Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3255 vulnerabilities reference this CWE, most recent first.

GHSA-MFMF-M5JW-CFQH

Vulnerability from github – Published: 2023-06-28 03:31 – Updated: 2024-04-04 05:13
VLAI
Details

This issue was addressed with improved data protection. This issue is fixed in macOS Ventura 13. An app may be able to modify protected parts of the file system

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-28T02:15:49Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with improved data protection. This issue is fixed in macOS Ventura 13. An app may be able to modify protected parts of the file system",
  "id": "GHSA-mfmf-m5jw-cfqh",
  "modified": "2024-04-04T05:13:40Z",
  "published": "2023-06-28T03:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48505"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213488"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MFMP-8MQG-Q4WM

Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:46
VLAI
Summary
usememos/memos Improper Access Control vulnerability
Details

usememos/memos 0.9.0 and prior is vulnerable to Improper Access Control.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/usememos/memos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T19:58:20Z",
    "nvd_published_at": "2022-12-28T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "usememos/memos 0.9.0 and prior is vulnerable to Improper Access Control.",
  "id": "GHSA-mfmp-8mqg-q4wm",
  "modified": "2023-01-10T15:46:53Z",
  "published": "2022-12-28T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/usememos/memos"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/0fba72b9-db10-4d9f-a707-2acf2004a286"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "usememos/memos Improper Access Control vulnerability"
}

GHSA-MFP8-Q392-37MJ

Vulnerability from github – Published: 2025-04-16 00:31 – Updated: 2025-04-16 00:31
VLAI
Details

An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms").

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T22:15:27Z",
    "severity": "MODERATE"
  },
  "details": "An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., \"rooms\").",
  "id": "GHSA-mfp8-q392-37mj",
  "modified": "2025-04-16T00:31:38Z",
  "published": "2025-04-16T00:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31654"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MG36-6HJ2-XJ8Q

Vulnerability from github – Published: 2023-12-31 18:30 – Updated: 2026-04-28 21:33
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 6.9.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51503"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-31T18:15:51Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments \u2013 Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments \u2013 Fully Integrated Solution Built and Supported by Woo: from n/a through 6.9.2.",
  "id": "GHSA-mg36-6hj2-xj8q",
  "modified": "2026-04-28T21:33:41Z",
  "published": "2023-12-31T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51503"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/woocommerce-payments/wordpress-woopayments-plugin-6-6-2-unauthenticated-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MG5F-QX7F-GF9J

Vulnerability from github – Published: 2026-07-15 06:31 – Updated: 2026-07-15 12:32
VLAI
Details

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post (regardless of owner, post type, or status) into a published post they own and read its private post metadata, including secrets stored by other Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-15T06:16:43Z",
    "severity": "MODERATE"
  },
  "details": "The Kali Forms \u2014 Contact Form \u0026 Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post (regardless of owner, post type, or status) into a published post they own and read its private post metadata, including secrets stored by other Kali Forms \u2014 Contact Form \u0026 Drag-and-Drop Builder WordPress plugin before 2.4.17.",
  "id": "GHSA-mg5f-qx7f-gf9j",
  "modified": "2026-07-15T12:32:00Z",
  "published": "2026-07-15T06:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11580"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/d73500e1-a8bc-4d31-ad9b-d1f71212bcc7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MG8C-3XFC-654P

Vulnerability from github – Published: 2026-01-06 06:31 – Updated: 2026-01-06 06:31
VLAI
Details

The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-06T05:16:04Z",
    "severity": "CRITICAL"
  },
  "details": "The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
  "id": "GHSA-mg8c-3xfc-654p",
  "modified": "2026-01-06T06:31:28Z",
  "published": "2026-01-06T06:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15001"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/registration-password/tags/1.0.1/src/WP/Auth.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3431651/registration-password"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22351b90-fc34-44ce-9241-4a0f01eb7b1c?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MG8Q-6JQJ-3R4R

Vulnerability from github – Published: 2024-07-10 06:33 – Updated: 2026-04-08 18:33
VLAI
Details

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.8.9 via the 'pm_upload_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the profile picture of any user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6410"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-10T05:15:12Z",
    "severity": "MODERATE"
  },
  "details": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.8.9 via the \u0027pm_upload_image\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the profile picture of any user.",
  "id": "GHSA-mg8q-6jqj-3r4r",
  "modified": "2026-04-08T18:33:32Z",
  "published": "2024-07-10T06:33:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6410"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/js/profile-magic-admin-power.js#L361"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/js/profile-magic-admin-power.js#L390"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3111609/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/crop.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8679f4cd-2cb8-48ad-a531-a00c1b85ed2e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MGQX-9848-6J3Q

Vulnerability from github – Published: 2024-02-06 00:30 – Updated: 2026-04-08 18:32
VLAI
Details

The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-05T22:16:07Z",
    "severity": "LOW"
  },
  "details": "The Minimal Coming Soon \u2013 Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden.",
  "id": "GHSA-mgqx-9848-6j3q",
  "modified": "2026-04-08T18:32:34Z",
  "published": "2024-02-06T00:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1075"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php#L67"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3031149/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MGV9-4GVV-8W9C

Vulnerability from github – Published: 2024-07-09 12:30 – Updated: 2024-07-09 12:30
VLAI
Details

A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T11:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation.",
  "id": "GHSA-mgv9-4gvv-8w9c",
  "modified": "2024-07-09T12:30:56Z",
  "published": "2024-07-09T12:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3287"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alextselegidis/easyappointments"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MH75-3225-9WCJ

Vulnerability from github – Published: 2025-11-26 21:31 – Updated: 2025-11-28 15:30
VLAI
Details

An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-26T20:15:49Z",
    "severity": "MODERATE"
  },
  "details": "An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access.",
  "id": "GHSA-mh75-3225-9wcj",
  "modified": "2025-11-28T15:30:30Z",
  "published": "2025-11-26T21:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65670"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Rivek619/CVE-2025-65670"
    },
    {
      "type": "WEB",
      "url": "https://github.com/classroomio/classroomio"
    },
    {
      "type": "WEB",
      "url": "http://classroomio.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.