Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3258 vulnerabilities reference this CWE, most recent first.

GHSA-P9CX-F595-H79H

Vulnerability from github – Published: 2024-11-07 15:31 – Updated: 2024-11-07 18:28
VLAI
Summary
Moodle's IDOR in Feedback non-respondents report allows messaging arbitrary site users
Details

A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0-beta"
            },
            {
              "fixed": "4.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0-beta"
            },
            {
              "fixed": "4.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0-beta"
            },
            {
              "fixed": "4.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-43438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-07T18:28:35Z",
    "nvd_published_at": "2024-11-07T14:15:16Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Feedback. Bulk messaging in the activity\u0027s non-respondents report did not verify message recipients belonging to the set of users returned by the report.",
  "id": "GHSA-p9cx-f595-h79h",
  "modified": "2024-11-07T18:28:35Z",
  "published": "2024-11-07T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43438"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304267"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moodle/moodle"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=461208"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Moodle\u0027s IDOR in Feedback non-respondents report allows messaging arbitrary site users"
}

GHSA-P9F5-H3RX-J5QW

Vulnerability from github – Published: 2026-06-22 23:59 – Updated: 2026-06-22 23:59
VLAI
Summary
Gogs Missing Authorization in Attachment Download
Details

Summary

In Gogs 0.14.1, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository.

Description

/attachments/:uuid retrieves an attachment record solely by the UUID provided in the URL and returns the corresponding local file without performing any authorization checks against the attachment’s parent object (Issue/Comment/Release) or the repository it belongs to. As a result, even attachments under private repositories can be downloaded by an unauthenticated user (or a user without proper permissions) as long as the UUID is known.

Relevant code (internal/cmd/web.go:306):

m.Get("/attachments/:uuid", func(c *context.Context) {
    attach, err := database.GetAttachmentByUUID(c.Params(":uuid"))
    if err != nil {
        c.NotFoundOrError(err, "get attachment by UUID")
        return
    } else if !com.IsFile(attach.LocalPath()) {
        c.NotFound()
        return
    }

    fr, err := os.Open(attach.LocalPath())
    if err != nil {
        c.Error(err, "open attachment file")
        return
    }
    defer fr.Close()

    c.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
    c.Header().Set("Cache-Control", "public,max-age=86400")
    c.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, attach.Name))

    if _, err = io.Copy(c.Resp, fr); err != nil {
        c.Error(err, "copy from file to response")
        return
    }
})

The UUID lookup itself also performs no validation tied to repository visibility or user permissions. Authorization is not enforced at this layer.

Relevant code (internal/database/attachment.go:124):

// GetAttachmentByUUID returns attachment by given UUID.
func GetAttachmentByUUID(uuid string) (*Attachment, error) {
    return getAttachmentByUUID(x, uuid)
}

Preconditions

  • The attacker knows the target attachment’s UUID (i.e., the attachment URL).
  • For unauthenticated exploitation: [auth] REQUIRE_SIGNIN_VIEW = false.
  • Even when REQUIRE_SIGNIN_VIEW = true, exploitation may still be possible because the handler does not check repository-level permissions; a user who can log in but lacks access to the target repository may still retrieve the attachment.

Steps to Reproduce

  1. Log in as an administrator and create a private repository, e.g. myadmin/idor-attach-1770724346-1a13bb.
  2. Add an attachment to an Issue in that repository and note the attachment UUID (example UUID used during testing: f06d90f8-5b62-4c10-ac8d-f11fdf870b57).
  3. Log out and access the following as an unauthenticated user:

  4. The repository page → 404 Not Found image

  5. The Issue page under that repository → 404 Not Found image

  6. GET /attachments/<uuid>the attachment file is successfully downloaded image

Minimum Required Privileges

  • REQUIRE_SIGNIN_VIEW = false: none (works without authentication).
  • REQUIRE_SIGNIN_VIEW = true: only the ability to log in (repository view permission is not required in practice).

Impact

  • Confidential information attached to private repositories or restricted Issues/Releases may be disclosed.

  • Examples include credentials, cryptographic keys, personal data, internal documents, or unpublished source code fragments.

