Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3235 vulnerabilities reference this CWE, most recent first.

GHSA-VFF3-PQQ8-4CPQ

Vulnerability from github – Published: 2026-03-10 18:24 – Updated: 2026-03-11 20:57
VLAI
Summary
Craft Commerce: Potential IDOR in Commerce carts
Details

An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII.

Vulnerability Details

Root Cause

The CartController accepts a user-supplied number parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it.

// CartController.php:374-389 - actionLoadCart()
public function actionLoadCart(): ?Response
{
    $number = $this->request->getParam('number');

    if ($number === null) {
        return $this->asFailure(Craft::t('commerce', 'A cart number must be specified.'));
    }

    // No ownership check - returns any cart to any requester
    $cart = Order::find()->number($number)->isCompleted(false)->one();

    // Cart is loaded into attacker's session without authorization
    ...
}
// CartController.php:606-616 - _getCart()
$orderNumber = $this->request->getBodyParam('number');
if ($orderNumber) {
    // Same issue - no ownership validation
    $cart = Order::find()->number($orderNumber)->isCompleted(false)->one();
    // Returns cart to any requester who knows the number
}

Attack Scenario

Prerequisites

  • Target Craft Commerce installation with active shopping carts
  • Knowledge of a victim’s cart number (32-character hex string)

Cart Number Acquisition Vectors

  1. Referrer Header Leakage: Cart URLs shared externally expose the number
  2. Browser History: Accessible on shared/compromised devices
  3. Proxy/WAF Logs: Cart numbers logged in URL parameters
  4. Social Engineering: Support tickets, screenshots containing cart URLs
  5. Brute Force: While impractical for random targeting, feasible for targeted attacks against recently-created carts

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T18:24:49Z",
    "nvd_published_at": "2026-03-11T18:16:25Z",
    "severity": "MODERATE"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerce\u2019s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII.\n\n## Vulnerability Details\n\n### Root Cause\n\nThe `CartController` accepts a user-supplied `number` parameter to load and modify shopping carts. No ownership validation is performed - the code only checks if the order exists and is incomplete, not whether the requester has authorization to access it.\n\n```php\n// CartController.php:374-389 - actionLoadCart()\npublic function actionLoadCart(): ?Response\n{\n    $number = $this-\u003erequest-\u003egetParam(\u0027number\u0027);\n\n    if ($number === null) {\n        return $this-\u003easFailure(Craft::t(\u0027commerce\u0027, \u0027A cart number must be specified.\u0027));\n    }\n\n    // No ownership check - returns any cart to any requester\n    $cart = Order::find()-\u003enumber($number)-\u003eisCompleted(false)-\u003eone();\n\n    // Cart is loaded into attacker\u0027s session without authorization\n    ...\n}\n```\n\n```php\n// CartController.php:606-616 - _getCart()\n$orderNumber = $this-\u003erequest-\u003egetBodyParam(\u0027number\u0027);\nif ($orderNumber) {\n    // Same issue - no ownership validation\n    $cart = Order::find()-\u003enumber($orderNumber)-\u003eisCompleted(false)-\u003eone();\n    // Returns cart to any requester who knows the number\n}\n```\n---\n\n## Attack Scenario\n\n### Prerequisites\n- Target Craft Commerce installation with active shopping carts\n- Knowledge of a victim\u2019s cart number (32-character hex string)\n\n### Cart Number Acquisition Vectors\n\n1. **Referrer Header Leakage**: Cart URLs shared externally expose the number\n2. **Browser History**: Accessible on shared/compromised devices\n3. **Proxy/WAF Logs**: Cart numbers logged in URL parameters\n4. **Social Engineering**: Support tickets, screenshots containing cart URLs\n5. **Brute Force**: While impractical for random targeting, feasible for targeted attacks against recently-created carts\n\n---",
  "id": "GHSA-vff3-pqq8-4cpq",
  "modified": "2026-03-11T20:57:29Z",
  "published": "2026-03-10T18:24:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-vff3-pqq8-4cpq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31867"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/pull/4207"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/commerce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft Commerce: Potential IDOR in Commerce carts"
}

GHSA-VFH4-9WWJ-77FX

Vulnerability from github – Published: 2025-09-10 09:30 – Updated: 2025-09-10 09:30
VLAI
Details

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the 'MJ_gmgt_gmgt_add_user' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the email, password, and other details of any user, including Administrator users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-10T07:15:45Z",
    "severity": "HIGH"
  },
  "details": "The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the \u0027MJ_gmgt_gmgt_add_user\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the email, password, and other details of any user, including Administrator users.",
  "id": "GHSA-vfh4-9wwj-77fx",
  "modified": "2025-09-10T09:30:58Z",
  "published": "2025-09-10T09:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7049"
    },
    {
      "type": "WEB",
      "url": "https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17951f68-8481-477b-a940-cce637f6ec54?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VG32-RQH8-J8PM

Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-25 21:31
VLAI
Details

NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user's follows, replies, and social activity without authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T19:16:44Z",
    "severity": "MODERATE"
  },
  "details": "NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user\u0027s follows, replies, and social activity without authorization.",
  "id": "GHSA-vg32-rqh8-j8pm",
  "modified": "2026-06-25T21:31:30Z",
  "published": "2026-06-25T21:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56772"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samuelclay/NewsBlur/commit/613c60b67cc46b3f4cae1dc2dfd8d717a39bc483"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samuelclay/NewsBlur/releases/tag/Android_14.5.0"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/newsblur-insecure-direct-object-reference-in-social-interactions-endpoint"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VGF3-FPXC-H968

Vulnerability from github – Published: 2026-06-11 15:31 – Updated: 2026-06-11 15:31
VLAI
Details

openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-11T14:16:32Z",
    "severity": "HIGH"
  },
  "details": "openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.",
  "id": "GHSA-vgf3-fpxc-h968",
  "modified": "2026-06-11T15:31:34Z",
  "published": "2026-06-11T15:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8406"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OS4ED/openSIS-Classic/commit/c45d43146167324bae06bdf09de3e4bd2e5e478f"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/es/advisories/melanie"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OS4ED/openSIS-Classic"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VH24-W6W7-Q6MW

Vulnerability from github – Published: 2026-07-07 09:37 – Updated: 2026-07-07 09:37
VLAI
Details

Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers.

This issue affects Ontime: through 04052026.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-07T08:16:25Z",
    "severity": "HIGH"
  },
  "details": "Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers.\n\nThis issue affects Ontime: through 04052026.",
  "id": "GHSA-vh24-w6w7-q6mw",
  "modified": "2026-07-07T09:37:54Z",
  "published": "2026-07-07T09:37:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5799"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0503"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VH45-GFXF-VR42

Vulnerability from github – Published: 2026-02-24 09:31 – Updated: 2026-02-24 09:31
VLAI
Details

An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account.

This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-704"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-24T08:16:28Z",
    "severity": "CRITICAL"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account.\n\nThis issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.",
  "id": "GHSA-vh45-gfxf-vr42",
  "modified": "2026-02-24T09:31:21Z",
  "published": "2026-02-24T09:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40541"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40541"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHFH-VMQ7-84JF

Vulnerability from github – Published: 2024-11-22 09:33 – Updated: 2026-04-08 21:32
VLAI
Details

The Easy Twitter Feed – Twitter feeds plugin for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.6 via the [etf] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-22T06:15:18Z",
    "severity": "MODERATE"
  },
  "details": "The Easy Twitter Feed \u2013 Twitter feeds plugin for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.6 via the [etf] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.",
  "id": "GHSA-vhfh-vmq7-84jf",
  "modified": "2026-04-08T21:32:56Z",
  "published": "2024-11-22T09:33:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10666"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3206719%40easy-twitter-feeds\u0026new=3206719%40easy-twitter-feeds\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/easy-twitter-feeds"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9cd3168-3261-4e36-8fbe-2058cd821937?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ33-3XG6-G6WW

Vulnerability from github – Published: 2026-07-02 12:31 – Updated: 2026-07-02 12:31
VLAI
Details

Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-02T12:17:38Z",
    "severity": "MODERATE"
  },
  "details": "Unauthenticated Insecure Direct Object References (IDOR) in Kirki \u003c= 6.0.11 versions.",
  "id": "GHSA-vj33-3xg6-g6ww",
  "modified": "2026-07-02T12:31:01Z",
  "published": "2026-07-02T12:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57680"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/kirki/vulnerability/wordpress-kirki-plugin-6-0-11-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ6P-V8M8-9CJQ

Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2023-09-27 15:30
VLAI
Details

Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-44206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T15:19:39Z",
    "severity": "HIGH"
  },
  "details": "Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.",
  "id": "GHSA-vj6p-v8m8-9cjq",
  "modified": "2023-09-27T15:30:39Z",
  "published": "2023-09-27T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44206"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-5839"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJF2-9278-JMJ7

Vulnerability from github – Published: 2025-11-12 09:30 – Updated: 2025-11-12 09:30
VLAI
Details

The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12903"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T09:15:40Z",
    "severity": "HIGH"
  },
  "details": "The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions.",
  "id": "GHSA-vjf2-9278-jmj7",
  "modified": "2025-11-12T09:30:27Z",
  "published": "2025-11-12T09:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12903"
    },
    {
      "type": "WEB",
      "url": "https://developer.wordpress.org/rest-api/using-the-rest-api/authentication"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L23"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L35"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woo-payment-gateway/tags/3.2.78/includes/api/class-wc-braintree-controller-3ds.php#L41"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3392259%40woo-payment-gateway\u0026new=3392259%40woo-payment-gateway\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89cd5429-39a0-441f-ba69-dea111eae5ed?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.