Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-11988 (GCVE-0-2026-11988)
Vulnerability from cvelistv5 – Published: 2026-07-01 04:32 – Updated: 2026-07-01 10:42
VLAI
EPSS
VEX
Title
LearnPress <= 4.3.9.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Disclosure via 'userId' Parameter
Summary
The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses |
Affected:
0 , ≤ 4.3.9.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11988",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T10:31:37.825648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T10:42:11.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses",
"vendor": "thimpress",
"versions": [
{
"lessThanOrEqual": "4.3.9.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "javitoia"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the \u0027userId\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T04:32:27.231Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b5e8cfd-989e-4a64-abb0-9daa22df46a4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L137"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/user/abstract-lp-user.php#L680"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L137"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/user/abstract-lp-user.php#L680"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Flearnpress/tags/4.3.9.1\u0026new_path=%2Flearnpress/tags/4.4.0"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-11T14:43:46.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-30T16:07:05.000Z",
"value": "Disclosed"
}
],
"title": "LearnPress \u003c= 4.3.9.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Disclosure via \u0027userId\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11988",
"datePublished": "2026-07-01T04:32:27.231Z",
"dateReserved": "2026-06-11T14:28:25.105Z",
"dateUpdated": "2026-07-01T10:42:11.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1201 (GCVE-0-2026-1201)
Vulnerability from cvelistv5 – Published: 2026-01-22 21:52 – Updated: 2026-01-29 16:51
VLAI
EPSS
VEX
Title
Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs
Summary
An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.cisa.gov/news-events/ics-advisories/i… | government-resource |
| https://ostrichlab.io/research-blog/?post=hubitat… | technical-descriptionrelated |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Hubitat | Elevation C3 |
Affected:
0 , < 2.4.2.157
(custom)
|
|
| Hubitat | Elevation C4 |
Affected:
0 , < 2.4.2.157
(custom)
|
|
| Hubitat | Elevation C5 |
Affected:
0 , < 2.4.2.157
(custom)
|
|
| Hubitat | Elevation C7 |
Affected:
0 , < 2.4.2.157
(custom)
|
|
| Hubitat | Elevation C8 |
Affected:
0 , < 2.4.2.157
(custom)
|
|
| Hubitat | Elevation C8 pro |
Affected:
0 , < 2.4.2.157
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-23T20:12:37.957880Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T20:12:48.249Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Elevation C3",
"vendor": "Hubitat",
"versions": [
{
"lessThan": "2.4.2.157",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Elevation C4",
"vendor": "Hubitat",
"versions": [
{
"lessThan": "2.4.2.157",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Elevation C5",
"vendor": "Hubitat",
"versions": [
{
"lessThan": "2.4.2.157",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Elevation C7",
"vendor": "Hubitat",
"versions": [
{
"lessThan": "2.4.2.157",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Elevation C8",
"vendor": "Hubitat",
"versions": [
{
"lessThan": "2.4.2.157",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Elevation C8 pro",
"vendor": "Hubitat",
"versions": [
{
"lessThan": "2.4.2.157",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aaron \u0027theHastyOne\u0027 Hasty of Ostrich Lab reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T16:51:31.043Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06"
},
{
"tags": [
"technical-description",
"related"
],
"url": "https://ostrichlab.io/research-blog/?post=hubitat_writeup"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hubitat has released the following for users to implement:\u003cbr\u003e\u003cbr\u003e* Firmware version [2.4.2.157](\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://community.hubitat.com/t/release-2-4-2-available/154531/10\"\u003ehttps://community.hubitat.com/t/release-2-4-2-available/154531/10\u003c/a\u003e)\u003cbr\u003e"
}
],
"value": "Hubitat has released the following for users to implement:\n\n* Firmware version [2.4.2.157]( https://community.hubitat.com/t/release-2-4-2-available/154531/10 )"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authorization Bypass Through User-Controlled Key in Hubitat Elevation Hubs",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-1201",
"datePublished": "2026-01-22T21:52:01.011Z",
"dateReserved": "2026-01-19T14:29:21.551Z",
"dateUpdated": "2026-01-29T16:51:31.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1206 (GCVE-0-2026-1206)
Vulnerability from cvelistv5 – Published: 2026-03-26 05:29 – Updated: 2026-04-08 17:12
VLAI
EPSS
VEX
Title
Elementor Website Builder <= 3.35.7 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template
Summary
The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| elemntor | Elementor Website Builder – more than just a page builder |
Affected:
