Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3256 vulnerabilities reference this CWE, most recent first.

GHSA-V345-W9F2-MPM5

Vulnerability from github – Published: 2024-09-17 17:55 – Updated: 2024-10-25 16:48
VLAI
Summary
Sentry improperly authorizes muting of alert rules
Details

Impact

An authenticated user can mute alert rules from arbitrary organizations and projects given a known given rule ID. The user does not need to be a member of the organization or have permissions on the project.

In our review, we have identified no instances where alerts have been muted by unauthorized parties.

Patches

A patch was issued to ensure authorization checks are properly scoped on requests to mute alert rules. Authenticated users who do not have the necessary permissions are no longer able to mute alerts.

Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher.

Affected Versions

The rule mute feature was generally available as of 23.6.0 but users with early access may have had the feature as of 23.4.0.

Update

As of 2024-10-25 and after additional we've updated the Severity scoring to reduce Privileged Required from Low to None and Integrity from High to Low. Thanks again to @emanuelbeni for the correction on Privileges Required.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sentry"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.4.0"
            },
            {
              "fixed": "24.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-17T17:55:38Z",
    "nvd_published_at": "2024-09-17T20:15:05Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAn authenticated user can mute alert rules from arbitrary organizations and projects given a known given rule ID. The user does not need to be a member of the organization or have permissions on the project. \n\nIn our review, we have identified no instances where alerts have been muted by unauthorized parties. \n\n### Patches\nA patch was issued to ensure authorization checks are properly scoped on requests to mute alert rules. Authenticated users who do not have the necessary permissions are no longer able to mute alerts. \n\nSentry SaaS users do not need to take any action. [Self-Hosted Sentry](https://github.com/getsentry/self-hosted) users should upgrade to version **24.9.0** or higher.\n\n### Affected Versions\nThe rule mute feature was generally available as of 23.6.0 but users with early access may have had the feature as of 23.4.0. \n\n### Update\nAs of 2024-10-25 and after additional we\u0027ve updated the Severity scoring to reduce Privileged Required from Low to None and Integrity from High to Low. Thanks again to @emanuelbeni for the correction on Privileges Required. \n\n### References\n- [Prevent muting alerts](https://github.com/getsentry/sentry/pull/77016)\n",
  "id": "GHSA-v345-w9f2-mpm5",
  "modified": "2024-10-25T16:48:04Z",
  "published": "2024-09-17T17:55:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/security/advisories/GHSA-v345-w9f2-mpm5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45606"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/pull/77016"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/commit/e8e71708758e1f9f56ce815ace73fe60d9e608dc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/self-hosted"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getsentry/sentry"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Sentry improperly authorizes muting of alert rules"
}

GHSA-V348-VR4Q-FV9P

Vulnerability from github – Published: 2026-05-19 12:31 – Updated: 2026-06-29 22:58
VLAI
Summary
TYPO3 sf_register extension allows unauthorized assignment of frontend user groups
Details

The create and edit flows in the TYPO3 extension sf_register do not restrict which user properties may be submitted, and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "evoweb/sf-register"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "evoweb/sf-register"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-29T22:58:05Z",
    "nvd_published_at": "2026-05-19T10:16:24Z",
    "severity": "MODERATE"
  },
  "details": "The `create` and `edit` flows in the TYPO3 extension sf_register do not restrict which user properties may be submitted, and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.",
  "id": "GHSA-v348-vr4q-fv9p",
  "modified": "2026-06-29T22:58:05Z",
  "published": "2026-05-19T12:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46721"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/evoweb/sf-register/CVE-2026-46721.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/evoWeb/sf_register"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TYPO3 sf_register extension allows unauthorized assignment of frontend user groups"
}

GHSA-V3GV-GJ4M-F92W

Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2022-03-17 00:03
VLAI
Details

An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25471"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-03T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register.",
  "id": "GHSA-v3gv-gj4m-f92w",
  "modified": "2022-03-17T00:03:53Z",
  "published": "2022-03-04T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25471"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openemr/openemr"
    },
    {
      "type": "WEB",
      "url": "https://securityforeveryone.com/blog/inactive-post-test/openemr-0-day-idor-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.open-emr.org"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3MV-8XGW-9PRF

Vulnerability from github – Published: 2023-05-16 09:30 – Updated: 2024-04-04 04:11
VLAI
Details

