We have discovered 1,203,174 live websites that are affected by CWE-639.
| 332,223 websites | |
| 104,702 websites | |
| 68,113 websites | |
| 62,533 websites | |
| 61,178 websites | |
| 48,471 websites | |
| 40,156 websites | |
| 31,667 websites | |
| 31,263 websites | |
| 26,344 websites |

| .com | 516,547 websites |
| .de | 53,251 websites |
| .org | 51,847 websites |
| .co.uk | 37,376 websites |
| .nl | 35,780 websites |
| .it | 33,917 websites |
| .net | 29,686 websites |
| .fr | 26,102 websites |
| .ru | 25,441 websites |
| .pl | 20,028 websites |

| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Feb, 2026 | CVE-2025-13842 | Breadcrumb NavXT <= 7.5.0 - Missing Authorization to Sensitive Information Exposure | 133,646 |
| Feb, 2026 | CVE-2026-1219 | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure | 1,293 |
| Feb, 2026 | CVE-2026-25120 | Gogs Allows Cross-Repository Comment Deletion via DeleteComment | 50 |
| Feb, 2026 | CVE-2026-2230 | Booking Calendar <= 10.14.14 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification | 12,144 |
| Feb, 2026 | CVE-2025-15147 | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment | 98 |
| Feb, 2026 | CVE-2026-25497 | Craft has a GraphQL Asset Mutation Privilege Escalation | 16 |
| Feb, 2026 | CVE-2026-1228 | Timeline Block <= 1.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute | 651 |
| Feb, 2026 | CVE-2026-1271 | ProfileGrid <= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification | 1,142 |
| Feb, 2026 | CVE-2026-0909 | WP ULike <= 4.8.3.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Log Deletion via 'id' Parameter | 10,307 |
| Feb, 2026 | CVE-2026-1375 | Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion | 8,187 |

| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Dec, 2025 | CVE-2025-15033 | WooCommerce - Subscriber/Customer+ Order Data Disclosure | 482,812 |
| May, 2025 | CVE-2024-10075 | Jetpack < 13.8 - Unauthenticated Arbitrary Block & Shortcode Execution | 224,167 |
| Feb, 2026 | CVE-2025-13842 | Breadcrumb NavXT <= 7.5.0 - Missing Authorization to Sensitive Information Exposure | 133,646 |
| Dec, 2025 | CVE-2025-11924 | Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token | 77,605 |
| Dec, 2024 | CVE-2024-12335 | Avada Builder <= 3.11.12 - Authenticated (Contributor+) Protected Post Disclosure | 48,063 |
| Nov, 2025 | CVE-2025-12427 | YITH WooCommerce Wishlist <= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename | 38,260 |
| Dec, 2025 | CVE-2025-13748 | Fluent Forms <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id | 33,348 |
| Dec, 2024 | CVE-2024-5333 | The Events Calendar < 6.8.2.1 - Unauthenticated Password Protected Event Disclosure | 23,364 |
| Dec, 2025 | CVE-2025-68502 | WordPress JetPopup plugin <= 2.0.20.1 - Insecure Direct Object References (IDOR) vulnerability | 20,878 |
| Feb, 2026 | CVE-2026-2230 | Booking Calendar <= 10.14.14 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification | 12,144 |