Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3235 vulnerabilities reference this CWE, most recent first.

CVE-2025-13932 (GCVE-0-2025-13932)

Vulnerability from cvelistv5 – Published: 2025-12-04 21:17 – Updated: 2025-12-05 16:32
VLAI
Summary
The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Date Public
2025-12-04 00:00
Credits
James Gallagher (@5G)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13932",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-05T16:31:53.652860Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-05T16:32:02.592Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Monitoring Platform (Cloud API \u0026 Device Control API)",
          "vendor": "SolisCloud",
          "versions": [
            {
              "status": "affected",
              "version": "API v1"
            },
            {
              "status": "affected",
              "version": "API v2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "James Gallagher (@5G)"
        }
      ],
      "datePublic": "2025-12-04T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "id": "CVE-2025-13932",
              "options": [
                {
                  "Exploitation": "none"
                },
                {
                  "Automatable": "no"
                },
                {
                  "Technical Impact": "partial"
                }
              ],
              "role": "CISA Coordinator",
              "timestamp": "2025-12-04T23:02:31.575317Z",
              "version": "2.0.3"
            },
            "type": "ssvc"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T23:02:41.998Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "name": "url",
          "tags": [
            "government-resource"
          ],
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-06"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-13932",
    "datePublished": "2025-12-04T21:17:03.206Z",
    "dateReserved": "2025-12-02T21:57:28.248Z",
    "dateUpdated": "2025-12-05T16:32:02.592Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13874 (GCVE-0-2025-13874)

Vulnerability from cvelistv5 – Published: 2026-05-14 05:38 – Updated: 2026-05-14 17:45
VLAI
Title
Authorization Bypass Through User-Controlled Key in GitLab
Summary
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
GitLab GitLab Affected: 15.1 , < 18.9.7 (semver)
Affected: 18.10 , < 18.10.6 (semver)
Affected: 18.11 , < 18.11.3 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Thanks [go7f0](https://hackerone.com/go7f0) for reporting this vulnerability through our HackerOne bug bounty program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13874",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T17:44:55.100220Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T17:45:08.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "18.9.7",
              "status": "affected",
              "version": "15.1",
              "versionType": "semver"
            },
            {
              "lessThan": "18.10.6",
              "status": "affected",
              "version": "18.10",
              "versionType": "semver"
            },
            {
              "lessThan": "18.11.3",
              "status": "affected",
              "version": "18.11",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks [go7f0](https://hackerone.com/go7f0) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T05:38:27.341Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "HackerOne Bug Bounty Report #3445398",
          "tags": [
            "technical-description",
            "exploit",
            "permissions-required"
          ],
          "url": "https://hackerone.com/reports/3445398"
        },
        {
          "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/582634"
        },
        {
          "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above."
        }
      ],
      "title": "Authorization Bypass Through User-Controlled Key in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2025-13874",
    "datePublished": "2026-05-14T05:38:27.341Z",
    "dateReserved": "2025-12-02T09:33:19.611Z",
    "dateUpdated": "2026-05-14T17:45:08.662Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13842 (GCVE-0-2025-13842)

Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-04-08 16:57
VLAI
Title
Breadcrumb NavXT <= 7.5.0 - Missing Authorization to Sensitive Information Exposure
Summary
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titles and hierarchy that should remain hidden.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
mtekk Breadcrumb NavXT Affected: 0 , ≤ 7.5.0 (semver)
Create a notification for this product.
Credits
NosleeP
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13842",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-19T17:22:52.111987Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-19T17:36:59.299Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Breadcrumb NavXT",
          "vendor": "mtekk",
          "versions": [
            {
              "lessThanOrEqual": "7.5.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "NosleeP"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST[\u0027post_id\u0027] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titles and hierarchy that should remain hidden."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:57:10.579Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62e25985-ac19-41a5-8027-eb053f4a6490?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/breadcrumb-navxt/trunk/includes/blocks/build/breadcrumb-trail/render.php#L17"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3425008"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-18T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Breadcrumb NavXT \u003c= 7.5.0 - Missing Authorization to Sensitive Information Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-13842",
    "datePublished": "2026-02-19T04:36:13.093Z",
    "dateReserved": "2025-12-01T18:55:52.648Z",
    "dateUpdated": "2026-04-08T16:57:10.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13822 (GCVE-0-2025-13822)

