CVE-2025-2271 IDOR in Issuetrak NewAuditID parameter via Inv_PopTrakXShow.asp

A vulnerability exists in Issuetrak v17.2.2 and prior that allows a low-privileged user to access audit results of other users by exploiting an Insecure Direct Object Reference IDOR vulnerability in the Issuetrak audit component. The vulnerability enables unauthorized access to sensitive...

CVE-2024-13887

CVE-2024-13887 concerns the WordPress plugin Business Directory Plugin – Easy Listing Directories for WordPress (versions

CVE-2024-13887 Business Directory Plugin - Easy Listing Directories for WordPress <= 6.4.14 - Insecure Direct Object Reference to Listing Arbitrary Image Addition

The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.14 via the 'ajaxlistingsubmitimageupload' function due to missing validation on a user controlled key. This makes...

Insecure Direct Object Reference (IDOR)

github.com/zitadel/zitadel is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to insufficient access control in the Admin API, allowing authenticated users without specific IAM roles to modify sensitive settings...

CVE-2024-12114

The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.29 via the foogalleryattachmentmodalsave AJAX action due to missing validation on a user controll...

CVE-2024-13552

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.0 via file upload due to missing validation on a user controlled key. This makes it possible for authenticated attackers to...

CVE-2024-12114

The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.29 via the foogalleryattachmentmodalsave AJAX action due to missing validation on a user controll...

CVE-2024-12114

The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.29 via the foogalleryattachmentmodalsave AJAX action due to missing validation on a user controll...

CVE-2024-12114 FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel <= 2.4.29 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Post/Page Updates

The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.29 via the foogalleryattachmentmodalsave AJAX action due to missing validation on a user controll...

CVE-2024-12114 FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel <= 2.4.29 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Post/Page Updates

The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.29 via the foogalleryattachmentmodalsave AJAX action due to missing validation on a user controll...

CVE-2024-12114

CVE-2024-12114 affects FooGallery for WordPress (

CVE-2024-13552 SupportCandy – Helpdesk & Customer Support Ticket System <= 3.3.0 - Insecure Direct Object Reference

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.0 via file upload due to missing validation on a user controlled key. This makes it possible for authenticated attackers to...

CVE-2024-13552 SupportCandy – Helpdesk & Customer Support Ticket System <= 3.3.0 - Insecure Direct Object Reference

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.0 via file upload due to missing validation on a user controlled key. This makes it possible for authenticated attackers to...

UniRide Vehicle Booking Management System 1.0 Insecure Direct Object Reference

UniRide Vehicle Booking Management System version 1.0 suffers from an insecure direct object reference vulnerability. ============================================================================================================================================= | Title : UniRide Vehicle Booking...

Employee Leaves Management System 2.1 Insecure Direct Object Reference

Employee Leaves Management System version 2.1 suffers from an insecure direct object reference vulnerability. Exploit Title: Employee Leaves Management System ELMS v2.1 - Authenticated Insecure Direct Object References IDOR Date: 2025-03-04 Exploit Author: Mehmet Can Kadıoğlu a.k.a mao7un Vendor:...

CVE-2025-27507 IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference IDOR vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While...

ZITADEL 安全漏洞

ZITADEL is a modern open source alternative to Auth0, Firebase Auth, AWS Cognito, and Keycloak built for the container and serverless era from the Swiss ZITADEL open source. ZITADEL suffers from a security vulnerability that stems from an unsafe direct object reference...

PT-2025-9686 · Zitadel · Zitadel

Name of the Vulnerable Software and Affected Versions: Zitadel versions prior to 2.71.0 Zitadel versions prior to 2.70.1 Zitadel versions prior to 2.69.4 Zitadel versions prior to 2.68.4 Zitadel versions prior to 2.67.8 Zitadel versions prior to 2.66.11 Zitadel versions prior to 2.65.6 Zitadel...

CVE-2025-25952

An Insecure Direct Object References IDOR in the component /getStudemtAllDetailsById?studentId=XX of Serosoft Solutions Pvt Ltd Academia Student Information System SIS EagleR v1.0.118 allows attackers to access sensitive user information via a crafted API request...

PT-2025-9587

Name of the Vulnerable Software and Affected Versions Serosoft Solutions Pvt Ltd Academia Student Information System SIS EagleR version 1.0.118 Description The issue is related to an Insecure Direct Object References IDOR in the component "/getStudemtAllDetailsById?studentId=XX". This allows...