WordPress WCFM Marketplace plugin <= 3.7.0 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation vulnerability

Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation vulnerability discovered by Gibran Abdillah in WordPress Plugin WCFM Marketplace versions = 3.7.0...

WordPress WCFM Membership - WooCommerce Memberships for Multivendor Marketplace plugin <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment vulnerability

WordPress WCFM Membership - WooCommerce Memberships for Multivendor Marketplace plugin = 2.11.8 - Insecure Direct Object Reference to Update Membership Payment vulnerability discovered by Jing Xuan Sun in WordPress Plugin WCFM Membership versions = 2.11.8...

CVE-2025-15147

CVE-2025-15147 affects the WCFM Membership – WooCommerce Memberships for Multivendor Marketplace WordPress plugin. The vulnerability is an Insecure Direct Object Reference in all versions up to 2.11.8, caused by missing validation on a user-controlled key in WCFMvm_Memberships_Payment_Controller:...

CVE-2026-25806 PlaciPy has Missing Authorization Checks on Student Management Endpoints (IDOR)

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do...

CVE-2026-24900 MarkUs has a submission-view IDOR exposes all student submissions

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses//assignments//submissions/htmlcontent accepted a selectfileid parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correct...

PT-2026-7195

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm Memberships Payment Controller::processing' due to missing validation on a user controlled...

CVE-2026-25574

Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference IDOR vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default...

CVE-2026-25758

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to...

EUVD-2026-5709

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers...

CVE-2026-25567

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier...

CVE-2026-25567

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier...

CVE-2026-25564

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers...

CVE-2026-25567 WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier...

CVE-2026-25564

WeKan versions prior to 8.19 are affected by an insecure direct object reference (IDOR) in checklist creation and related routes. The issue arises because the implementation does not verify that the supplied cardId belongs to the supplied boardId, enabling cross-board ID tampering by manipulating...

CVE-2026-25564

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers...

CVE-2026-25563 WeKan < 8.19 Checklist Creation Cross-Board IDOR

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers...

CVE-2026-25563

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers...

CVE-2026-25563 WeKan < 8.19 Checklist Creation Cross-Board IDOR

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers...

Vajra

⚡ Vajra ██╗ ██╗ █████╗ ██╗██████╗ █████╗ ██║...

PT-2026-6926

Name of the Vulnerable Software and Affected Versions WeKan versions prior to 8.19 Description The software contains an insecure direct object reference IDOR in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied...