CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3214 vulnerabilities reference this CWE, most recent first.
GHSA-XC4H-36V7-XRRW
Vulnerability from github – Published: 2026-02-08 00:30 – Updated: 2026-02-11 00:30WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
{
"affected": [],
"aliases": [
"CVE-2026-25564"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-07T22:16:01Z",
"severity": "HIGH"
},
"details": "WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.",
"id": "GHSA-xc4h-36v7-xrrw",
"modified": "2026-02-11T00:30:14Z",
"published": "2026-02-08T00:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25564"
},
{
"type": "WEB",
"url": "https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac"
},
{
"type": "WEB",
"url": "https://wekan.fi"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XC7F-H2V5-WX39
Vulnerability from github – Published: 2026-05-28 09:31 – Updated: 2026-05-28 09:31The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators.
{
"affected": [],
"aliases": [
"CVE-2026-7651"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T08:16:37Z",
"severity": "MODERATE"
},
"details": "The User Registration \u0026 Membership \u2013 Free \u0026 Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration \u0026 Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators.",
"id": "GHSA-xc7f-h2v5-wx39",
"modified": "2026-05-28T09:31:19Z",
"published": "2026-05-28T09:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7651"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/frontend/class-ur-frontend.php#L114"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/frontend/class-ur-frontend.php#L86"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/functions-ur-core.php#L4262"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3539426/user-registration/tags/5.2.0/includes/frontend/class-ur-frontend.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0def7637-edf4-4ae2-a2e7-31ccb3b52d71?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XC8Q-RH3X-H9M3
Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-13 21:31The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the frm_strp_amount AJAX handler (update_intent_ajax) overwriting the global $_POST data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in generate_false_entry(). The handler relies on a nonce that is publicly exposed in the page's JavaScript (frm_stripe_vars.nonce), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services.
{
"affected": [],
"aliases": [
"CVE-2026-2888"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-13T19:54:34Z",
"severity": "MODERATE"
},
"details": "The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page\u0027s JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services.",
"id": "GHSA-xc8q-rh3x-h9m3",
"modified": "2026-03-13T21:31:47Z",
"published": "2026-03-13T21:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2888"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/controllers/FrmStrpLiteHooksController.php#L88"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/models/FrmStrpLiteAuth.php#L322"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/formidable/tags/6.28/stripe/models/FrmStrpLiteAuth.php#L402"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3480574%40formidable%2Ftrunk\u0026old=3460198%40formidable%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8be3b6e-a035-4e6f-ba2b-ce9e59ebf2e0?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XCH6-9RQG-692Q
Vulnerability from github – Published: 2025-04-13 12:30 – Updated: 2025-04-13 12:30A vulnerability was found in Tutorials-Website Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete-user.php. The manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-3536"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-13T12:15:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Tutorials-Website Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete-user.php. The manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-xch6-9rqg-692q",
"modified": "2025-04-13T12:30:31Z",
"published": "2025-04-13T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3536"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.304574"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.304574"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.545810"
},
{
"type": "WEB",
"url": "https://www.websecurityinsights.my.id/2025/03/tutorials-website-employee-management.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XCVC-5HGV-PHQG
Vulnerability from github – Published: 2024-10-09 21:31 – Updated: 2025-10-15 15:58An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/{id}/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without proper authorization.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-7041"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-09T22:10:34Z",
"nvd_published_at": "2024-10-09T20:15:09Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint `http://0.0.0.0:3000/api/v1/memories/{id}/update`, where the decentralization design is flawed, allowing attackers to edit other users\u0027 memories without proper authorization.",
"id": "GHSA-xcvc-5hgv-phqg",
"modified": "2025-10-15T15:58:58Z",
"published": "2024-10-09T21:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7041"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/blob/main/backend/apps/webui/routers/memories.py#L71"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/6855227f-1237-47b8-8d37-29aad7ddec3a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "open-webui Insecure Direct Object Reference (IDOR) vulnerability"
}
GHSA-XCVJ-JV6G-QQ33
Vulnerability from github – Published: 2023-08-31 06:30 – Updated: 2024-04-04 07:18The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_update_steps_ajax_handler, badgeos_update_award_steps_ajax_handler, badgeos_update_deduct_steps_ajax_handler, and badgeos_update_ranks_req_steps_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to overwrite arbitrary post titles.
