Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3239 vulnerabilities reference this CWE, most recent first.

CVE-2026-12433 (GCVE-0-2026-12433)

Vulnerability from cvelistv5 – Published: 2026-07-09 08:31 – Updated: 2026-07-09 14:37
VLAI
Title
Hydra Booking <= 1.2.1 - Authenticated (Custom+) Insecure Direct Object Reference to Sensitive Information Exposure via 'booking_id' Parameter
Summary
The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint. This is due to the getBookingDetails() callback only enforcing the tfhb_manage_options capability via tfhb_manage_options_permission(), without verifying that the requested booking belongs to the currently authenticated host (the lookup in getBookingDetailsData() filters solely on the booking id supplied in the URL). This makes it possible for authenticated attackers, with Hydra Host-level access and above (a role created by the plugin which grants tfhb_manage_options), to view sensitive booking records belonging to other hosts, including attendee names, emails, phone numbers, addresses, meeting details, payment method and status, transaction history, and internal notes by iterating booking IDs.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Quang
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12433",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T14:37:03.212048Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T14:37:17.193Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Hydra Booking \u2014 Appointment Scheduling \u0026 Booking Calendar",
          "vendor": "themefic",
          "versions": [
            {
              "lessThanOrEqual": "1.2.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Quang"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Hydra Booking \u2013 Appointment Scheduling \u0026 Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint. This is due to the getBookingDetails() callback only enforcing the tfhb_manage_options capability via tfhb_manage_options_permission(), without verifying that the requested booking belongs to the currently authenticated host (the lookup in getBookingDetailsData() filters solely on the booking id supplied in the URL). This makes it possible for authenticated attackers, with Hydra Host-level access and above (a role created by the plugin which grants tfhb_manage_options), to view sensitive booking records belonging to other hosts, including attendee names, emails, phone numbers, addresses, meeting details, payment method and status, transaction history, and internal notes by iterating booking IDs."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T08:31:35.571Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa00fe53-dc65-4200-80bb-9167b4230194?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/admin/Controller/BookingController.php#L1418"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/admin/Controller/BookingController.php#L100"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/admin/Controller/RouteController.php#L55"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.44/includes/hooks/ActivationHooks.php#L38"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/admin/Controller/BookingController.php#L1418"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/admin/Controller/BookingController.php#L100"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/admin/Controller/RouteController.php#L55"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/hydra-booking/tags/1.1.41/includes/hooks/ActivationHooks.php#L38"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3600170%40hydra-booking\u0026new=3600170%40hydra-booking"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-16T18:35:40.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-08T20:27:39.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Hydra Booking \u003c= 1.2.1 - Authenticated (Custom+) Insecure Direct Object Reference to Sensitive Information Exposure via \u0027booking_id\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12433",
    "datePublished": "2026-07-09T08:31:35.571Z",
    "dateReserved": "2026-06-16T18:20:28.369Z",
    "dateUpdated": "2026-07-09T14:37:17.193Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12418 (GCVE-0-2026-12418)

Vulnerability from cvelistv5 – Published: 2026-07-09 07:55 – Updated: 2026-07-09 14:39
VLAI
Title
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Modification via 'wpuf_files_data' Parameter
Summary
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.7 via the 'wpuf_files_data' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite the post_title, post_content, and post_excerpt of any arbitrary post on the site, including posts authored by administrators. Exploitation requires access to any WPUF post submission form; this is achievable by users with no WordPress role, as the wpuf_submit_post AJAX action is gated only by a nonce with no capability check for the downstream post-edit operation.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Credits
Kim ChanYeop
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12418",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T13:32:23.613537Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T14:39:37.233Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "User Frontend: AI Powered Frontend Posting, User Directory, Profile Builder, Membership \u0026 User Registration",
          "vendor": "wedevs",
          "versions": [
            {
              "lessThanOrEqual": "4.3.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kim ChanYeop"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \u0026 User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.7 via the \u0027wpuf_files_data\u0027 parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite the post_title, post_content, and post_excerpt of any arbitrary post on the site, including posts authored by administrators. Exploitation requires access to any WPUF post submission form; this is achievable by users with no WordPress role, as the wpuf_submit_post AJAX action is gated only by a nonce with no capability check for the downstream post-edit operation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T07:55:13.665Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f66e25f-b67e-4227-95fe-69b40551af61?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.6/includes/Traits/FieldableTrait.php#L478"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.6/includes/Ajax/Frontend_Form_Ajax.php#L35"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.6/includes/Traits/FieldableTrait.php#L468"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.1/includes/Traits/FieldableTrait.php#L478"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.1/includes/Ajax/Frontend_Form_Ajax.php#L35"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.3.1/includes/Traits/FieldableTrait.php#L468"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3578622%40wp-user-frontend\u0026new=3578622%40wp-user-frontend"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-16T16:18:58.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-08T19:37:25.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \u0026 User Registration \u003c= 4.3.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Modification via \u0027wpuf_files_data\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12418",
    "datePublished": "2026-07-09T07:55:13.665Z",
    "dateReserved": "2026-06-16T16:03:46.619Z",
    "dateUpdated": "2026-07-09T14:39:37.233Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12411 (GCVE-0-2026-12411)

