CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3230 vulnerabilities reference this CWE, most recent first.
GHSA-WMJR-58RF-XGRC
Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.
{
"affected": [],
"aliases": [
"CVE-2026-53675"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-10T00:16:55Z",
"severity": "MODERATE"
},
"details": "BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user\u0027s complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users\u0027 private social connections.",
"id": "GHSA-wmjr-58rf-xgrc",
"modified": "2026-06-10T00:31:53Z",
"published": "2026-06-10T00:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53675"
},
{
"type": "WEB",
"url": "https://buddypress.org"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/buddypress"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/buddypress-friends-list-idor-via-rest-api"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WMWX-JR2P-4J4R
Vulnerability from github – Published: 2026-06-19 19:35 – Updated: 2026-06-19 19:35Impact
A relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry — no user session, master key, or Cloud Code is needed.
As a result, an unauthenticated client who knows or obtains the owning object's objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle — confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations.
Patches
The relation query path now authorizes $relatedTo against the owning object before reading the relation join table, using the caller's authentication context. The relation key is checked against the owning class's protectedFields (the query is rejected if the key is protected), and the owning object must be readable by the caller under its class-level permissions, ACL, and pointer permissions; otherwise the relation returns no results. Master and maintenance requests are unaffected. The check is applied consistently whether $relatedTo is used at the top level or nested within $or, $and, or $nor.
Workarounds
There is no complete workaround without upgrading. As mitigation, applications can avoid exposing sensitive membership through Relation fields to untrusted clients, or enforce access on the queried class in a beforeFind trigger.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.9.1-alpha.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.80"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53726"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T19:35:19Z",
"nvd_published_at": "2026-06-12T19:16:30Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA relation query using the `$relatedTo` operator could read the membership of a `Relation` field even when that field was hidden from the requesting client by `protectedFields`, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry \u2014 no user session, master key, or Cloud Code is needed.\n\nAs a result, an unauthenticated client who knows or obtains the owning object\u0027s `objectId` could enumerate the objects linked through a protected relation, or combine the operator with an `objectId` constraint to use it as a membership oracle \u2014 confirming whether a specific object is linked to a private parent. This affects applications that rely on `protectedFields` or object ACLs to keep `Relation` membership confidential, such as private group memberships, block lists, or account-to-resource associations.\n\n### Patches\n\nThe relation query path now authorizes `$relatedTo` against the owning object before reading the relation join table, using the caller\u0027s authentication context. The relation key is checked against the owning class\u0027s `protectedFields` (the query is rejected if the key is protected), and the owning object must be readable by the caller under its class-level permissions, ACL, and pointer permissions; otherwise the relation returns no results. Master and maintenance requests are unaffected. The check is applied consistently whether `$relatedTo` is used at the top level or nested within `$or`, `$and`, or `$nor`.\n\n### Workarounds\n\nThere is no complete workaround without upgrading. As mitigation, applications can avoid exposing sensitive membership through `Relation` fields to untrusted clients, or enforce access on the queried class in a `beforeFind` trigger.",
"id": "GHSA-wmwx-jr2p-4j4r",
"modified": "2026-06-19T19:35:19Z",
"published": "2026-06-19T19:35:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-wmwx-jr2p-4j4r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53726"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10493"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10494"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL"
}
GHSA-WPF3-WV8V-2WXJ
Vulnerability from github – Published: 2026-02-18 06:30 – Updated: 2026-02-18 06:30The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funp_ajax_modify_notes' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary notes that do not belong to them.
{
"affected": [],
"aliases": [
"CVE-2025-12071"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-18T05:16:16Z",
"severity": "MODERATE"
},
"details": "The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the \u0027funp_ajax_modify_notes\u0027 AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary notes that do not belong to them.",
"id": "GHSA-wpf3-wv8v-2wxj",
"modified": "2026-02-18T06:30:19Z",
"published": "2026-02-18T06:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12071"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/frontend-user-notes/tags/2.1.1/includes/ajax.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30f2dd33-228d-4942-88d9-78c7ed0b79a1?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WPPH-CJGR-7C39
Vulnerability from github – Published: 2026-03-03 23:12 – Updated: 2026-03-30 13:18Summary
channels.*.groups.*.toolsBySender could match a privileged sender policy using a colliding mutable identity value (for example senderName or senderUsername) when deployments used untyped keys.
