
CWE-639 (Authorization Bypass Through User-Controlled Key) — Vulnerability Class (1033 CVEs)

1033 vulnerabilities are classified as CWE-639 (Authorization Bypass Through User-Controlled Key). AI-generated Chinese analysis is included for each entry.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-13109 | HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query' | HUSKY – Products Filter Professional for WooCommerce | 4.3 | Medium | 2025-12-03 |
| CVE-2025-41086 | Authorization bypass in GAMS from GAMS Development Corp. | GAMS | 8.1 (AI) | High (AI) | 2025-12-02 |
| CVE-2025-66306 | Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel | grav | 4.3 | Medium | 2025-12-01 |
| CVE-2025-13615 | StreamTube Core <= 4.78 - Unauthenticated Arbitrary User Password Change | StreamTube Core | 9.8 | Critical | 2025-11-30 |
| CVE-2025-13768 | Uniong\|WebITR - Authorization Bypass | WebITR | 7.5 | High | 2025-11-28 |
| CVE-2025-13157 | QODE Wishlist for WooCommerce <= 1.2.7 - Unauthenticated Insecure Direct Object Reference to Wishlist Update | QODE Wishlist for WooCommerce | 5.3 | Medium | 2025-11-27 |
| CVE-2025-13382 | Frontend File Manager Plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming | Frontend File Manager Plugin | 4.3 | Medium | 2025-11-25 |
| CVE-2025-13389 | Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated Information Disclosure | Admin and Customer Messages After Order for WooCommerce: OrderConvo | 5.3 | Medium | 2025-11-25 |
| CVE-2025-12040 | Wishlist for WooCommerce <= 1.1.3 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation | Wishlist for WooCommerce | 6.5 | Medium | 2025-11-25 |
| CVE-2025-13452 | Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages | Admin and Customer Messages After Order for WooCommerce: OrderConvo | 4.3 | Medium | 2025-11-25 |
| CVE-2025-10039 | ELEX WordPress HelpDesk & Customer Ticketing System <= 3.2.9 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'eh_crm_ticket_single_view_client' | ELEX WordPress HelpDesk & Customer Ticketing System | 4.3 | Medium | 2025-11-21 |
| CVE-2025-12881 | Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read | Return Refund and Exchange For WooCommerce | 5.4 | Medium | 2025-11-21 |
| CVE-2025-12086 | Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Refund Request Cancellation | Return Refund and Exchange For WooCommerce | 4.3 | Medium | 2025-11-21 |
| CVE-2025-65034 | Rallly Improper Authorization Allows Reopening of Any Finalized Poll via Public pollId | rallly | 8.1 | High | 2025-11-19 |
| CVE-2025-65032 | Rallly Has an IDOR Vulnerability in Participant Rename Function Allows Unauthorized Modification of Other Users’ Names | rallly | 6.5 | Medium | 2025-11-19 |
| CVE-2025-12766 | Insecure Direct Object Reference (IDOR) vulnerability in the Management Console of affected versions of BlackBerry AtHoc. | BlackBerry® AtHoc® (OnPrem) | 5.0 | Medium | 2025-11-19 |
| CVE-2025-12427 | YITH WooCommerce Wishlist <= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename | YITH WooCommerce Wishlist | 5.3 | Medium | 2025-11-19 |
| CVE-2025-12524 | Post Type Switcher <= 4.0.0 - Insecure Direct Object Reference to Authenticated (Author+) Post Type Change | Post Type Switcher | 5.4 | Medium | 2025-11-18 |
| CVE-2025-8855 | 2FA Expiry Bypass in Optimus Software's Brokerage Automation | Brokerage Automation | 8.1 | High | 2025-11-14 |
| CVE-2025-64706 | Typebot IDOR Vulnerability: Unauthorized API Token Deletion and Exposure | typebot.io | 5.0 | Medium | 2025-11-13 |
| CVE-2025-41069 | Insecure Direct Object References (IDOR) in DeporSite of T-Innova DeporSite | DSuite 2025 | 8.1 | - | 2025-11-13 |
| CVE-2025-12366 | Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference | Page Builder: Pagelayer – Drag and Drop website builder | 4.3 | Medium | 2025-11-13 |
| CVE-2025-12903 | Payment Plugins Braintree For WooCommerce <= 3.2.78 - Missing Authorization to Payment Token Exposure and Transaction Fraud | Payment Plugins Braintree For WooCommerce | 7.5 | High | 2025-11-12 |
| CVE-2025-12833 | GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.139 - Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment | GeoDirectory – WP Business Directory Plugin and Classified Listings Directory | 4.3 | Medium | 2025-11-12 |
| CVE-2025-12087 | Wishlist and Save for later for Woocommerce <= 1.1.22 - Insecure Direct Object Reference to Authenticated (Subscriber+) Wishlist Item Deletion | Wishlist and Save for later for Woocommerce | 4.3 | Medium | 2025-11-12 |
| CVE-2025-12126 | The Total Book Project <= 1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Book Manipulation | The Total Book Project | 5.4 | Medium | 2025-11-11 |
| CVE-2025-11532 | Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation | Wisly | 5.3 | Medium | 2025-11-11 |
| CVE-2025-11748 | Groups <= 3.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join | Groups | 4.3 | Medium | 2025-11-08 |
| CVE-2025-12353 | WPFunnels <= 3.6.2 - Unauthorized User Registration | WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell | 5.3 | Medium | 2025-11-08 |
| CVE-2025-64431 | IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering | zitadel | 6.5 | - | 2025-11-07 |

CVSS scores and severities marked "(AI)" are AI-estimated rather than vendor- or NVD-assigned; a "-" in the Severity column means no severity rating was listed for that entry.

Vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key) account for 1033 CVEs. The CWE taxonomy describes the weakness class only; review the individual CVEs for product-specific impact.