0 , ≤ 3.35.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T17:35:55.831733Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T17:51:15.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Elementor Website Builder \u2013 more than just a page builder",
"vendor": "elemntor",
"versions": [
{
"lessThanOrEqual": "3.35.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the \u0027template_id\u0027 supplied to the \u0027get_template_data\u0027 action of the \u0027elementor_ajax\u0027 endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:12:59.673Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4420935-4952-4460-afc2-1c6df6965b3d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3489160/elementor/trunk/includes/template-library/sources/local.php?old=3473768\u0026old_path=elementor%2Ftrunk%2Fincludes%2Ftemplate-library%2Fsources%2Flocal.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-19T16:18:39.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-25T17:26:49.000Z",
"value": "Disclosed"
}
],
"title": "Elementor Website Builder \u003c= 3.35.7 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1206",
"datePublished": "2026-03-26T05:29:33.177Z",
"dateReserved": "2026-01-19T16:01:46.785Z",
"dateUpdated": "2026-04-08T17:12:59.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12073 (GCVE-0-2026-12073)
Vulnerability from cvelistv5 – Published: 2026-06-30 05:34 – Updated: 2026-06-30 13:17
VLAI
EPSS
VEX
Title
ProfileGrid - User Profiles, Groups and Communities <= 5.9.9.5 - Unauthenticated Privilege Escalation via Email Overwrite
Summary
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a `user_login` on registration forms that don't contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user's password and gain access to their account.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| metagauss | ProfileGrid – User Profiles, Groups and Communities |
Affected:
0 , ≤ 5.9.9.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T13:17:25.165561Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T13:17:33.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ProfileGrid \u2013 User Profiles, Groups and Communities",
"vendor": "metagauss",
"versions": [
{
"lessThanOrEqual": "5.9.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ivan Kuzymchak"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a `user_login` on registration forms that don\u0027t contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user\u0027s password and gain access to their account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T05:34:05.216Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d35279d-299e-4ca2-8f84-165284e058c8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3578435/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-06-12T10:23:51.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-29T16:51:48.000Z",
"value": "Disclosed"
}
],
"title": "ProfileGrid - User Profiles, Groups and Communities \u003c= 5.9.9.5 - Unauthenticated Privilege Escalation via Email Overwrite"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12073",
"datePublished": "2026-06-30T05:34:05.216Z",
"dateReserved": "2026-06-12T10:09:47.120Z",
"dateUpdated": "2026-06-30T13:17:33.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12102 (GCVE-0-2026-12102)
Vulnerability from cvelistv5 – Published: 2026-06-18 06:50 – Updated: 2026-06-18 13:53
VLAI
EPSS
VEX
Title
UsersWP <= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via 'user_id' Parameter
Summary
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
12 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| stiofansisland | UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP |
Affected:
0 , ≤ 1.2.63
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12102",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T13:21:07.179981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:53:27.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UsersWP \u2013 Front-end login form, User Registration, User Profile \u0026 Members Directory plugin for WP",
"vendor": "stiofansisland",
"versions": [
{
"lessThanOrEqual": "1.2.63",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pasindu Dilshan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The UsersWP \u2013 Front-end login form, User Registration, User Profile \u0026 Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the \u0027user_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T06:50:05.344Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7115756e-69fa-42fe-bde3-a36e34d4bae3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L371"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L389"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L89"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-userswp.php#L574"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-profile.php#L1739"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L371"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L389"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L89"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-userswp.php#L574"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-profile.php#L1739"
},
{
"url": "https://github.com/AyeCode/userswp/commit/0e69f967578904cc26fadd0206270d50b7420298"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-12T14:42:39.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-17T18:09:44.000Z",