The fix introduces explicit typed sender keys (id:, e164:, username:, name:), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions.
Affected Packages / Versions
- Package: npm
openclaw - Affected versions:
<= 2026.2.21-2 - Latest published npm version at triage time (February 22, 2026):
2026.2.21-2 - Patched version (planned next release):
2026.2.22
Impact
This is a sender-authorization bypass in group tool policy matching for deployments that use toolsBySender with untyped keys. Under those conditions, an attacker could inherit stronger tool permissions intended for another sender if they can force an identifier collision.
Fix Commit(s)
5547a2275cb69413af3b62c795b93214fe913b57
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.22). Once that npm release is published, this advisory should only need publishing.
OpenClaw thanks @jiseoung for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32039"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T23:12:21Z",
"nvd_published_at": "2026-03-19T22:16:40Z",
"severity": "MODERATE"
},
"details": "### Summary\n`channels.*.groups.*.toolsBySender` could match a privileged sender policy using a colliding mutable identity value (for example `senderName` or `senderUsername`) when deployments used untyped keys.\n\nThe fix introduces explicit typed sender keys (`id:`, `e164:`, `username:`, `name:`), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions.\n\n### Affected Packages / Versions\n- Package: npm `openclaw`\n- Affected versions: `\u003c= 2026.2.21-2`\n- Latest published npm version at triage time (February 22, 2026): `2026.2.21-2`\n- Patched version (planned next release): `2026.2.22`\n\n### Impact\nThis is a sender-authorization bypass in group tool policy matching for deployments that use `toolsBySender` with untyped keys. Under those conditions, an attacker could inherit stronger tool permissions intended for another sender if they can force an identifier collision.\n\n### Fix Commit(s)\n- `5547a2275cb69413af3b62c795b93214fe913b57`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.22`). Once that npm release is published, this advisory should only need publishing.\n\nOpenClaw thanks @jiseoung for reporting.",
"id": "GHSA-wpph-cjgr-7c39",
"modified": "2026-03-30T13:18:04Z",
"published": "2026-03-03T23:12:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32039"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/5547a2275cb69413af3b62c795b93214fe913b57"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-via-identity-collision-in-toolsbysender"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw\u0027s typed sender-key matching for toolsBySender prevents identity-collision policy bypass"
}
GHSA-WPPR-J57C-8JPM
Vulnerability from github – Published: 2024-11-15 12:31 – Updated: 2024-11-15 20:58An Improper Authorization vulnerability exists in Dolibarr versions prior to version 15.0.0. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "dolibarr/dolibarr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "15.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3991"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-15T20:58:30Z",
"nvd_published_at": "2024-11-15T11:15:07Z",
"severity": "MODERATE"
},
"details": "An Improper Authorization vulnerability exists in Dolibarr versions prior to version 15.0.0. A user with restricted permissions in the \u0027Reception\u0027 section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.",
"id": "GHSA-wppr-j57c-8jpm",
"modified": "2024-11-15T20:58:31Z",
"published": "2024-11-15T12:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3991"
},
{
"type": "WEB",
"url": "https://github.com/dolibarr/dolibarr/commit/63cd06394f39d60784d6e6a0ccf4867a71a6568f"
},
{
"type": "PACKAGE",
"url": "https://github.com/dolibarr/dolibarr"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/58ddbd8a-0faf-4b3f-aec9-5850bb19ab67"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Improper Authorization in dolibarr/dolibarr"
}
GHSA-WPX8-X78M-JRQQ
Vulnerability from github – Published: 2022-01-13 00:01 – Updated: 2022-01-21 00:01growi is vulnerable to Authorization Bypass Through User-Controlled Key
{
"affected": [],
"aliases": [
"CVE-2021-3852"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-12T11:15:00Z",
"severity": "HIGH"
},
"details": "growi is vulnerable to Authorization Bypass Through User-Controlled Key",
"id": "GHSA-wpx8-x78m-jrqq",
"modified": "2022-01-21T00:01:14Z",
"published": "2022-01-13T00:01:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3852"
},
{
"type": "WEB",
"url": "https://github.com/weseek/growi/commit/863bfd7f622f413bd159b9446166fb1ce78ec863"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/d44def81-2834-4031-9037-e923975c3852"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WQ8W-54VC-9F9Q
Vulnerability from github – Published: 2026-07-09 12:30 – Updated: 2026-07-09 12:30Authorization bypass through User-Controlled key vulnerability in PAVO Financial Technology Solutions Inc. PAVO Pay allows Exploitation of Trusted Identifiers.
