Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3255 vulnerabilities reference this CWE, most recent first.

GHSA-PPGV-G9WW-9W9W

Vulnerability from github – Published: 2026-05-14 09:31 – Updated: 2026-05-14 09:31
VLAI
Details

The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T09:16:27Z",
    "severity": "MODERATE"
  },
  "details": "The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.",
  "id": "GHSA-ppgv-g9ww-9w9w",
  "modified": "2026-05-14T09:31:29Z",
  "published": "2026-05-14T09:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6206"
    },
    {
      "type": "WEB",
      "url": "https://github.com/web-soudan/mw-wp-form/commit/77aed98f56fdddc19bddf21c8f12faa5086d9202"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3516013/mw-wp-form"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f2c39f6-3d37-4765-99e8-023610856b61?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PPQC-P99X-6F72

Vulnerability from github – Published: 2025-07-21 21:31 – Updated: 2026-04-29 04:11
VLAI
Details

A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0 and classified as critical. This issue affects the function updateGoods of the file GoodsController.java. The manipulation leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7938"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-21T20:15:56Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in jerryshensjf JPACookieShop \u86cb\u7cd5\u5546\u57ceJPA\u7248 1.0 and classified as critical. This issue affects the function updateGoods of the file GoodsController.java. The manipulation leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-ppqc-p99x-6f72",
  "modified": "2026-04-29T04:11:32Z",
  "published": "2025-07-21T21:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7938"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Bemcliu/cve-reports/blob/main/cve-02-%E8%9B%8B%E7%B3%95%E5%95%86%E5%9F%8EJPA%E7%89%88-Privilege%20Escalation/readme.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.317075"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.317075"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.618985"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PPX8-VP24-FWPX

Vulnerability from github – Published: 2022-04-19 00:00 – Updated: 2022-04-28 00:00
VLAI
Details

An Insecure Direct Object Reference issue exists in the Tyler Odyssey platform before 17.1.20. This may allow an external party to access sensitive case records.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-18T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An Insecure Direct Object Reference issue exists in the Tyler Odyssey platform before 17.1.20. This may allow an external party to access sensitive case records.",
  "id": "GHSA-ppx8-vp24-fwpx",
  "modified": "2022-04-28T00:00:57Z",
  "published": "2022-04-19T00:00:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26665"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=30502117"
    },
    {
      "type": "WEB",
      "url": "https://www.calbar.ca.gov/About-Us/News/Data-Breach-Updates"
    },
    {
      "type": "WEB",
      "url": "https://www.judyrecords.com/info"
    },
    {
      "type": "WEB",
      "url": "https://www.judyrecords.com/what-happened-with-tyler-technologies"
    },
    {
      "type": "WEB",
      "url": "https://www.tylertech.com/dataharvest"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQF3-28PM-5446

Vulnerability from github – Published: 2026-01-02 03:30 – Updated: 2026-01-02 03:30
VLAI
Details

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-02T03:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
  "id": "GHSA-pqf3-28pm-5446",
  "modified": "2026-01-02T03:30:22Z",
  "published": "2026-01-02T03:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14998"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/branda-white-labeling/tags/3.4.24/inc/modules/login-screen/signup-password.php#L24"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3429115/branda-white-labeling#file1749"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae46be82-570f-4172-9c3f-746b894b84b9?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQVW-XCM9-69PH

Vulnerability from github – Published: 2022-11-21 12:30 – Updated: 2022-11-23 18:30
VLAI
Details

The function check_is_login_page() uses headers for the IP check, which can be easily spoofed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-21T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "The function check_is_login_page() uses headers for the IP check, which can be easily spoofed.",
  "id": "GHSA-pqvw-xcm9-69ph",
  "modified": "2022-11-23T18:30:28Z",
  "published": "2022-11-21T12:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1579"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/6f3d40fa-458b-44f0-9407-763e80b29668"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQX7-WMPC-GGM9

Vulnerability from github – Published: 2026-03-25 21:30 – Updated: 2026-03-25 21:30
VLAI
Details

