CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
CVE-2026-13450 (GCVE-0-2026-13450)
Vulnerability from cvelistv5 – Published: 2026-07-09 07:55 – Updated: 2026-07-09 14:02- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| rubengc | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress |
Affected:
0 , ≤ 7.9.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13450",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T14:00:37.351405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:02:29.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GamiPress \u2013 Gamification plugin to reward points, achievements, badges \u0026 ranks in WordPress",
"vendor": "rubengc",
"versions": [
{
"lessThanOrEqual": "7.9.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Niv Kochan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The GamiPress \u2013 Gamification plugin to reward points, achievements, badges \u0026 ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the \u0027access\u0027 parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view private GamiPress activity log entries belonging to any user, including badge earnings, points balance changes, and event records from integrated plugins such as WooCommerce, LearnDash, and BuddyPress. This is exploitable by any unauthenticated visitor because the required \u0027gamipress\u0027 nonce is broadcast to all front-end users via wp_localize_script on the wp_enqueue_scripts hook, making the sole authentication barrier trivially bypassable."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T07:55:12.923Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3006261b-a09e-4cff-b49f-49e992c6fe0b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gamipress/tags/7.9.3/includes/ajax-functions.php#L51"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gamipress/tags/7.9.3/includes/ajax-functions.php#L48"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gamipress/tags/7.9.3/includes/shortcodes/gamipress_logs.php#L272"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gamipress/tags/7.9.3/includes/shortcodes/gamipress_logs.php#L329"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gamipress/tags/7.9.3/includes/ajax-functions.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gamipress/tags/7.9.3/includes/scripts.php#L51"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gamipress/tags/7.8.6/includes/ajax-functions.php#L51"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gamipress/tags/7.8.6/includes/ajax-functions.php#L48"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gamipress/tags/7.8.6/includes/shortcodes/gamipress_logs.php#L272"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gamipress/tags/7.8.6/includes/shortcodes/gamipress_logs.php#L329"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gamipress/tags/7.8.6/includes/ajax-functions.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gamipress/tags/7.8.6/includes/scripts.php#L51"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3593749%40gamipress\u0026new=3593749%40gamipress"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-08T19:22:27.000Z",
"value": "Disclosed"
}
],
"title": "GamiPress \u003c= 7.9.4 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via \u0027access\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-13450",
"datePublished": "2026-07-09T07:55:12.923Z",
"dateReserved": "2026-06-26T17:47:07.730Z",
"dateUpdated": "2026-07-09T14:02:29.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13445 (GCVE-0-2026-13445)
Vulnerability from cvelistv5 – Published: 2026-07-17 20:44 – Updated: 2026-07-17 20:44- CWE-639 - Authorization Bypass Through User-Controlled Key
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7279990 | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Langflow OSS |
Affected:
1.0.0 , ≤ 1.10.1
(semver)
cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:langflow_oss:1.10.1:*:*:*:*:*:*:* |
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:langflow_oss:1.10.1:*:*:*:*:*:*:*"
],
"product": "Langflow OSS",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.10.1",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Langflow OSS 1.0.0 through 1.10.1 can allow an authenticated attacker to exploit the SaveToFile component to read and modify another user\u0027s uploaded files by specifying absolute paths pointing to victim storage locations. In append mode, the attacker\u0027s workflow reads victim file contents, appends attacker-controlled data, and uploads a copy containing victim data to the attacker\u0027s namespace (confidentiality breach). In overwrite mode, the attacker can replace victim file contents with arbitrary data (integrity breach). This breaks the storage ownership boundary between users.\u003c/p\u003e"
}
],
"value": "IBM Langflow OSS 1.0.0 through 1.10.1 can allow an authenticated attacker to exploit the SaveToFile component to read and modify another user\u0027s uploaded files by specifying absolute paths pointing to victim storage locations. In append mode, the attacker\u0027s workflow reads victim file contents, appends attacker-controlled data, and uploads a copy containing victim data to the attacker\u0027s namespace (confidentiality breach). In overwrite mode, the attacker can replace victim file contents with arbitrary data (integrity breach). This breaks the storage ownership boundary between users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T20:44:38.924Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7279990"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading \u003ca href=\"https://pypi.org/project/langflow/\" rel=\"nofollow\"\u003eLangflow OSS to version 1.10.2\u003c/a\u003e\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.2 https://pypi.org/project/langflow/"
}
],
"title": "Langflow is affected by remote code execution, denial of service, path traversal, and exposed credentials due to multiple unauthenticated and insufficiently authorized API endpoints",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2026-13445",
"datePublished": "2026-07-17T20:44:38.924Z",
"dateReserved": "2026-06-26T16:40:55.714Z",
"dateUpdated": "2026-07-17T20:44:38.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13350 (GCVE-0-2026-13350)
Vulnerability from cvelistv5 – Published: 2026-06-25 16:05 – Updated: 2026-06-25 18:15- CWE-639 - Authorization bypass through User-Controlled key
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T18:15:06.143068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T18:15:25.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Venueless",
"vendor": "pretix",
"versions": [
{
"lessThan": "0a35457f",
"status": "affected",
"version": "0.0.0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rokkam Vamshi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn\u0027t be allowed to create."
