3449 matches found

CVE (added 2026/01/19 8:43 p.m.)

CVE-2026-23844

CVE-2026-23844 affects Whisper Money, a personal finance app. The vulnerability is an insecure direct object reference (IDOR) in the sync/balances endpoint, allowing a user to update or create account balances in other users’ bank accounts. Root cause is improper authorization checks for direct o...

CVSS 7.1 | AI score 5.5 | EPSS 0.00193
Exploits: 0 | References: 3 | Affected software: 1
EUVD (added 2026/01/19 8:43 p.m.)

EUVD-2026-3286

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

CVSS 7.1 | AI score 5.5 | EPSS 0.00193
Exploits: 0 | References: 3
Cvelist (added 2026/01/19 8:43 p.m.)

CVE-2026-23844 Whisper Money has IDOR Vulnerability on sync/balances endpoint

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

CVSS 7.1 | EPSS 0.00193
Exploits: 0 | References: 3
NVD (added 2026/01/19 7:16 p.m.)

CVE-2026-23843

teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can...

CVSS 7.1 | EPSS 0.00202
Exploits: 0 | References: 2
CVE (added 2026/01/19 6:42 p.m.)

CVE-2026-23843

Summary: CVE-2026-23843 affects the teklifolustur_app PHP web app. An IDOR vulnerability exists in the offer view function: authenticated users can modify the offer_id to access offers owned by others due to missing authorization checks. The issue is mitigated by the patch introduced in commit dd...

CVSS 7.1 | AI score 5.5 | EPSS 0.00202
Exploits: 0 | References: 2
Vulnrichment (added 2026/01/19 6:42 p.m.)

CVE-2026-23843 teklifolustur_app's IDOR vulnerability allows unauthorized access to other users' offers

teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can...

CVSS 7.1 | AI score 5.5 | EPSS 0.00202
Exploits: 0 | References: 2
Cvelist (added 2026/01/19 6:42 p.m.)

CVE-2026-23843 teklifolustur_app's IDOR vulnerability allows unauthorized access to other users' offers

teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can...

CVSS 7.1 | EPSS 0.00202
Exploits: 0 | References: 2
Positive Technologies (added 2026/01/19 12:00 a.m.)

PT-2026-3484

Name of the Vulnerable Software and Affected Versions: teklifolustur_app versions prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c. Description: teklifolustur_app is a web-based PHP application for managing quotes. An Insecure Direct Object Reference (IDOR) exists in the offer view...

CVSS 7.1 | AI score 5.4 | EPSS 0.00202
Exploits: 0 | References: 5
RedhatCVE (added 2026/01/17 5:22 a.m.)

CVE-2025-15370

The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible...

CVSS 4.3 | AI score 5.7 | EPSS 0.00242
Exploits: 0 | References: 1
NVD (added 2026/01/17 4:16 a.m.)

CVE-2026-0820

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wcuploadandsavesignaturehandler function in all versions up to, and including, 4.1116. This makes it possible for...

CVSS 4.3 | EPSS 0.002
Exploits: 0 | References: 4
EUVD (added 2026/01/17 3:24 a.m.)

EUVD-2026-3150

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wcuploadandsavesignaturehandler function in all versions up to, and including, 4.1116. This makes it possible for...

CVSS 5.3 | AI score 5.2 | EPSS 0.002
Exploits: 0 | References: 5
Cvelist (added 2026/01/17 3:24 a.m.)

CVE-2026-0820 RepairBuddy <= 4.1116 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wcuploadandsavesignaturehandler function in all versions up to, and including, 4.1116. This makes it possible for...

CVSS 4.3 | EPSS 0.002
Exploits: 0 | References: 4
Vulnrichment (added 2026/01/17 3:24 a.m.)

CVE-2026-0820 RepairBuddy <= 4.1116 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wcuploadandsavesignaturehandler function in all versions up to, and including, 4.1116. This makes it possible for...

CVSS 4.3 | AI score 5.7 | EPSS 0.002
Exploits: 0 | References: 4
CVE (added 2026/01/17 3:24 a.m.)

CVE-2026-0820

CVE-2026-0820 (RepairBuddy

CVSS 4.3 | AI score 5.3 | EPSS 0.002
Exploits: 0 | References: 4
Positive Technologies (added 2026/01/17 12:00 a.m.)

PT-2026-3345

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc upload and save signature handler function in all versions up to, and including, 4.1116. This makes it possible for...

CVSS 5.3 | AI score 5.7 | EPSS 0.002
Exploits: 0 | References: 5
CNNVD (added 2026/01/17 12:00 a.m.)

WordPress plugin RepairBuddy has a security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 4.3 | AI score 5.8 | EPSS 0.002
Exploits: 0 | References: 5
Patchstack (added 2026/01/16 11:38 p.m.)

WordPress RepairBuddy plugin <= 4.1116 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders vulnerability

Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders vulnerability discovered by Teerachai Somprasong in WordPress Plugin RepairBuddy versions <= 4.1116...

CVSS 5.3 | AI score 7 | EPSS 0.002
Exploits: 0 | References: 1 | Affected software: 1
Vulnrichment (added 2026/01/16 9:23 a.m.)

CVE-2025-14844 Membership Plugin – Restrict Content <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcpstripecreatesetupintentforsavedcard' function due to missing capability check. Additionally, the plugin does not check a user-controlled...

CVSS 8.2 | AI score 5.3 | EPSS 0.00419
Exploits: 0 | References: 6
NVD (added 2026/01/16 5:16 a.m.)

CVE-2025-15370

The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible...

CVSS 4.3 | EPSS 0.00242
Exploits: 0 | References: 3
Cvelist (added 2026/01/16 4:44 a.m.)

CVE-2025-15370 Shield Security <= 21.0.9 - Authenticated (Subscriber+) Insecure Direct Object Reference to Disable Google Authenticator

The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible...

CVSS 4.3 | EPSS 0.00242
Exploits: 0 | References: 3
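Every entry above describes the same defect: a handler resolves an object (a bank account in the Whisper Money sync/balances endpoint, an offer selected by offer_id in teklifolustur_app, an order or a user's MFA setting in the WordPress plugins) from a client-supplied identifier without checking that the caller is allowed to touch it. The following is an added example, not code from any of the listed projects; the in-memory store, the user ids, the "user"/"admin" roles and the handler signatures are assumptions chosen to mirror the advisories' wording. It shows a vulnerable read and a vulnerable write beside their hardened forms, which resolve the object through the caller's ownership (or an explicit admin role), and a small probe of the kind a pentester runs: act as user 100 against user 200's object and see whether the call succeeds.

```python
"""IDOR (object-level authorization) demo: vulnerable vs. hardened handlers.

Added illustration only; not code from Whisper Money, teklifolustur_app or any
WordPress plugin. Data model, ids, roles and signatures are assumptions.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


@dataclass
class Session:
    user_id: int
    role: str = "user"   # assumed roles: "user" (owns rows) or "admin" (sees all)


@dataclass
class Store:
    # Constructed sample data: two users, each owning one account and one offer.
    accounts: dict = field(default_factory=lambda: {
        1: {"owner": 100, "balance": 50.0},
        2: {"owner": 200, "balance": 75.0},
    })
    offers: dict = field(default_factory=lambda: {
        10: {"owner": 100, "title": "Alice quote"},
        11: {"owner": 200, "title": "Bob quote"},
    })


# --- vulnerable: the id alone selects the row; the caller's identity is ignored ---
def view_offer_vulnerable(store, session, offer_id):
    # Equivalent of `SELECT ... WHERE id = ?` with no owner predicate.
    return store.offers[offer_id]


def sync_balance_vulnerable(store, session, account_id, balance):
    # Any authenticated user can overwrite any account's balance.
    store.accounts[account_id]["balance"] = balance
    return store.accounts[account_id]


# --- hardened: resolve the object through the caller's ownership ---
def _owned(table, session, obj_id):
    """Return the object only if it exists and belongs to the caller, or the
    caller is an admin. Equivalent of `... WHERE id = ? AND owner = ?`."""
    obj = table.get(obj_id)
    if obj is None or (session.role != "admin" and obj["owner"] != session.user_id):
        # Same error for "missing" and "not yours", so ids cannot be enumerated
        # by distinguishing 404 from 403.
        raise Forbidden("not found")
    return obj


def view_offer(store, session, offer_id):
    return _owned(store.offers, session, offer_id)


def sync_balance(store, session, account_id, balance):
    acct = _owned(store.accounts, session, account_id)
    acct["balance"] = balance
    return acct


def probe_idor(handler, *args):
    """Pentest-style check: call `handler` as user 100 against an object owned
    by user 200 (ids from the constructed data). True means the cross-user
    access succeeded, i.e. the handler is vulnerable."""
    attacker = Session(user_id=100)
    try:
        handler(Store(), attacker, *args)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    for name, h, args in [
        ("view_offer_vulnerable", view_offer_vulnerable, (11,)),
        ("view_offer", view_offer, (11,)),
        ("sync_balance_vulnerable", sync_balance_vulnerable, (2, 0.0)),
        ("sync_balance", sync_balance, (2, 0.0)),
    ]:
        print(f"{name}: {'VULNERABLE' if probe_idor(h, *args) else 'ok'}")
```

The fix is the ownership predicate in `_owned`, not input validation: the identifier is well-formed in every one of the advisories above, it simply names someone else's object. Scoping every lookup by the authenticated principal (and treating "not yours" exactly like "does not exist") closes both the read and the write variants in one place.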