{
"affected": [],
"aliases": [
"CVE-2023-2172"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-31T06:15:08Z",
"severity": "MODERATE"
},
"details": "The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_update_steps_ajax_handler, badgeos_update_award_steps_ajax_handler, badgeos_update_deduct_steps_ajax_handler, and badgeos_update_ranks_req_steps_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to overwrite arbitrary post titles.",
"id": "GHSA-xcvj-jv6g-qq33",
"modified": "2024-04-04T07:18:23Z",
"published": "2023-08-31T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2172"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/points/award-steps-ui.php#L397"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/points/deduct-steps-ui.php#L454"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/ranks/rank-steps-ui.php#L388"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/steps-ui.php#L396"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5dae8e82-e252-48d9-ae1f-62acfcd17e2b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XF3J-2PWF-M9RM
Vulnerability from github – Published: 2026-05-05 09:31 – Updated: 2026-05-05 09:31The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.
{
"affected": [],
"aliases": [
"CVE-2026-2729"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T07:15:59Z",
"severity": "MODERATE"
},
"details": "The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.",
"id": "GHSA-xf3j-2pwf-m9rm",
"modified": "2026-05-05T09:31:54Z",
"published": "2026-05-05T09:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2729"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3500669/forminator"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1afb94ab-b3ba-4598-8ff4-f9ffc6717371?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XF68-8HJW-7MPM
Vulnerability from github – Published: 2026-02-26 22:13 – Updated: 2026-04-15 20:42Summary
RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their get_queryset() calls .all() instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure.
Details
wger/manager/api/views.py:499 and :518:
# VULNERABLE
class RepetitionsConfigViewSet(viewsets.ModelViewSet):
def get_queryset(self):
return RepetitionsConfig.objects.all()
class MaxRepetitionsConfigViewSet(viewsets.ModelViewSet):
def get_queryset(self):
return MaxRepetitionsConfig.objects.all()
Every sibling viewset in the same file correctly filters by user. For example, WeightConfigViewSet at line 459:
# CORRECT — how it should work
def get_queryset(self):
return WeightConfig.objects.filter(
slot_entry__slot__day__routine__user=self.request.user
)
The same user filter is present on SetsConfig, RestConfig, RiRConfig, and their Max variants — only RepetitionsConfig and MaxRepetitionsConfig are missing it.
PoC
import requests
BASE = "http://localhost"
headers = {"Authorization": "Token YOUR_TOKEN"} # any registered user
r = requests.get(f"{BASE}/api/v2/repetitions-config/", headers=headers)
print(r.json()) # returns ALL users' repetition configs, not just your own
r = requests.get(f"{BASE}/api/v2/max-repetitions-config/", headers=headers)
print(r.json()) # same — all users' max repetition configs
Registration is open by default. Sequential IDs allow full enumeration.
Impact
Any authenticated user can read other users' repetition and max-repetitions configs, exposing workout structure (slot entry IDs, iteration values, operations, step counts, repeat flags, requirements JSON). This is a broken object-level authorization (BOLA/IDOR) vulnerability — the same class of issue as OWASP API1.
