CVE-2025-12126

The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access a...

CVE-2025-11532

The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlistid' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists...

WordPress IDonate plugin unsafe direct object reference vulnerability

WordPress IDonate plugin is a blood donation management tool on the WordPress platform, which is mainly used for blood donor registration, blood donation request submission and background management. WordPress IDonate plugin has an insecure direct object reference vulnerability, the vulnerability...

FileBrowser 安全漏洞

FileBrowser is an open source web file browser from Seagate. Provides a file management interface in a specified directory for uploading, deleting, previewing, renaming and editing your files. It allows the creation of multiple users , each user can have its own directory . It can be used as a...

CVE-2025-48878

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...

EUVD-2025-60928

The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access a...

CVE-2025-12126

CVE-2025-12126 affects The Total Book Project WordPress plugin (versions ≤ 1.0). Root cause: insecure direct object reference due to missing validation of a user-controlled key, enabling authenticated users with Contributor+ privileges to move/delete/create chapters in books not owned by them. Im...

CVE-2025-11532

CVE-2025-11532 affects the Wisly WordPress plugin (versions

CVE-2025-11532 Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation

The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlistid' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists...

PT-2025-46273

Name of the Vulnerable Software and Affected Versions The Total Book Project plugin for WordPress versions prior to 1.1 Description The software is susceptible to an Insecure Direct Object Reference issue. This impacts authenticated attackers with Contributor-level access or higher, allowing them...

WordPress Wisly plugin <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation vulnerability

Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin Wisly versions = 1.0.0...

CVE-2025-48878

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...

CVE-2025-48878 Combodo iTop vulnerable to IDOR with ModuleInstallation object

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...

CVE-2025-48878 Combodo iTop vulnerable to IDOR with ModuleInstallation object

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...

WordPress Groups plugin <= 3.7.0 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by shark3y in WordPress Plugin Groups versions = 3.7.0...

PT-2025-46195

Name of the Vulnerable Software and Affected Versions Combodo iTop versions prior to 3.2.2 Description Combodo iTop is a web based IT service management tool. An insecure direct object reference allows a user, such as one with a Service desk agent profile, to create a ModuleInstallation object wh...

lemlist: Authentication Bypass in Subscription Management Endpoint

A vulnerability was identified in the subscription management functionality that allowed unauthorized access to customer billing information. The issue stemmed from insufficient authentication and authorization controls on an API endpoint. The vulnerability was classified as an Insecure Direct...

GHSA-FQQ7-H225-8W6H Skuul School Management System has an Insecure Direct Object Reference (IDOR) Vulnerability in View Fee Invoice

A security flaw has been discovered in yungifez Skuul School Management System up to 2.6.5. The impacted element is an unknown function of the file /dashboard/fees/fee-invoices/ of the component View Fee Invoice. Performing manipulation of the argument invoiceid results in improper control of...

CVE-2025-11748

The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'groupid' parameter of the groupjoin function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

CVE-2025-64431

Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to secure Direct Object Reference IDOR attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belongin...