RedhatCVE | added 2025/12/07 6:56 a.m.

CVE-2025-13748

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submissionid' parameter due to missing validation on a user controlled key within...

CVSS 5.3 | AI score 6 | EPSS 0.0025 | Exploits 0 | References 1
CVE | added 2025/12/06 6:39 a.m.

CVE-2025-13748

CVE-2025-13748: Fluent Forms for WordPress (

CVSS 5.3 | AI score 5.6 | EPSS 0.0025 | Exploits 0 | References 2
GithubExploit | added 2025/12/06 4:48 a.m.

unified_scanner-SQL-LFI.XSS.IDOR-etc.-

unifiedscanner-SQL-LFI.XSS.IDOR-etc.- Key Improvements in...

AI score 7.7 | Exploits 0
EUVD | added 2025/12/05 12:31 a.m.

EUVD-2025-201308

The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference IDOR, where any authenticated user can access detailed data of any plant by altering the plantid in the request...

CVSS 8.3 | AI score 6.2 | EPSS 0.00219 | Exploits 0 | References 2
OSV | added 2025/12/04 8:16 p.m.

CVE-2025-12997

Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects CareLink Network: befo...

CVSS 3.1 | AI score 5.8 | EPSS 0.00155 | Exploits 0 | References 1
Vulnrichment | added 2025/12/04 8:04 p.m.

CVE-2025-12997

Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects CareLink Network: befo...

CVSS 2.2 | AI score 6.1 | EPSS 0.00155 | Exploits 0 | References 1
RedhatCVE | added 2025/12/04 12:30 p.m.

CVE-2025-13109

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woofaddquery" and "woofremovequery" functions due to missing validation on a user controlled key. This makes it...

CVSS 4.3 | AI score 5.8 | EPSS 0.00215 | Exploits 0 | References 1
Veracode | added 2025/12/04 6:12 a.m.

Insecure Direct Object Reference (IDOR)

com.liferay.commerce, com.liferay.commerce.order.content.web is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to improper access control on the CommerceOrderPortletcommerceOrderId parameter, which allows an attacker to access shipment addresses from other virtual...

CVSS 5.3 | AI score 6.7 | EPSS 0.00249 | Exploits 0 | References 5 | Affected software 1
Cvelist | added 2025/12/04 12:00 a.m.

CVE-2025-61148

An Insecure Direct Object Reference IDOR vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students personal and financial records by modifying the 'recno' parameter in the /student/get-receipt endpoint...

EPSS 0.00297 | Exploits 3 | References 3
Cvelist | added 2025/12/03 7:41 p.m.

CVE-2025-65097 Insecure Direct Object Reference (IDOR) Allows Unauthorized Deletion of User Collections

RomM ROM Manager allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No...

CVSS 7.1 | EPSS 0.00178 | Exploits 0 | References 1
CVE | added 2025/12/01 9:46 p.m.

CVE-2025-66306

CVE-2025-66306 describes an Insecure Direct Object Reference (IDOR) in Grav CMS Admin Panel prior to 1.8.0-beta.27. The vulnerability allows low-privilege authenticated users to access information from other accounts via endpoints such as /admin/accounts/users/{username}, potentially exposing adm...

CVSS 6.5 | AI score 6.1 | EPSS 0.00253 | Exploits 1 | References 2 | Affected software 1
RedhatCVE | added 2025/12/01 2:16 p.m.

CVE-2025-65670

An Insecure Direct Object Reference IDOR in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts t...

CVSS 4.3 | AI score 6.3 | EPSS 0.00242 | Exploits 2 | References 1
Patchstack | added 2025/11/27 12:32 a.m.

WordPress QODE Wishlist for WooCommerce plugin <= 1.2.7 - Unauthenticated Insecure Direct Object Reference to Wishlist Update vulnerability

Unauthenticated Insecure Direct Object Reference to Wishlist Update vulnerability discovered by WordFence in WordPress Plugin QODE Wishlist for WooCommerce versions <= 1.2.7...

CVSS 5.3 | AI score 7 | EPSS 0.00229 | Exploits 0 | References 1 | Affected software 1
CNVD | added 2025/11/27 12:00 a.m.

WordPress Frontend File Manager Plugin Insecure Direct Object Reference Vulnerability

WordPress Frontend File Manager Plugin is a plugin that allows users to upload, manage and share files through a frontend interface that supports secure storage and permission control. WordPress Frontend File Manager Plugin suffers from an insecure direct object reference vulnerability that stems...

CVSS 4.3 | AI score 6.8 | EPSS 0.00198 | Exploits 0 | References 1
NVD | added 2025/11/26 7:15 p.m.

CVE-2025-65672

Insecure Direct Object Reference IDOR in classroomio 0.1.13 allows unauthorized share and invite access to course settings...

CVSS 7.5 | EPSS 0.0034 | Exploits 2 | References 3
RedhatCVE | added 2025/11/26 4:56 p.m.

CVE-2025-12766

An Insecure Direct Object Reference IDOR vulnerability in the Management Console of BlackBerry® AtHoc® OnPrem version 7.21 could allow an attacker to potentially gain unauthorized knowledge about other organizations hosted on the same Interactive Warning System IWS...

CVSS 5 | AI score 6.9 | EPSS 0.00168 | Exploits 0 | References 1
Vulnrichment | added 2025/11/26 12:00 a.m.

CVE-2025-65672

Insecure Direct Object Reference IDOR in classroomio 0.1.13 allows unauthorized share and invite access to course settings...

AI score 6.5 | EPSS 0.0034 | Exploits 2 | References 3
Positive Technologies | added 2025/11/26 12:00 a.m.

PT-2025-48174

Insecure Direct Object Reference IDOR in classroomio 0.1.13 allows unauthorized share and invite access to course settings...

AI score 6.9 | EPSS 0.0034 | Exploits 2 | References 4
Vulnrichment | added 2025/11/26 12:00 a.m.

CVE-2025-65670

An Insecure Direct Object Reference IDOR in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts t...

AI score 5.8 | EPSS 0.00242 | Exploits 2 | References 3
Cvelist | added 2025/11/26 12:00 a.m.

CVE-2025-65672

Insecure Direct Object Reference IDOR in classroomio 0.1.13 allows unauthorized share and invite access to course settings...

EPSS 0.0034 | Exploits 2 | References 3