Cyber Posture

CVE-2025-7013

Medium

Published: 29 January 2026

Published
29 January 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS Score 0.0002 3.8th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7013 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Qrmenumpro Menu Panel. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-24 Access Control Decisions
addresses: CWE-639

Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

AC-3 Access Enforcement
addresses: CWE-639

Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

IDOR auth bypass in a network-accessible Menu Panel web application directly enables remote exploitation of a public-facing app for unauthorized data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Exploitation of Trusted Identifiers.This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in…

more

any way.

Deeper analysisAI

CVE-2025-7013 is an Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel that allows exploitation of trusted identifiers. The issue affects Menu Panel versions through 29012026 and is associated with CWE-639.

With a CVSS v3.1 base score of 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N), the vulnerability can be exploited over the network by a low-privileged authenticated user (PR:L) with low attack complexity (AC:L), though it requires user interaction (UI:R). Successful exploitation enables the attacker to bypass authorization controls via a user-controlled key, resulting in high-impact unauthorized access to confidential information (C:H) without affecting integrity or availability.

An advisory detailing the vulnerability is available at https://www.usom.gov.tr/bildirim/tr-26-0007. The vendor was contacted early regarding this disclosure but did not respond in any way, and no patches or official mitigation guidance have been provided.

Details

CWE(s)
CWE-639

Affected Products

qrmenumpro
menu panel
≤ 29012026

CVEs Like This One

CVE-2025-7014Same product: Qrmenumpro Menu Panel
CVE-2025-40805Shared CWE-639
CVE-2026-4503Shared CWE-639
CVE-2026-40600Shared CWE-639
CVE-2023-53955Shared CWE-639
CVE-2020-36923Shared CWE-639
CVE-2026-33511Shared CWE-639
CVE-2026-39384Shared CWE-639
CVE-2025-14844Shared CWE-639
CVE-2023-53914Shared CWE-639

References