The RegistrationMagic plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 5.2.0.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers, with administrator-level permissions and above, to change user passwords and potentially take over super-administrator accounts in multisite setup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2548"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-16T09:15:09Z",
    "severity": "HIGH"
  },
  "details": "The RegistrationMagic plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 5.2.0.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers, with administrator-level permissions and above, to change user passwords and potentially take over super-administrator accounts in multisite setup.",
  "id": "GHSA-v3mv-8xgw-9prf",
  "modified": "2024-04-04T04:11:56Z",
  "published": "2023-05-16T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2548"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/5.2.0.5/includes/class_rm_utilities.php#L3044"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bfbc406b-49af-419e-adeb-0510794b7e3f?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3V2-W9V8-Q7H6

Vulnerability from github – Published: 2026-04-08 09:31 – Updated: 2026-04-08 09:31
VLAI
Details

The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5167"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T07:16:22Z",
    "severity": "MODERATE"
  },
  "details": "The Masteriyo LMS \u2013 Online Course Builder for eLearning, LMS \u0026 Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content.",
  "id": "GHSA-v3v2-w9v8-q7h6",
  "modified": "2026-04-08T09:31:30Z",
  "published": "2026-04-08T09:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5167"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L563-639"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L649-704"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L563-639"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L649-704"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3499458/learning-management-system/trunk/addons/stripe/StripeAddon.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6d51dc3-b695-4e9d-b25a-d1b302be1fec?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3WG-JG3P-QCMH

Vulnerability from github – Published: 2025-02-05 15:32 – Updated: 2026-04-08 18:33
VLAI
Details

The UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.8 via the show_template due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to expose the contents of draft, private, and pending posts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-21T11:15:21Z",
    "severity": "MODERATE"
  },
  "details": "The UltraAddons \u2013 Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.8 via the show_template due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to expose the contents of draft, private, and pending posts.",
  "id": "GHSA-v3wg-jg3p-qcmh",
  "modified": "2026-04-08T18:33:40Z",
  "published": "2025-02-05T15:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10696"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ultraaddons-elementor-lite/trunk/inc/wp/shortcode.php#L16"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3221044"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/719de6e5-29c5-4303-981d-81840939a0b1?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V43W-M78J-VR5M

Vulnerability from github – Published: 2024-04-29 06:30 – Updated: 2025-02-06 06:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Fabio Rinaldi Crelly Slider.This issue affects Crelly Slider: from n/a through 1.4.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-29T06:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Fabio Rinaldi Crelly Slider.This issue affects Crelly Slider: from n/a through 1.4.5.",
  "id": "GHSA-v43w-m78j-vr5m",
  "modified": "2025-02-06T06:31:25Z",
  "published": "2024-04-29T06:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33542"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/crelly-slider/wordpress-crelly-slider-plugin-1-4-5-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V487-79CJ-W3X8

Vulnerability from github – Published: 2023-07-05 03:30 – Updated: 2024-04-04 05:23
VLAI
Details

Insecure Direct Object Reference vulnerability in WHMCS module SolusVM 1 4.1.2 allows an attacker to change the password and hostname of other customer servers without authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-05T03:15:09Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object Reference vulnerability in WHMCS module SolusVM 1 4.1.2 allows an attacker to change the password and hostname of other customer servers without authorization.",
  "id": "GHSA-v487-79cj-w3x8",
  "modified": "2024-04-04T05:23:12Z",
  "published": "2023-07-05T03:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42175"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mr404ntf/9c8728ee8f35d9744feec3828df1085d"
    },
    {
      "type": "WEB",
      "url": "http://soluslabs.com"
    },
    {
      "type": "WEB",
      "url": "http://solusvm.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V492-6XX2-P57G

Vulnerability from github – Published: 2026-01-14 09:31 – Updated: 2026-01-14 21:16
VLAI
Summary
Chainlit contains an authorization bypass vulnerability
Details

Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "chainlit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-14T21:16:04Z",
    "nvd_published_at": "2026-01-14T07:16:14Z",
    "severity": "LOW"
  },
  "details": "Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product.",
  "id": "GHSA-v492-6xx2-p57g",
  "modified": "2026-01-14T21:16:04Z",
  "published": "2026-01-14T09:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chainlit/chainlit/pull/2637"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chainlit/chainlit/commit/8f1153db439eca58ae5c50c8276ba6fdd311448e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Chainlit/chainlit"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chainlit/chainlit/releases"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chainlit/chainlit/releases/tag/2.8.5"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN34964581"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Chainlit contains an authorization bypass vulnerability"
}

GHSA-V492-QVFP-R274

Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00
VLAI
Details

The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2535"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-15T11:21:00Z",
    "severity": "MODERATE"
  },
  "details": "The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink",
  "id": "GHSA-v492-qvfp-r274",
  "modified": "2022-08-17T00:00:23Z",
  "published": "2022-08-16T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2535"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/0e13c375-044c-4c2e-ab8e-48cb89d90d02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.