Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3255 vulnerabilities reference this CWE, most recent first.

GHSA-9R3H-R6G3-69F5

Vulnerability from github – Published: 2023-10-03 12:30 – Updated: 2024-04-04 08:07
VLAI
Details

The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4099"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-03T12:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.",
  "id": "GHSA-9r3h-r6g3-69f5",
  "modified": "2024-04-04T08:07:20Z",
  "published": "2023-10-03T12:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4099"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-idm-sistemas-qsige"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9R82-FF34-6W3X

Vulnerability from github – Published: 2025-05-21 18:33 – Updated: 2025-05-21 18:33
VLAI
Details

A vulnerability in the API of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to perform a horizontal privilege escalation attack on an affected system.

This vulnerability is due to insufficient validation of user-supplied parameters in API requests. An attacker could exploit this vulnerability by submitting crafted API requests to an affected system to execute an insecure direct object reference attack. A successful exploit could allow the attacker to access specific data that is associated with different users on the affected system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-21T17:15:55Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the API of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to perform a horizontal privilege escalation attack on an affected system.\n\nThis vulnerability is due to insufficient validation of user-supplied parameters in API requests. An attacker could exploit this vulnerability by submitting crafted API requests to an affected system to execute an insecure direct object reference attack. A successful exploit could allow the attacker to access specific data that is associated with different users on the affected system.",
  "id": "GHSA-9r82-ff34-6w3x",
  "modified": "2025-05-21T18:33:31Z",
  "published": "2025-05-21T18:33:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20114"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuis-priv-esc-3Pk96SU4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9RJW-3GWP-F59V

Vulnerability from github – Published: 2026-07-06 20:55 – Updated: 2026-07-06 20:55
VLAI
Summary
Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID
Details

Summary

UpsertWorkspaceApp overwrites an existing app's agent_id on a primary-key conflict and insertAgentApp accepts the app ID from the provisioner's CompleteJob payload without verifying it belongs to the workspace being built. CompleteJob runs under dbauthz.AsProvisionerd so the authorization layer does not block the cross-workspace upsert.

Note: Exploitation requires elevated access as a template author or external provisioner operator.

Impact

A user with template authorship or external provisioner access can submit a CompleteJob payload with a known victim app UUID and an attacker-controlled agent ID. On completion of the attacker's build the victim's app row is rebound to the attacker's agent so later app traffic such as IDE and terminal sessions is proxied to the attacker's workspace. App UUIDs are discoverable through the public API.

Patches

The fix verifies that any existing workspace_apps row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment.

The fix was backported to all supported release lines:

Release line Patched version
2.34 v2.34.2
2.33 v2.33.8
2.32 v2.32.7
2.29 (ESR) v2.29.17

Workarounds

None. Upgrading is required.

Resources

  • Fix: #26103

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22441) for independently disclosing this issue!

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.34.0"
            },
            {
              "fixed": "2.34.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.33.0"
            },
            {
              "fixed": "2.33.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.30.0"
            },
            {
              "fixed": "2.32.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.29.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55429"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-06T20:55:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`UpsertWorkspaceApp` overwrites an existing app\u0027s `agent_id` on a primary-key conflict and `insertAgentApp` accepts the app ID from the provisioner\u0027s `CompleteJob` payload without verifying it belongs to the workspace being built. `CompleteJob` runs under `dbauthz.AsProvisionerd` so the authorization layer does not block the cross-workspace upsert.\n\n\u003e **Note:** Exploitation requires elevated access as a template author or external provisioner operator.\n\n### Impact\n\nA user with template authorship or external provisioner access can submit a `CompleteJob` payload with a known victim app UUID and an attacker-controlled agent ID. On completion of the attacker\u0027s build the victim\u0027s app row is rebound to the attacker\u0027s agent so later app traffic such as IDE and terminal sessions is proxied to the attacker\u0027s workspace. App UUIDs are discoverable through the public API.\n\n### Patches\n\nThe fix verifies that any existing `workspace_apps` row matching the supplied ID belongs to the workspace being built and rejects cross-workspace agent reassignment.\n\nThe fix was backported to all supported release lines:\n\n| Release line | Patched version |\n|---|---|\n| 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) |\n| 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) |\n| 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) |\n| 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) |\n\n### Workarounds\n\nNone. Upgrading is required.\n\n### Resources\n\n- Fix: #26103\n\n### Credits\n\nCoder would like to thank Anthropic\u0027s Security Team (ANT-2026-22441) for independently disclosing this issue!",
  "id": "GHSA-9rjw-3gwp-f59v",
  "modified": "2026-07-06T20:55:37Z",
  "published": "2026-07-06T20:55:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/security/advisories/GHSA-9rjw-3gwp-f59v"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/pull/26103"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coder/coder"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Coder\u0027s workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID"
}

