CVE-2018-25129 SOCA Access Control System 180612 Information Disclosure via Multiple Endpoints

SOCA Access Control System 180612 contains multiple insecure direct object reference vulnerabilities that allow attackers to access sensitive user credentials. Attackers can retrieve authenticated and unauthenticated user password hashes and pins through unprotected endpoints like...

CVE-2018-25129

CVE-2018-25129 affects the SOCA Access Control System (version 180612). The issue is insecure direct object references that allow access to sensitive credentials via unprotected endpoints Get_Permissions_From_DB.php and Ac10_ReadSortCard, enabling retrieval of password hashes and pins. Affected c...

CVE-2025-67909 WordPress Membership For WooCommerce plugin <= 3.0.3 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Membership For WooCommerce: from n/a through = 3.0.3...

PT-2025-53350

Name of the Vulnerable Software and Affected Versions SOCA Access Control System version 180612 Description The SOCA Access Control System has multiple insecure direct object reference issues. These allow attackers to access sensitive user credentials, including retrieving authenticated and...

SOCA Access Control System 安全漏洞

SOCA Access Control System is an access control system from China's Sunchem SOCA. A security vulnerability exists in SOCA Access Control System version 180612, which stems from an insecure direct object reference that could lead to the disclosure of sensitive credentials...

WordPress WP JobHunt plugin <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference vulnerability

Authenticated Candidate+ Insecure Direct Object Reference vulnerability discovered by meghnine islem - CYBEARS in WordPress Plugin WP JobHunt versions = 7.7...

CVE-2023-53955

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access hidden system resources. Attackers can exploit the vulnerability by manipulating user-supplied input to execute privileged functionalities without...

CVE-2023-53955

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access hidden system resources. Attackers can exploit the vulnerability by manipulating user-supplied input to execute privileged functionalities without...

PT-2025-52696

Name of the Vulnerable Software and Affected Versions SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x Description The software contains an insecure direct object reference issue. This allows attackers to bypass authorization and access hidden system resources. Attackers can exploit the issue by...

CVE-2025-7733

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'csupdateapplicationstatuscallback' due to missing validation on a user controlled key. This makes it possible for authenticated...

CVE-2025-7733

CVE-2025-7733 affects the WP JobHunt WordPress plugin (up to 7.7) via Insecure Direct Object Reference in the cs_update_application_status_callback, caused by missing validation on a user-controlled key. This allows authenticated users with Candidate-level access and above to send a site-generate...

CVE-2025-7733 WP JobHunt <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'csupdateapplicationstatuscallback' due to missing validation on a user controlled key. This makes it possible for authenticated...

CVE-2025-7733 WP JobHunt <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'csupdateapplicationstatuscallback' due to missing validation on a user controlled key. This makes it possible for authenticated...

CVE-2025-14881

The CVE-2025-14881 issue is a broken access control in pretix (a ticketing system) where the UUID parameter in multiple API endpoints can be used to access sensitive files belonging to other users. Descriptions across Red Hat, ENISA EUVD, GHSA advisories, and the OSV/NVD entries consistently stat...

CVE-2025-14881 Insecure direct object reference

Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only...

CVE-2025-14881 Insecure direct object reference

Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only...

CVE-2025-14882

CVE-2025-14882 is a vulnerability in pretix (Python ticketing system) where an API endpoint allowed cross-user file access by supplying the target file’s UUID. The issue is described as an Authorization Bypass Through User-Controlled Key, enabling retrieval of sensitive files belonging to other u...

CVE-2025-14882 Insecure direct object reference

An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only...

CVE-2023-53930

ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.p...

WordPress HUSKY – Products Filter Professional for WooCommerce plugin <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr' vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference via 'woofaddsubscr' vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin HUSKY versions = 1.3.7.3...