OSV · added 2025/05/02 4:15 a.m. · 4 views

CVE-2025-1327

The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access...

CVSS 4.3 · AI score 6.6 · EPSS 0.002
Exploits 0 · References 2
NVD · added 2025/05/02 4:15 a.m. · 17 views

CVE-2025-1327

The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access...

CVSS 4.3 · EPSS 0.002
Exploits 0 · References 2
Vulnrichment · added 2025/05/02 3:21 a.m. · 10 views

CVE-2025-1327 Homey - Booking and Rentals WordPress Theme <= 2.4.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion

The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access...

CVSS 4.3 · AI score 4.4 · EPSS 0.002
Exploits 0 · References 2
CVE · added 2025/05/02 3:21 a.m. · 58 views

CVE-2025-1327

CVE-2025-1327 affects the Homey WordPress theme (versions ≤ 2.4.4). The vulnerability is an Insecure Direct Object Reference via the homey_delete_user_account action, caused by missing validation on a user-controlled key. This allows authenticated attackers with Subscriber-level access or higher ...

CVSS 4.3 · AI score 4.4 · EPSS 0.002
Exploits 0 · References 2 · Affected Software 1
Patchstack · added 2025/05/01 10:3 p.m. · 5 views

WordPress Homey theme <= 2.4.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion vulnerability

Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion vulnerability discovered by a00n in WordPress Theme Homey versions <= 2.4.4...

CVSS 4.3 · AI score 7 · EPSS 0.002
Exploits 0 · References 1 · Affected Software 1
NVD · added 2025/05/01 12:15 p.m. · 18 views

CVE-2025-3874

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and...

CVSS 6.5 · EPSS 0.00326
Exploits 0 · References 9
NVD · added 2025/05/01 12:15 p.m. · 19 views

CVE-2025-3889

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the...

CVSS 5.3 · EPSS 0.0029
Exploits 0 · References 5
Cvelist · added 2025/05/01 11:11 a.m. · 23 views

CVE-2025-3874 WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and...

CVSS 6.5 · EPSS 0.00326
Exploits 0 · References 9
CVE · added 2025/05/01 11:11 a.m. · 64 views

CVE-2025-3874

CVE-2025-3874 affects the WordPress plugin “WordPress Simple Shopping Cart.” The issue is an Insecure Direct Object Reference caused by lack of randomization of a user-controlled key, enabling unauthenticated users to access customer carts, edit product links, add/delete products, and discover co...

CVSS 6.5 · AI score 6.3 · EPSS 0.00326
Exploits 0 · References 9 · Affected Software 1
Vulnrichment · added 2025/05/01 11:11 a.m. · 8 views

CVE-2025-3889 WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference via 'quantity'

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the...

CVSS 5.3 · AI score 5.2 · EPSS 0.0029
Exploits 0 · References 5
CVE · added 2025/05/01 11:11 a.m. · 65 views

CVE-2025-3889

CVE-2025-3889 affects WordPress Simple Shopping Cart (WordPress plugin) up to version 5.1.3, via Insecure Direct Object Reference in process_payment_data. Unauthenticated attackers can set a product quantity to a negative value, subtracting cost from the total, and the attack is only effective in...

CVSS 5.3 · AI score 5.1 · EPSS 0.0029
Exploits 0 · References 5 · Affected Software 1
Cvelist · added 2025/05/01 11:11 a.m. · 21 views

CVE-2025-3889 WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference via 'quantity'

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the...

CVSS 5.3 · EPSS 0.0029
Exploits 0 · References 5
Vulnrichment · added 2025/05/01 11:11 a.m. · 5 views

CVE-2025-3874 WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and...

CVSS 6.5 · AI score 6.4 · EPSS 0.00326
Exploits 0 · References 9
Patchstack · added 2025/05/01 12:49 a.m. · 6 views

WordPress WordPress Simple PayPal Shopping Cart plugin <= 5.1.3 - Insecure Direct Object Reference vulnerability

Insecure Direct Object Reference vulnerability discovered by Jack Taylor in WordPress Plugin Simple Shopping Cart versions <= 5.1.3...

CVSS 6.5 · AI score 9 · EPSS 0.00326
Exploits 0 · References 1 · Affected Software 1
Positive Technologies · added 2025/05/01 12:0 a.m. · 3 views

PT-2025-18382 · WordPress · Wordpress Simple Shopping Cart

Name of the Vulnerable Software and Affected Versions: WordPress Simple Shopping Cart plugin versions up to, and including, 5.1.3
Description: The issue is related to Insecure Direct Object Reference due to the lack of randomization of a user-controlled key. This allows unauthenticated attackers ...

CVSS 6.5 · AI score 6.9 · EPSS 0.00326
Exploits 0 · References 14
Patchstack · added 2025/05/01 12:0 a.m. · 9 views

WordPress Homey Theme <= 2.4.4 is vulnerable to Insecure Direct Object References (IDOR)

Software: Homey · Type: Theme · Vulnerable versions: <= 2.4.4 · Fixed in: 2.4.5 · OWASP Top 10: A7: Identification and Authentication Failures · Classification: Insecure Direct Object References (IDOR) · CVE: CVE-2025-1327 · Patch priority: Low · CVSS severity: Low 4.3 · PSID: d8b4f513f58e · Credits: a00...

CVSS 4.3 · AI score 6.5 · EPSS 0.002
Exploits 0 · References 2 · Affected Software 1
Packet Storm · added 2025/04/29 12:0 a.m. · 84 views

Daikin Security Gateway 214 Remote Password Reset

The Daikin Security Gateway exposes a critical vulnerability in its password reset API endpoint. Due to an insecure direct object reference (IDOR) flaw, an unauthenticated attacker can send a crafted POST request to this endpoint, bypassing authentication mechanisms. Successful exploitation resets...

AI score 8
Exploits 0
RedhatCVE · added 2025/04/26 9:13 a.m. · 17 views

CVE-2025-25777

Insecure Direct Object Reference (IDOR) in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another user's profile without proper authentication or authorization checks...

CVSS 8 · AI score 7.1 · EPSS 0.00234
Exploits 1 · References 1
RedhatCVE · added 2025/04/26 9:8 a.m. · 16 views

CVE-2025-1284

The Woocommerce Automatic Order Printing | Formerly WooCommerce Google Cloud Print plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xcwooprinterpreview AJAX action due to missing validation on a user controlled key. This make...

CVSS 4.3 · AI score 6.4 · EPSS 0.00232
Exploits 0 · References 1
Snyk · added 2025/04/25 3:31 p.m. · 2 views

Authorization Bypass Through User-Controlled Key

Overview: moodle/moodle is a learning platform. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to insufficient capability checks in the RSS block. An attacker can access and view additional RSS feeds by exploiting the IDOR vulnerability...

CVSS 5.3 · AI score 6.8 · EPSS 0.00267
Exploits 0 · References 2