}
],
"value": "Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn\u0027t be allowed to create."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T16:05:11.500Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"url": "https://github.com/venueless/venueless/security/advisories/GHSA-hj6j-wpgc-qrp5"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13350",
"datePublished": "2026-06-25T16:05:11.500Z",
"dateReserved": "2026-06-25T16:01:43.504Z",
"dateUpdated": "2026-06-25T18:15:25.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13116 (GCVE-0-2026-13116)
Vulnerability from cvelistv5 – Published: 2026-07-11 03:44 – Updated: 2026-07-13 14:25- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| wpovernight | PDF Invoices & Packing Slips for WooCommerce |
Affected:
0 , ≤ 5.14.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13116",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T14:25:41.219012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T14:25:51.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PDF Invoices \u0026 Packing Slips for WooCommerce",
"vendor": "wpovernight",
"versions": [
{
"lessThanOrEqual": "5.14.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PDF Invoices \u0026 Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to mint publicly accessible, session-free download links for arbitrary third-party orders, exposing customer names, billing and shipping addresses, email addresses, phone numbers, order and invoice numbers, line items, totals, payment details, and customer notes contained in those orders\u0027 invoices and packing slips. Exploitation requires the plugin\u0027s Document link access type setting to be configured to \u0027full\u0027; with the default \u0027logged_in\u0027 value, generated URLs are signed with a per-session nonce rather than the order_key, making the shortcode path unexploitable for unauthorized access to third-party orders."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-11T03:44:22.778Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6525195e-5d90-4dd4-b9ee-612a8295c262?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.14.0/includes/Frontend.php#L284"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.14.0/includes/Frontend.php#L271"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.14.0/includes/Endpoint.php#L111"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.9.2/includes/Frontend.php#L284"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.9.2/includes/Frontend.php#L271"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.9.2/includes/Endpoint.php#L111"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3590578%40woocommerce-pdf-invoices-packing-slips\u0026new=3590578%40woocommerce-pdf-invoices-packing-slips"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-26T07:39:38.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-10T14:36:35.000Z",
"value": "Disclosed"
}
],
"title": "PDF Invoices \u0026 Packing Slips for WooCommerce \u003c= 5.14.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via \u0027order_id\u0027 Shortcode Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-13116",
"datePublished": "2026-07-11T03:44:22.778Z",
"dateReserved": "2026-06-23T20:49:36.674Z",
"dateUpdated": "2026-07-13T14:25:51.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12904 (GCVE-0-2026-12904)
Vulnerability from cvelistv5 – Published: 2026-07-01 03:43 – Updated: 2026-07-01 10:42- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| stellarwp | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor |
Affected:
0 , ≤ 3.7.7
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12904",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T10:32:05.309457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T10:42:11.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor",
"vendor": "stellarwp",
"versions": [
{
"lessThanOrEqual": "3.7.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "se1en"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Kadence Blocks \u2013 Gutenberg Blocks for Page Builder Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.7.7. This is due to a mismatch between the object used for authorization and the object actually accessed in the Optimize_Rest_Controller\u0027s create_item(), get_item(), delete_item(), and bulk_delete_items() endpoints \u2014 authorization is checked via current_user_can(\u0027edit_post\u0027/\u0027delete_post\u0027, $post_id) against the user-supplied post_id, while the storage layer keys analysis records on sha256($post_path) from a separately supplied, attacker-controlled post_path parameter, with no enforcement that post_path corresponds to post_id. This makes it possible for authenticated attackers, with Contributor-level access and above, to read or delete optimizer analysis records belonging to posts owned by other users by submitting their own post_id (which passes the capability check) together with the victim post\u0027s path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T03:43:34.639Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/24cdd50f-742c-457c-85f7-9cccaf366e87?