Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3255 vulnerabilities reference this CWE, most recent first.

GHSA-PF8R-282H-75WR

Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-25 00:03
VLAI
Details

Certain HP DesignJet products may be vulnerable to unauthenticated HTTP requests which allow viewing and downloading of print job previews.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-14T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Certain HP DesignJet products may be vulnerable to unauthenticated HTTP requests which allow viewing and downloading of print job previews.",
  "id": "GHSA-pf8r-282h-75wr",
  "modified": "2022-01-25T00:03:16Z",
  "published": "2022-01-15T00:01:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3965"
    },
    {
      "type": "WEB",
      "url": "https://support.hp.com/us-en/document/ish_5268198-5268230-16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PFQ9-5P8F-GP4M

Vulnerability from github – Published: 2025-08-14 12:30 – Updated: 2026-04-01 18:35
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motors: from n/a through 1.4.80.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-14T11:15:50Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motors: from n/a through 1.4.80.",
  "id": "GHSA-pfq9-5p8f-gp4m",
  "modified": "2026-04-01T18:35:50Z",
  "published": "2025-08-14T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54691"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/motors-car-dealership-classified-listings/vulnerability/wordpress-motors-plugin-plugin-1-4-80-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFWQ-MR9G-GQ6M

Vulnerability from github – Published: 2025-10-13 21:31 – Updated: 2025-10-13 23:12
VLAI
Summary
Liferay is Vulnerable to Authorization Bypass Through User-Controlled Key
Details

Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in one virtual instance to assign an organization to a user in a different virtual instance via the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:com.liferay.portal.impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "99.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-13T23:12:07Z",
    "nvd_published_at": "2025-10-13T21:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in one virtual instance to assign an organization to a user in a different virtual instance via the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter.",
  "id": "GHSA-pfwq-mr9g-gq6m",
  "modified": "2025-10-13T23:12:07Z",
  "published": "2025-10-13T21:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62252"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/8c3fc088f82ffc981a21935e8b6dcf8f36e27152"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/e7b6074a320a8872ffe9423c3d1a64dada4f3238"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.atlassian.net/browse/LPE-17941"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62252"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay is Vulnerable to Authorization Bypass Through User-Controlled Key"
}

GHSA-PG6G-JF8C-49P7

Vulnerability from github – Published: 2026-07-10 15:31 – Updated: 2026-07-10 15:31
VLAI
Details

Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches attachments by sequential ID without verifying ownership, allowing attackers to download and delete all file attachments across all projects instance-wide.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-10T15:16:43Z",
    "severity": "CRITICAL"
  },
  "details": "Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches attachments by sequential ID without verifying ownership, allowing attackers to download and delete all file attachments across all projects instance-wide.",
  "id": "GHSA-pg6g-jf8c-49p7",
  "modified": "2026-07-10T15:31:40Z",
  "published": "2026-07-10T15:31:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2pv8-4c52-mf8j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56765"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/vikunja-unauthenticated-instance-wide-data-breach-via-link-share-hash-disclosure-chained-with-cross-project-attachment-idor"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PGFM-8CHM-HCV4

Vulnerability from github – Published: 2025-02-04 09:31 – Updated: 2025-02-04 09:31
VLAI
Details

The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.8 via the 'exportusereraserequest' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level permissions and above, to export ticket data for any user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13607"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-04T07:15:12Z",
    "severity": "MODERATE"
  },
  "details": "The JS Help Desk \u2013 The Ultimate Help Desk \u0026 Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.8 via the \u0027exportusereraserequest\u0027 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level permissions and above, to export ticket data for any user.",
  "id": "GHSA-pgfm-8chm-hcv4",
  "modified": "2025-02-04T09:31:07Z",
  "published": "2025-02-04T09:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13607"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/js-support-ticket/tags/2.8.8/modules/gdpr/controller.php#L110"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3230977"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f57fbbc-ed5a-4452-bd8a-6fc0a4536d76?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PGPF-M8M4-6CG6

Vulnerability from github – Published: 2026-03-12 14:07 – Updated: 2026-03-12 14:07
VLAI
Summary
Winter vulnerable to privilege escalation by authenticated backend users
Details

Impact

Affected versions of Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in.