  • While the severity depends on the attachment contents, attachments frequently contain sensitive data, making the potential impact high.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.14.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-22T23:59:03Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nIn Gogs 0.14.1, `GET /attachments/:uuid` returns the raw attachment file **without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository**.\nIn a test environment with `REQUIRE_SIGNIN_VIEW = false`, we confirmed that **an unauthenticated user can download attachments belonging to a private repository**.\n\n## Description\n\n`/attachments/:uuid` retrieves an attachment record solely by the UUID provided in the URL and returns the corresponding local file **without performing any authorization checks** against the attachment\u2019s parent object (Issue/Comment/Release) or the repository it belongs to. As a result, even attachments under private repositories can be downloaded by an unauthenticated user (or a user without proper permissions) as long as the UUID is known.\n\nRelevant code (internal/cmd/web.go:306):\n\n```go\nm.Get(\"/attachments/:uuid\", func(c *context.Context) {\n\tattach, err := database.GetAttachmentByUUID(c.Params(\":uuid\"))\n\tif err != nil {\n\t\tc.NotFoundOrError(err, \"get attachment by UUID\")\n\t\treturn\n\t} else if !com.IsFile(attach.LocalPath()) {\n\t\tc.NotFound()\n\t\treturn\n\t}\n\n\tfr, err := os.Open(attach.LocalPath())\n\tif err != nil {\n\t\tc.Error(err, \"open attachment file\")\n\t\treturn\n\t}\n\tdefer fr.Close()\n\n\tc.Header().Set(\"Content-Security-Policy\", \"default-src \u0027none\u0027; style-src \u0027unsafe-inline\u0027; sandbox\")\n\tc.Header().Set(\"Cache-Control\", \"public,max-age=86400\")\n\tc.Header().Set(\"Content-Disposition\", fmt.Sprintf(`inline; filename=\"%s\"`, attach.Name))\n\n\tif _, err = io.Copy(c.Resp, fr); err != nil {\n\t\tc.Error(err, \"copy from file to response\")\n\t\treturn\n\t}\n})\n```\n\nThe UUID lookup itself also performs **no validation tied to repository visibility or user permissions**. Authorization is not enforced at this layer.\n\nRelevant code (internal/database/attachment.go:124):\n\n```go\n// GetAttachmentByUUID returns attachment by given UUID.\nfunc GetAttachmentByUUID(uuid string) (*Attachment, error) {\n\treturn getAttachmentByUUID(x, uuid)\n}\n```\n\n## Preconditions\n\n* The attacker knows the target attachment\u2019s UUID (i.e., the attachment URL).\n* For unauthenticated exploitation: `[auth] REQUIRE_SIGNIN_VIEW = false`.\n* Even when `REQUIRE_SIGNIN_VIEW = true`, exploitation may still be possible because the handler does not check repository-level permissions; a user who can log in but lacks access to the target repository may still retrieve the attachment.\n\n## Steps to Reproduce\n\n1. Log in as an administrator and create a private repository, e.g. `myadmin/idor-attach-1770724346-1a13bb`.\n2. Add an attachment to an Issue in that repository and note the attachment UUID\n   (example UUID used during testing: `f06d90f8-5b62-4c10-ac8d-f11fdf870b57`).\n3. Log out and access the following as an unauthenticated user:\n\n* The repository page \u2192 404 Not Found\n\u003cimg width=\"1702\" height=\"758\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8fdb1d92-cfc3-4ef8-977e-60ec13f792df\" /\u003e\n\n* The Issue page under that repository \u2192 404 Not Found\n\u003cimg width=\"1983\" height=\"546\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c44c5e69-8ca2-4ea6-a071-62302b7e896f\" /\u003e\n\n* `GET /attachments/\u003cuuid\u003e` \u2192 **the attachment file is successfully downloaded**\n\u003cimg width=\"2007\" height=\"378\" alt=\"image\" src=\"https://github.com/user-attachments/assets/23950ac6-6b3a-42f8-a06b-b9e0cf508d24\" /\u003e\n\n\n\n## Minimum Required Privileges\n\n* `REQUIRE_SIGNIN_VIEW = false`: none (works without authentication).\n* `REQUIRE_SIGNIN_VIEW = true`: only the ability to log in (repository view permission is not required in practice).\n\n## Impact\n\n* Confidential information attached to private repositories or restricted Issues/Releases may be disclosed.\n\n  * Examples include credentials, cryptographic keys, personal data, internal documents, or unpublished source code fragments.\n* While the severity depends on the attachment contents, attachments frequently contain sensitive data, making the potential impact high.",
  "id": "GHSA-p9f5-h3rx-j5qw",
  "modified": "2026-06-22T23:59:03Z",
  "published": "2026-06-22T23:59:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-p9f5-h3rx-j5qw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8320"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/d3ca23f9f33d5710472a775d6dcd3a7bb128bb05"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gogs Missing Authorization in Attachment Download"
}

GHSA-P9JF-6QR6-P275

Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-27 21:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justicia: from n/a through <= 1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T17:16:33Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justicia: from n/a through \u003c= 1.2.",
  "id": "GHSA-p9jf-6qr6-p275",
  "modified": "2026-01-27T21:31:44Z",
  "published": "2026-01-22T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22409"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/justicia/vulnerability/wordpress-justicia-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9W3-8M39-9587

Vulnerability from github – Published: 2023-12-20 15:30 – Updated: 2026-04-28 21:33
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-20T14:15:19Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6.",
  "id": "GHSA-p9w3-8m39-9587",
  "modified": "2026-04-28T21:33:27Z",
  "published": "2023-12-20T15:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37871"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/woocommerce-gateway-gocardless/wordpress-woocommerce-gocardless-gateway-plugin-2-5-6-unauthenticated-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9X3-W98F-7J3Q

Vulnerability from github – Published: 2026-03-02 19:53 – Updated: 2026-03-02 19:53
VLAI
Summary
NocoDB Missing Ownership Validation in MCP Token Operations
Details

Summary

The MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known.