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L232"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L458"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L197"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L420"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L153"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L383"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L339"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Store/Table_Store.php#L96"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Path/Path.php#L60"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L232"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L458"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L197"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L420"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L153"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L383"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L339"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Store/Table_Store.php#L96"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Path/Path.php#L60"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3590217%40kadence-blocks\u0026new=3590217%40kadence-blocks\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-22T14:49:11.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-30T14:57:59.000Z",
"value": "Disclosed"
}
],
"title": "Kadence Blocks \u003c= 3.7.7 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Optimizer Data Deletion/Read/Modification via \u0027post_path\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12904",
"datePublished": "2026-07-01T03:43:34.639Z",
"dateReserved": "2026-06-22T14:33:57.344Z",
"dateUpdated": "2026-07-01T10:42:11.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12693 (GCVE-0-2026-12693)
Vulnerability from cvelistv5 – Published: 2026-07-17 16:50 – Updated: 2026-07-17 17:55- CWE-639 - Authorization bypass through User-Controlled key
| URL | Tags |
|---|---|
| https://siberguvenlik.gov.tr/guvenlik-bildirimler… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| Vimesoft Inc. | Enterprise Video Platform |
Affected:
3.11.0.0 , < 3.25.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12693",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T17:55:19.466388Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T17:55:25.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Enterprise Video Platform",
"vendor": "Vimesoft Inc.",
"versions": [
{
"lessThan": "3.25.0",
"status": "affected",
"version": "3.11.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Musa ATALAY"
}
],
"datePublic": "2026-07-17T16:47:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authorization bypass through User-Controlled key vulnerability in Vimesoft Inc. Enterprise Video Platform allows Accessing Functionality Not Properly Constrained by ACLs.\u003cp\u003eThis issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0.\u003c/p\u003e"
}
],
"value": "Authorization bypass through User-Controlled key vulnerability in Vimesoft Inc. Enterprise Video Platform allows Accessing Functionality Not Properly Constrained by ACLs.\n\nThis issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T16:50:54.125Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0574"
}
],
"source": {
"advisory": "TR-26-0574",
"defect": [
"TR-26-0574"
],
"discovery": "UNKNOWN"
},
"title": "IDOR in Vimesoft\u0027s Enterprise Video Platform",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2026-12693",
"datePublished": "2026-07-17T16:50:54.125Z",
"dateReserved": "2026-06-19T09:01:27.281Z",
"dateUpdated": "2026-07-17T17:55:25.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12686 (GCVE-0-2026-12686)
Vulnerability from cvelistv5 – Published: 2026-07-06 08:48 – Updated: 2026-07-06 12:50- CWE-639 - Authorization bypass through User-Controlled key
| URL | Tags |
|---|---|
| https://www.incibe.es/en/incibe-cert/notices/avis… | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12686",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T12:50:50.832426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T12:50:57.194Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Biloop",
"vendor": "Adiss",
"versions": [
{
"status": "affected",
"version": "6.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jean-Michel Junod"
}
],
"datePublic": "2026-07-06T08:46:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user\u2019s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data."
}
],
"value": "An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user\u2019s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T08:48:54.613Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-authorisation-adisss-biloop"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability has now been fixed, so we recommend updating to the latest available version."
