4550 matches found
CVE-2026-28374
CVE-2026-28374 corresponds to an IDOR in the Annotations API where editors can delete any annotation, including those they lack read access to. The vulnerability allows unprivileged users to delete annotations they should not be able to modify, while editor users cannot create or read annotations...
CVE-2026-6965
The CVE-2026-6965 entry concerns Tutor LMS
CVE-2026-6965 Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the getcourseidby function unconditionally trusting the user-supplied course GET parameter as the authoritative course ...
EUVD-2026-29914
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the getcourseidby function unconditionally trusting the user-supplied course GET parameter as the authoritative course ...
CVE-2025-14755 Cost Calculator Builder <= 4.0.1 - Unauthenticated Price Manipulation and Insecure Direct Object Reference
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference IDOR in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccbwoocommercepayment AJAX...
CVE-2025-14755
The Cost Calculator Builder plugin for WordPress (
PT-2026-40817
Name of the Vulnerable Software and Affected Versions SQLBot versions prior to 1.8.0 Description An Insecure Direct Object Reference IDOR and authorization bypass issue exists in the '/api/v1/datasource/exportDsSchema' and '/api/v1/datasource/uploadDsSchema' endpoints. This allows an attacker to...
IDOR in Annotations API allows unprivileged users to DELETE annotation
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations...
WordPress plugin Tutor LMS 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
CVE-2026-44341 GoJobs: Insecure Direct Object Reference (IDOR) in Job Retrieval Endpoint
GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access ...
CVE-2026-44341
Summary: CVE-2026-44341 affects the GoJobs REST API (Job Board) and stems from an insecure direct object reference in the job retrieval endpoint. The endpoint allows unauthenticated access by manipulating object identifiers, due to missing authentication and authorization checks. Impact (as state...
CVE-2026-44341 GoJobs: Insecure Direct Object Reference (IDOR) in Job Retrieval Endpoint
GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access ...
EUVD-2023-34492
An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...
WordPress Tutor LMS – eLearning and online course solution plugin <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion vulnerability
Insecure Direct Object Reference to Authenticated Instructor+ Arbitrary Post Deletion vulnerability discovered by molten bit in WordPress Plugin Tutor LMS versions = 3.9.9...
WordPress Checkout Files Upload for WooCommerce plugin <= 2.2.5 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References IDOR vulnerability discovered by devploit in WordPress Plugin Checkout Files Upload for WooCommerce versions = 2.2.5...
Mk-Auth 安全漏洞
Mk-Auth is a Brazilian internet service provider management system developed by Mk-Auth company. It is used to control client access and permissions through a network interface panel. Version 23.01K4.9 of MK-Auth contains a security vulnerability caused by insecure direct object references. This...
PT-2026-40048
An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...
CVE-2023-30059
An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...
CVE-2023-30059
An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...
CVE-2026-43890 Outline: IDOR in subscriptions.create allows cross-tenant subscription on private documents (sibling of GHSA-23jj-rp48-w7q7)
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the request, the route...