Cyber Resilience

CVE-2025-7013

MediumUpdated

Published: 29 January 2026

Published
29 January 2026
Modified
05 June 2026
KEV Added
Patch
CVSS Score v3.1 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS Score 0.0032 23.7th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-7013 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Qrmenumpro Menu Panel. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-7013 is an Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel that allows exploitation of trusted identifiers. The issue affects Menu Panel versions through 29012026 and is associated with CWE-639.

With a CVSS v3.1 base score of 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N), the vulnerability can be exploited over the network by a low-privileged authenticated user (PR:L) with low attack complexity (AC:L), though it requires user interaction (UI:R). Successful exploitation enables the attacker to bypass authorization controls via a user-controlled key, resulting in high-impact unauthorized access to confidential information (C:H) without affecting integrity or availability.

An advisory detailing the vulnerability is available at https://www.usom.gov.tr/bildirim/tr-26-0007. The vendor was contacted early regarding this disclosure but did not respond in any way, and no patches or official mitigation guidance have been provided.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Exploitation of Trusted Identifiers. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond…

more

in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

IDOR auth bypass in a network-accessible Menu Panel web application directly enables remote exploitation of a public-facing app for unauthorized data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-7014Same product: Qrmenumpro Menu Panel
CVE-2026-41471Shared CWE-639
CVE-2023-36331Shared CWE-639
CVE-2026-33297Shared CWE-639
CVE-2026-41084Shared CWE-639
CVE-2024-50685Shared CWE-639
CVE-2019-25235Shared CWE-639
CVE-2026-28469Shared CWE-639
CVE-2026-33511Shared CWE-639
CVE-2026-40600Shared CWE-639

Affected Assets

qrmenumpro
menu panel
≤ 29012026

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization decisions on user-supplied keys so that only permitted identifiers can access menu-panel data, blocking the CWE-639 bypass.

prevent

Requires the system to make and enforce access-control decisions using authoritative, non-user-controlled attributes rather than trusting client-supplied identifiers.

prevent

Limits every authenticated user to the minimum privileges needed, reducing the scope of data that can be reached even if a key-based bypass succeeds.

References