CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3239 vulnerabilities reference this CWE, most recent first.
CVE-2026-12433 (GCVE-0-2026-12433)
Vulnerability from cvelistv5 – Published: 2026-07-09 08:31 – Updated: 2026-07-09 14:37- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| themefic | Hydra Booking — Appointment Scheduling & Booking Calendar |
Affected:
0 , ≤ 1.2.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T14:37:03.212048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:37:17.193Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hydra Booking \u2014 Appointment Scheduling \u0026 Booking Calendar",
"vendor": "themefic",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Quang"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Hydra Booking \u2013 Appointment Scheduling \u0026 Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint. This is due to the getBookingDetails() callback only enforcing the tfhb_manage_options capability via tfhb_manage_options_permission(), without verifying that the requested booking belongs to the currently authenticated host (the lookup in getBookingDetailsData() filters solely on the booking id supplied in the URL). This makes it possible for authenticated attackers, with Hydra Host-level access and above (a role created by the plugin which grants tfhb_manage_options), to view sensitive booking records belonging to other hosts, including attendee names, emails, phone numbers, addresses, meeting details, payment method and status, transaction history, and internal notes by iterating booking IDs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T08:31:35.571Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa00fe53-dc65-4200-80bb-9167b4230194?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/admin/Controller/BookingController.php#L1418"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/admin/Controller/BookingController.php#L100"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/admin/Controller/RouteController.php#L55"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/includes/hooks/ActivationHooks.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/admin/Controller/BookingController.php#L1418"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/admin/Controller/BookingController.php#L100"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/admin/Controller/RouteController.php#L55"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/includes/hooks/ActivationHooks.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3600170%40hydra-booking\u0026new=3600170%40hydra-booking"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-16T18:35:40.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-08T20:27:39.000Z",
"value": "Disclosed"
}
],
"title": "Hydra Booking \u003c= 1.2.1 - Authenticated (Custom+) Insecure Direct Object Reference to Sensitive Information Exposure via \u0027booking_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12433",
"datePublished": "2026-07-09T08:31:35.571Z",
"dateReserved": "2026-06-16T18:20:28.369Z",
"dateUpdated": "2026-07-09T14:37:17.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12418 (GCVE-0-2026-12418)
Vulnerability from cvelistv5 – Published: 2026-07-09 07:55 – Updated: 2026-07-09 14:39- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| wedevs | User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership & User Registration |
Affected:
0 , ≤ 4.3.7
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12418",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:32:23.613537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:39:37.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership \u0026 User Registration",
"vendor": "wedevs",
"versions": [
{
"lessThanOrEqual": "4.3.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kim ChanYeop"
}
],
"descriptions": [
{
"lang": "en",
"value": "The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \u0026 User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.7 via the \u0027wpuf_files_data\u0027 parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite the post_title, post_content, and post_excerpt of any arbitrary post on the site, including posts authored by administrators. Exploitation requires access to any WPUF post submission form; this is achievable by users with no WordPress role, as the wpuf_submit_post AJAX action is gated only by a nonce with no capability check for the downstream post-edit operation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T07:55:13.665Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f66e25f-b67e-4227-95fe-69b40551af61?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.6/includes/Traits/FieldableTrait.php#L478"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.6/includes/Ajax/Frontend_Form_Ajax.php#L35"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.6/includes/Traits/FieldableTrait.php#L468"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.1/includes/Traits/FieldableTrait.php#L478"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.1/includes/Ajax/Frontend_Form_Ajax.php#L35"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.1/includes/Traits/FieldableTrait.php#L468"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3578622%40wp-user-frontend\u0026new=3578622%40wp-user-frontend"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-16T16:18:58.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-08T19:37:25.000Z",
"value": "Disclosed"
}
],
"title": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \u0026 User Registration \u003c= 4.3.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Modification via \u0027wpuf_files_data\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12418",
"datePublished": "2026-07-09T07:55:13.665Z",
"dateReserved": "2026-06-16T16:03:46.619Z",
"dateUpdated": "2026-07-09T14:39:37.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12411 (GCVE-0-2026-12411)
Vulnerability from cvelistv5 – Published: 2026-06-26 15:27 – Updated: 2026-06-26 16:02| URL | Tags |
|---|---|
| https://github.com/canonical/lxd/security/advisor… | vdb-entryvendor-advisory |
| https://github.com/canonical/lxd/pull/18585 | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12411",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T16:02:35.514095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:02:55.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical",
"defaultStatus": "unaffected",
"packageName": "lxd",
"platforms": [
"Linux"
],
"product": "lxd",
"programFiles": [
"permissions.go"
],
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.9",
"status": "affected",
"version": "6.6",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest\u0027s custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled."
