
CWE-639 (Authorization Bypass Through User-Controlled Key) — Vulnerability Class 1038

1038 vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key). AI-generated Chinese analysis included.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-12126 | The Total Book Project <= 1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Book Manipulation | The Total Book Project | 5.4 | Medium | 2025-11-11 |
| CVE-2025-11532 | Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation | Wisly | 5.3 | Medium | 2025-11-11 |
| CVE-2025-11748 | Groups <= 3.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join | Groups | 4.3 | Medium | 2025-11-08 |
| CVE-2025-12353 | WPFunnels <= 3.6.2 - Unauthorized User Registration | WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell | 5.3 | Medium | 2025-11-08 |
| CVE-2025-64431 | IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tampering | zitadel | 6.5 | - | 2025-11-07 |
| CVE-2025-12854 | newbee-mall-plus seckillExecution executeSeckill authorization | newbee-mall-plus | 3.7 | Low | 2025-11-07 |
| CVE-2025-58627 | WordPress Miraculous Core Plugin plugin < 2.0.9 - Insecure Direct Object References (IDOR) vulnerability | Miraculous Core Plugin | 9.1 | - | 2025-11-06 |
| CVE-2025-11690 | IDOR vulnerability in the CFMOTO RIDE API | RIDE | 8.5 | High | 2025-11-04 |
| CVE-2025-0987 | IDOR in CB Project's CVLand | CVLand | 9.9 | Critical | 2025-11-03 |
| CVE-2025-12623 | fushengqian fuint Authentication Token ClientSignController.java authorization | fuint | 3.1 | Low | 2025-11-03 |
| CVE-2025-6574 | Service Finder Bookings < 6.1 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover | Service Finder Bookings | 8.8 | High | 2025-11-01 |
| CVE-2025-5949 | Service Finder Bookings <= 6.0 - Authenticated (Subscriber+) Privilege Escalation via change_candidate_password | Service Finder Bookings | 8.8 | High | 2025-11-01 |
| CVE-2025-64283 | WordPress RTMKit plugin <= 1.6.7 - Insecure Direct Object References (IDOR) vulnerability | RTMKit | 9.1 (AI) | Critical (AI) | 2025-10-29 |
| CVE-2025-12351 | Inadequate access control measure allows unauthorized users to access restricted administrative functions | S35 3M/5M/8M/Pinhole/Kit Camera | 6.8 | Medium | 2025-10-27 |
| CVE-2025-12288 | Bdtask Pharmacy Management System User Profile edit_user authorization | Pharmacy Management System | 4.3 | Medium | 2025-10-27 |
| CVE-2025-12283 | code-projects Client Details System authorization | Client Details System | 4.3 | Medium | 2025-10-27 |
| CVE-2025-34293 | GN4 Publishing System Insecure Direct Object Reference (IDOR) Information Disclosure | GN4 Publishing System | 8.8 | - | 2025-10-24 |
| CVE-2025-11957 | Devolutions Server security vulnerability | Server | 8.1 (AI) | High (AI) | 2025-10-22 |
| CVE-2025-49952 | WordPress Houzez theme <= 4.2.5 - Insecure Direct Object References (IDOR) vulnerability | Houzez | 6.5 | Medium | 2025-10-22 |
| CVE-2025-6833 | All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out | All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier | 4.3 | Medium | 2025-10-22 |
| CVE-2025-10570 | Flexible Refund and Return Order for WooCommerce <= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund | Flexible Refund and Return Order for WooCommerce | 4.3 | Medium | 2025-10-22 |
| CVE-2025-8884 | IDOR in VHS Electronic Software's ACE Center | ACE Center | 5.5 | Medium | 2025-10-20 |
| CVE-2025-11519 | Image optimization service by Optimole <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload | Optimole – Optimize Images in Real Time | 4.3 | Medium | 2025-10-18 |
| CVE-2025-11741 | WPC Smart Quick View for WooCommerce <= 4.2.5 - Insecure Direct Object Reference to Unauthenticated Private Product Exposure | WPC Smart Quick View for WooCommerce | 5.3 | Medium | 2025-10-18 |
| CVE-2025-11517 | Event Tickets and Registration <= 5.26.5 - Unauthenticated Ticket Payment Bypass | Event Tickets and Registration | 7.5 | High | 2025-10-18 |
| CVE-2025-11895 | Binary MLM Plan <= 5.0 - Authenticated (Subscriber+) Insecure Direct Object Reference | Binary MLM Plan | 4.3 | Medium | 2025-10-17 |
| CVE-2024-56143 | Strapi Allows Unauthorized Access to Private Fields via parms.lookup | strapi | 8.2 | High | 2025-10-16 |
| CVE-2025-9559 | Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data | Pega Infinity | 6.5 | Medium | 2025-10-16 |
| CVE-2025-41020 | Insecure direct object reference (IDOR) vulnerability in Sergestec's Exito | Exito | 6.5 (AI) | Medium (AI) | 2025-10-16 |
| CVE-2025-10742 | Truelysell Core <= 1.8.6 - Unauthenticated Arbitrary User Password Change | Truelysell Core | 9.8 | Critical | 2025-10-16 |

Entries marked "(AI)" carry an AI-estimated CVSS score and severity rather than a vendor- or NVD-assigned one; a "-" severity means no rating was recorded.

Vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key) total 1038 CVEs. The CWE entry describes only the weakness class (an authorization check that trusts a user-supplied key, such as an object ID); review each individual CVE for the product-specific impact.