4442 matches found
CVE-2025-34436
AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks...
CVE-2025-34438
AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video...
CVE-2025-64282 WordPress Radius Blocks plugin <= 2.2.1 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in RadiusTheme Radius Blocks radius-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Radius Blocks: from n/a through = 2.2.1...
CVE-2025-64282 WordPress Radius Blocks plugin <= 2.2.1 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in RadiusTheme Radius Blocks radius-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Radius Blocks: from n/a through = 2.2.1...
CVE-2025-13110
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woofaddsubscr" function due to missing validation on a user controlled key. This makes it possible for authenticat...
CVE-2025-13110 HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr'
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woofaddsubscr" function due to missing validation on a user controlled key. This makes it possible for authenticat...
WordPress Google Calendar Events plugin <= 3.5.9 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References IDOR vulnerability discovered by Doan Dinh Van in WordPress Plugin Google Calendar Events versions = 3.5.9...
CVE-2025-11924
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints...
CVE-2025-67165
An Insecure Direct Object Reference IDOR in Pagekit CMS v1.0.18 allows attackers to escalate privileges...
PT-2025-52215
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof add subscr" function due to missing validation on a user controlled key. This makes it possible for...
CVE-2023-53930
ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.p...
CVE-2023-53930
ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.p...
CVE-2023-53930
CVE-2023-53930 affects ProjectSend version r1605. The issue is an insecure direct object reference in the download flow: an unauthenticated attacker can change the id parameter in the download request to process.php to download private files from any user. The available connected documents confir...
CVE-2023-53930 ProjectSend r1605 Insecure Direct Object Reference File Download Vulnerability
ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.p...
CVE-2023-53930 ProjectSend r1605 Insecure Direct Object Reference File Download Vulnerability
ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.p...
CVE-2025-34438
AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video...
CVE-2025-34436
AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks...
CVE-2025-34438
AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video...
CVE-2025-34435
AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference IDOR that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video...
CVE-2025-34438
Summary: CVE-2025-34438 affects AVideo versions prior to 20.1. It is an insecure direct object reference (IDOR) where users with upload permissions can modify the rotation metadata of arbitrary videos because the endpoint verifies upload capability but fails to enforce ownership/administrative ri...