Common Weakness Enumeration

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CVE-2025-65031 (GCVE-0-2025-65031)

Vulnerability from cvelistv5 – Published: 2025-11-19 17:25 – Updated: 2025-11-19 18:35
VLAI
Title
Rallly Improper Authorization in Comment Endpoint Allows User Impersonation
Summary
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks. This issue has been patched in version 4.5.4.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
lukevella rallly Affected: < 4.5.4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65031",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-19T18:34:27.431765Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-19T18:35:00.771Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rallly",
          "vendor": "lukevella",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks. This issue has been patched in version 4.5.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-19T17:25:49.058Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/lukevella/rallly/security/advisories/GHSA-hhfc-6gq7-rrpm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lukevella/rallly/security/advisories/GHSA-hhfc-6gq7-rrpm"
        },
        {
          "name": "https://github.com/lukevella/rallly/releases/tag/v4.5.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lukevella/rallly/releases/tag/v4.5.4"
        }
      ],
      "source": {
        "advisory": "GHSA-hhfc-6gq7-rrpm",
        "discovery": "UNKNOWN"
      },
      "title": "Rallly Improper Authorization in Comment Endpoint Allows User Impersonation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65031",
    "datePublished": "2025-11-19T17:25:49.058Z",
    "dateReserved": "2025-11-13T15:36:51.682Z",
    "dateUpdated": "2025-11-19T18:35:00.771Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-65032 (GCVE-0-2025-65032)

Vulnerability from cvelistv5 – Published: 2025-11-19 17:26 – Updated: 2025-11-19 18:50
VLAI
Title
Rallly Has an IDOR Vulnerability in Participant Rename Function Allows Unauthorized Modification of Other Users’ Names
Summary
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to change the display names of other participants in polls without being an admin or the poll owner. By manipulating the participantId parameter in a rename request, an attacker can modify another user’s name, violating data integrity and potentially causing confusion or impersonation attacks. This issue has been patched in version 4.5.4.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
lukevella rallly Affected: < 4.5.4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65032",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-19T18:50:38.588761Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-19T18:50:41.841Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/lukevella/rallly/security/advisories/GHSA-q9m7-chfx-43xw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rallly",
          "vendor": "lukevella",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to change the display names of other participants in polls without being an admin or the poll owner. By manipulating the participantId parameter in a rename request, an attacker can modify another user\u2019s name, violating data integrity and potentially causing confusion or impersonation attacks. This issue has been patched in version 4.5.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-19T17:26:09.648Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/lukevella/rallly/security/advisories/GHSA-q9m7-chfx-43xw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lukevella/rallly/security/advisories/GHSA-q9m7-chfx-43xw"
        },
        {
          "name": "https://github.com/lukevella/rallly/releases/tag/v4.5.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lukevella/rallly/releases/tag/v4.5.4"
        }
      ],
      "source": {
        "advisory": "GHSA-q9m7-chfx-43xw",
        "discovery": "UNKNOWN"
      },
      "title": "Rallly Has an IDOR Vulnerability in Participant Rename Function Allows Unauthorized Modification of Other Users\u2019 Names"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65032",
    "datePublished": "2025-11-19T17:26:09.648Z",
    "dateReserved": "2025-11-13T15:36:51.683Z",
    "dateUpdated": "2025-11-19T18:50:41.841Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-65033 (GCVE-0-2025-65033)

Vulnerability from cvelistv5 – Published: 2025-11-19 17:26 – Updated: 2025-11-19 20:03
VLAI
Title
Rallly Broken Authorization: Any User Can Pause or Resume Any Poll via Poll ID Manipulation
Summary
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-285 - Improper Authorization
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
lukevella rallly Affected: < 4.5.4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65033",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-19T20:03:41.039021Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-19T20:03:45.344Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/lukevella/rallly/security/advisories/GHSA-4p93-v53r-vch3"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rallly",
          "vendor": "lukevella",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-19T17:26:44.807Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/lukevella/rallly/security/advisories/GHSA-4p93-v53r-vch3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lukevella/rallly/security/advisories/GHSA-4p93-v53r-vch3"
        },
        {
          "name": "https://github.com/lukevella/rallly/releases/tag/v4.5.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lukevella/rallly/releases/tag/v4.5.4"
        }
      ],
      "source": {
        "advisory": "GHSA-4p93-v53r-vch3",
        "discovery": "UNKNOWN"
      },
      "title": "Rallly Broken Authorization: Any User Can Pause or Resume Any Poll via Poll ID Manipulation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65033",
    "datePublished": "2025-11-19T17:26:44.807Z",
    "dateReserved": "2025-11-13T15:36:51.683Z",
    "dateUpdated": "2025-11-19T20:03:45.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-65034 (GCVE-0-2025-65034)

