?.id && !userData.userPermissionLevel.isAdmin) {
return yield* new DashboardAPIError({
error: 'Unauthorized: cannot modify another user\'s notification preferences',
});
}
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.4.2"
},
"package": {
"ecosystem": "npm",
"name": "studiocms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32104"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:49:41Z",
"nvd_published_at": "2026-03-11T21:16:16Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `updateUserNotifications` endpoint accepts a user ID from the request payload and uses it to update that user\u0027s notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (`id !== userData.user.id`). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity.\n\n## Details\n\nThe vulnerable handler is in `packages/studiocms/frontend/pages/studiocms_api/_handlers/dashboard/users.ts:257-311`:\n\n```typescript\n.handle(\n \u0027updateUserNotifications\u0027,\n Effect.fn(function* ({ payload: { id, notifications } }) {\n // ...demo mode checks...\n\n const [sdk, userData] = yield* Effect.all([SDKCore, CurrentUser]);\n\n // Line 274: Only checks login + visitor level \u2014 any authenticated user passes\n if (!userData.isLoggedIn || !userData.userPermissionLevel.isVisitor) {\n return yield* new DashboardAPIError({ error: \u0027Unauthorized\u0027 });\n }\n\n // Line 280: Uses \u0027id\u0027 from payload \u2014 NOT userData.user.id\n const existingUser = yield* sdk.GET.users.byId(id);\n\n // Line 288: Updates target user using attacker-controlled \u0027id\u0027\n const updatedData = yield* sdk.AUTH.user.update({\n userId: id, // \u2190 attacker controls this\n userData: {\n id, // \u2190 attacker controls this\n name: existingUser.name,\n username: existingUser.username,\n updatedAt: new Date().toISOString(),\n emailVerified: existingUser.emailVerified,\n createdAt: undefined,\n notifications, // \u2190 attacker controls this\n },\n });\n })\n)\n```\n\nFor comparison, the `updateUserProfile` handler in `dashboard/profile.ts` correctly uses `userData.user.id` instead of a user-supplied ID, preventing IDOR.\n\n## PoC\n\n```bash\n# 1. Log in as a visitor-role user, obtain session cookie\n\n# 2. Disable all notifications for the admin user\ncurl -X POST \u0027http://localhost:4321/studiocms_api/dashboard/update-user-notifications\u0027 \\\n -H \u0027Cookie: studiocms-session=\u003cvisitor-session-token\u003e\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\n \"id\": \"\u003cadmin-user-id\u003e\",\n \"notifications\": \"\"\n }\u0027\n\n# Expected: 403 Forbidden\n# Actual: 200 {\"message\":\"User notifications updated successfully\"}\n```\n\n## Impact\n\n- Any authenticated visitor can disable notification preferences for admin/owner accounts, suppressing alerts about new user creation, account changes, and user deletions\n- Enables attack chaining \u2014 suppress admin notifications first, then perform other malicious actions with reduced detection risk\n- Can modify any user\u0027s notification preferences (enable unwanted notifications or disable critical ones)\n\n## Recommended Fix\n\nAdd an ownership check in `packages/studiocms/frontend/pages/studiocms_api/_handlers/dashboard/users.ts`:\n\n```typescript\n// After the login check at line 274, add:\nif (id !== userData.user?.id \u0026\u0026 !userData.userPermissionLevel.isAdmin) {\n return yield* new DashboardAPIError({\n error: \u0027Unauthorized: cannot modify another user\\\u0027s notification preferences\u0027,\n });\n}\n```",
"id": "GHSA-9v82-xrm4-mp52",
"modified": "2026-03-12T14:49:41Z",
"published": "2026-03-12T14:49:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32104"
},
{
"type": "PACKAGE",
"url": "https://github.com/withstudiocms/studiocms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User\u0027s Settings"
}
GHSA-9VQ7-9H42-J88H
Vulnerability from github – Published: 2026-04-14 12:31 – Updated: 2026-04-15 19:42MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@samanhappy/mcphub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-13822"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-15T19:42:53Z",
"nvd_published_at": "2026-04-14T11:16:24Z",
"severity": "MODERATE"
},
"details": "MCPHub in versions below\u00a00.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.",
"id": "GHSA-9vq7-9h42-j88h",
"modified": "2026-04-15T19:42:53Z",
"published": "2026-04-14T12:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13822"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2026/04/CVE-2025-13822"
},
{
"type": "PACKAGE",
"url": "https://github.com/samanhappy/mcphub"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MCPHub has an authentication bypass"
}
GHSA-9VQH-HHJJ-X3J9
Vulnerability from github – Published: 2025-11-25 09:31 – Updated: 2026-04-08 18:33The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.
{
"affected": [],
"aliases": [
"CVE-2025-13389"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-25T08:15:51Z",
"severity": "MODERATE"
},
"details": "The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.",
"id": "GHSA-9vqh-hhjj-x3j9",
"modified": "2026-04-08T18:33:59Z",
"published": "2025-11-25T09:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13389"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L142"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L142"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3439999"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9149d2c6-b6c7-430d-8886-c8c5de483220?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9VXV-JFQW-372J
Vulnerability from github – Published: 2026-03-11 09:31 – Updated: 2026-03-11 09:31The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the ha_condition_update AJAX action. This is due to the validate_reqeust() method using current_user_can('edit_posts', $template_id) instead of current_user_can('edit_post', $template_id) — failing to perform object-level authorization. Additionally, the ha_get_current_condition AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published ha_library template. Because the cond_to_html() renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of esc_attr()), an attacker can inject event handler attributes (e.g., onmouseover) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.
{
"affected": [],
"aliases": [
"CVE-2026-2918"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T08:16:03Z",
"severity": "MODERATE"
},
"details": "The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can(\u0027edit_posts\u0027, $template_id)` instead of `current_user_can(\u0027edit_post\u0027, $template_id)` \u2014 failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.",
"id": "GHSA-9vxv-jfqw-372j",
"modified": "2026-03-11T09:31:54Z",
"published": "2026-03-11T09:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2918"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L237"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L525"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L237"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L525"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3475242%40happy-elementor-addons%2Ftrunk\u0026old=3463375%40happy-elementor-addons%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a3fe49b-cc0d-4b29-aae5-46307483b8d4?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.