3460 matches found
CVE-2025-60511
The CVE-2025-60511 instance affects Moodle OpenAI Chat Block plugin 3.0.1, with an Insecure Direct Object Reference (IDOR) due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user’s block (e.g., admini...
CVE-2025-8884 IDOR in VHS Electronic Software's ACE Center
Authorization Bypass Through User-Controlled Key vulnerability in VHS Electronic Software Ltd. Co. ACE Center allows Privilege Abuse, Exploitation of Trusted Identifiers. This issue affects ACE Center: from 3.10.100.1768 before 3.10.161.2255...
PT-2025-42792
Name of the Vulnerable Software and Affected Versions FileRise versions prior to 1.4.0 Description FileRise is a self-hosted web-based file manager. A flaw in file/folder handling allows low-privilege users to perform unauthorized operations view, delete, modify on files created by other users...
CVE-2025-11519
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/moveimage REST API endpoint due to missing validation on a user...
EUVD-2025-34975
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/moveimage REST API endpoint due to missing validation on a user...
CVE-2025-11519
The CVE concerns the Optimole WordPress plugin (image optimization service) up to version 4.1.0, where an Insecure Direct Object Reference exists through the /wp-json/optml/v1/move_image REST endpoint due to missing validation of a user-controlled key. This allows authenticated attackers with Aut...
CVE-2025-11519 Image optimization service by Optimole <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/moveimage REST API endpoint due to missing validation on a user...
CVE-2025-11741 WPC Smart Quick View for WooCommerce <= 4.2.5 - Insecure Direct Object Reference to Unauthenticated Private Product Exposure
The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.2.5 via the 'woosqquickview' AJAX endpoint due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated...
WordPress plugin Optimole 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security...
CVE-2025-9559
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data...
CVE-2025-11895
The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 5.0. This is due to the bmpuserpayoutdetailofcurrentuser function selecting payout records solely by id without verifying ownership. This makes it possible for authenticate...
CVE-2025-11895 Binary MLM Plan <= 5.0 - Authenticated (Subscriber+) Insecure Direct Object Reference
The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 5.0. This is due to the bmpuserpayoutdetailofcurrentuser function selecting payout records solely by id without verifying ownership. This makes it possible for authenticate...
CVE-2025-11895
The CVE-2025-11895 vulnerability affects Binary MLM Plan (WordPress) versions
CVE-2025-41020
Insecure direct object reference IDOR vulnerability in Sergestec's Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the 'id' parameter in '/admin/ticketa4.php'...
CVE-2025-41020
Insecure direct object reference IDOR vulnerability in Sergestec's Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the 'id' parameter in '/admin/ticketa4.php'...
CVE-2025-41020
CVE-2025-41020 affects Sergestec Exito v8.0. An IDOR in /admin/ticket_a4.php (id parameter) allows access to other customers’ data. Root cause: insecure direct object reference. Impact per sources includes HIGH confidentiality impact (CVE metrics: CVSS v3.1 base 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I...
CVE-2025-11176
The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfisetthumbnail and qfideletethumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated...
Pega Platform 安全漏洞
Pega Platform is an enterprise management platform from Pega Corporation, USA. A security vulnerability exists in Pega Platform versions 8.7.5 through 24.2.2, which stems from an insecure direct object reference in a user interface component that could lead to data readout...
PT-2025-42483
Name of the Vulnerable Software and Affected Versions Pega Platform versions 8.7.5 through 24.2.2 Description The Pega Platform contains an Insecure Direct Object Reference issue within a user interface component. This issue allows for the reading of data. Recommendations Update to a version late...
EUVD-2025-34513
The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfisetthumbnail and qfideletethumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated...