CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-1436 (GCVE-0-2026-1436)
Vulnerability from cvelistv5 – Published: 2026-02-18 13:09 – Updated: 2026-02-18 14:19
Title
Improper Access Control (IDOR) vulnerability in Graylog Web Interface
Summary
Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint 'http://<IP>:12900/users/<my_user>' does not implement object-level authorization validations.
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
References
1 reference
| URL | Tags |
|---|---|
| https://www.incibe.es/en/incibe-cert/notices/avis… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Graylog | Graylog Web Interface | Affected: 2.2.3 | |
Date Public
2026-02-17 11:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1436",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T14:19:25.627419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T14:19:37.438Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Graylog Web Interface",
"vendor": "Graylog",
"versions": [
{
"status": "affected",
"version": "2.2.3"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:graylog:graylog_web_interface:2.2.3:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julen Garrido Est\u00e9vez (B3xal)"
}
],
"datePublic": "2026-02-17T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user\u0027s profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint \u0027http://\u0026lt;IP\u0026gt;:12900/users/\u0026lt;my_user\u0026gt;\u0027 does not implement object-level authorization validations."
}
],
"value": "Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user\u0027s profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint \u0027http://\u003cIP\u003e:12900/users/\u003cmy_user\u003e\u0027 does not implement object-level authorization validations."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T13:11:34.044Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-graylog"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is recommended to update the software to the latest version, where the vulnerability described has already been mitigated. For the affected version, the vulnerability is not mitigated, as the manufacturer considers all versions prior to the current one to be obsolete.\u003cbr\u003e"
}
],
"value": "It is recommended to update the software to the latest version, where the vulnerability described has already been mitigated. For the affected version, the vulnerability is not mitigated, as the manufacturer considers all versions prior to the current one to be obsolete."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Access Control (IDOR) vulnerability in Graylog Web Interface",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2026-1436",
"datePublished": "2026-02-18T13:09:35.443Z",
"dateReserved": "2026-01-26T13:20:07.838Z",
"dateUpdated": "2026-02-18T14:19:37.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1496 (GCVE-0-2026-1496)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:14 – Updated: 2026-03-27 14:36
Title
Coverity CLI Authentication Bypass
Summary
Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling, which makes them vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint who either knows or guesses a valid username can use it in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user's Coverity Connect account.
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
References
4 references
| URL | Tags |
|---|---|
| https://community.blackduck.com/s/article/Black-D… | vendor-advisory |
| https://community.blackduck.com/s/article/Instruc… | vendor-advisory, mitigation |
| https://community.blackduck.com/s/article/WAF-IDS… | vendor-advisory, mitigation |
| https://github.com/blackduck-inc/Coverity-Usage-L… | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Black Duck | Coverity | Affected: 2024.3.0, < 2025.12.0 (custom); Unaffected: 2024.3.0A, 2024.3.1A, 2024.3.2A, 2024.6.0A, 2024.6.1A, 2024.9.0A, 2024.9.1A, 2024.12.0A, 2024.12.1A, 2024.12.2, 2025.3.0A, 2025.3.1A, 2025.3.2, 2025.6.0A, 2025.6.2A, 2025.6.4, 2025.9.0A, 2025.9.2A, 2025.9.3, 2025.12.0A, 2025.12.1 | |
Date Public
2026-03-27 13:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1496",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:35:08.919139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:36:04.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Coverity",
"vendor": "Black Duck",
"versions": [
{
"lessThan": "2025.12.0",
"status": "affected",
"version": "2024.3.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2024.3.0A"
},
{
"status": "unaffected",
"version": "2024.3.1A"
},
{
"status": "unaffected",
"version": "2024.3.2A"
},
{
"status": "unaffected",
"version": "2024.6.0A"
},
{
"status": "unaffected",
"version": "2024.6.1A"
},
{
"status": "unaffected",
"version": "2024.9.0A"
},
{
"status": "unaffected",
"version": "2024.9.1A"
},
{
"status": "unaffected",
"version": "2024.12.0A"
},
{
"status": "unaffected",
"version": "2024.12.1A"
},
{
"status": "unaffected",
"version": "2024.12.2"
},
{
"status": "unaffected",
"version": "2025.3.0A"
},
{
"status": "unaffected",
"version": "2025.3.1A"
},
{
"status": "unaffected",
"version": "2025.3.2"
},
{
"status": "unaffected",
"version": "2025.6.0A"
},
{
"status": "unaffected",
"version": "2025.6.2A"
},
{
"status": "unaffected",
"version": "2025.6.4"
},
{
"status": "unaffected",
"version": "2025.9.0A"
},
{
"status": "unaffected",
"version": "2025.9.2A"
},
{
"status": "unaffected",
"version": "2025.9.3"
},
{
"status": "unaffected",
"version": "2025.12.0A"
},
{
"status": "unaffected",
"version": "2025.12.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:black_duck:coverity:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2025.12.0",
"versionStartIncluding": "2024.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.3.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.3.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.3.2a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.6.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.6.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.9.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.9.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.12.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.12.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.12.2:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.3.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.3.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.3.2:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.6.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.6.2a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.6.4:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.9.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.9.2a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.9.3:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.12.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.12.1:*:*:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Huong Kieu from Cenobe"
}
],
"datePublic": "2026-03-27T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass.\u0026nbsp;\u003cspan\u003eA malicious actor with access to the\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003ccode\u003e/token\u003c/code\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eAPI endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eSuccessful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user\u2019s Coverity Connect account.\u0026nbsp;\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass.\u00a0A malicious actor with access to the\u00a0/token\u00a0API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication.\u00a0Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user\u2019s Coverity Connect account."
}
],
"impacts": [
{
"capecId": "CAPEC-384",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-384 Application API Message Manipulation via Man-in-the-Middle"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:14:01.871Z",
"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"shortName": "BlackDuck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496"
},
{
"tags": [
"vendor-advisory",
"mitigation"
],
"url": "https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connect"
},
{
"tags": [
"vendor-advisory",
"mitigation"
],
"url": "https://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance"
},
{
"tags": [
"related"
],
"url": "https://github.com/blackduck-inc/Coverity-Usage-Log-Analyzer"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCustomers\nare recommended to upgrade to one of the following Coverity patched versions at their earliest availability or deploy documented mitigations.\u003c/p\u003e\n\n\u003cp\u003ePatched versions:\u003c/p\u003e\n\n\u003cul\u003e\n \u003cli\u003e2025.12.1\u003c/li\u003e\n\u003cli\u003e2025.12.0A\u003c/li\u003e\u003cli\u003e2025.9.2A\u003c/li\u003e\u003cli\u003e2025.9.0A\u003c/li\u003e\u003cli\u003e2025.6.2A\u003c/li\u003e\u003cli\u003e2025.6.0A\u003c/li\u003e\u003cli\u003e2025.3.1A\u003c/li\u003e\u003cli\u003e2025.3.0A\u003c/li\u003e\u003cli\u003e2024.12.1A\u003c/li\u003e\u003cli\u003e2024.12.0A\u003c/li\u003e\u003cli\u003e2024.9.1A\u003c/li\u003e\u003cli\u003e\u003cspan\u003e2024.9.0A\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\u003cp\u003eFull Installers:\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e2025.12.1\u003c/li\u003e\u003cli\u003e2025.9.3\u003c/li\u003e\u003cli\u003e2025.6.4\u003c/li\u003e\u003cli\u003e2025.3.2\u003c/li\u003e\u003cli\u003e2024.12.2\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Customers\nare recommended to upgrade to one of the following Coverity patched versions at their earliest availability or deploy documented mitigations.\n\n\n\nPatched versions:\n\n\n\n\n * 2025.12.1\n\n * 2025.12.0A\n * 2025.9.2A\n * 2025.9.0A\n * 2025.6.2A\n * 2025.6.0A\n * 2025.3.1A\n * 2025.3.0A\n * 2024.12.1A\n * 2024.12.0A\n * 2024.9.1A\n * 2024.9.0A\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nFull Installers:\n\n\n\n\n\n * 2025.12.1\n * 2025.9.3\n * 2025.6.4\n * 2025.3.2\n * 2024.12.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Coverity CLI Authentication Bypass",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"assignerShortName": "BlackDuck",
"cveId": "CVE-2026-1496",
"datePublished": "2026-03-27T14:14:01.871Z",
"dateReserved": "2026-01-27T15:53:39.147Z",
"dateUpdated": "2026-03-27T14:36:04.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1541 (GCVE-0-2026-1541)
Vulnerability from cvelistv5 – Published: 2026-04-15 01:25 – Updated: 2026-04-15 15:56
Title
Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference
Summary
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's `fusion_get_post_custom_field()` function failing to validate whether metadata keys are protected (underscore-prefixed). This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract protected post metadata fields that should not be publicly accessible via the Dynamic Data feature's `post_custom_field` parameter.
Severity
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themefusion | Avada (Fusion) Builder | Affected: 0, ≤ 3.15.1 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1541",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T15:55:18.301327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T15:56:52.964Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Avada (Fusion) Builder",
"vendor": "themefusion",
"versions": [
{
"lessThanOrEqual": "3.15.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin\u0027s `fusion_get_post_custom_field()` function failing to validate whether metadata keys are protected (underscore-prefixed). This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract protected post metadata fields that should not be publicly accessible via the Dynamic Data feature\u0027s `post_custom_field` parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T01:25:17.892Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f1f69f93-80e3-434d-98a6-fc8757b4e6d1?source=cve"
},
{
"url": "https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-24T16:14:39.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-14T12:23:58.000Z",
"value": "Disclosed"
}
],
"title": "Avada (Fusion) Builder \u003c= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1541",
"datePublished": "2026-04-15T01:25:17.892Z",
"dateReserved": "2026-01-28T14:57:30.708Z",
"dateUpdated": "2026-04-15T15:56:52.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1558 (GCVE-0-2026-1558)
Vulnerability from cvelistv5 – Published: 2026-02-27 04:33 – Updated: 2026-04-08 17:06
Title
WP Recipe Maker <= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.
Severity
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker | Affected: 0, ≤ 10.3.2 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1558",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T15:43:55.428168Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T15:44:54.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "10.3.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qu\u1ed1c Huy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint\u0027s permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:48.448Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90a5589f-f0e9-4511-9c5e-0afcee0824d5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/class-wprm-instacart.php#L110"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/api/class-wprm-api-integrations.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3464195%40wp-recipe-maker%2Ftrunk\u0026old=3441130%40wp-recipe-maker%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-28T18:34:38.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-26T15:59:49.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via \u0027recipeId\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1558",
"datePublished": "2026-02-27T04:33:03.419Z",
"dateReserved": "2026-01-28T18:19:24.671Z",
"dateUpdated": "2026-04-08T17:06:48.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1619 (GCVE-0-2026-1619)
Vulnerability from cvelistv5 – Published: 2026-02-13 13:20 – Updated: 2026-02-13 16:59
Title
IDOR in Universal Software's FlexCity/Kiosk
Summary
Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
Severity
8.3 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
References
1 reference
| URL | Tags |
|---|---|
| https://www.usom.gov.tr/bildirim/tr-26-0065 | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Universal Software Inc. | FlexCity/Kiosk | Affected: 1.0, < 1.0.36 (custom) | |
Date Public
2026-02-13 13:16
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1619",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-13T16:59:38.442129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T16:59:48.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FlexCity/Kiosk",
"vendor": "Universal Software Inc.",
"versions": [
{
"lessThan": "1.0.36",
"status": "affected",
"version": "1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u0130brahim Y\u0130\u011e\u0130TSOY"
}
],
"datePublic": "2026-02-13T13:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers.\u003cp\u003eThis issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.\u003c/p\u003e"
}
],
"value": "Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T13:20:54.637Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.usom.gov.tr/bildirim/tr-26-0065"
}
],
"source": {
"advisory": "TR-26-0065",
"defect": [
"TR-26-0065"
],
"discovery": "UNKNOWN"
},
"title": "IDOR in Universal Sotware\u0027s FlexCity/Kiosk",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2026-1619",
"datePublished": "2026-02-13T13:20:54.637Z",
"dateReserved": "2026-01-29T14:06:14.343Z",
"dateUpdated": "2026-02-13T16:59:48.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1664 (GCVE-0-2026-1664)
Vulnerability from cvelistv5 – Published: 2026-02-03 11:39 – Updated: 2026-02-03 14:46
Title
Insecure Direct Object Reference (IDOR) via Header-Based Email Routing
Summary
An Insecure Direct Object Reference has been found to exist in the `createHeaderBasedEmailResolver()` function within the Cloudflare Agents SDK. The issue occurs because the `Message-ID` and `References` headers are parsed to derive the target agentName and agentId without proper validation or origin checks, allowing an external attacker with control of these headers to route inbound mail to arbitrary Durable Object instances and namespaces.
Root cause
The `createHeaderBasedEmailResolver()` function lacks cryptographic verification or origin validation for the headers used in the routing logic, effectively allowing external input to dictate internal object routing.
Impact
Insecure Direct Object Reference (IDOR) in email routing lets an attacker steer inbound mail to arbitrary Agent instances via spoofed Message-ID.
Mitigation:
* PR: https://github.com/cloudflare/agents/pull/811
* This documentation [https://github.com/cloudflare/agents/blob/main/docs/email.md] provides the necessary architectural context for coding agents to mitigate the issue by refactoring the resolver to enforce strict identity boundaries.
* Agents-sdk users should upgrade to agents@0.3.7
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/cloudflare/agents | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1664",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T14:38:24.747542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T14:46:36.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/cloudflare/agents",
"defaultStatus": "unaffected",
"packageName": "agents",
"repo": "https://github.com/cloudflare/agents",
"versions": [
{
"lessThanOrEqual": "0.3.6",
"status": "affected",
"version": "0.0.104",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "asukalangley"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSummary\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cp\u003eAn Insecure Direct Object Reference has been found to exist in `createHeaderBasedEmailResolver()` function within the Cloudflare Agents SDK. The issue occurs because the `Message-ID` and `References` headers are parsed to derive the target agentName and agentId without proper validation or origin checks, allowing an external attacker with control of these headers to route inbound mail to arbitrary Durable Object instances and namespaces .\u003c/p\u003e\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eRoot cause\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThe `\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003ecreateHeaderBasedEmailResolver()`\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e function lacks cryptographic verification or origin validation for the headers used in the routing logic, effectively allowing external input to dictate internal object routing.\u003c/span\u003e\u003c/p\u003e\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eImpact\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eInsecure Direct Object Reference (IDOR) in email routing lets an attacker steer inbound mail to arbitrary Agent instances via spoofed Message-ID.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan 
style=\"background-color: transparent;\"\u003e\u003cb\u003eMitigation:\u003c/b\u003e\u003c/span\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: transparent;\"\u003ePR: \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/agents/pull/811\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://github.com/cloudflare/agents/pull/811\u003c/span\u003e\u003c/a\u003e\u003c/li\u003e\u003cli\u003eThis \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/agents/blob/main/docs/email.md\"\u003e\u003cspan style=\"background-color: transparent;\"\u003edocumentation\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u0026nbsp;[\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/agents/blob/main/docs/email.md\"\u003ehttps://github.com/cloudflare/agents/blob/main/docs/email.md\u003c/a\u003e] provides the necessary architectural context for coding agents to mitigate the issue by refactoring the resolver to enforce strict identity boundaries.\u003c/span\u003e\u003c/li\u003e\u003cli\u003eAgents-sdk users should upgrade to \u003cspan style=\"background-color: transparent;\"\u003eagents@0.3.7\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cb\u003e\u003c/b\u003e"
}
],
"value": "Summary\n\nAn Insecure Direct Object Reference has been found to exist in `createHeaderBasedEmailResolver()` function within the Cloudflare Agents SDK. The issue occurs because the `Message-ID` and `References` headers are parsed to derive the target agentName and agentId without proper validation or origin checks, allowing an external attacker with control of these headers to route inbound mail to arbitrary Durable Object instances and namespaces .\n\n\n\n\nRoot cause\n\nThe `createHeaderBasedEmailResolver()` function lacks cryptographic verification or origin validation for the headers used in the routing logic, effectively allowing external input to dictate internal object routing.\n\n\n\n\nImpact\n\nInsecure Direct Object Reference (IDOR) in email routing lets an attacker steer inbound mail to arbitrary Agent instances via spoofed Message-ID.\n\n\n\n\n\nMitigation:\n\n * PR: https://github.com/cloudflare/agents/blob/main/docs/email.md ] provides the necessary architectural context for coding agents to mitigate the issue by refactoring the resolver to enforce strict identity boundaries.\n * Agents-sdk users should upgrade to agents@0.3.7"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T11:45:10.068Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/agents"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insecure Direct Object Reference (IDOR) via Header-Based Email Routing",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2026-1664",
"datePublished": "2026-02-03T11:39:18.810Z",
"dateReserved": "2026-01-29T21:09:21.411Z",
"dateUpdated": "2026-02-03T14:46:36.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1704 (GCVE-0-2026-1704)
Vulnerability from cvelistv5 – Published: 2026-03-13 07:23 – Updated: 2026-04-08 17:21
Title
Appointment Booking Calendar <= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure
Summary
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_appointments` capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the ssa_manage_appointments capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the appointment ID parameter.
Severity
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| croixhaug | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | Affected: 0, ≤ 1.6.9.29 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:06:23.797912Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:06:31.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
"vendor": "croixhaug",
"versions": [
{
"lessThanOrEqual": "1.6.9.29",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_appointments` capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the ssa_manage_appointments capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the appointment ID parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:21:32.359Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c82f3864-13af-4ff6-824a-4c799a98f3f6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L1436"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.php#L1436"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L1348"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.21/includes/class-appointment-model.php#L1348"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3480506%40simply-schedule-appointments%2Ftrunk\u0026old=3475885%40simply-schedule-appointments%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-30T15:53:08.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-12T19:08:49.000Z",
"value": "Disclosed"
}
],
"title": "Appointment Booking Calendar \u003c= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1704",
"datePublished": "2026-03-13T07:23:38.921Z",
"dateReserved": "2026-01-30T15:37:58.974Z",
"dateUpdated": "2026-04-08T17:21:32.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1881 (GCVE-0-2026-1881)
Vulnerability from cvelistv5 – Published: 2026-05-21 01:26 – Updated: 2026-05-21 14:24
Title
Broadstreet <= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta
Summary
The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disclose any private post metadata.
Severity
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| broadstreetads | Broadstreet | Affected: 0, ≤ 1.52.2 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T14:03:03.561352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T14:24:56.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Broadstreet",
"vendor": "broadstreetads",
"versions": [
{
"lessThanOrEqual": "1.52.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tarc\u00edsio Luchesi De Almeida Silva"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disclose any private post metadata."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T01:26:15.241Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/328ccf8f-797b-4b1a-b0f1-afd8e44f41e6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fbroadstreet/tags/1.52.2\u0026new_path=%2Fbroadstreet/tags/1.53.2"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-04T12:59:16.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-20T13:15:10.000Z",
"value": "Disclosed"
}
],
"title": "Broadstreet \u003c= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1881",
"datePublished": "2026-05-21T01:26:15.241Z",
"dateReserved": "2026-02-04T12:39:42.839Z",
"dateUpdated": "2026-05-21T14:24:56.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1883 (GCVE-0-2026-1883)
Vulnerability from cvelistv5 – Published: 2026-03-15 01:19 – Updated: 2026-04-08 16:55
Title
Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion
Summary
The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users.
Severity
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wickedplugins | Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types | Affected: 0, ≤ 4.1.0 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1883",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T19:14:30.706921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T19:15:04.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types",
"vendor": "wickedplugins",
"versions": [
{
"lessThanOrEqual": "4.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youssef Elouaer"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:55:43.918Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cec2c52-d780-4d94-a5b2-d3b405bce49c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3473857/wicked-folders"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-04T15:27:18.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-14T13:11:53.000Z",
"value": "Disclosed"
}
],
"title": "Wicked Folders \u003c= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1883",
"datePublished": "2026-03-15T01:19:05.803Z",
"dateReserved": "2026-02-04T13:48:43.162Z",
"dateUpdated": "2026-04-08T16:55:43.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1947 (GCVE-0-2026-1947)
Vulnerability from cvelistv5 – Published: 2026-03-15 01:19 – Updated: 2026-04-08 17:16
Title
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id
Summary
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter.
Severity
7.5 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| webaways | NEX-Forms – Ultimate Forms Plugin for WordPress | Affected: 0, ≤ 9.1.9 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T19:13:52.233817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T19:14:13.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress",
"vendor": "webaways",
"versions": [
{
"lessThanOrEqual": "9.1.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youssef Elouaer"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to to overwrite arbitrary form entries via the \u0027nf_set_entry_update_id\u0027 parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:16:29.189Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2a8c307-2430-4ea9-afe0-e5e758eabdd1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3470888/nex-forms-express-wp-form-builder"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-05T00:32:39.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-14T13:14:22.000Z",
"value": "Disclosed"
}
],
"title": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress \u003c= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1947",
"datePublished": "2026-03-15T01:19:06.351Z",
"dateReserved": "2026-02-05T00:14:44.427Z",
"dateUpdated": "2026-04-08T17:16:29.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Phase: Architecture and Design
Description:
- Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
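The three mitigations above, worked through in one added Python example that is not code from any of the projects listed on this page. It models the record-ownership pattern of the appointment CVE above: a lookup that only checks a capability (the flaw) next to one that also checks object-level ownership on every access (first mitigation), plus a tamper-evident record reference that binds the id to the requesting user with an HMAC so that modifying the key is detected before any lookup happens (second and third mitigations; an HMAC tag is used here as the "digital signature"). The record store, capability table and `SERVER_SECRET` are constructed sample data.

```python
"""Object-level authorization and tamper-evident keys (added example, constructed data)."""
import hashlib
import hmac

# Constructed: appointment records keyed by id, each owned by one staff member.
APPOINTMENTS = {
    101: {"owner": "staff-alice", "customer": "Jane Doe", "email": "jane@example.com"},
    102: {"owner": "staff-bob", "customer": "John Roe", "email": "john@example.com"},
}

# Constructed: capability grants. Only the admin may read records she does not own.
CAPABILITIES = {
    "admin-carol": {"manage_appointments", "manage_all"},
    "staff-alice": {"manage_appointments"},
    "staff-bob": {"manage_appointments"},
    "subscriber-dan": set(),
}

# Assumption: a server-side secret that is never sent to clients.
SERVER_SECRET = b"constructed-secret-for-example-only"


class Forbidden(Exception):
    """Raised for every refused access; callers get one uniform answer."""


def get_appointment_capability_only(subject: str, appointment_id: int) -> dict:
    """The flawed pattern: a capability check but no ownership check, so any
    staff member can read any appointment id they choose to send."""
    if "manage_appointments" not in CAPABILITIES.get(subject, set()):
        raise Forbidden("missing capability")
    return APPOINTMENTS[appointment_id]


def get_appointment(subject: str, appointment_id: int) -> dict:
    """Mitigation 1: on each data access, check the caller may see *this* record."""
    caps = CAPABILITIES.get(subject, set())
    if "manage_appointments" not in caps:
        raise Forbidden("missing capability")
    record = APPOINTMENTS.get(appointment_id)
    # Unknown ids and foreign ids get the same refusal: no enumeration oracle.
    if record is None or (record["owner"] != subject and "manage_all" not in caps):
        raise Forbidden("not permitted for this record")
    return record


def _tag(subject: str, appointment_id: int) -> str:
    # Binding the subject into the MAC input ties the reference to one user.
    msg = f"{subject}|{appointment_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_reference(subject: str, appointment_id: int) -> str:
    """Mitigations 2 and 3: the key handed to the client carries an HMAC tag,
    so any change to the id (or reuse by another user) is detectable."""
    return f"{appointment_id}.{_tag(subject, appointment_id)}"


def resolve_reference(subject: str, ref: str) -> int:
    """Verify the tag before trusting the id; the compare is constant-time."""
    try:
        id_text, tag = ref.split(".", 1)
        appointment_id = int(id_text)
    except ValueError:
        raise Forbidden("malformed reference") from None
    if not hmac.compare_digest(_tag(subject, appointment_id), tag):
        raise Forbidden("tampered reference")
    return appointment_id


def get_appointment_by_reference(subject: str, ref: str) -> dict:
    """Both layers together: verified key, then object-level authorization."""
    return get_appointment(subject, resolve_reference(subject, ref))


def denied(fn, *args) -> bool:
    """True when the call is refused; used to check the negative cases."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    ref = issue_reference("staff-alice", 101)
    print("alice, own record via signed ref:", get_appointment_by_reference("staff-alice", ref)["customer"])
    print("alice, bob's record (capability-only):", get_appointment_capability_only("staff-alice", 102)["customer"])
    print("alice, bob's record (ownership check):", denied(get_appointment, "staff-alice", 102))
    print("alice, ref with id rewritten:", denied(resolve_reference, "staff-alice", "102." + ref.split(".", 1)[1]))
```

The signed reference does not replace the ownership check: a user can still present a reference the server legitimately issued to them, so `get_appointment` is always consulted after `resolve_reference`. The signature only ensures that what arrives is a key the server produced for that user, which is exactly the "tampering can be detected" property the second and third mitigations ask for.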
No CAPEC attack patterns related to this CWE.