Vulnerability from cvelistv5 – Published: 2026-04-14 10:23 – Updated: 2026-04-14 13:14
VLAI
Title
Authentication bypass in MCPHub
Summary
MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
MCPHub MCPHub Affected: 0 , < 0.11.0 (semver)
Create a notification for this product.
Date Public
2026-04-14 10:23
Credits
Eryk Winiarz
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13822",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-14T13:06:44.089169Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-14T13:14:16.888Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.npmjs.com/package/@samanhappy/mcphub",
          "defaultStatus": "unaffected",
          "packageName": "@samanhappy/mcphub",
          "product": "MCPHub",
          "repo": "https://github.com/samanhappy/mcphub",
          "vendor": "MCPHub",
          "versions": [
            {
              "lessThan": "0.11.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Eryk Winiarz"
        }
      ],
      "datePublic": "2026-04-14T10:23:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "MCPHub in versions below\u0026nbsp;0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.\u0026nbsp;\u003cbr\u003e"
            }
          ],
          "value": "MCPHub in versions below\u00a00.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-14T10:23:49.910Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/samanhappy/mcphub"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2026/04/CVE-2025-13822"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Authentication bypass in MCPHub",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2025-13822",
    "datePublished": "2026-04-14T10:23:49.910Z",
    "dateReserved": "2025-12-01T13:03:39.659Z",
    "dateUpdated": "2026-04-14T13:14:16.888Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13768 (GCVE-0-2025-13768)

Vulnerability from cvelistv5 – Published: 2025-11-28 07:31 – Updated: 2025-11-28 14:56
VLAI
Title
Uniong|WebITR - Authorization Bypass
Summary
WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to exploit this vulnerability.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
Uniong WebITR Affected: 0 , ≤ 2_1_0_33 (custom)
Create a notification for this product.
Date Public
2025-11-28 07:18
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13768",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-28T14:56:00.072593Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-28T14:56:17.174Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WebITR",
          "vendor": "Uniong",
          "versions": [
            {
              "lessThanOrEqual": "2_1_0_33",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-11-28T07:18:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to exploit this vulnerability."
            }
          ],
          "value": "WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to exploit this vulnerability."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-21",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-21 Exploitation of Trusted Identifiers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-28T07:31:08.294Z",
        "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "shortName": "twcert"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to version 2_1_0_34 or later."
            }
          ],
          "value": "Update to version 2_1_0_34 or later."
        }
      ],
      "source": {
        "advisory": "TVN-202511012",
        "discovery": "EXTERNAL"
      },
      "title": "Uniong\uff5cWebITR - Authorization Bypass",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
    "assignerShortName": "twcert",
    "cveId": "CVE-2025-13768",
    "datePublished": "2025-11-28T07:31:08.294Z",
    "dateReserved": "2025-11-28T03:34:52.911Z",
    "dateUpdated": "2025-11-28T14:56:17.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13748 (GCVE-0-2025-13748)

Vulnerability from cvelistv5 – Published: 2025-12-06 06:39 – Updated: 2026-04-08 17:20
VLAI
Title
Fluent Forms <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id
Summary
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Credits
Md. Moniruzzaman Prodhan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13748",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-08T21:27:32.596858Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-08T21:27:44.087Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder",
          "vendor": "techjewel",
          "versions": [
            {
              "lessThanOrEqual": "6.1.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Md. Moniruzzaman Prodhan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the \u0027submission_id\u0027 parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:20:12.805Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2aee799-4e4c-4a41-8b76-e2ad576fe2e2?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3406804/fluentform/tags/6.1.8/app/Modules/Payments/PaymentMethods/Stripe/StripeInlineProcessor.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-26T16:13:14.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-12-05T18:10:08.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Fluent Forms \u003c= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-13748",
    "datePublished": "2025-12-06T06:39:08.515Z",
    "dateReserved": "2025-11-26T15:56:07.294Z",
    "dateUpdated": "2026-04-08T17:20:12.805Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13615 (GCVE-0-2025-13615)

Vulnerability from cvelistv5 – Published: 2025-11-30 01:53 – Updated: 2026-04-08 17:17
VLAI
Title
StreamTube Core <= 4.78 - Unauthenticated Arbitrary User Password Change
Summary
The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' enabled in theme options.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
phpface StreamTube Core Affected: 0 , ≤ 4.78 (semver)
Create a notification for this product.
Credits
Friderika Baranyai
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13615",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-01T13:31:30.707915Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-01T14:10:13.887Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "StreamTube Core",
          "vendor": "phpface",
          "versions": [
            {
              "lessThanOrEqual": "4.78",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Friderika Baranyai"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the \u0027registration password fields\u0027 enabled in theme options."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:17:43.665Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b812a0d7-99a1-4f61-b78a-78cea6a2ada1?source=cve"
        },
        {
          "url": "https://themeforest.net/item/streamtube-responsive-video-wordpress-theme/33821786"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-29T12:14:32.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "StreamTube Core \u003c= 4.78 - Unauthenticated Arbitrary User Password Change"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-13615",
    "datePublished": "2025-11-30T01:53:13.258Z",
    "dateReserved": "2025-11-24T18:46:54.192Z",
    "dateUpdated": "2026-04-08T17:17:43.665Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13479 (GCVE-0-2025-13479)