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14974"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T21:16:24Z",
    "severity": "MODERATE"
  },
  "details": "IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR).",
  "id": "GHSA-pqx7-wmpc-ggm9",
  "modified": "2026-03-25T21:30:36Z",
  "published": "2026-03-25T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14974"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7266723"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PV42-3QX9-M56G

Vulnerability from github – Published: 2026-06-23 15:32 – Updated: 2026-06-24 00:30
VLAI
Details

OpenRemote Manager before 1.24.2 contains an insecure direct object reference vulnerability in the removeAlarms() method that allows authenticated users to delete alarms from other tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint fails to validate that targeted alarm IDs belong to the caller's realm, enabling cross-tenant permanent destruction of safety-critical and security alerts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-23T13:16:46Z",
    "severity": "HIGH"
  },
  "details": "OpenRemote Manager before 1.24.2 contains an insecure direct object reference vulnerability in the removeAlarms() method that allows authenticated users to delete alarms from other tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint fails to validate that targeted alarm IDs belong to the caller\u0027s realm, enabling cross-tenant permanent destruction of safety-critical and security alerts.",
  "id": "GHSA-pv42-3qx9-m56g",
  "modified": "2026-06-24T00:30:30Z",
  "published": "2026-06-23T15:32:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openremote/openremote/security/advisories/GHSA-h3m5-97jq-qjrf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56784"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openremote-cross-tenant-idor-in-bulk-alarm-deletion"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openremote-manager-cross-tenant-idor-in-bulk-alarm-deletion"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PVMQ-85F5-2WF6

Vulnerability from github – Published: 2025-05-07 03:30 – Updated: 2025-05-07 03:30
VLAI
Details

The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callback_generate_api_key() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create valid API keys on behalf of other users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3853"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-07T03:15:18Z",
    "severity": "MODERATE"
  },
  "details": "The WPshop 2 \u2013 E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callback_generate_api_key() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create valid API keys on behalf of other users.",
  "id": "GHSA-pvmq-85f5-2wf6",
  "modified": "2025-05-07T03:30:28Z",
  "published": "2025-05-07T03:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3853"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpshop/tags/2.6.0/modules/api/action/class-api-action.php#L160"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/136d63c4-c985-413f-8d8b-b57e11d1d230?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVQH-8QGJ-X6QM

Vulnerability from github – Published: 2024-04-18 12:30 – Updated: 2024-04-18 12:30
VLAI
Details

The EAN for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.9.2 via the the 'alg_wc_ean_product_meta' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to expose potentially sensitive post metadata.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-18T11:15:37Z",
    "severity": "MODERATE"
  },
  "details": "The EAN for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.9.2 via the the \u0027alg_wc_ean_product_meta\u0027 shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to expose potentially sensitive post metadata.",
  "id": "GHSA-pvqh-8qgj-x6qm",
  "modified": "2024-04-18T12:30:31Z",
  "published": "2024-04-18T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6897"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3070991/ean-for-woocommerce"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17b20df5-4adf-47ce-bddf-2ec0b9499de8?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PW86-QVX9-34R7

Vulnerability from github – Published: 2025-09-30 21:31 – Updated: 2025-12-17 00:00
VLAI
Summary
Liferay Portal Vulnerable to IDOR via audit events
Details

Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users to from one virtual instance to view the audit events from a different virtual instance via the _com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.portal.security.audit.web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.1"
            },
            {
              "fixed": "5.0.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.portal.security.audit.storage.service"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.4"
            },
            {
              "fixed": "6.0.41"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-01T15:56:54Z",
    "nvd_published_at": "2025-09-30T19:15:37Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users to from one virtual instance to view the audit events from a different virtual instance via the `_com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId` parameter.",
  "id": "GHSA-pw86-qvx9-34r7",
  "modified": "2025-12-17T00:00:18Z",
  "published": "2025-09-30T21:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43827"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/a14427e2338477001f86a9e65fdddb843c319818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/d85c2f24397dcb7d9e51e7bd292dd29268efb132"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/f99602a23ce1b3aa12b2625441cfaa17bfbd22b6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.atlassian.net/browse/LPE-17938"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43827"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Portal Vulnerable to IDOR via audit events"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.