"value": "Disclosed"
}
],
"title": "UsersWP \u003c= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via \u0027user_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12102",
"datePublished": "2026-06-18T06:50:05.344Z",
"dateReserved": "2026-06-12T14:27:14.482Z",
"dateUpdated": "2026-06-18T13:53:27.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1213 (GCVE-0-2026-1213)
Vulnerability from cvelistv5 – Published: 2026-01-27 14:04 – Updated: 2026-01-27 20:48
VLAI
EPSS
VEX
Title
Askbot 0.12.2 - Insecure Direct Object Reference (IDOR)
Summary
All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users.This issue affects askbot: 0.12.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/advisories/ghost | third-party-advisory |
| https://askbot.com/ | product |
| https://github.com/ASKBOT/askbot-devel/commit/3da… | patch |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T20:48:09.831629Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T20:48:18.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "askbot",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "askbot",
"vendor": "askbot",
"versions": [
{
"status": "affected",
"version": "0.12.2"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:askbot:askbot:0.12.2:*:windows:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:askbot:askbot:0.12.2:*:macos:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:askbot:askbot:0.12.2:*:linux:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Celis"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAll versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users.\u003c/span\u003e\u003cp\u003eThis issue affects askbot: 0.12.2.\u003c/p\u003e"
}
],
"value": "All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users.This issue affects askbot: 0.12.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T14:04:18.274Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/advisories/ghost"
},
{
"tags": [
"product"
],
"url": "https://askbot.com/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ASKBOT/askbot-devel/commit/3da3d75f35204aa71633c7a315327ba39cb6295d"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Askbot 0.12.2 - Insecure Direct Object Reference (IDOR)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2026-1213",
"datePublished": "2026-01-27T14:04:18.274Z",
"dateReserved": "2026-01-19T21:32:48.977Z",
"dateUpdated": "2026-01-27T20:48:18.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1219 (GCVE-0-2026-1219)
Vulnerability from cvelistv5 – Published: 2026-02-19 09:26 – Updated: 2026-02-20 20:37
VLAI
EPSS
VEX
Title
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure
Summary
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| sonaar | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar |
Affected:
4.0 , ≤ 5.10
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T20:37:24.748298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T20:37:50.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar",
"vendor": "sonaar",
"versions": [
{
"lessThanOrEqual": "5.10",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the \u0027load_track_note_ajax\u0027 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T09:26:36.530Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce8fa964-d543-4d46-a534-e403dff4f425?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/sonaar-music.php#L179"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/public/class-sonaar-music-public.php#L323"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3453076/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1219",
"datePublished": "2026-02-19T09:26:36.530Z",
"dateReserved": "2026-01-20T01:27:06.784Z",
"dateUpdated": "2026-02-20T20:37:50.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12204 (GCVE-0-2026-12204)
Vulnerability from cvelistv5 – Published: 2026-06-15 01:15 – Updated: 2026-06-15 14:58
VLAI
EPSS
VEX
Title
ShopXO Scheduled Task Endpoint Crontab.php GoodsGiveIntegral authorization
Summary
A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/370847 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/370847/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-12204 | third-party-advisory |
| https://vuldb.com/submit/830800 | third-party-advisory |
| https://github.com/yunyan05/MYCVE/tree/main/ShopX… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12204",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T14:58:13.523598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T14:58:36.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:shopxo:shopxo:*:*:*:*:*:*:*:*"
],
"modules": [
"Scheduled Task Endpoint"
],
"product": "ShopXO",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "6.7.0"
},
{
"status": "affected",
"version": "6.7.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yunyan05 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T01:15:07.840Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-370847 | ShopXO Scheduled Task Endpoint Crontab.php GoodsGiveIntegral authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/370847"
},
{
"name": "VDB-370847 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/370847/cti"
},
{
"name": "CVE-2026-12204 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12204"
},
{