GHSA-9RM8-2H7M-56CH

Vulnerability from github – Published: 2024-12-04 06:31 – Updated: 2024-12-04 06:31
VLAI
Details

The Dollie Hub – Build Your Own WordPress Cloud Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.2.0 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12099"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-04T04:15:04Z",
    "severity": "MODERATE"
  },
  "details": "The Dollie Hub \u2013 Build Your Own WordPress Cloud Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.2.0 via the \u0027elementor-template\u0027 shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.",
  "id": "GHSA-9rm8-2h7m-56ch",
  "modified": "2024-12-04T06:31:02Z",
  "published": "2024-12-04T06:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12099"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3201770%40dollie\u0026new=3201770%40dollie\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f29514d0-20a5-43f2-bf36-660579103220?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9RVM-XPXJ-3CHJ

Vulnerability from github – Published: 2023-12-20 15:30 – Updated: 2026-04-28 21:33
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in MarketingFire Editorial Calendar.This issue affects Editorial Calendar: from n/a through 3.7.12.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36520"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-20T15:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in MarketingFire Editorial Calendar.This issue affects Editorial Calendar: from n/a through 3.7.12.",
  "id": "GHSA-9rvm-xpxj-3chj",
  "modified": "2026-04-28T21:33:28Z",
  "published": "2023-12-20T15:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36520"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/editorial-calendar/wordpress-editorial-calendar-plugin-3-7-12-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9V7C-RJ74-PC33

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:02
VLAI
Details

An issue was discovered in the Voyager package through 1.2.7 for Laravel. An attacker with admin privileges and Compass access can read or delete arbitrary files, such as the .env file. NOTE: a software maintainer has suggested a solution in which Compass is switched off in a production environment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17050"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-30T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the Voyager package through 1.2.7 for Laravel. An attacker with admin privileges and Compass access can read or delete arbitrary files, such as the .env file. NOTE: a software maintainer has suggested a solution in which Compass is switched off in a production environment.",
  "id": "GHSA-9v7c-rj74-pc33",
  "modified": "2024-04-04T02:02:24Z",
  "published": "2022-05-24T16:57:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17050"
    },
    {
      "type": "WEB",
      "url": "https://github.com/the-control-group/voyager/issues/4322"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9V82-XRM4-MP52

Vulnerability from github – Published: 2026-03-12 14:49 – Updated: 2026-03-12 14:49
VLAI
Summary
StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings
Details

Summary

The updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity.

Details

The vulnerable handler is in packages/studiocms/frontend/pages/studiocms_api/_handlers/dashboard/users.ts:257-311:

.handle(
    'updateUserNotifications',
    Effect.fn(function* ({ payload: { id, notifications } }) {
        // ...demo mode checks...

        const [sdk, userData] = yield* Effect.all([SDKCore, CurrentUser]);

        // Line 274: Only checks login + visitor level — any authenticated user passes
        if (!userData.isLoggedIn || !userData.userPermissionLevel.isVisitor) {
            return yield* new DashboardAPIError({ error: 'Unauthorized' });
        }