Details

McpTokenService.get(), regenerateToken(), and delete() did not filter by fk_user_id. The analogous ApiTokensService correctly enforced ownership.

Impact

Limited — requires Creator role and knowledge of target token ID. Primary risk is denial of service (invalidating tokens) and scoped token disclosure.

Credit

This issue was reported by @bugbunny-research (bugbunny.ai).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.301.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.301.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T19:53:41Z",
    "nvd_published_at": "2026-03-02T17:16:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user\u0027s MCP tokens if the token ID was known.\n\n### Details\n`McpTokenService.get()`, `regenerateToken()`, and `delete()` did not filter by `fk_user_id`. The analogous `ApiTokensService` correctly enforced ownership.\n\n### Impact\nLimited \u2014 requires Creator role and knowledge of target token ID. Primary risk is denial of service (invalidating tokens) and scoped token disclosure.\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).",
  "id": "GHSA-p9x3-w98f-7j3q",
  "modified": "2026-03-02T19:53:41Z",
  "published": "2026-03-02T19:53:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-p9x3-w98f-7j3q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28361"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoDB Missing Ownership Validation in MCP Token Operations"
}

GHSA-PC38-57G8-39GG

Vulnerability from github – Published: 2026-02-12 18:30 – Updated: 2026-02-18 15:31
VLAI
Details

An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in the My Details page URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69752"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-12T16:16:05Z",
    "severity": "MODERATE"
  },
  "details": "An issue in the \"My Details\" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users\u0027 profile information by modifying the objectKey HTTP parameter in the My Details page URL.",
  "id": "GHSA-pc38-57g8-39gg",
  "modified": "2026-02-18T15:31:24Z",
  "published": "2026-02-12T18:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69752"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brtsec/public-advisories/tree/main/advisories/CVE-2025-69752"
    },
    {
      "type": "WEB",
      "url": "http://ideagen.com"
    },
    {
      "type": "WEB",
      "url": "http://q-pulse.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PCM2-6VC4-FM2M

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2025-03-27 18:30
VLAI
Details

Globitel KSA SpeechLog v8.1 was discovered to contain an Insecure Direct Object Reference (IDOR) via the userID parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33818"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:38:07Z",
    "severity": "HIGH"
  },
  "details": "Globitel KSA SpeechLog v8.1 was discovered to contain an Insecure Direct Object Reference (IDOR) via the userID parameter.",
  "id": "GHSA-pcm2-6vc4-fm2m",
  "modified": "2025-03-27T18:30:39Z",
  "published": "2024-05-14T18:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33818"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40rajput.thakur/insecure-direct-object-references-cve-2024-33818-86785aa8c969"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PCR4-QPPJ-9V45

Vulnerability from github – Published: 2024-08-22 12:30 – Updated: 2024-09-27 00:31
VLAI
Details

The User Private Files – WordPress File Sharing Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'dpk_upvf_update_doc' due to missing validation on the 'docid' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to gain access to other user's private files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7848"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-22T11:15:14Z",
    "severity": "MODERATE"
  },
  "details": "The User Private Files \u2013 WordPress File Sharing Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the \u0027dpk_upvf_update_doc\u0027 due to missing validation on the \u0027docid\u0027 user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to gain access to other user\u0027s private files.",
  "id": "GHSA-pcr4-qppj-9v45",
  "modified": "2024-09-27T00:31:04Z",
  "published": "2024-08-22T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7848"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3136913%40user-private-files\u0026new=3136913%40user-private-files\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fb06de8-97d6-46c3-83ef-93a209540259?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PF3F-6CWQ-WV9H

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09
VLAI
Details

The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users (including those with higher roles).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-02T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users (including those with higher roles).",
  "id": "GHSA-pf3f-6cwq-wv9h",
  "modified": "2022-05-24T19:09:38Z",
  "published": "2022-05-24T19:09:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24473"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/79982ea9-4733-4b1e-a43e-17629c1136de"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PF3Q-2QV4-VX44

Vulnerability from github – Published: 2025-01-30 09:30 – Updated: 2025-01-30 09:30
VLAI
Details

The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-30T09:15:08Z",
    "severity": "HIGH"
  },
  "details": "The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.",
  "id": "GHSA-pf3q-2qv4-vx44",
  "modified": "2025-01-30T09:30:37Z",
  "published": "2025-01-30T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13694"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/smart-wishlist-for-more-convert/trunk/includes/class-wlfmc-form-handler.php#L607"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/smart-wishlist-for-more-convert/trunk/includes/class-wlfmc-wishlist.php#L529"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3229758"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/smart-wishlist-for-more-convert/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59fe7630-ab94-419f-aca5-39b74d86ae4e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.