Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3235 vulnerabilities reference this CWE, most recent first.

GHSA-V348-VR4Q-FV9P

Vulnerability from github – Published: 2026-05-19 12:31 – Updated: 2026-06-29 22:58
VLAI
Summary
TYPO3 sf_register extension allows unauthorized assignment of frontend user groups
Details

The create and edit flows in the TYPO3 extension sf_register do not restrict which user properties may be submitted, and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "evoweb/sf-register"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "evoweb/sf-register"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-29T22:58:05Z",
    "nvd_published_at": "2026-05-19T10:16:24Z",
    "severity": "MODERATE"
  },
  "details": "The `create` and `edit` flows in the TYPO3 extension sf_register do not restrict which user properties may be submitted, and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.",
  "id": "GHSA-v348-vr4q-fv9p",
  "modified": "2026-06-29T22:58:05Z",
  "published": "2026-05-19T12:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46721"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/evoweb/sf-register/CVE-2026-46721.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/evoWeb/sf_register"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TYPO3 sf_register extension allows unauthorized assignment of frontend user groups"
}

GHSA-V3GV-GJ4M-F92W

Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2022-03-17 00:03
VLAI
Details

An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25471"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-03T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register.",
  "id": "GHSA-v3gv-gj4m-f92w",
  "modified": "2022-03-17T00:03:53Z",
  "published": "2022-03-04T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25471"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openemr/openemr"
    },
    {
      "type": "WEB",
      "url": "https://securityforeveryone.com/blog/inactive-post-test/openemr-0-day-idor-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.open-emr.org"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3MV-8XGW-9PRF

Vulnerability from github – Published: 2023-05-16 09:30 – Updated: 2024-04-04 04:11
VLAI
Details

The RegistrationMagic plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 5.2.0.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers, with administrator-level permissions and above, to change user passwords and potentially take over super-administrator accounts in multisite setup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2548"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-16T09:15:09Z",
    "severity": "HIGH"
  },
  "details": "The RegistrationMagic plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 5.2.0.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers, with administrator-level permissions and above, to change user passwords and potentially take over super-administrator accounts in multisite setup.",
  "id": "GHSA-v3mv-8xgw-9prf",
  "modified": "2024-04-04T04:11:56Z",
  "published": "2023-05-16T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2548"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/5.2.0.5/includes/class_rm_utilities.php#L3044"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bfbc406b-49af-419e-adeb-0510794b7e3f?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3V2-W9V8-Q7H6

Vulnerability from github – Published: 2026-04-08 09:31 – Updated: 2026-04-08 09:31
VLAI
Details

The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5167"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T07:16:22Z",
    "severity": "MODERATE"
  },
  "details": "The Masteriyo LMS \u2013 Online Course Builder for eLearning, LMS \u0026 Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content.",
  "id": "GHSA-v3v2-w9v8-q7h6",
  "modified": "2026-04-08T09:31:30Z",
  "published": "2026-04-08T09:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5167"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L563-639"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L649-704"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L563-639"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L649-704"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3499458/learning-management-system/trunk/addons/stripe/StripeAddon.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6d51dc3-b695-4e9d-b25a-d1b302be1fec?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3WG-JG3P-QCMH

Vulnerability from github – Published: 2025-02-05 15:32 – Updated: 2026-04-08 18:33
VLAI
Details

The UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.8 via the show_template due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to expose the contents of draft, private, and pending posts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-21T11:15:21Z",
    "severity": "MODERATE"
  },
  "details": "The UltraAddons \u2013 Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.8 via the show_template due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to expose the contents of draft, private, and pending posts.",
  "id": "GHSA-v3wg-jg3p-qcmh",
  "modified": "2026-04-08T18:33:40Z",
  "published": "2025-02-05T15:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10696"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ultraaddons-elementor-lite/trunk/inc/wp/shortcode.php#L16"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3221044"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/719de6e5-29c5-4303-981d-81840939a0b1?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V43W-M78J-VR5M

Vulnerability from github – Published: 2024-04-29 06:30 – Updated: 2025-02-06 06:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Fabio Rinaldi Crelly Slider.This issue affects Crelly Slider: from n/a through 1.4.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-29T06:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Fabio Rinaldi Crelly Slider.This issue affects Crelly Slider: from n/a through 1.4.5.",
  "id": "GHSA-v43w-m78j-vr5m",
  "modified": "2025-02-06T06:31:25Z",
  "published": "2024-04-29T06:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33542"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/crelly-slider/wordpress-crelly-slider-plugin-1-4-5-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V487-79CJ-W3X8

Vulnerability from github – Published: 2023-07-05 03:30 – Updated: 2024-04-04 05:23
VLAI
Details

Insecure Direct Object Reference vulnerability in WHMCS module SolusVM 1 4.1.2 allows an attacker to change the password and hostname of other customer servers without authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-05T03:15:09Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object Reference vulnerability in WHMCS module SolusVM 1 4.1.2 allows an attacker to change the password and hostname of other customer servers without authorization.",
  "id": "GHSA-v487-79cj-w3x8",
  "modified": "2024-04-04T05:23:12Z",
  "published": "2023-07-05T03:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42175"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mr404ntf/9c8728ee8f35d9744feec3828df1085d"
    },
    {
      "type": "WEB",
      "url": "http://soluslabs.com"
    },
    {
      "type": "WEB",
      "url": "http://solusvm.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V492-6XX2-P57G

Vulnerability from github – Published: 2026-01-14 09:31 – Updated: 2026-01-14 21:16
VLAI
Summary
Chainlit contains an authorization bypass vulnerability
Details

Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "chainlit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-14T21:16:04Z",
    "nvd_published_at": "2026-01-14T07:16:14Z",
    "severity": "LOW"
  },
  "details": "Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product.",
  "id": "GHSA-v492-6xx2-p57g",
  "modified": "2026-01-14T21:16:04Z",
  "published": "2026-01-14T09:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chainlit/chainlit/pull/2637"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chainlit/chainlit/commit/8f1153db439eca58ae5c50c8276ba6fdd311448e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Chainlit/chainlit"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chainlit/chainlit/releases"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chainlit/chainlit/releases/tag/2.8.5"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN34964581"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Chainlit contains an authorization bypass vulnerability"
}

GHSA-V492-QVFP-R274

Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00
VLAI
Details

The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2535"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-15T11:21:00Z",
    "severity": "MODERATE"
  },
  "details": "The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink",
  "id": "GHSA-v492-qvfp-r274",
  "modified": "2022-08-17T00:00:23Z",
  "published": "2022-08-16T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2535"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/0e13c375-044c-4c2e-ab8e-48cb89d90d02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V574-8M96-8MP9

Vulnerability from github – Published: 2024-08-15 21:31 – Updated: 2024-08-16 18:30
VLAI
Details

Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar event feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27730"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-15T19:15:18Z",
    "severity": "CRITICAL"
  },
  "details": "Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar event feature.",
  "id": "GHSA-v574-8m96-8mp9",
  "modified": "2024-08-16T18:30:57Z",
  "published": "2024-08-15T21:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27730"
    },
    {
      "type": "WEB",
      "url": "https://github.com/friendica/friendica/pull/13927"
    },
    {
      "type": "WEB",
      "url": "https://leo.oliver.nz/posts/2024/05/friendica-cve-disclosures"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.