Authorization Bypass Through User-Controlled Key (CWE-639)

Columns: DATE, CVE, VULNERABILITY TITLE / DESCRIPTION, RISK (attack vector / attack complexity / vendor tag where listed / CWE / severity label where listed / CVSS score)

2025-03-20  CVE-2024-13558
  The NP Quote Request for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.179 due to missing validation on a user controlled key.
  Risk: network / low complexity / CWE-639 / 7.5

2025-03-15  CVE-2025-1667
  The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16.
  Risk: network / low complexity / CWE-639 / 8.8

2025-03-14  CVE-2024-13407
  Authorization Bypass Through User-Controlled Key vulnerability in Omnipressteam Omnipress
  The Omnipress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.5.4 via the megamenu block due to insufficient restrictions on which posts can be included.
  Risk: network / low complexity / omnipressteam / CWE-639 / 6.5

2025-03-14  CVE-2024-11284
  The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9.
  Risk: network / low complexity / CWE-639 / critical / 9.8

2025-03-14  CVE-2024-11285
  The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1.
  Risk: network / low complexity / CWE-639 / critical / 9.8

2025-03-13  CVE-2024-13887
  The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.14 via the 'ajax_listing_submit_image_upload' function due to missing validation on a user controlled key.
  Risk: network / low complexity / CWE-639 / 5.3

2025-03-11  CVE-2025-26660
  SAP Fiori applications using the posting library fail to properly configure security settings during the setup process, leaving them at default or inadequately defined.
  Risk: network / low complexity / CWE-639 / 4.3

2025-03-11  CVE-2025-27433
  The Manage Bank Statements in SAP S/4HANA allows an authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement.
  Risk: network / low complexity / CWE-639 / 4.3

2025-03-11  CVE-2025-27436
  The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement.
  Risk: network / low complexity / CWE-639 / 4.3

2025-03-08  CVE-2024-12114
  Authorization Bypass Through User-Controlled Key vulnerability in Fooplugins Foogallery
  The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.29 via the foogallery_attachment_modal_save AJAX action due to missing validation on a user controlled key (img_id).
  Risk: network / low complexity / fooplugins / CWE-639 / 4.3