To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access.

The Winter CMS maintainers strongly recommend that all Winter CMS sites that have any reliance on the roles & permissions system to update immediately. Security fixes have been backported to all major versions of Winter (1.0, 1.1, and 1.2).

Patches

Multiple fixes and defence in depth has been applied to prevent current and future privilege escalation attacks at the lowest level possible.

This security issue has been fixed as of https://wintercms.com/releases/v1.0.477, https://wintercms.com/releases/v1.1.12, https://wintercms.com/releases/v1.2.12.

Workarounds

If you cannot upgrade, you may apply the changes from the releases to your Winter CMS installation manually to resolve this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "winter/wn-backend-module"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.2.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "winter/wn-backend-module"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "winter/wn-backend-module"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.477"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27591"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:07:39Z",
    "nvd_published_at": "2026-03-11T22:16:32Z",
    "severity": "CRITICAL"
  },
  "details": "## Impact\nAffected versions of Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in.\n\nTo actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access.\n\nThe Winter CMS maintainers strongly recommend that all Winter CMS sites that have any reliance on the roles \u0026 permissions system to update immediately. Security fixes have been backported to all major versions of Winter (1.0, 1.1, and 1.2).\n\n## Patches\nMultiple fixes and defence in depth has been applied to prevent current and future privilege escalation attacks at the lowest level possible.\n\nThis security issue has been fixed as of https://wintercms.com/releases/v1.0.477, https://wintercms.com/releases/v1.1.12, https://wintercms.com/releases/v1.2.12.\n\n## Workarounds\nIf you cannot upgrade, you may apply the changes from the releases to your Winter CMS installation manually to resolve this issue.",
  "id": "GHSA-pgpf-m8m4-6cg6",
  "modified": "2026-03-12T14:07:39Z",
  "published": "2026-03-12T14:07:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wintercms/winter/security/advisories/GHSA-pgpf-m8m4-6cg6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27591"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wintercms/winter"
    },
    {
      "type": "WEB",
      "url": "https://wintercms.com/releases/v1.0.477"
    },
    {
      "type": "WEB",
      "url": "https://wintercms.com/releases/v1.1.12"
    },
    {
      "type": "WEB",
      "url": "https://wintercms.com/releases/v1.2.12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Winter vulnerable to privilege escalation by authenticated backend users"
}

GHSA-PGXQ-P76C-X9CG

Vulnerability from github – Published: 2026-05-29 22:19 – Updated: 2026-05-29 22:19
VLAI
Summary
formie's unauthenticated front-end submission editing can overwrite existing submissions
Details

Impact

Unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission.

Patches

2.2.21, 3.1.26

Workarounds

Block unauthenticated access to actions/formie/submissions/save-submission, or disable/customize front-end submission editing until patched.

Credit

formie extends many thanks to: - Florian (Cyber Security Engineer, arcade solutions ag) - Contact: security@arcade.ch

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "verbb/formie"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "verbb/formie"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47266"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T22:19:19Z",
    "nvd_published_at": "2026-05-29T20:16:28Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nUnauthenticated users could modify existing submissions by posting a known or guessed submission ID to `formie/submissions/save-submission`.\n\n### Patches\n[2.2.21](https://github.com/verbb/formie/releases/tag/2.2.21), [3.1.26](https://github.com/verbb/formie/releases/tag/3.1.26)\n\n### Workarounds\nBlock unauthenticated access to `actions/formie/submissions/save-submission`, or disable/customize front-end submission editing until patched.\n\n### Credit\nformie extends many thanks to:\n- Florian (Cyber Security Engineer, arcade solutions ag)\n- Contact: [security@arcade.ch](mailto:security@arcade.ch)",
  "id": "GHSA-pgxq-p76c-x9cg",
  "modified": "2026-05-29T22:19:19Z",
  "published": "2026-05-29T22:19:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/verbb/formie/security/advisories/GHSA-pgxq-p76c-x9cg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47266"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/verbb/formie"
    },
    {
      "type": "WEB",
      "url": "https://github.com/verbb/formie/releases/tag/2.2.21"
    },
    {
      "type": "WEB",
      "url": "https://github.com/verbb/formie/releases/tag/3.1.26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "formie\u0027s unauthenticated front-end submission editing can overwrite existing submissions"
}

