CVE-2026-22430 WordPress Verdure theme <= 1.6 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Verdure verdure allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Verdure: from n/a through = 1.6...

CVE-2026-22426 WordPress Sweet Jane theme <= 1.2 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sweet Jane: from n/a through = 1.2...

CVE-2026-22396 WordPress Fiorello theme <= 1.0 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fiorello fiorello allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fiorello: from n/a through = 1.0...

CVE-2025-47555 WordPress Tutor LMS plugin <= 3.9.4 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through = 3.9.4...

CVE-2025-14977

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the /wp-json/dokan/v1/settings REST API endpoint due to missing validation on a...

CVE-2026-23844 Whisper Money has IDOR Vulnerability on sync/balances endpoint

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

CVE-2026-23843

teklifolusturapp is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference IDOR vulnerability exists in the offer view functionality. Authenticated users can...

CVE-2026-23843

teklifolusturapp is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference IDOR vulnerability exists in the offer view functionality. Authenticated users can...

PT-2026-3484

Name of the Vulnerable Software and Affected Versions teklifolustur app versions prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c Description teklifolustur app is a web-based PHP application for managing quotes. An Insecure Direct Object Reference IDOR exists in the offer view...

CVE-2026-0820

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wcuploadandsavesignaturehandler function in all versions up to, and including, 4.1116. This makes it possible for...

CVE-2026-0820

CVE-2026-0820 (RepairBuddy

PT-2026-3215

The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible...

GHSA-2MQ9-HM29-8QCH Label Studio is vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field

Prologue These vulnerabilities have been found and chained by DCODX-AI. Validation of the exploit chain has been confirmed manually. Summary A persistent stored cross-site scripting XSS vulnerability exists in the customhotkeys functionality of the application. An authenticated attacker or one wh...

Viafirma Inbox 安全漏洞

Viafirma Inbox is an electronic signature inbox from the Spanish company Viafirma. A security vulnerability exists in Viafirma Inbox version 4.5.13, which stems from the presence of an insecure direct object reference that could cause any authenticated but unprivileged user to list all users,...

CVE-2025-13457

The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the gettokenbyid function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Squa...

CVE-2025-13457

CVE-2025-13457 affects the WooCommerce Square plugin for WordPress (versions up to 5.1.1). The vulnerability is an Insecure Direct Object Reference in the get_token_by_id function due to missing validation on a user-controlled key, enabling unauthenticated attackers to exfiltrate arbitrary Square...

EUVD-2026-1860

The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the gettokenbyid function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Squa...

CVE-2023-50872

The API in Accredible Credential.net December 6th, 2023 allows an Insecure Direct Object Reference attack that discloses partial information about certificates and their respective holder. NOTE: the excellium-services.com web page about this issue mentions "Vendor says that it's not a security...

CVE-2023-49339

Ellucian Banner 9.17 allows Insecure Direct Object Reference IDOR via a modified bannerId to the /StudentSelfService/ssb/studentCard/retrieveData endpoint...

CVE-2023-45396

An Insecure Direct Object Reference IDOR vulnerability leads to events profiles access in Elenos ETG150 FM transmitter running on version 3.12...