Vulnerability from cvelistv5 – Published: 2025-11-19 17:26 – Updated: 2025-11-19 20:20
VLAI
Title
Rallly Improper Authorization Allows Reopening of Any Finalized Poll via Public pollId
Summary
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
lukevella rallly Affected: < 4.5.4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65034",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-19T20:12:38.285005Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-19T20:20:04.793Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/lukevella/rallly/security/advisories/GHSA-5fp2-pv2j-rqpc"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rallly",
          "vendor": "lukevella",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-19T17:26:59.038Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/lukevella/rallly/security/advisories/GHSA-5fp2-pv2j-rqpc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lukevella/rallly/security/advisories/GHSA-5fp2-pv2j-rqpc"
        },
        {
          "name": "https://github.com/lukevella/rallly/releases/tag/v4.5.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lukevella/rallly/releases/tag/v4.5.4"
        }
      ],
      "source": {
        "advisory": "GHSA-5fp2-pv2j-rqpc",
        "discovery": "UNKNOWN"
      },
      "title": "Rallly Improper Authorization Allows Reopening of Any Finalized Poll via Public pollId"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65034",
    "datePublished": "2025-11-19T17:26:59.038Z",
    "dateReserved": "2025-11-13T15:36:51.684Z",
    "dateUpdated": "2025-11-19T20:20:04.793Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-65096 (GCVE-0-2025-65096)

Vulnerability from cvelistv5 – Published: 2025-12-03 19:39 – Updated: 2025-12-03 21:47
VLAI
Title
RomM Insecure Direct Object Reference (IDOR) Allows Unauthorized Access to Private Collections
Summary
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership verification or checking if the collection is public/private before returning collection data. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Control
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
rommapp romm Affected: < 4.4.1-beta.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65096",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-03T21:47:12.972345Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-03T21:47:22.189Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "romm",
          "vendor": "rommapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.4.1-beta.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership verification or checking if the collection is public/private before returning collection data. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-03T19:39:53.722Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rommapp/romm/security/advisories/GHSA-5ghc-8wr3-788c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rommapp/romm/security/advisories/GHSA-5ghc-8wr3-788c"
        }
      ],
      "source": {
        "advisory": "GHSA-5ghc-8wr3-788c",
        "discovery": "UNKNOWN"
      },
      "title": "RomM Insecure Direct Object Reference (IDOR) Allows Unauthorized Access to Private Collections"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65096",
    "datePublished": "2025-12-03T19:39:53.722Z",
    "dateReserved": "2025-11-17T20:55:34.692Z",
    "dateUpdated": "2025-12-03T21:47:22.189Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-65097 (GCVE-0-2025-65097)

Vulnerability from cvelistv5 – Published: 2025-12-03 19:41 – Updated: 2025-12-03 21:47
VLAI
Title
Insecure Direct Object Reference (IDOR) Allows Unauthorized Deletion of User Collections
Summary
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-284 - Improper Access Control
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
rommapp romm Affected: < 4.4.1-beta.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65097",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-03T21:47:47.143002Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-03T21:47:55.770Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "romm",
          "vendor": "rommapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.4.1-beta.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-03T19:41:33.262Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rommapp/romm/security/advisories/GHSA-v7c8-f6xc-rv9g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rommapp/romm/security/advisories/GHSA-v7c8-f6xc-rv9g"
        }
      ],
      "source": {
        "advisory": "GHSA-v7c8-f6xc-rv9g",
        "discovery": "UNKNOWN"
      },
      "title": "Insecure Direct Object Reference (IDOR) Allows Unauthorized Deletion of User Collections"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65097",
    "datePublished": "2025-12-03T19:41:33.262Z",
    "dateReserved": "2025-11-17T20:55:34.692Z",
    "dateUpdated": "2025-12-03T21:47:55.770Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-65098 (GCVE-0-2025-65098)

Vulnerability from cvelistv5 – Published: 2026-01-22 14:59 – Updated: 2026-01-22 16:25
VLAI
Title
Typebot Vulnerable to Credential Theft via Client-Side Script Execution and API Authorization Bypass
Summary
Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-284 - Improper Access Control
  • CWE-311 - Missing Encryption of Sensitive Data
  • CWE-522 - Insufficiently Protected Credentials
  • CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE-862 - Missing Authorization
Assigner
References
Impacted products
Vendor Product Version
baptisteArno typebot.io Affected: < 3.13.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65098",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-22T16:25:42.669751Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-22T16:25:45.772Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "typebot.io",
          "vendor": "baptisteArno",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.13.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking \"Run\", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-311",
              "description": "CWE-311: Missing Encryption of Sensitive Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522: Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T14:59:20.488Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47"
        }
      ],
      "source": {
        "advisory": "GHSA-4xc5-wfwc-jw47",
        "discovery": "UNKNOWN"
      },
      "title": "Typebot Vulnerable to Credential Theft via Client-Side Script Execution and API Authorization Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65098",
    "datePublished": "2026-01-22T14:59:20.488Z",
    "dateReserved": "2025-11-17T20:55:34.692Z",
    "dateUpdated": "2026-01-22T16:25:45.772Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-6574 (GCVE-0-2025-6574)