Fix: Add the same user filter used by every other config viewset:
def get_queryset(self):
return RepetitionsConfig.objects.filter(
slot_entry__slot__day__routine__user=self.request.user
)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "wger"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27835"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-26T22:13:13Z",
"nvd_published_at": "2026-02-26T22:20:49Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n`RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users\u0027 repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user\u0027s workout structure.\n\n### Details\n\n`wger/manager/api/views.py:499` and `:518`:\n\n```python\n# VULNERABLE\nclass RepetitionsConfigViewSet(viewsets.ModelViewSet):\n def get_queryset(self):\n return RepetitionsConfig.objects.all()\n\nclass MaxRepetitionsConfigViewSet(viewsets.ModelViewSet):\n def get_queryset(self):\n return MaxRepetitionsConfig.objects.all()\n```\n\nEvery sibling viewset in the same file correctly filters by user. For example, `WeightConfigViewSet` at line 459:\n\n```python\n# CORRECT \u2014 how it should work\ndef get_queryset(self):\n return WeightConfig.objects.filter(\n slot_entry__slot__day__routine__user=self.request.user\n )\n```\n\nThe same user filter is present on `SetsConfig`, `RestConfig`, `RiRConfig`, and their Max variants \u2014 only `RepetitionsConfig` and `MaxRepetitionsConfig` are missing it.\n\n### PoC\n\n```python\nimport requests\n\nBASE = \"http://localhost\"\nheaders = {\"Authorization\": \"Token YOUR_TOKEN\"} # any registered user\n\nr = requests.get(f\"{BASE}/api/v2/repetitions-config/\", headers=headers)\nprint(r.json()) # returns ALL users\u0027 repetition configs, not just your own\n\nr = requests.get(f\"{BASE}/api/v2/max-repetitions-config/\", headers=headers)\nprint(r.json()) # same \u2014 all users\u0027 max repetition configs\n```\n\nRegistration is open by default. Sequential IDs allow full enumeration.\n\n### Impact\n\nAny authenticated user can read other users\u0027 repetition and max-repetitions configs, exposing workout structure (slot entry IDs, iteration values, operations, step counts, repeat flags, requirements JSON). This is a broken object-level authorization (BOLA/IDOR) vulnerability \u2014 the same class of issue as OWASP API1.\n\n**Fix**: Add the same user filter used by every other config viewset:\n```python\ndef get_queryset(self):\n return RepetitionsConfig.objects.filter(\n slot_entry__slot__day__routine__user=self.request.user\n )\n```",
"id": "GHSA-xf68-8hjw-7mpm",
"modified": "2026-04-15T20:42:17Z",
"published": "2026-02-26T22:13:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/wger-project/wger/security/advisories/GHSA-xf68-8hjw-7mpm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27835"
},
{
"type": "WEB",
"url": "https://github.com/wger-project/wger/commit/1fda5690b35706bb137850c8a084ec6a13317b64"
},
{
"type": "PACKAGE",
"url": "https://github.com/wger-project/wger"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users\u0027 workout data"
}
GHSA-XF7G-G8QV-QGGF
Vulnerability from github – Published: 2025-02-28 09:30 – Updated: 2026-04-08 18:33The Ultra Addons Lite for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.8 via the 'ut_elementor' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
{
"affected": [],
"aliases": [
"CVE-2024-13832"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-28T09:15:10Z",
"severity": "MODERATE"
},
"details": "The Ultra Addons Lite for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.8 via the \u0027ut_elementor\u0027 shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.",
"id": "GHSA-xf7g-g8qv-qggf",
"modified": "2026-04-08T18:33:50Z",
"published": "2025-02-28T09:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13832"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ut-elementor-addons-lite/trunk/includes/queries.php#L506"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3258158/ut-elementor-addons-lite/trunk/includes/queries.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/476883a8-c258-477b-99d3-f35423d7a312?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XFP3-MM6F-4FW4
Vulnerability from github – Published: 2024-07-17 18:31 – Updated: 2024-11-07 18:31NATO NCI ANET 3.4.1 mishandles report ownership. A user can create a report and, despite the restrictions imposed by the UI, change the author of that report to an arbitrary user (without their consent or knowledge) via a modified UUID in a POST request.
{
"affected": [],
"aliases": [
"CVE-2024-38446"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-17T17:15:15Z",
"severity": "MODERATE"
},
"details": "NATO NCI ANET 3.4.1 mishandles report ownership. A user can create a report and, despite the restrictions imposed by the UI, change the author of that report to an arbitrary user (without their consent or knowledge) via a modified UUID in a POST request.",
"id": "GHSA-xfp3-mm6f-4fw4",
"modified": "2024-11-07T18:31:21Z",
"published": "2024-07-17T18:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38446"
},
{
"type": "WEB",
"url": "https://www.linkedin.com/pulse/idors-ncia-anet-v341-visionspace-technologies-hepxe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.