}
],
"impacts": [
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "Manipulating User-Controlled Variables"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:27:55.111Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"name": "Cross-guest volume hijack via DevLXD device patch",
"tags": [
"vdb-entry",
"vendor-advisory"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp"
},
{
"name": "Security fixes from the 6.9 release",
"tags": [
"patch"
],
"url": "https://github.com/canonical/lxd/pull/18585"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to LXD version 6.9 or later."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Broken Access Control in Canonical LXD DevLXD API"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-12411",
"datePublished": "2026-06-26T15:27:55.111Z",
"dateReserved": "2026-06-16T15:07:27.771Z",
"dateUpdated": "2026-06-26T16:02:55.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12400 (GCVE-0-2026-12400)
Vulnerability from cvelistv5 – Published: 2026-07-10 07:48 – Updated: 2026-07-14 01:35- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| priyanshuchaudhary | FlowForms – Conversational Form Builder |
Affected:
0 , ≤ 1.1.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12400",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T01:35:35.039908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T01:35:43.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FlowForms \u2013 Conversational Form Builder",
"vendor": "priyanshuchaudhary",
"versions": [
{
"lessThanOrEqual": "1.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aliyan Khan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FlowForms \u2013 Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the update_form due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to modify the content, design, and settings of, as well as publish or revert, any form on the site \u2014 including forms owned by administrators \u2014 by supplying an arbitrary form ID in the REST URL."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T07:48:43.100Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f4e6133-f833-4da2-af4a-e7e7fcedfe3c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L493"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L48"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L562"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L603"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L654"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L694"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3577870%40flowforms\u0026new=3577870%40flowforms"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T19:17:45.000Z",
"value": "Disclosed"
}
],
"title": "FlowForms \u003c= 1.1.1 - Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary Form Modification via REST API \u0027/flowforms/v1/forms/{id}\u0027 Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12400",
"datePublished": "2026-07-10T07:48:43.100Z",
"dateReserved": "2026-06-16T13:34:11.451Z",
"dateUpdated": "2026-07-14T01:35:43.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12204 (GCVE-0-2026-12204)
Vulnerability from cvelistv5 – Published: 2026-06-15 01:15 – Updated: 2026-06-15 14:58| URL | Tags |
|---|---|
| https://vuldb.com/vuln/370847 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/370847/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-12204 | third-party-advisory |
| https://vuldb.com/submit/830800 | third-party-advisory |
| https://github.com/yunyan05/MYCVE/tree/main/ShopX… | exploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12204",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T14:58:13.523598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T14:58:36.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:shopxo:shopxo:*:*:*:*:*:*:*:*"
],
"modules": [
"Scheduled Task Endpoint"
],
"product": "ShopXO",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "6.7.0"
},
{
"status": "affected",
"version": "6.7.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yunyan05 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T01:15:07.840Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-370847 | ShopXO Scheduled Task Endpoint Crontab.php GoodsGiveIntegral authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/370847"
},
{
"name": "VDB-370847 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/370847/cti"
},
{
"name": "CVE-2026-12204 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12204"
},
{
"name": "Submit #830800 | ShopXO 6.7.1 Authorization Bypass",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/830800"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/yunyan05/MYCVE/tree/main/ShopXO/V6.7.1-Unauthenticated-Crontab-Trigger"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-14T13:59:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "ShopXO Scheduled Task Endpoint Crontab.php GoodsGiveIntegral authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12204",
"datePublished": "2026-06-15T01:15:07.840Z",
"dateReserved": "2026-06-14T11:54:42.627Z",
"dateUpdated": "2026-06-15T14:58:36.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12102 (GCVE-0-2026-12102)
Vulnerability from cvelistv5 – Published: 2026-06-18 06:50 – Updated: 2026-06-18 13:53- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| stiofansisland | UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP |
Affected:
0 , ≤ 1.2.63
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12102",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T13:21:07.179981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T13:53:27.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UsersWP \u2013 Front-end login form, User Registration, User Profile \u0026 Members Directory plugin for WP",
"vendor": "stiofansisland",
"versions": [
{
"lessThanOrEqual": "1.2.63",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pasindu Dilshan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The UsersWP \u2013 Front-end login form, User Registration, User Profile \u0026 Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the \u0027user_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T06:50:05.344Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7115756e-69fa-42fe-bde3-a36e34d4bae3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L371"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L389"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L89"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-userswp.php#L574"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-profile.php#L1739"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L371"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L389"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L89"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-userswp.php#L574"
},
{
"url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-profile.php#L1739"
},
{
"url": "https://github.com/AyeCode/userswp/commit/0e69f967578904cc26fadd0206270d50b7420298"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-12T14:42:39.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-17T18:09:44.000Z",
"value": "Disclosed"
}
],
"title": "UsersWP \u003c= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via \u0027user_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12102",
"datePublished": "2026-06-18T06:50:05.344Z",
"dateReserved": "2026-06-12T14:27:14.482Z",
"dateUpdated": "2026-06-18T13:53:27.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12073 (GCVE-0-2026-12073)
Vulnerability from cvelistv5 – Published: 2026-06-30 05:34 – Updated: 2026-06-30 13:17- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| metagauss | ProfileGrid – User Profiles, Groups and Communities |
Affected:
0 , ≤ 5.9.9.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T13:17:25.165561Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T13:17:33.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ProfileGrid \u2013 User Profiles, Groups and Communities",