This issue affects PAVO Pay: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-1989"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T10:16:25Z",
"severity": "HIGH"
},
"details": "Authorization bypass through User-Controlled key vulnerability in PAVO Financial Technology Solutions Inc. PAVO Pay allows Exploitation of Trusted Identifiers.\n\nThis issue affects PAVO Pay: through 09072026.\u00a0NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-wq8w-54vc-9f9q",
"modified": "2026-07-09T12:30:27Z",
"published": "2026-07-09T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1989"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0521"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WQFG-5QCM-9R65
Vulnerability from github – Published: 2025-09-30 12:30 – Updated: 2025-10-08 18:30Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access to the list of permissions using unauthorised internal identifiers.
{
"affected": [],
"aliases": [
"CVE-2025-41099"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-30T11:37:40Z",
"severity": "HIGH"
},
"details": "Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to\u00a0access to the list of permissions using unauthorised internal identifiers.",
"id": "GHSA-wqfg-5qcm-9r65",
"modified": "2025-10-08T18:30:15Z",
"published": "2025-09-30T12:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41099"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-gps-bold-workplanner"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WQV6-VH6H-52RM
Vulnerability from github – Published: 2024-07-09 12:30 – Updated: 2024-07-09 12:30A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2023-3288"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T11:15:12Z",
"severity": "HIGH"
},
"details": "A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation.",
"id": "GHSA-wqv6-vh6h-52rm",
"modified": "2024-07-09T12:30:56Z",
"published": "2024-07-09T12:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3288"
},
{
"type": "WEB",
"url": "https://github.com/alextselegidis/easyappointments"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WR2F-FRVR-F8HG
Vulnerability from github – Published: 2026-07-11 06:31 – Updated: 2026-07-11 06:31The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to mint publicly accessible, session-free download links for arbitrary third-party orders, exposing customer names, billing and shipping addresses, email addresses, phone numbers, order and invoice numbers, line items, totals, payment details, and customer notes contained in those orders' invoices and packing slips. Exploitation requires the plugin's Document link access type setting to be configured to 'full'; with the default 'logged_in' value, generated URLs are signed with a per-session nonce rather than the order_key, making the shortcode path unexploitable for unauthorized access to third-party orders.
{
"affected": [],
"aliases": [
"CVE-2026-13116"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-11T05:16:32Z",
"severity": "MODERATE"
},
"details": "The PDF Invoices \u0026 Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to mint publicly accessible, session-free download links for arbitrary third-party orders, exposing customer names, billing and shipping addresses, email addresses, phone numbers, order and invoice numbers, line items, totals, payment details, and customer notes contained in those orders\u0027 invoices and packing slips. Exploitation requires the plugin\u0027s Document link access type setting to be configured to \u0027full\u0027; with the default \u0027logged_in\u0027 value, generated URLs are signed with a per-session nonce rather than the order_key, making the shortcode path unexploitable for unauthorized access to third-party orders.",
"id": "GHSA-wr2f-frvr-f8hg",
"modified": "2026-07-11T06:31:16Z",
"published": "2026-07-11T06:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13116"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.14.0/includes/Endpoint.php#L111"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.14.0/includes/Frontend.php#L271"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.14.0/includes/Frontend.php#L284"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.9.2/includes/Endpoint.php#L111"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.9.2/includes/Frontend.php#L271"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-pdf-invoices-packing-slips/tags/5.9.2/includes/Frontend.php#L284"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3590578%40woocommerce-pdf-invoices-packing-slips\u0026new=3590578%40woocommerce-pdf-invoices-packing-slips"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6525195e-5d90-4dd4-b9ee-612a8295c262?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.