}
],
"value": "The vulnerability has now been fixed, so we recommend updating to the latest available version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Incorrect authorisation in Adiss\u2019s Biloop",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2026-12686",
"datePublished": "2026-07-06T08:48:54.613Z",
"dateReserved": "2026-06-19T08:38:05.732Z",
"dateUpdated": "2026-07-06T12:50:57.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12657 (GCVE-0-2026-12657)
Vulnerability from cvelistv5 – Published: 2026-07-02 08:33 – Updated: 2026-07-02 12:37- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| latepoint | LatePoint – Calendar Booking Plugin for Appointments and Events |
Affected:
0 , ≤ 5.6.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T12:37:41.638345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:37:48.368Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
"vendor": "latepoint",
"versions": [
{
"lessThanOrEqual": "5.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "gidget smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the \u0027service_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T08:33:04.988Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09588c2a-1631-4924-8277-d47f096493c5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1202"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L341"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L244"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1710"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1618"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1202"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L341"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L244"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1710"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1618"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3584059%40latepoint\u0026new=3584059%40latepoint\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-18T19:04:30.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-01T20:02:14.000Z",
"value": "Disclosed"
}
],
"title": "LatePoint \u003c= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation via \u0027service_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12657",
"datePublished": "2026-07-02T08:33:04.988Z",
"dateReserved": "2026-06-18T18:49:07.840Z",
"dateUpdated": "2026-07-02T12:37:48.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12433 (GCVE-0-2026-12433)
Vulnerability from cvelistv5 – Published: 2026-07-09 08:31 – Updated: 2026-07-09 14:37- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| themefic | Hydra Booking — Appointment Scheduling & Booking Calendar |
Affected:
0 , ≤ 1.2.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T14:37:03.212048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:37:17.193Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hydra Booking \u2014 Appointment Scheduling \u0026 Booking Calendar",
"vendor": "themefic",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Quang"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Hydra Booking \u2013 Appointment Scheduling \u0026 Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint. This is due to the getBookingDetails() callback only enforcing the tfhb_manage_options capability via tfhb_manage_options_permission(), without verifying that the requested booking belongs to the currently authenticated host (the lookup in getBookingDetailsData() filters solely on the booking id supplied in the URL). This makes it possible for authenticated attackers, with Hydra Host-level access and above (a role created by the plugin which grants tfhb_manage_options), to view sensitive booking records belonging to other hosts, including attendee names, emails, phone numbers, addresses, meeting details, payment method and status, transaction history, and internal notes by iterating booking IDs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T08:31:35.571Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa00fe53-dc65-4200-80bb-9167b4230194?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/admin/Controller/BookingController.php#L1418"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/admin/Controller/BookingController.php#L100"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/admin/Controller/RouteController.php#L55"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/includes/hooks/ActivationHooks.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/admin/Controller/BookingController.php#L1418"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/admin/Controller/BookingController.php#L100"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/admin/Controller/RouteController.php#L55"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/includes/hooks/ActivationHooks.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3600170%40hydra-booking\u0026new=3600170%40hydra-booking"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-16T18:35:40.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-08T20:27:39.000Z",
"value": "Disclosed"
}
],
"title": "Hydra Booking \u003c= 1.2.1 - Authenticated (Custom+) Insecure Direct Object Reference to Sensitive Information Exposure via \u0027booking_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12433",
"datePublished": "2026-07-09T08:31:35.571Z",
"dateReserved": "2026-06-16T18:20:28.369Z",
"dateUpdated": "2026-07-09T14:37:17.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12418 (GCVE-0-2026-12418)
Vulnerability from cvelistv5 – Published: 2026-07-09 07:55 – Updated: 2026-07-09 14:39- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| wedevs | User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership & User Registration |
Affected:
0 , ≤ 4.3.7
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12418",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:32:23.613537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:39:37.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership \u0026 User Registration",
"vendor": "wedevs",
"versions": [
{
"lessThanOrEqual": "4.3.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kim ChanYeop"
}
],
"descriptions": [
{
"lang": "en",
"value": "The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \u0026 User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.7 via the \u0027wpuf_files_data\u0027 parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite the post_title, post_content, and post_excerpt of any arbitrary post on the site, including posts authored by administrators. Exploitation requires access to any WPUF post submission form; this is achievable by users with no WordPress role, as the wpuf_submit_post AJAX action is gated only by a nonce with no capability check for the downstream post-edit operation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T07:55:13.665Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f66e25f-b67e-4227-95fe-69b40551af61?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.6/includes/Traits/FieldableTrait.php#L478"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.6/includes/Ajax/Frontend_Form_Ajax.php#L35"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.6/includes/Traits/FieldableTrait.php#L468"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.1/includes/Traits/FieldableTrait.php#L478"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.1/includes/Ajax/Frontend_Form_Ajax.php#L35"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.1/includes/Traits/FieldableTrait.php#L468"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3578622%40wp-user-frontend\u0026new=3578622%40wp-user-frontend"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-16T16:18:58.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-08T19:37:25.000Z",
"value": "Disclosed"
}
],
"title": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \u0026 User Registration \u003c= 4.3.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Modification via \u0027wpuf_files_data\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12418",
"datePublished": "2026-07-09T07:55:13.665Z",
"dateReserved": "2026-06-16T16:03:46.619Z",
"dateUpdated": "2026-07-09T14:39:37.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.