PT-2026-6209
Name of the Vulnerable Software and Affected Versions: Open eClass versions prior to 4.2. Description: The Open eClass platform, previously known as GUnet eClass, is a course management system. A security issue exists where an unauthenticated remote attacker can access personal files belonging to...
PT-2026-6043
Name of the Vulnerable Software and Affected Versions: Tutor LMS versions prior to 3.9.5. Description: The Tutor LMS plugin for WordPress is susceptible to Insecure Direct Object References (IDOR) due to insufficient object-level authorization checks. Specifically, the course list bulk action, bulk...
WordPress WP ULike plugin <= 4.8.3.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Log Deletion via 'id' Parameter vulnerability
Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Log Deletion via 'id' Parameter vulnerability discovered by Pouria Shahba (p0or1ya) in WordPress Plugin WP ULike versions <= 4.8.3.1...
CVE-2025-69207 Khoj has an IDOR in Notion OAuth Flow Enables Index Poisoning
Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was...
CVE-2026-1251
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'addreply' function due to missing validation on a user controlled key. This makes it possible for authenticated...
WordPress Quiz And Survey Master plugin <= 10.3.4 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by johska in WordPress Plugin Quiz And Survey Master versions <= 10.3.4...
CVE-2026-1251 SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'addreply' function due to missing validation on a user controlled key. This makes it possible for authenticated...
EUVD-2026-5080
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'addreply' function due to missing validation on a user controlled key. This makes it possible for authenticated...
PT-2026-5504
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add reply' function due to missing validation on a user controlled key. This makes it possible for authenticated...
WordPress Plugin SupportCandy security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
WordPress BuddyBoss Platform plugin < 2.6.0 - Subscriber+ Comment on Private Post via IDOR vulnerability
Subscriber+ Comment on Private Post via IDOR vulnerability discovered by Faris Krivic in WordPress Plugin BuddyBoss Platform versions < 2.6.0...
WordPress Shiprocket plugin <= 2.0.8 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by NumeX in WordPress Plugin Shiprocket versions <= 2.0.8...
BurpSuitePro
Burp Suite Bambda Scripts - Vulnerability Testing Toolkit v2.0...
CVE-2026-1389
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the...
EUVD-2026-4916
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the...
CVE-2026-1389
CVE-2026-1389 affects the WordPress plugin Document Embedder (
WordPress Document Embedder plugin <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion vulnerability
Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion vulnerability discovered by Itthidej Aramsri (Boeing777) in WordPress Plugin Document Embedder versions <= 2.0.4...
CVE-2026-1213
CVE-2026-1213 affects askbot up to version 0.12.2, where an attacker authenticated with normal user permissions can modify other users’ profile pictures due to inexhaustive permissions checks. Red Hat, OSV-GHSA entries, and related advisories corroborate the issue as an IDOR-like permission flaw ...