Vulnerability from cvelistv5 – Published: 2025-11-01 06:40 – Updated: 2026-04-08 16:42
VLAI
Title
Service Finder Bookings < 6.1 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover
Summary
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
aonetheme Service Finder Bookings Affected: 0 , < 6.1 (semver)
Create a notification for this product.
Credits
Thái An
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-6574",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-03T13:22:12.474119Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-03T13:30:52.307Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Service Finder Bookings",
          "vendor": "aonetheme",
          "versions": [
            {
              "lessThan": "6.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Th\u00e1i An"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user\u0027s identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:42:42.084Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/264cb002-bf40-4cc2-9c21-cda9bb24f494?source=cve"
        },
        {
          "url": "https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-31T18:15:54.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Service Finder Bookings \u003c 6.1 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-6574",
    "datePublished": "2025-11-01T06:40:36.491Z",
    "dateReserved": "2025-06-24T14:07:03.697Z",
    "dateUpdated": "2026-04-08T16:42:42.084Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-66123 (GCVE-0-2025-66123)

Vulnerability from cvelistv5 – Published: 2026-06-26 14:52 – Updated: 2026-06-26 20:19
VLAI
Title
WordPress BookPro plugin <= 1.1.0 - Insecure Direct Object References (IDOR) vulnerability
Summary
Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
About Envato BookPro Affected: n/a , ≤ 1.1.0 (custom)
Create a notification for this product.
Credits
Phat RiO | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66123",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T20:14:15.024342Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T20:19:41.689Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "ovabookpro",
          "product": "BookPro",
          "vendor": "About Envato",
          "versions": [
            {
              "lessThanOrEqual": "1.1.0",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Phat RiO | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unauthenticated Insecure Direct Object References (IDOR) in BookPro \u003c= 1.1.0 versions."
            }
          ],
          "value": "Unauthenticated Insecure Direct Object References (IDOR) in BookPro \u003c= 1.1.0 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T14:52:13.859Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/ovabookpro/vulnerability/wordpress-bookpro-plugin-1-1-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress BookPro plugin \u003c= 1.1.0 - Insecure Direct Object References (IDOR) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-66123",
    "datePublished": "2026-06-26T14:52:13.859Z",
    "dateReserved": "2025-11-21T11:21:32.201Z",
    "dateUpdated": "2026-06-26T20:19:41.689Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-66132 (GCVE-0-2025-66132)

Vulnerability from cvelistv5 – Published: 2025-12-16 08:12 – Updated: 2026-04-28 16:14
VLAI
Title
WordPress FAPI Member plugin <= 2.2.30 - Insecure Direct Object References (IDOR) vulnerability
Summary
Authorization Bypass Through User-Controlled Key vulnerability in FAPI Business s.r.o. FAPI Member fapi-member allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FAPI Member: from n/a through <= 2.2.30.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
FAPI Business s.r.o. FAPI Member Affected: 0 , ≤ 2.2.30 (custom)
Create a notification for this product.
Date Public
2026-04-22 14:23
Credits
NumeX | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66132",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-17T18:37:19.270312Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-27T16:45:03.239Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "fapi-member",
          "product": "FAPI Member",
          "vendor": "FAPI Business s.r.o.",
          "versions": [
            {
              "lessThanOrEqual": "2.2.30",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "NumeX | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-22T14:23:54.510Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in FAPI Business s.r.o. FAPI Member fapi-member allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects FAPI Member: from n/a through \u003c= 2.2.30.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key vulnerability in FAPI Business s.r.o. FAPI Member fapi-member allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FAPI Member: from n/a through \u003c= 2.2.30."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:14:17.862Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/fapi-member/vulnerability/wordpress-fapi-member-plugin-2-2-26-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress FAPI Member plugin \u003c= 2.2.30 - Insecure Direct Object References (IDOR) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-66132",
    "datePublished": "2025-12-16T08:12:54.562Z",
    "dateReserved": "2025-11-21T11:21:32.203Z",
    "dateUpdated": "2026-04-28T16:14:17.862Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phase: Architecture and Design

Description:

  • For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation

Phases: Architecture and Design, Implementation

Description:

  • Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation

Phase: Architecture and Design

Description:

  • Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page