Vulnerability from cvelistv5 – Published: 2026-06-26 15:27 – Updated: 2026-06-26 16:02
VLAI
Title
Broken Access Control in Canonical LXD DevLXD API
Summary
Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
  • CWE-862 - Missing Authorization
Assigner
References
Impacted products
Vendor Product Version
Canonical lxd Affected: 6.6 , < 6.9 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12411",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T16:02:35.514095Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T16:02:55.284Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/canonical",
          "defaultStatus": "unaffected",
          "packageName": "lxd",
          "platforms": [
            "Linux"
          ],
          "product": "lxd",
          "programFiles": [
            "permissions.go"
          ],
          "repo": "https://github.com/canonical/lxd",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "6.9",
              "status": "affected",
              "version": "6.6",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest\u0027s custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-77",
          "descriptions": [
            {
              "lang": "en",
              "value": "Manipulating User-Controlled Variables"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T15:27:55.111Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "name": "Cross-guest volume hijack via DevLXD device patch",
          "tags": [
            "vdb-entry",
            "vendor-advisory"
          ],
          "url": "https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp"
        },
        {
          "name": "Security fixes from the 6.9 release",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/canonical/lxd/pull/18585"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to LXD version 6.9 or later."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Broken Access Control in Canonical LXD DevLXD API"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2026-12411",
    "datePublished": "2026-06-26T15:27:55.111Z",
    "dateReserved": "2026-06-16T15:07:27.771Z",
    "dateUpdated": "2026-06-26T16:02:55.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12400 (GCVE-0-2026-12400)

Vulnerability from cvelistv5 – Published: 2026-07-10 07:48 – Updated: 2026-07-14 01:35
VLAI
Title
FlowForms <= 1.1.1 - Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary Form Modification via REST API '/flowforms/v1/forms/{id}' Endpoints
Summary
The FlowForms – Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the update_form due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to modify the content, design, and settings of, as well as publish or revert, any form on the site — including forms owned by administrators — by supplying an arbitrary form ID in the REST URL.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Aliyan Khan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12400",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-14T01:35:35.039908Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-14T01:35:43.795Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "FlowForms \u2013 Conversational Form Builder",
          "vendor": "priyanshuchaudhary",
          "versions": [
            {
              "lessThanOrEqual": "1.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Aliyan Khan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The FlowForms \u2013 Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the update_form due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to modify the content, design, and settings of, as well as publish or revert, any form on the site \u2014 including forms owned by administrators \u2014 by supplying an arbitrary form ID in the REST URL."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T07:48:43.100Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f4e6133-f833-4da2-af4a-e7e7fcedfe3c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L493"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L48"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L562"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L603"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L654"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L694"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3577870%40flowforms\u0026new=3577870%40flowforms"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-09T19:17:45.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "FlowForms \u003c= 1.1.1 - Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary Form Modification via REST API \u0027/flowforms/v1/forms/{id}\u0027 Endpoints"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12400",
    "datePublished": "2026-07-10T07:48:43.100Z",
    "dateReserved": "2026-06-16T13:34:11.451Z",
    "dateUpdated": "2026-07-14T01:35:43.795Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12204 (GCVE-0-2026-12204)

