
CWE-639 (Authorization Bypass Through User-Controlled Key) — Vulnerability Class 1040

1040 vulnerabilities are classified as CWE-639 (Authorization Bypass Through User-Controlled Key). An AI-generated analysis in Chinese is included for each entry; the listing below shows the most recently published ones.

CVE ID | Title | Product | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2025-13110 | HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr' | HUSKY – Products Filter Professional for WooCommerce | 4.3 | Medium | 2025-12-18
CVE-2025-10910 | Gaining remote control over Govee devices | H6056 | 9.8 (AI) | Critical (AI) | 2025-12-18
CVE-2025-10019 | WordPress Contact Form Email plugin <= 1.3.60 - Insecure Direct Object References (IDOR) vulnerability | Contact Form Email | 6.5 | Medium | 2025-12-18
CVE-2023-53930 | ProjectSend r1605 Insecure Direct Object Reference File Download Vulnerability | projectSend | 7.5 | High | 2025-12-17
CVE-2023-53914 | UliCMS 2023.1 Authentication Bypass via Mass Assignment Vulnerability | Ulicms | 9.8 | Critical | 2025-12-17
CVE-2025-34438 | AVideo < 20.1 IDOR Arbitrary Video Rotation | AVideo | 4.3 (AI) | Medium (AI) | 2025-12-17
CVE-2025-34437 | AVideo < 20.1 IDOR Arbitrary Comment Image Upload | AVideo | 4.3 (AI) | Medium (AI) | 2025-12-17
CVE-2025-34435 | AVideo < 20.1 IDOR Arbitrary File Deletion | AVideo | 6.5 (AI) | Medium (AI) | 2025-12-17
CVE-2025-34436 | AVideo < 20.1 IDOR Arbitrary File Upload | AVideo | 6.5 (AI) | Medium (AI) | 2025-12-17
CVE-2025-14101 | IDOR in GG Soft's PaperWork | PaperWork | 7.1 | High | 2025-12-17
CVE-2025-11924 | Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token | Ninja Forms – The Contact Form Builder That Grows With You | 7.5 | High | 2025-12-17
CVE-2025-13474 | IDOR in Menulux Software's Mobile App | Mobile App | 7.5 | High | 2025-12-16
CVE-2025-68071 | WordPress Essential Real Estate plugin <= 5.3.2 - Insecure Direct Object References (IDOR) vulnerability | Essential Real Estate | 6.5 | Medium | 2025-12-16
CVE-2025-67985 | WordPress Document Library Lite plugin <= 1.1.7 - Insecure Direct Object References (IDOR) vulnerability | Document Library Lite | 5.3 | Medium | 2025-12-16
CVE-2025-66132 | WordPress FAPI Member plugin <= 2.2.30 - Insecure Direct Object References (IDOR) vulnerability | FAPI Member | 5.3 | Medium | 2025-12-16
CVE-2025-58137 | Apache Fineract: IDOR via self-service API | Apache Fineract | 7.5 (AI) | High (AI) | 2025-12-12
CVE-2025-14356 | Ultra Addons for Contact Form 7 <= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF | Ultra Addons for Contact Form 7 | 4.3 | Medium | 2025-12-12
CVE-2025-61950 | Security vulnerability in multiple Japan Total System products | GroupSession Free edition | 4.3 (AI) | Medium (AI) | 2025-12-12
CVE-2025-12883 | Campay Woocommerce Payment Gateway <= 1.2.2 - Unauthenticated Payment Bypass | Campay Woocommerce Payment Gateway | 5.3 | Medium | 2025-12-12
CVE-2025-13124 | IDOR in Netiket's ApplyLogic | ApplyLogic | 7.6 | High | 2025-12-11
CVE-2025-13003 | IDOR in Aksis Computer's AxOnboard | AxOnboard | 7.6 | High | 2025-12-11
CVE-2025-11247 | Authorization Bypass Through User-Controlled Key in GitLab | GitLab | 4.3 | Medium | 2025-12-11
CVE-2020-36895 | EIBIZ i-Media Server Digital Signage 3.8.0 Unauthenticated Configuration Disclosure | i-Media Server Digital Signage | 9.8 (AI) | Critical (AI) | 2025-12-10
CVE-2025-13125 | IDOR in Im Park's DijiDemi | DijiDemi | 4.3 | Medium | 2025-12-10
CVE-2025-41358 | Insecure direct object reference (IDOR) in CronosWeb from CronosWeb i2A | CronosWeb | 6.5 (AI) | Medium (AI) | 2025-12-10
CVE-2025-63065 | WordPress Media Library Assistant plugin <= 3.29 - Broken Access Control vulnerability | Media Library Assistant | 5.3 | Medium | 2025-12-09
CVE-2025-67594 | WordPress Thim Elementor Kit plugin <= 1.3.3 - Insecure Direct Object References (IDOR) vulnerability | Thim Elementor Kit | 4.3 | Medium | 2025-12-09
CVE-2025-64497 | Tuleap exposes releases for all projects to File Release System project administrators | tuleap | 6.5 | Medium | 2025-12-08
CVE-2025-13748 | Fluent Forms <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | 5.3 | Medium | 2025-12-06
CVE-2025-66558 | Nextcloud Twofactor WebAuthn app was updated based on public key | security-advisories | 3.1 | Low | 2025-12-05

A CVSS score or severity marked (AI) carries the listing's AI flag: it is an AI-estimated value, not one taken from the CVE record.

The 1040 CVEs in this class share one defect: the application looks up a record by a key taken from the request (a numeric id, a filename, a submission_id, a bearer token) and acts on it without verifying that the requesting principal is authorized for that particular object. Being logged in is not the same as being allowed to touch row 101, and several entries above need no login at all. The titles use the common names interchangeably; "Insecure Direct Object Reference (IDOR)", "Broken Access Control" and "Missing Authorization" entries all appear under this class on this page. The CWE entry describes the weakness in general; consult each CVE for the concrete endpoint, the privilege required (unauthenticated versus Subscriber+) and the product-specific impact.
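The following is an added example, written for this page and not taken from any of the products listed above. It shows the CWE-639 pattern in its simplest form (a lookup keyed only by a request-supplied id, guarded only by "is someone logged in") next to two fixes: binding ownership into the lookup itself, and replacing the raw key with an indirect reference, either a per-user handle kept server-side or a stateless handle bound to the user with an HMAC. The users, documents, `DOCS` store, function names and the `_HMAC_KEY` placeholder are all constructed for the example.

```python
"""Added example, not code from any project in the listing above.
CWE-639 / IDOR: a record fetched by a request-supplied key with no
per-object authorization, beside two fixes. All data is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample store: two users, one private record each.
DOCS = {
    101: Document(101, "alice", "alice's tax return"),
    102: Document(102, "bob", "bob's medical record"),
}


class NotFound(Exception):
    """Raised for missing *and* for not-owned records, so a probe cannot
    tell 'does not exist' from 'exists but belongs to someone else'."""


def fetch_vulnerable(current_user: str, doc_id: int) -> str:
    """CWE-639: the only check is 'is someone logged in'. The key comes
    straight from the request, so any authenticated user can iterate
    doc_id and read every row in the table."""
    if not current_user:
        raise PermissionError("login required")
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.body


def fetch_secure(current_user: str, doc_id: int) -> str:
    """Fix 1: ownership is part of the lookup itself (in SQL this is the
    'AND owner_id = :current_user' predicate, not a separate check the
    caller can forget). Unauthorized and missing collapse into one answer."""
    if not current_user:
        raise PermissionError("login required")
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != current_user:
        raise NotFound(doc_id)
    return doc.body


class ReferenceMap:
    """Fix 2: indirect references. The client only ever sees an opaque
    per-user handle; the real key stays server-side, so there is nothing
    to enumerate, and a handle issued to alice does not resolve for bob."""

    def __init__(self) -> None:
        self._handles: dict[tuple[str, str], int] = {}

    def issue(self, user: str, doc_id: int) -> str:
        doc = DOCS.get(doc_id)
        if doc is None or doc.owner != user:
            raise NotFound(doc_id)
        handle = secrets.token_urlsafe(16)
        self._handles[(user, handle)] = doc_id
        return handle

    def resolve(self, user: str, handle: str) -> str:
        doc_id = self._handles.get((user, handle))
        if doc_id is None:
            raise NotFound(handle)
        return fetch_secure(user, doc_id)  # re-check anyway: defence in depth


# Fix 2, stateless variant: the handle is the key plus an HMAC over
# (user, key). A bearer token that is *not* bound to the user or the
# object is the 'unscoped token' failure mode. _HMAC_KEY is a constructed
# placeholder; load a real secret from configuration or a KMS in practice.
_HMAC_KEY = b"constructed-placeholder-replace-from-secret-store"


def scoped_token(user: str, doc_id: int) -> str:
    mac = hmac.new(_HMAC_KEY, f"{user}:{doc_id}".encode(), hashlib.sha256)
    return f"{doc_id}.{mac.hexdigest()}"


def fetch_with_token(user: str, token: str) -> str:
    doc_id_str, _, mac = token.partition(".")
    if not doc_id_str.isdigit():
        raise NotFound(token)
    expected = scoped_token(user, int(doc_id_str)).partition(".")[2]
    # constant-time comparison; a mismatch is reported like a missing record
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        raise NotFound(token)
    return fetch_secure(user, int(doc_id_str))


if __name__ == "__main__":
    print("vulnerable:", fetch_vulnerable("bob", 101))  # bob reads alice's row
    print("secure:", fetch_secure("alice", 101))
    rm = ReferenceMap()
    print("handle for alice:", rm.issue("alice", 101))
    print("token for alice:", scoped_token("alice", 101))
```

The important design point is the single `NotFound` answer: returning 403 for "exists but not yours" and 404 for "does not exist" turns the endpoint into an oracle that confirms which ids are live, which is exactly what an attacker enumerating `doc_id` or `submission_id` wants to know.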