"vendor": "metagauss",
"versions": [
{
"lessThanOrEqual": "5.9.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ivan Kuzymchak"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a `user_login` on registration forms that don\u0027t contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user\u0027s password and gain access to their account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T05:34:05.216Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d35279d-299e-4ca2-8f84-165284e058c8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3578435/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-06-12T10:23:51.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-29T16:51:48.000Z",
"value": "Disclosed"
}
],
"title": "ProfileGrid - User Profiles, Groups and Communities \u003c= 5.9.9.5 - Unauthenticated Privilege Escalation via Email Overwrite"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12073",
"datePublished": "2026-06-30T05:34:05.216Z",
"dateReserved": "2026-06-12T10:09:47.120Z",
"dateUpdated": "2026-06-30T13:17:33.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11988 (GCVE-0-2026-11988)
Vulnerability from cvelistv5 – Published: 2026-07-01 04:32 – Updated: 2026-07-01 10:42- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses |
Affected:
0 , ≤ 4.3.9.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11988",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T10:31:37.825648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T10:42:11.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses",
"vendor": "thimpress",
"versions": [
{
"lessThanOrEqual": "4.3.9.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "javitoia"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the \u0027userId\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T04:32:27.231Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b5e8cfd-989e-4a64-abb0-9daa22df46a4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L137"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/user/abstract-lp-user.php#L680"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L137"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/user/abstract-lp-user.php#L680"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Flearnpress/tags/4.3.9.1\u0026new_path=%2Flearnpress/tags/4.4.0"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-11T14:43:46.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-30T16:07:05.000Z",
"value": "Disclosed"
}
],
"title": "LearnPress \u003c= 4.3.9.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Disclosure via \u0027userId\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11988",
"datePublished": "2026-07-01T04:32:27.231Z",
"dateReserved": "2026-06-11T14:28:25.105Z",
"dateUpdated": "2026-07-01T10:42:11.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11987 (GCVE-0-2026-11987)
Vulnerability from cvelistv5 – Published: 2026-06-27 06:50 – Updated: 2026-06-29 19:02- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| dokaninc | Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy |
Affected:
0 , ≤ 5.0.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11987",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T19:02:35.809645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:02:43.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2013 Build Your Own Amazon, eBay, Etsy",
"vendor": "dokaninc",
"versions": [
{
"lessThanOrEqual": "5.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0xHerc"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2013 Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the \u0027id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to read any other vendor\u0027s products \u2014 including unpublished draft and pending listings \u2014 exposing product names, prices, SKUs, and descriptions belonging to other vendors. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability (\u0027dokan_view_product_menu\u0027 / \u0027dokandar\u0027), which every vendor holds, rather than confirming the requested author ID or product ownership matches the authenticated user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T06:50:55.494Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1359945a-cf4e-4883-830b-53a3fcd40e56?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L299"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L159"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L473"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L495"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L299"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L159"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L473"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L495"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3578095%40dokan-lite\u0026new=3578095%40dokan-lite\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-11T14:40:23.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-26T17:54:35.000Z",
"value": "Disclosed"
}
],
"title": "Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u003c= 5.0.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Information Disclosure via \u0027id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11987",
"datePublished": "2026-06-27T06:50:55.494Z",
"dateReserved": "2026-06-11T14:24:55.603Z",
"dateUpdated": "2026-06-29T19:02:43.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11900 (GCVE-0-2026-11900)
Vulnerability from cvelistv5 – Published: 2026-07-03 07:53 – Updated: 2026-07-07 17:01- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| spacetime | Ad Inserter – Ad Manager & AdSense Ads |
Affected:
0 , ≤ 2.8.16
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11900",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T18:04:48.926021Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T17:01:17.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ad Inserter \u2013 Ad Manager \u0026 AdSense Ads",
"vendor": "spacetime",
"versions": [
{
"lessThanOrEqual": "2.8.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "nightward"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ad Inserter \u2013 Ad Manager \u0026 AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the \u0027data\u0027 attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field(\u0027post_content\u0027, N) without verifying the requesting user\u0027s capability with current_user_can(\u0027read_post\u0027), without restricting the post type to \u0027wp_block\u0027, and without checking the post status. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the full content of arbitrary posts including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T07:53:08.023Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/20f0e9ae-786b-4ba8-a6d5-92bf31ebc2c7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L13083"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L10569"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L10818"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L2101"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L13083"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L10569"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L10818"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L2101"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3591792%40ad-inserter\u0026new=3591792%40ad-inserter\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-10T15:58:36.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-02T19:01:12.000Z",
"value": "Disclosed"
}
],
"title": "Ad Inserter \u003c= 2.8.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Post Content Disclosure via \u0027data\u0027 Shortcode Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11900",
"datePublished": "2026-07-03T07:53:08.023Z",
"dateReserved": "2026-06-10T15:43:26.797Z",
"dateUpdated": "2026-07-07T17:01:17.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.