        // Line 280: Uses 'id' from payload — NOT userData.user.id
        const existingUser = yield* sdk.GET.users.byId(id);

        // Line 288: Updates target user using attacker-controlled 'id'
        const updatedData = yield* sdk.AUTH.user.update({
            userId: id,       // ← attacker controls this
            userData: {
                id,            // ← attacker controls this
                name: existingUser.name,
                username: existingUser.username,
                updatedAt: new Date().toISOString(),
                emailVerified: existingUser.emailVerified,
                createdAt: undefined,
                notifications,  // ← attacker controls this
            },
        });
    })
)

For comparison, the updateUserProfile handler in dashboard/profile.ts correctly uses userData.user.id instead of a user-supplied ID, preventing IDOR.

PoC

# 1. Log in as a visitor-role user, obtain session cookie

# 2. Disable all notifications for the admin user
curl -X POST 'http://localhost:4321/studiocms_api/dashboard/update-user-notifications' \
  -H 'Cookie: studiocms-session=<visitor-session-token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "<admin-user-id>",
    "notifications": ""
  }'

# Expected: 403 Forbidden
# Actual: 200 {"message":"User notifications updated successfully"}

Impact

  • Any authenticated visitor can disable notification preferences for admin/owner accounts, suppressing alerts about new user creation, account changes, and user deletions
  • Enables attack chaining — suppress admin notifications first, then perform other malicious actions with reduced detection risk
  • Can modify any user's notification preferences (enable unwanted notifications or disable critical ones)

Recommended Fix

Add an ownership check in packages/studiocms/frontend/pages/studiocms_api/_handlers/dashboard/users.ts:

// After the login check at line 274, add:
if (id !== userData.user?.id && !userData.userPermissionLevel.isAdmin) {
    return yield* new DashboardAPIError({
        error: 'Unauthorized: cannot modify another user\'s notification preferences',
    });
}
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.4.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "studiocms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32104"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:49:41Z",
    "nvd_published_at": "2026-03-11T21:16:16Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `updateUserNotifications` endpoint accepts a user ID from the request payload and uses it to update that user\u0027s notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (`id !== userData.user.id`). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity.\n\n## Details\n\nThe vulnerable handler is in `packages/studiocms/frontend/pages/studiocms_api/_handlers/dashboard/users.ts:257-311`:\n\n```typescript\n.handle(\n    \u0027updateUserNotifications\u0027,\n    Effect.fn(function* ({ payload: { id, notifications } }) {\n        // ...demo mode checks...\n\n        const [sdk, userData] = yield* Effect.all([SDKCore, CurrentUser]);\n\n        // Line 274: Only checks login + visitor level \u2014 any authenticated user passes\n        if (!userData.isLoggedIn || !userData.userPermissionLevel.isVisitor) {\n            return yield* new DashboardAPIError({ error: \u0027Unauthorized\u0027 });\n        }\n\n        // Line 280: Uses \u0027id\u0027 from payload \u2014 NOT userData.user.id\n        const existingUser = yield* sdk.GET.users.byId(id);\n\n        // Line 288: Updates target user using attacker-controlled \u0027id\u0027\n        const updatedData = yield* sdk.AUTH.user.update({\n            userId: id,       // \u2190 attacker controls this\n            userData: {\n                id,            // \u2190 attacker controls this\n                name: existingUser.name,\n                username: existingUser.username,\n                updatedAt: new Date().toISOString(),\n                emailVerified: existingUser.emailVerified,\n                createdAt: undefined,\n                notifications,  // \u2190 attacker controls this\n            },\n        });\n    })\n)\n```\n\nFor comparison, the `updateUserProfile` handler in `dashboard/profile.ts` correctly uses `userData.user.id` instead of a user-supplied ID, preventing IDOR.\n\n## PoC\n\n```bash\n# 1. Log in as a visitor-role user, obtain session cookie\n\n# 2. Disable all notifications for the admin user\ncurl -X POST \u0027http://localhost:4321/studiocms_api/dashboard/update-user-notifications\u0027 \\\n  -H \u0027Cookie: studiocms-session=\u003cvisitor-session-token\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"id\": \"\u003cadmin-user-id\u003e\",\n    \"notifications\": \"\"\n  }\u0027\n\n# Expected: 403 Forbidden\n# Actual: 200 {\"message\":\"User notifications updated successfully\"}\n```\n\n## Impact\n\n- Any authenticated visitor can disable notification preferences for admin/owner accounts, suppressing alerts about new user creation, account changes, and user deletions\n- Enables attack chaining \u2014 suppress admin notifications first, then perform other malicious actions with reduced detection risk\n- Can modify any user\u0027s notification preferences (enable unwanted notifications or disable critical ones)\n\n## Recommended Fix\n\nAdd an ownership check in `packages/studiocms/frontend/pages/studiocms_api/_handlers/dashboard/users.ts`:\n\n```typescript\n// After the login check at line 274, add:\nif (id !== userData.user?.id \u0026\u0026 !userData.userPermissionLevel.isAdmin) {\n    return yield* new DashboardAPIError({\n        error: \u0027Unauthorized: cannot modify another user\\\u0027s notification preferences\u0027,\n    });\n}\n```",
  "id": "GHSA-9v82-xrm4-mp52",
  "modified": "2026-03-12T14:49:41Z",
  "published": "2026-03-12T14:49:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32104"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/withstudiocms/studiocms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User\u0027s Settings"
}