Vulnerability from cvelistv5 – Published: 2026-05-21 13:21 – Updated: 2026-05-21 13:49
VLAI
Title
IDOR in PosCube's QR Menu
Summary
Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers. This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
Impacted products
Date Public
2026-05-21 13:16
Credits
Ahmet Umut OĞURLU
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13479",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-21T13:49:30.952933Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-21T13:49:38.991Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "QR Menu",
          "vendor": "PosCube Hardware Software and Consulting Ltd.",
          "versions": [
            {
              "lessThanOrEqual": "21052026",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ahmet Umut O\u011eURLU"
        }
      ],
      "datePublic": "2026-05-21T13:16:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers.\u003cp\u003eThis issue affects QR Menu: through 21052026.\u0026nbsp;\u003cspan\u003eNOTE: The vendor was contacted early about this disclosure but did not respond in any way.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers.\n\nThis issue affects QR Menu: through 21052026.\u00a0NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-21",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-21 Exploitation of Trusted Identifiers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T13:21:46.938Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0285"
        }
      ],
      "source": {
        "advisory": "TR-26-0285",
        "defect": [
          "TR-26-0285"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "IDOR in PosCube\u0027s QR Menu",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2025-13479",
    "datePublished": "2026-05-21T13:21:46.938Z",
    "dateReserved": "2025-11-20T14:18:41.859Z",
    "dateUpdated": "2026-05-21T13:49:38.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13474 (GCVE-0-2025-13474)

Vulnerability from cvelistv5 – Published: 2025-12-16 11:25 – Updated: 2026-06-04 06:34
VLAI
Title
IDOR in Menulux Software's Mobile App
Summary
Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers. This issue affects Mobile App: before 9.5.8.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
Menulux Software Inc. Mobile App Affected: 0 , < 9.5.8 (custom)
Create a notification for this product.
Date Public
2025-12-16 11:15
Credits
Osman BARUTCU
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13474",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-16T14:44:45.388193Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-16T14:45:34.973Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mobile App",
          "vendor": "Menulux Software Inc.",
          "versions": [
            {
              "lessThan": "9.5.8",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Osman BARUTCU"
        }
      ],
      "datePublic": "2025-12-16T11:15:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers.\u003cp\u003eThis issue affects Mobile App: before 9.5.8.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers.\n\nThis issue affects Mobile App: before 9.5.8."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-21",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-21 Exploitation of Trusted Identifiers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T06:34:18.531Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "tags": [
            "government-resource",
            "broken-link"
          ],
          "url": "https://www.usom.gov.tr/bildirim/tr-25-0457"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0457"
        }
      ],
      "source": {
        "advisory": "TR-25-0457",
        "defect": [
          "TR-25-0457"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "IDOR in Menulux Software\u0027s Mobile App",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2025-13474",
    "datePublished": "2025-12-16T11:25:49.658Z",
    "dateReserved": "2025-11-20T12:01:32.797Z",
    "dateUpdated": "2026-06-04T06:34:18.531Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13457 (GCVE-0-2025-13457)

Vulnerability from cvelistv5 – Published: 2026-01-10 03:21 – Updated: 2026-01-12 16:49
VLAI
Title
WooCommerce Square <= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id
Summary
The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
woocommerce WooCommerce Square Affected: 4.2.0 , < 4.2.3 (semver)
Affected: 4.3.0 , < 4.3.2 (semver)
Affected: 4.4.0 , < 4.4.2 (semver)
Affected: 4.5.0 , < 4.5.2 (semver)
Affected: 4.6.0 , < 4.6.4 (semver)
Affected: 4.7.0 , < 4.7.4 (semver)
Affected: 4.8.0 , < 4.8.8 (semver)
Affected: 4.9.0 , < 4.9.9 (semver)
Affected: 5.0.0 , < 5.0.1 (semver)
Affected: 5.1.0 , < 5.1.2 (semver)
Create a notification for this product.
Credits
German
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13457",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-12T16:49:05.848129Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-12T16:49:14.896Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WooCommerce Square",
          "vendor": "woocommerce",
          "versions": [
            {
              "lessThan": "4.2.3",
              "status": "affected",
              "version": "4.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.3.2",
              "status": "affected",
              "version": "4.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.4.2",
              "status": "affected",
              "version": "4.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5.2",
              "status": "affected",
              "version": "4.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.6.4",
              "status": "affected",
              "version": "4.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.7.4",
              "status": "affected",
              "version": "4.7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.8.8",
              "status": "affected",
              "version": "4.8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.9.9",
              "status": "affected",
              "version": "4.9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.0.1",
              "status": "affected",
              "version": "5.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.1.2",
              "status": "affected",
              "version": "5.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "German"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id  function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square \"ccof\" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-10T03:21:01.113Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f4f726-7e53-4397-8d8b-7a574326adc6?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3415850/woocommerce-square"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-25T19:04:33.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-01-09T14:05:48.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WooCommerce Square \u003c= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-13457",
    "datePublished": "2026-01-10T03:21:01.113Z",
    "dateReserved": "2025-11-19T20:13:41.577Z",
    "dateUpdated": "2026-01-12T16:49:14.896Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.