CWE-639 (Authorization Bypass Through User-Controlled Key): Vulnerability Class, 1040 CVEs

1040 vulnerabilities are classified as CWE-639 (Authorization Bypass Through User-Controlled Key). AI-generated Chinese analysis is included.

Entries shown on this page (30 of 1040, newest first):

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-67919 | WordPress Woffice Core plugin <= 5.4.30 - Insecure Direct Object References (IDOR) vulnerability | Woffice Core | 6.5 | Medium | 2026-01-08 |
| CVE-2025-15018 | Optional Email <= 1.3.11 - Unauthenticated Privilege Escalation to Account Takeover | Optional Email | 9.8 | Critical | 2026-01-07 |
| CVE-2025-12030 | ACF to REST API <= 3.3.4 - Insecure Direct Object Reference to Authenticated (Contributor+) ACF Field/Option Modification | ACF to REST API | 4.3 | Medium | 2026-01-07 |
| CVE-2025-14802 | LearnPress – WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | 5.4 | Medium | 2026-01-07 |
| CVE-2020-36923 | Sony BRAVIA Digital Signage 1.7.8 Client-Side Protection Bypass via IDOR | Sony BRAVIA Digital Signage | 9.8 | Critical | 2026-01-06 |
| CVE-2025-14996 | AS Password Field In Default Registration Form <= 2.0.0 - Unauthenticated Privilege Escalation via Account Takeover | AS Password Field In Default Registration Form | 9.8 | Critical | 2026-01-06 |
| CVE-2025-15001 | FS Registration Password <= 1.0.1 - Unauthenticated Privilege Escalation via Account Takeover | FS Registration Password | 9.8 | Critical | 2026-01-06 |
| CVE-2025-68044 | WordPress Five Star Restaurant Reservations plugin <= 2.7.4 - Insecure Direct Object References (IDOR) vulnerability | Five Star Restaurant Reservations | 8.6 | High | 2026-01-05 |
| CVE-2025-14998 | Branda – White Label & Branding, Free Login Page Customizer <= 3.4.24 - Unauthenticated Privilege Escalation via Account Takeover | Branda – White Label & Branding, Free Login Page Customizer | 9.8 | Critical | 2026-01-02 |
| CVE-2025-49352 | WordPress Order Cancellation & Returns for WooCommerce plugin <= 1.1.10 - Insecure Direct Object References (IDOR) vulnerability | Order Cancellation & Returns for WooCommerce | 4.3 | Medium | 2025-12-31 |
| CVE-2025-49334 | WordPress MyD Delivery plugin <= 1.7.1 - Insecure Direct Object References (IDOR) vulnerability | MyD Delivery | 5.3 | Medium | 2025-12-31 |
| CVE-2025-63053 | WordPress Master Addons for Elementor plugin <= 2.0.9.9.4 - Insecure Direct Object References (IDOR) vulnerability | Master Addons for Elementor | 5.3 | Medium | 2025-12-31 |
| CVE-2025-69030 | WordPress Backpack Traveler theme <= 2.10.3 - Insecure Direct Object References (IDOR) vulnerability | Backpack Traveler | 5.4 | Medium | 2025-12-30 |
| CVE-2025-69032 | WordPress FiveStar theme <= 1.7 - Insecure Direct Object References (IDOR) vulnerability | FiveStar | 5.4 | Medium | 2025-12-30 |
| CVE-2025-69029 | WordPress Struktur theme <= 2.5.1 - Insecure Direct Object References (IDOR) vulnerability | Struktur | 5.4 | Medium | 2025-12-30 |
| CVE-2025-68997 | WordPress wpDiscuz plugin <= 7.6.43 - Insecure Direct Object References (IDOR) vulnerability | wpDiscuz | 5.3 | Medium | 2025-12-30 |
| CVE-2025-68979 | WordPress Google Calendar Events plugin <= 3.5.9 - Insecure Direct Object References (IDOR) vulnerability | Google Calendar Events | 5.3 | Medium | 2025-12-30 |
| CVE-2025-68975 | WordPress Eagle Booking plugin <= 1.3.4.3 - Insecure Direct Object References (IDOR) vulnerability | Eagle Booking | 4.3 | Medium | 2025-12-30 |
| CVE-2025-68502 | WordPress JetPopup plugin <= 2.0.20.1 - Insecure Direct Object References (IDOR) vulnerability | JetPopup | 4.3 | Medium | 2025-12-29 |
| CVE-2019-25235 | Smartwares HOME easy 1.0.9 Client-Side Authentication Bypass via Web Pages | Smartwares HOME easy | 9.8 | Critical | 2025-12-24 |
| CVE-2018-25129 | SOCA Access Control System 180612 Information Disclosure via Multiple Endpoints | SOCA Access Control System | 7.5 | High | 2025-12-24 |
| CVE-2025-67909 | WordPress Membership For WooCommerce plugin <= 3.0.3 - Insecure Direct Object References (IDOR) vulnerability | Membership For WooCommerce | 7.5 | High | 2025-12-24 |
| CVE-2021-47721 | Orangescrum 1.8.0 Authenticated Privilege Escalation via User Session Manipulation | orangescrum | 8.8 | High | 2025-12-23 |
| CVE-2023-53955 | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Authorization Bypass via Insecure Object References | Impact/Pulse/First | 9.8 | Critical | 2025-12-22 |
| CVE-2025-7733 | WP JobHunt <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference | WP JobHunt | 4.3 | Medium | 2025-12-20 |
| CVE-2025-14881 | Insecure direct object reference | pretix | 7.5 (AI) | High (AI) | 2025-12-19 |
| CVE-2025-14882 | Insecure direct object reference | pretix-offlinesales | 7.5 (AI) | High (AI) | 2025-12-19 |
| CVE-2025-63043 | WordPress Post Grid and Gutenberg Blocks plugin <= 2.3.23 - Insecure Direct Object References (IDOR) vulnerability | Post Grid and Gutenberg Blocks | 5.3 | Medium | 2025-12-18 |
| CVE-2025-64282 | WordPress Radius Blocks plugin <= 2.2.1 - Insecure Direct Object References (IDOR) vulnerability | Radius Blocks | 4.3 | Medium | 2025-12-18 |
| CVE-2025-1031 | IDOR in Utarit Informatics' SoliClub | SoliClub | 7.5 | High | 2025-12-18 |

(AI) reproduces the site's AI badge on that CVSS score or severity value.

Vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key) total 1040 CVEs. The weakness is that an application takes a key supplied by the user (a record ID, username, token or similar value in the request) and uses it to read or modify an object without verifying that the requesting principal is authorized for that particular object; that is why the entries above are dominated by IDOR and account-takeover titles. The CWE taxonomy describes only the weakness; review each CVE for product-specific impact.
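The pattern behind the entries above, as an added example that is not code from this page or from any of the listed projects. It is written in Python rather than the PHP most of the WordPress entries use, because the weakness is language-independent: a handler takes an `order_id` from the request and looks it up without tying it to the session user, next to a hardened handler that scopes every read and write to the caller. The order store, user IDs and handler names are constructed for the example and hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


class NotFound(Exception):
    """Raised for any object the caller may not see, whether absent or foreign."""


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int
    cancelled: bool = False


# Constructed sample data (hypothetical): customer 7 owns two orders, customer 9 owns one.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, owner_id=7, total_cents=4999),
    1002: Order(1002, owner_id=7, total_cents=1500),
    1003: Order(1003, owner_id=9, total_cents=99900),
}


def get_order_vulnerable(session_user_id: int, order_id: int) -> Order:
    """CWE-639: the lookup key comes straight from the request (?order_id=...) and is
    never tied to the authenticated user, so any logged-in user can read any order."""
    del session_user_id  # authentication happened; authorization never did
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id) from None


def get_order_hardened(session_user_id: int, order_id: int) -> Order:
    """Scope the lookup to the caller. A foreign order and a missing order raise the
    same error, so the endpoint cannot be used as an oracle for which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        raise NotFound(order_id)
    return order


def cancel_order_hardened(session_user_id: int, order_id: int) -> Order:
    """Write path: reuse the ownership-scoped read so the check cannot be forgotten."""
    order = get_order_hardened(session_user_id, order_id)
    updated = Order(order.order_id, order.owner_id, order.total_cents, cancelled=True)
    ORDERS[order_id] = updated
    return updated


def enumerate_readable(handler: Callable[[int, int], Order],
                       session_user_id: int,
                       candidate_ids: Iterable[int]) -> List[int]:
    """What an attacker does with an IDOR: walk a range of sequential IDs as one
    user and record which ones the handler hands back."""
    readable: List[int] = []
    for oid in candidate_ids:
        try:
            handler(session_user_id, oid)
            readable.append(oid)
        except NotFound:
            continue
    return readable


if __name__ == "__main__":
    # Customer 9 probing IDs 1000..1009 against each handler.
    print("vulnerable:", enumerate_readable(get_order_vulnerable, 9, range(1000, 1010)))
    print("hardened:  ", enumerate_readable(get_order_hardened, 9, range(1000, 1010)))
```

Run as a script: customer 9 reads all three orders through the vulnerable handler and only order 1003 through the hardened one. Two design points matter in practice. The fix is the ownership check in the query, not a less guessable key; a random ID only raises the cost of enumeration and still fails the moment an ID leaks through a log, a referrer or a shared link. And the write path calls the same scoped read as the read path, so a later developer adding a "delete" or "update" endpoint inherits the check instead of re-implementing it, which is the mistake the "Teacher Material Deletion" and "Option Modification" entries above describe.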