CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

4442 matches found

Vulnrichment•added 2026/02/18 4:35 a.m.•6 views

CVE-2025-12071 Frontend User Notes <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification

The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funpajaxmodifynotes' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS5.7AI score0.00158EPSS

Exploits0References2

ATTACKERKB•added 2026/02/18 4:35 a.m.•5 views

CVE-2025-12071

4.3CVSS5.7AI score0.00158EPSS

Exploits0References3

CNNVD•added 2026/02/18 12:0 a.m.•4 views

WordPress plugin PDF Invoices & Packing Slips for WooCommerce 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

4.3CVSS5.8AI score0.00259EPSS

Exploits0References4

CNNVD•added 2026/02/18 12:0 a.m.•2 views

CodeAstro Membership Management System 安全漏洞

The CodeAstro Membership Management System is a member management system developed by CodeAstro Inc. Version 1.0 of the CodeAstro Membership Management System has security vulnerabilities. These vulnerabilities stem from the lack of authentication and authorization in the printmembershipcard.php...

7.5CVSS5.9AI score0.0039EPSS

Exploits1References2

Positive Technologies•added 2026/02/18 12:0 a.m.•5 views

PT-2026-20218

Name of the Vulnerable Software and Affected Versions Frontend User Notes plugin for WordPress versions up to and including 2.1.0 Description The Frontend User Notes plugin for WordPress contains a flaw that allows authenticated attackers with Subscriber-level access or higher to modify notes tha...

4.3CVSS5.4AI score0.00158EPSS

Exploits0References4

Vulnrichment•added 2026/02/18 12:0 a.m.•4 views

CVE-2025-70148

Missing authentication and authorization in printmembershipcard.php in CodeAstro Membership Management System 1.0 allows unauthenticated attackers to access membership card data of arbitrary users via direct requests with a manipulated id parameter, resulting in insecure direct object reference...

7.5CVSS5.7AI score0.0039EPSS

Exploits1References2

Cvelist•added 2026/02/18 12:0 a.m.•20 views

CVE-2025-70148

7.5CVSS0.0039EPSS

Exploits1References2

Positive Technologies•added 2026/02/18 12:0 a.m.•6 views

PT-2026-20465

Name of the Vulnerable Software and Affected Versions CodeAstro Membership Management System version 1.0 Description The application lacks proper authentication and authorization in the print membership card.php file. This allows unauthenticated attackers to access membership card data belonging ...

7.5CVSS5.2AI score0.0039EPSS

Exploits1References6

Cvelist•added 2026/02/18 12:0 a.m.•22 views

CVE-2025-70063

The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference IDOR vulnerability. The application fails to verify that the requested 'viewid' parameter belongs to the currently authenticated patient. This allows a user to access the...

0.00336EPSS

Exploits1References2

CVE•added 2026/02/18 12:0 a.m.•9 views

CVE-2025-70148

CodeAstro Membership Management System 1.0 is affected by an IDOR vulnerability in print_membership_card.php due to missing authentication/authorization. Unauthenticated attackers can access membership card data of arbitrary users by sending direct requests with a manipulated id parameter. CVSSv3...

7.5CVSS5.7AI score0.0039EPSS

Exploits1References2Affected Software1

Positive Technologies•added 2026/02/18 12:0 a.m.•6 views

PT-2026-20474

The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle ajax save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-leve...

4.3CVSS5.5AI score0.0019EPSS

Exploits0References4

Vulnrichment•added 2026/02/18 12:0 a.m.•3 views

CVE-2025-70063

5.5AI score0.00336EPSS

Exploits1References2

Positive Technologies•added 2026/02/18 12:0 a.m.•7 views

PT-2026-20392

Improper Access Control IDOR in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user's profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive...

7.1CVSS5.5AI score0.00212EPSS

Exploits0References2

RedhatCVE•added 2026/02/15 1:28 p.m.•5 views

CVE-2026-2312

The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the deletemaxgalleriamedia and maxgalleriarenameimage functions due to missing validation on a user controlled key. This makes it possible for...

4.3CVSS5.5AI score0.00209EPSS

Exploits0References1

RedhatCVE•added 2026/02/15 7:10 a.m.•6 views

CVE-2025-14608

The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulksave' AJAX action. This makes it possible for...

5.3CVSS5.7AI score0.00227EPSS

Exploits0References1

RedhatCVE•added 2026/02/15 7:10 a.m.•14 views

CVE-2026-1987

The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the schedulerwidgetajaxsaveevent function lacking proper authorization checks and ownership verification when updating events. This makes it...

5.4CVSS5.5AI score0.00308EPSS

Exploits0References1