GHSA-9VQ7-9H42-J88H

Vulnerability from github – Published: 2026-04-14 12:31 – Updated: 2026-04-15 19:42
VLAI
Summary
MCPHub has an authentication bypass
Details

MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@samanhappy/mcphub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-13822"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-15T19:42:53Z",
    "nvd_published_at": "2026-04-14T11:16:24Z",
    "severity": "MODERATE"
  },
  "details": "MCPHub in versions below\u00a00.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.",
  "id": "GHSA-9vq7-9h42-j88h",
  "modified": "2026-04-15T19:42:53Z",
  "published": "2026-04-14T12:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13822"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2026/04/CVE-2025-13822"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/samanhappy/mcphub"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MCPHub has an authentication bypass"
}

GHSA-9VQH-HHJJ-X3J9

Vulnerability from github – Published: 2025-11-25 09:31 – Updated: 2026-04-08 18:33
VLAI
Details

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13389"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-25T08:15:51Z",
    "severity": "MODERATE"
  },
  "details": "The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.",
  "id": "GHSA-9vqh-hhjj-x3j9",
  "modified": "2026-04-08T18:33:59Z",
  "published": "2025-11-25T09:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13389"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L142"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L142"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3439999"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9149d2c6-b6c7-430d-8886-c8c5de483220?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9VXV-JFQW-372J

Vulnerability from github – Published: 2026-03-11 09:31 – Updated: 2026-03-11 09:31
VLAI
Details

The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the ha_condition_update AJAX action. This is due to the validate_reqeust() method using current_user_can('edit_posts', $template_id) instead of current_user_can('edit_post', $template_id) — failing to perform object-level authorization. Additionally, the ha_get_current_condition AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published ha_library template. Because the cond_to_html() renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of esc_attr()), an attacker can inject event handler attributes (e.g., onmouseover) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-11T08:16:03Z",
    "severity": "MODERATE"
  },
  "details": "The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can(\u0027edit_posts\u0027, $template_id)` instead of `current_user_can(\u0027edit_post\u0027, $template_id)` \u2014 failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.",
  "id": "GHSA-9vxv-jfqw-372j",
  "modified": "2026-03-11T09:31:54Z",
  "published": "2026-03-11T09:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2918"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L237"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.7/classes/condition-manager.php#L525"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L237"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/condition-manager.php#L525"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3475242%40happy-elementor-addons%2Ftrunk\u0026old=3463375%40happy-elementor-addons%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a3fe49b-cc0d-4b29-aae5-46307483b8d4?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.