GHSA-PJ5G-V5V3-3C22

Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-01-31 12:33
VLAI
Details

In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-821"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T18:15:09Z",
    "severity": "HIGH"
  },
  "details": "In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project\u0027s endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources.",
  "id": "GHSA-pj5g-v5v3-3c22",
  "modified": "2025-01-31T12:33:01Z",
  "published": "2024-05-21T18:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4154"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJ87-HX3M-256X

Vulnerability from github – Published: 2025-01-11 09:30 – Updated: 2025-01-11 09:30
VLAI
Details

The RRAddons for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.0 via the Popup block due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts that they should not have access to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11915"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-11T08:15:24Z",
    "severity": "MODERATE"
  },
  "details": "The RRAddons for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.0 via the Popup block due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts that they should not have access to.",
  "id": "GHSA-pj87-hx3m-256x",
  "modified": "2025-01-11T09:30:30Z",
  "published": "2025-01-11T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11915"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/rrdevs-for-elementor"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f7e300f-06b5-4f59-9deb-9771bf86a204?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJFR-44XR-RRW5

Vulnerability from github – Published: 2026-07-01 06:31 – Updated: 2026-07-01 06:31
VLAI
Details

The Kadence Blocks – Gutenberg Blocks for Page Builder Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.7.7. This is due to a mismatch between the object used for authorization and the object actually accessed in the Optimize_Rest_Controller's create_item(), get_item(), delete_item(), and bulk_delete_items() endpoints — authorization is checked via current_user_can('edit_post'/'delete_post', $post_id) against the user-supplied post_id, while the storage layer keys analysis records on sha256($post_path) from a separately supplied, attacker-controlled post_path parameter, with no enforcement that post_path corresponds to post_id. This makes it possible for authenticated attackers, with Contributor-level access and above, to read or delete optimizer analysis records belonging to posts owned by other users by submitting their own post_id (which passes the capability check) together with the victim post's path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-01T05:16:17Z",
    "severity": "MODERATE"
  },
  "details": "The Kadence Blocks \u2013 Gutenberg Blocks for Page Builder Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.7.7. This is due to a mismatch between the object used for authorization and the object actually accessed in the Optimize_Rest_Controller\u0027s create_item(), get_item(), delete_item(), and bulk_delete_items() endpoints \u2014 authorization is checked via current_user_can(\u0027edit_post\u0027/\u0027delete_post\u0027, $post_id) against the user-supplied post_id, while the storage layer keys analysis records on sha256($post_path) from a separately supplied, attacker-controlled post_path parameter, with no enforcement that post_path corresponds to post_id. This makes it possible for authenticated attackers, with Contributor-level access and above, to read or delete optimizer analysis records belonging to posts owned by other users by submitting their own post_id (which passes the capability check) together with the victim post\u0027s path.",
  "id": "GHSA-pjfr-44xr-rrw5",
  "modified": "2026-07-01T06:31:34Z",
  "published": "2026-07-01T06:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12904"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Path/Path.php#L60"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L153"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L197"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L232"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L339"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L383"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L420"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L458"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Store/Table_Store.php#L96"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Path/Path.php#L60"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L153"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L197"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L232"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L339"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L383"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L420"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L458"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Store/Table_Store.php#L96"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3590217%40kadence-blocks\u0026new=3590217%40kadence-blocks\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/24cdd50f-742c-457c-85f7-9cccaf366e87?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.