CVE-2025-7013
Published: 29 January 2026
Summary
CVE-2025-7013 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Qrmenumpro Menu Panel. Its CVSS base score is 5.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-7013 is an Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel that allows exploitation of trusted identifiers. The issue affects Menu Panel versions through 29012026 and is associated with CWE-639.
With a CVSS v3.1 base score of 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N), the vulnerability can be exploited over the network by a low-privileged authenticated user (PR:L) with low attack complexity (AC:L), though it requires user interaction (UI:R). Successful exploitation enables the attacker to bypass authorization controls via a user-controlled key, resulting in high-impact unauthorized access to confidential information (C:H) without affecting integrity or availability.
An advisory detailing the vulnerability is available at https://www.usom.gov.tr/bildirim/tr-26-0007. The vendor was contacted early regarding this disclosure but did not respond in any way, and no patches or official mitigation guidance have been provided.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206543
Vulnerability details
Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Exploitation of Trusted Identifiers. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond…
more
in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR auth bypass in a network-accessible Menu Panel web application directly enables remote exploitation of a public-facing app for unauthorized data access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization decisions on user-supplied keys so that only permitted identifiers can access menu-panel data, blocking the CWE-639 bypass.
Requires the system to make and enforce access-control decisions using authoritative, non-user-controlled attributes rather than trusting client-supplied identifiers.
Limits every authenticated user to the minimum privileges needed, reducing the scope of data that can be reached even if a key-based bypass succeeds.