EUVD-2026-37835

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the changeorderstatus, addordernote, deleteordernote,...

CVE-2026-48759

TypeBot is a chatbot builder tool. Versions 3.15.2 and below have an Insecure Direct Object Reference vulnerability through cross-workspace Theme Template modification and deletion. The handleSaveThemeTemplate and handleDeleteThemeTemplate handlers validate that the authenticated user is a...

CVE-2026-48759 TypeBot: Cross-Workspace Theme Template IDOR (Modification and Deletion)

TypeBot is a chatbot builder tool. Versions 3.15.2 and below have an Insecure Direct Object Reference vulnerability through cross-workspace Theme Template modification and deletion. The handleSaveThemeTemplate and handleDeleteThemeTemplate handlers validate that the authenticated user is a...

EUVD-2026-37629

Unauthenticated Insecure Direct Object References IDOR in Clean Login = 1.15 versions...

WordPress PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin <= 2.3.0 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Modification vulnerability

Insecure Direct Object Reference to Authenticated Custom+ Arbitrary Modification vulnerability discovered by Truong Tran in WordPress Plugin PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin versions = 2.3.0...

WordPress Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification vulnerability

Insecure Direct Object Reference to Authenticated Custom+ Arbitrary Order Modification vulnerability discovered by Kirasec in WordPress Plugin Dokan versions = 5.0.3...

CVE-2025-15657

Unauthenticated Insecure Direct Object References IDOR in School Management = 93.1.0 versions...

PT-2026-50564

Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.16.0 Steeltoe affected versions not specified Description TypeBot contains an Insecure Direct Object Reference IDOR issue—a flaw where an application provides direct access to objects based on user-supplied...

CVE-2026-10780 Static Block <= 2.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode 'id' Attribute

The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the staticblockcontent shortcode handler retrieving a post via getpost using an attacker-supplied 'id' attribute and outputting its postcontent without...

CVE-2026-10780

CVE-2026-10780 affects the WordPress Static Block plugin (versions up to 2.2). The vulnerability is an Insecure Direct Object Reference in the static_block_content() shortcode handler, which retrieves a post with get_post() using an attacker-controlled id and outputs its post_content without vali...

EUVD-2026-37034

The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the staticblockcontent shortcode handler retrieving a post via getpost using an attacker-supplied 'id' attribute and outputting its postcontent without...

CVE-2026-39518

Subscriber Insecure Direct Object References IDOR in EventPrime = 4.3.0.0 versions...

CVE-2026-52699

Summary: CVE-2026-52699 affects the WordPress VikRentCar plugin, versions

EUVD-2026-36904

Unauthenticated Insecure Direct Object References IDOR in VikRentCar = 1.4.5 versions...

CVE-2026-48868

The CVE-2026-48868 entry concerns the WordPress WordPress Simple Shopping Cart plugin (versions

CVE-2025-59133 WordPress Projectopia plugin <= 5.1.25.2 - Insecure Direct Object References (IDOR) vulnerability

Custom role Insecure Direct Object References IDOR in Projectopia = 5.1.25.2 versions...

WordPress Static Block plugin <= 2.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure vulnerability

Insecure Direct Object Reference to Authenticated Contributor+ Sensitive Information Disclosure vulnerability discovered by dyingman in WordPress Plugin Static Block versions = 2.2...

PT-2026-49394

Subscriber Insecure Direct Object References IDOR in EventPrime = 4.3.0.0 versions...

Security Bulletin: Langflow OSS Unauthenticated IDOR on Image Downloads

Summary Langflow OSS versions 1.0.0 - 1.8.4 are affected by an insecure direct object reference vulnerability in the image download endpoint due to missing authentication and authorization checks. The images endpoint serves image files without verifying user identity or ownership. An user who get...

CVE-2026-44976

CVE-2026-44976 affects the Frappe web framework. The vulnerability is described as an IDOR in the “update_onboarding_step” function, allowing any user to modify any field in any Onboarding Step record prior to version 16.17.4. The issue is explicitly patched in version 16.17.4. The available conn...