Vulnerability from cvelistv5 – Published: 2026-06-15 01:15 – Updated: 2026-06-15 14:58
VLAI
Title
ShopXO Scheduled Task Endpoint Crontab.php GoodsGiveIntegral authorization
Summary
A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/vuln/370847 vdb-entrytechnical-description
https://vuldb.com/vuln/370847/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-12204 third-party-advisory
https://vuldb.com/submit/830800 third-party-advisory
https://github.com/yunyan05/MYCVE/tree/main/ShopX… exploit
Impacted products
Vendor Product Version
n/a ShopXO Affected: 6.7.0
Affected: 6.7.1
    cpe:2.3:a:shopxo:shopxo:*:*:*:*:*:*:*:*
Credits
yunyan05 (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12204",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T14:58:13.523598Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T14:58:36.083Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:shopxo:shopxo:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Scheduled Task Endpoint"
          ],
          "product": "ShopXO",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "6.7.0"
            },
            {
              "status": "affected",
              "version": "6.7.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "yunyan05 (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T01:15:07.840Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-370847 | ShopXO Scheduled Task Endpoint Crontab.php GoodsGiveIntegral authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/370847"
        },
        {
          "name": "VDB-370847 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/370847/cti"
        },
        {
          "name": "CVE-2026-12204 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-12204"
        },
        {
          "name": "Submit #830800 | ShopXO 6.7.1 Authorization Bypass",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/830800"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/yunyan05/MYCVE/tree/main/ShopXO/V6.7.1-Unauthenticated-Crontab-Trigger"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-14T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-14T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-14T13:59:57.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "ShopXO Scheduled Task Endpoint Crontab.php GoodsGiveIntegral authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-12204",
    "datePublished": "2026-06-15T01:15:07.840Z",
    "dateReserved": "2026-06-14T11:54:42.627Z",
    "dateUpdated": "2026-06-15T14:58:36.083Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12102 (GCVE-0-2026-12102)

Vulnerability from cvelistv5 – Published: 2026-06-18 06:50 – Updated: 2026-06-18 13:53
VLAI
Title
UsersWP <= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via 'user_id' Parameter
Summary
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Credits
Pasindu Dilshan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12102",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T13:21:07.179981Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T13:53:27.642Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "UsersWP \u2013 Front-end login form, User Registration, User Profile \u0026 Members Directory plugin for WP",
          "vendor": "stiofansisland",
          "versions": [
            {
              "lessThanOrEqual": "1.2.63",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pasindu Dilshan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The UsersWP \u2013 Front-end login form, User Registration, User Profile \u0026 Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the \u0027user_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T06:50:05.344Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7115756e-69fa-42fe-bde3-a36e34d4bae3?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L371"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L389"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L89"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-userswp.php#L574"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-profile.php#L1739"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L371"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L389"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L89"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-userswp.php#L574"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-profile.php#L1739"
        },
        {
          "url": "https://github.com/AyeCode/userswp/commit/0e69f967578904cc26fadd0206270d50b7420298"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-12T14:42:39.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-17T18:09:44.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "UsersWP \u003c= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via \u0027user_id\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12102",
    "datePublished": "2026-06-18T06:50:05.344Z",
    "dateReserved": "2026-06-12T14:27:14.482Z",
    "dateUpdated": "2026-06-18T13:53:27.642Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12073 (GCVE-0-2026-12073)

Vulnerability from cvelistv5 – Published: 2026-06-30 05:34 – Updated: 2026-06-30 13:17
VLAI
Title
ProfileGrid - User Profiles, Groups and Communities <= 5.9.9.5 - Unauthenticated Privilege Escalation via Email Overwrite
Summary
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a `user_login` on registration forms that don't contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user's password and gain access to their account.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Ivan Kuzymchak
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12073",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-30T13:17:25.165561Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T13:17:33.379Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ProfileGrid \u2013 User Profiles, Groups and Communities",
          "vendor": "metagauss",
          "versions": [
            {
              "lessThanOrEqual": "5.9.9.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ivan Kuzymchak"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a `user_login` on registration forms that don\u0027t contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user\u0027s password and gain access to their account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T05:34:05.216Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d35279d-299e-4ca2-8f84-165284e058c8?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3578435/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-08T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2026-06-12T10:23:51.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-29T16:51:48.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "ProfileGrid - User Profiles, Groups and Communities \u003c= 5.9.9.5 - Unauthenticated Privilege Escalation via Email Overwrite"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12073",
    "datePublished": "2026-06-30T05:34:05.216Z",
    "dateReserved": "2026-06-12T10:09:47.120Z",
    "dateUpdated": "2026-06-30T13:17:33.379Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11988 (GCVE-0-2026-11988)

