3451 matches found
CVE-2025-15370
The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible...
CVE-2025-15370 Shield Security <= 21.0.9 - Authenticated (Subscriber+) Insecure Direct Object Reference to Disable Google Authenticator
The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible...
CVE-2025-15370 Shield Security <= 21.0.9 - Authenticated (Subscriber+) Insecure Direct Object Reference to Disable Google Authenticator
The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible...
CVE-2025-15370
The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible...
CVE-2025-15370
CVE-2025-15370 affects Shield: Blocks Bots, Protects Users, and Prevents Security Breaches (WordPress Shield Security plugin) up to version 21.0.9. The issue is an Insecure Direct Object Reference via MfaGoogleAuthToggle that allows authenticated attackers with Subscriber-level access and above t...
CVE-2025-15527 WP Recipe Maker <= 10.2.2 - Insecure Direct Object Reference to Sensitive Information Exposure
The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the apigetpostsummary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level...
CVE-2025-15527
CVE-2025-15527 : WP Recipe Maker for WordPress is vulnerable to Information Exposure up to version 10.2.2 via api_get_post_summary, due to insufficient post-retrieval restrictions. Authenticated attackers with Contributor+ access can read data from posts they shouldn’t be able to edit or read, in...
PT-2026-3215
The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible...
WordPress Shield Security plugin <= 21.0.9 - Authenticated (Subscriber+) Insecure Direct Object Reference to Disable Google Authenticator vulnerability
Authenticated Subscriber+ Insecure Direct Object Reference to Disable Google Authenticator vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Shield Security versions = 21.0.9...
CVE-2025-13457
The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the gettokenbyid function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Squa...
CVE-2026-22589
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without...
CVE-2026-22033 Label Studio vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field
Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting XSS vulnerability exists in the customhotkeys functionality of the application. An authenticated attacker or one who can trick a user/administrator into updating their...
GHSA-2MQ9-HM29-8QCH Label Studio is vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field
Prologue These vulnerabilities have been found and chained by DCODX-AI. Validation of the exploit chain has been confirmed manually. Summary A persistent stored cross-site scripting XSS vulnerability exists in the customhotkeys functionality of the application. An authenticated attacker or one wh...
CVE-2025-41077
CVE-2025-41077 affects Viafirma Inbox v4.5.13 with an Insecure Direct Object Reference (IDOR) flaw. The vulnerability allows any authenticated, unprivileged user to list all users, access and modify their data (including emails) and then use password recovery to impersonate other users, potential...
CVE-2025-13457
The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the gettokenbyid function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Squa...
CVE-2025-13457 WooCommerce Square <= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id
The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the gettokenbyid function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Squa...
EUVD-2026-1860
The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the gettokenbyid function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Squa...
CVE-2025-13457
CVE-2025-13457 affects the WooCommerce Square plugin for WordPress (versions up to 5.1.1). The vulnerability is an Insecure Direct Object Reference in the get_token_by_id function due to missing validation on a user-controlled key, enabling unauthenticated attackers to exfiltrate arbitrary Square...
EUVD-2026-1460
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without...
CVE-2026-22589 Spree API has Unauthenticated IDOR - Guest Address
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without...