CVE-2024-13740 ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Private Messages Disclosure
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.4.2 via the pmmessengershowmessages function due to missing validation on a user controlled key. This makes it possible for...
WordPress plugin ProfileGrid security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
PT-2025-6605 · WordPress · Profilegrid
Name of the Vulnerable Software and Affected Versions: ProfileGrid – User Profiles, Groups and Communities plugin for WordPress versions up to, and including, 5.9.4.2 Description: The issue allows authenticated attackers with Subscriber-level access and above to read private conversations of othe...
BIT-GITLAB-2025-1042 Files or Directories Accessible to External Parties in GitLab
An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way...
CVE-2024-13692
The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user...
CVE-2025-1270
Insecure direct object reference IDOR vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/hadatoshermano.php” endpoint to refer to another user. In addition, the...
CVE-2024-13601
The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.5 via the 'exportusereraserequest' function due to missing validation on a user controlled key. This makes i...
CVE-2024-13692
The CVE-2024-13692 entry for Return Refund and Exchange For WooCommerce (woo-refund-and-exchange-lite) is confirmed as a real vulnerability. It is an Insecure Direct Object Reference (IDOR) in all versions up to 4.4.5 caused by missing validation on a user-controlled key. This flaw allows unauthe...
CVE-2024-13692 Return Refund and Exchange For WooCommerce <= 4.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user...
CVE-2024-33818
Globitel KSA SpeechLog v8.1 was discovered to contain an Insecure Direct Object Reference IDOR via the userID parameter...
WordPress Return Refund and Exchange For WooCommerce plugin <= 4.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference vulnerability
Authenticated Subscriber+ Insecure Direct Object Reference vulnerability discovered by Tim Coen in WordPress Plugin Return Refund and Exchange For WooCommerce versions <= 4.4.5...
CVE-2025-1270
CVE-2025-1270 describes an IDOR vulnerability in Anapi Group’s h6web. An authenticated attacker can access other users’ information by sending a POST to /h6web/ha_datos_hermano.php and altering the pkrelated parameter to reference a different user, with the first request potentially enabling impe...
Vulnerabilities fixed in GitLab CE/EE
GitLab has fixed vulnerabilities in GitLab CE/EE Specifically for versions 14.1 to 17.8.2. The vulnerabilities include a denial-of-service vulnerability, an external service interaction vulnerability, a critical XSS vulnerability, improper authorization vulnerabilities, an insecure direct object...
PT-2025-6871
Name of the Vulnerable Software and Affected Versions: h6web affected versions not specified Description: The issue is related to an insecure direct object reference IDOR vulnerability. It allows an authenticated attacker to access other users' information by making a POST request and modifying t...
UBUNTU-CVE-2025-1042
An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way...
CVE-2025-1042
CVE-2025-1042 is an insecure direct object reference in GitLab EE that allowed viewing repositories without authorization in affected releases: 15.7 up to 17.6.5, 17.7 up to 17.7.4, and 17.8 up to 17.8.2. The vulnerability’s root cause is improper access control on repository data, with no exploi...
CVE-2025-1042 Files or Directories Accessible to External Parties in GitLab
An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way...