CVE-2026-24599

CVE-2026-24599 affects WordPress plugin XLPlugins NextMove Lite (WooCommerce) and is described as an Authorization Bypass Through User-Controlled Key via an insecure Direct Object Reference (IDOR) in the NextMove Lite woo-thank-you-page-nextmove-lite component. Public sources (NVD, Red Hat, CVE L...

CVE-2026-22430

CVE-2026-22430 affects Mikado-Themes Verdure Verdure WordPress theme (versions up to 1.6). Described as Authorization Bypass Through User-Controlled Key, an IDOR-style vulnerability that arises from incorrectly configured access control. Reported impact/metrics indicate a base CVSS 3.1 v3.1 score...

CVE-2026-22404 WordPress Innovio theme <= 1.7 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Innovio: from n/a through = 1.7...

CVE-2026-22398 WordPress Fleur theme <= 2.0 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fleur fleur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fleur: from n/a through = 2.0...

CVE-2026-22398 WordPress Fleur theme <= 2.0 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fleur fleur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fleur: from n/a through = 2.0...

CVE-2026-22393 WordPress Curly theme <= 3.3 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Curly curly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Curly: from n/a through = 3.3...

CVE-2026-23844

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

CVE-2026-23843

teklifolusturapp is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference IDOR vulnerability exists in the offer view functionality. Authenticated users can...

WordPress Dokan plugin <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure vulnerability

Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure vulnerability discovered by shark3y in WordPress Plugin Dokan versions = 4.2.4...

CVE-2025-14977 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the /wp-json/dokan/v1/settings REST API endpoint due to missing validation on a...

CVE-2025-14977 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the /wp-json/dokan/v1/settings REST API endpoint due to missing validation on a...

CVE-2026-23844

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

CVE-2026-23844 Whisper Money has IDOR Vulnerability on sync/balances endpoint

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

WordPress Membership Plugin - Restrict Content plugin <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure vulnerability

WordPress Membership Plugin - Restrict Content plugin = 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure vulnerability discovered by andrea bocchetti in WordPress Plugin Restrict Content versions = 3.2.16...

EUVD-2026-1931

IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using the password recovery functionality ...

WordPress WooCommerce Square plugin <= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure vulnerability

Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure vulnerability discovered by DityaRA in WordPress Plugin WooCommerce Square versions = 5.1.1...

PT-2026-1703

Name of the Vulnerable Software and Affected Versions WooCommerce Square versions prior to 5.1.2 Description The WooCommerce Square plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is due to a lack of validation on a user-controlled key within the get token b...

CVE-2021-22023

The vRealize Operations Manager API 8.x prior to 8.5 has insecure object reference vulnerability. A malicious actor with administrative access to vRealize Operations Manager API may be able to modify other users information leading to an account takeover...

CVE-2025-12030

The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the updateitempermissionscheck method, which only verifies that the current user has the editposts capability...

CVE-2026-22234 OPEXUS eCasePortal unauthenticated IDOR

OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files...