4442 matches found
CVE-2024-9263 WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.25 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover
The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save due to missing validation on a user...
CVE-2024-9215
The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the actioneditedauthor due to missing...
CVE-2024-9215 Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.7.1 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the actioneditedauthor due to missing...
CVE-2024-9215 Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.7.1 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the actioneditedauthor due to missing...
CVE-2024-9215
The CVE-2024-9215 entry concerns the WordPress plugin PublishPress Authors (Co-Authors, Multiple Authors and Guest Authors) up to version 4.7.1. It describes an insecure direct object reference in the action_edited_author() flow, caused by missing validation of the authors-user_id key, which is u...
WordPress plugin WP Timetics 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...
WordPress WP Timetics plugin <= 1.0.25 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover vulnerability
Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover vulnerability discovered by wesley wcraft in WordPress Plugin Timetics versions = 1.0.25...
CVE-2023-7286
The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the editusers capability to access metadata of other users, this includes contributor-level users and above...
CVE-2023-7286
The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the editusers capability to access metadata of other users, this includes contributor-level users and above...
CVE-2023-7286 ACF Quick Edit Fields <= 3.2.2 - Authenticated (Contributor+) Insecure Direct Object Reference
The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the editusers capability to access metadata of other users, this includes contributor-level users and above...
CVE-2023-7286
The WordPress plugin ACF Quick Edit Fields (≤ 3.2.2) is affected by an Insecure Direct Object Reference issue that allows authenticated users with Contributor+ privileges to access metadata of other users without the edit_users capability. Root cause: insecure access to user metadata via the plug...
PT-2024-39522 · WordPress · Wp Timetics- Ai-Powered Appointment Booking Calendar/Online Scheduling Plugin
Name of the Vulnerable Software and Affected Versions: WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress versions up to, and including, 1.0.25 Description: The issue allows for Account Takeover and Privilege Escalation via Insecure Direct Objec...
Insecure Direct Object Reference (IDOR)
Open-webui/open-webui is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is caused by insufficient access controls in the API, which fail to validate user permissions, allowing unauthorized users to manipulate restricted data...
VulnCheck KEV: CVE-2023-7286
The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the editusers capability to access metadata of other users, this includes contributor-level users and above...
KubeSphere IDOR vulnerability
An Insecure Direct Object Reference IDOR vulnerability in KubeSphere v3.4.1 and v4.1.1 allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks...
CVE-2024-46528
An Insecure Direct Object Reference IDOR vulnerability in KubeSphere 4.x before 4.1.3 and 3.x through 3.4.1 and KubeSphere Enterprise 4.x before 4.1.3 and 3.x through 3.5.0 allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks...
GHSA-XCVC-5HGV-PHQG open-webui Insecure Direct Object Reference (IDOR) vulnerability
An Insecure Direct Object Reference IDOR vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...
open-webui Insecure Direct Object Reference (IDOR) vulnerability
An Insecure Direct Object Reference IDOR vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...
CVE-2024-7041
An Insecure Direct Object Reference IDOR vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...
CVE-2024-7041 IDOR in open-webui/open-webui
An Insecure Direct Object Reference IDOR vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...