"name": "Submit #830800 | ShopXO 6.7.1 Authorization Bypass",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/830800"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/yunyan05/MYCVE/tree/main/ShopXO/V6.7.1-Unauthenticated-Crontab-Trigger"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-14T13:59:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "ShopXO Scheduled Task Endpoint Crontab.php GoodsGiveIntegral authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12204",
"datePublished": "2026-06-15T01:15:07.840Z",
"dateReserved": "2026-06-14T11:54:42.627Z",
"dateUpdated": "2026-06-15T14:58:36.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1228 (GCVE-0-2026-1228)
Vulnerability from cvelistv5 – Published: 2026-02-06 02:23 – Updated: 2026-04-08 17:24
VLAI
EPSS
VEX
Title
Timeline Block <= 1.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute
Summary
The Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgb_shortcode() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to disclose private timeline content via the id attribute supplied to the 'timeline_block' shortcode.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bplugins | Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) |
Affected:
0 , ≤ 1.3.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-06T19:27:56.342985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T19:28:05.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Timeline Block \u2013 Beautiful Timeline Builder for WordPress (Vertical \u0026 Horizontal Timelines)",
"vendor": "bplugins",
"versions": [
{
"lessThanOrEqual": "1.3.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kazuma Matsumoto"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Timeline Block \u2013 Beautiful Timeline Builder for WordPress (Vertical \u0026 Horizontal Timelines) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgb_shortcode() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to disclose private timeline content via the id attribute supplied to the \u0027timeline_block\u0027 shortcode."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:31.746Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cecebfd0-c2af-4150-8793-299cdbeaa7b9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3446078/timeline-block-block"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-20T13:17:45.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-05T13:39:29.000Z",
"value": "Disclosed"
}
],
"title": "Timeline Block \u003c= 1.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1228",
"datePublished": "2026-02-06T02:23:38.677Z",
"dateReserved": "2026-01-20T13:01:02.988Z",
"dateUpdated": "2026-04-08T17:24:31.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12400 (GCVE-0-2026-12400)
Vulnerability from cvelistv5 – Published: 2026-07-10 07:48 – Updated: 2026-07-14 01:35
VLAI
EPSS
VEX
Title
FlowForms <= 1.1.1 - Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary Form Modification via REST API '/flowforms/v1/forms/{id}' Endpoints
Summary
The FlowForms – Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the update_form due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to modify the content, design, and settings of, as well as publish or revert, any form on the site — including forms owned by administrators — by supplying an arbitrary form ID in the REST URL.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| priyanshuchaudhary | FlowForms – Conversational Form Builder |
Affected:
0 , ≤ 1.1.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12400",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T01:35:35.039908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T01:35:43.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FlowForms \u2013 Conversational Form Builder",
"vendor": "priyanshuchaudhary",
"versions": [
{
"lessThanOrEqual": "1.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aliyan Khan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FlowForms \u2013 Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the update_form due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to modify the content, design, and settings of, as well as publish or revert, any form on the site \u2014 including forms owned by administrators \u2014 by supplying an arbitrary form ID in the REST URL."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T07:48:43.100Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f4e6133-f833-4da2-af4a-e7e7fcedfe3c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L493"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L48"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L562"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L603"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L654"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L694"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3577870%40flowforms\u0026new=3577870%40flowforms"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T19:17:45.000Z",
"value": "Disclosed"
}
],
"title": "FlowForms \u003c= 1.1.1 - Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary Form Modification via REST API \u0027/flowforms/v1/forms/{id}\u0027 Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12400",
"datePublished": "2026-07-10T07:48:43.100Z",
"dateReserved": "2026-06-16T13:34:11.451Z",
"dateUpdated": "2026-07-14T01:35:43.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Phase: Architecture and Design
Description:
- Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.