Vulnerability from cvelistv5 – Published: 2026-07-01 04:32 – Updated: 2026-07-01 10:42
VLAI
Title
LearnPress <= 4.3.9.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Disclosure via 'userId' Parameter
Summary
The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
javitoia
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11988",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T10:31:37.825648Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T10:42:11.133Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses",
          "vendor": "thimpress",
          "versions": [
            {
              "lessThanOrEqual": "4.3.9.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "javitoia"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the \u0027userId\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T04:32:27.231Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b5e8cfd-989e-4a64-abb0-9daa22df46a4?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L137"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L118"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/user/abstract-lp-user.php#L680"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L137"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L118"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/user/abstract-lp-user.php#L680"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Flearnpress/tags/4.3.9.1\u0026new_path=%2Flearnpress/tags/4.4.0"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-11T14:43:46.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-30T16:07:05.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "LearnPress \u003c= 4.3.9.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Disclosure via \u0027userId\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-11988",
    "datePublished": "2026-07-01T04:32:27.231Z",
    "dateReserved": "2026-06-11T14:28:25.105Z",
    "dateUpdated": "2026-07-01T10:42:11.133Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11987 (GCVE-0-2026-11987)

Vulnerability from cvelistv5 – Published: 2026-06-27 06:50 – Updated: 2026-06-29 19:02
VLAI
Title
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Information Disclosure via 'id' Parameter
Summary
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to read any other vendor's products — including unpublished draft and pending listings — exposing product names, prices, SKUs, and descriptions belonging to other vendors. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability ('dokan_view_product_menu' / 'dokandar'), which every vendor holds, rather than confirming the requested author ID or product ownership matches the authenticated user.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Credits
0xHerc
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11987",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T19:02:35.809645Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T19:02:43.047Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2013 Build Your Own Amazon, eBay, Etsy",
          "vendor": "dokaninc",
          "versions": [
            {
              "lessThanOrEqual": "5.0.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "0xHerc"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2013 Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the \u0027id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to read any other vendor\u0027s products \u2014 including unpublished draft and pending listings \u2014 exposing product names, prices, SKUs, and descriptions belonging to other vendors. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability (\u0027dokan_view_product_menu\u0027 / \u0027dokandar\u0027), which every vendor holds, rather than confirming the requested author ID or product ownership matches the authenticated user."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T06:50:55.494Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1359945a-cf4e-4883-830b-53a3fcd40e56?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L299"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L159"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L473"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L39"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L66"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L495"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L299"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L159"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L473"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L39"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L66"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L495"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3578095%40dokan-lite\u0026new=3578095%40dokan-lite\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-11T14:40:23.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-26T17:54:35.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u003c= 5.0.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Information Disclosure via \u0027id\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-11987",
    "datePublished": "2026-06-27T06:50:55.494Z",
    "dateReserved": "2026-06-11T14:24:55.603Z",
    "dateUpdated": "2026-06-29T19:02:43.047Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11900 (GCVE-0-2026-11900)

Vulnerability from cvelistv5 – Published: 2026-07-03 07:53 – Updated: 2026-07-07 17:01
VLAI
Title
Ad Inserter <= 2.8.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Post Content Disclosure via 'data' Shortcode Attribute
Summary
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying the requesting user's capability with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the full content of arbitrary posts including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
nightward
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11900",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-06T18:04:48.926021Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-07T17:01:17.535Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Ad Inserter \u2013 Ad Manager \u0026 AdSense Ads",
          "vendor": "spacetime",
          "versions": [
            {
              "lessThanOrEqual": "2.8.16",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "nightward"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Ad Inserter \u2013 Ad Manager \u0026 AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the \u0027data\u0027 attribute of the [adinserter] shortcode. This is due to the replace_ai_tags() function processing a {reusable-block-N} tag pattern that calls get_post_field(\u0027post_content\u0027, N) without verifying the requesting user\u0027s capability with current_user_can(\u0027read_post\u0027), without restricting the post type to \u0027wp_block\u0027, and without checking the post status. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the full content of arbitrary posts including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T07:53:08.023Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/20f0e9ae-786b-4ba8-a6d5-92bf31ebc2c7?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L13083"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L10569"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L10818"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.16/ad-inserter.php#L2101"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L13083"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L10569"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L10818"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.13/ad-inserter.php#L2101"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3591792%40ad-inserter\u0026new=3591792%40ad-inserter\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-10T15:58:36.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-02T19:01:12.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Ad Inserter \u003c= 2.8.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Post Content Disclosure via \u0027data\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-11900",
    "datePublished": "2026-07-03T07:53:08.023Z",
    "dateReserved": "2026-06-10T15:43:26.797Z",
    "dateUpdated": "2026-07-07T17:01:17.535Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.