📄 WordPress Chained Quiz 1.3.5 Insecure Direct Object Reference

WordPress Chained Quiz plugin versions 1.3.5 and below appear to suffer from an insecure direct object reference. The issue was partially patched in versions 1.3.4 and 1.3.5. Exploit Title: Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie Date: 19-12-2025 Exploit...

PT-2026-1585

Name of the Vulnerable Software and Affected Versions ACF to REST API plugin for WordPress versions through 3.3.4 Description The ACF to REST API plugin for WordPress is affected by an Insecure Direct Object Reference issue. Insufficient capability checks in the update item permissions check meth...

CVE-2020-36923

Sony BRAVIA Digital Signage 1.7.8 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization controls. Attackers can access hidden system resources like '//content-creation' by manipulating client-side access restrictions...

CVE-2020-36923 Sony BRAVIA Digital Signage 1.7.8 Client-Side Protection Bypass via IDOR

Sony BRAVIA Digital Signage 1.7.8 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization controls. Attackers can access hidden system resources like '//content-creation' by manipulating client-side access restrictions...

Sony BRAVIA Digital Signage 安全漏洞

Sony BRAVIA Digital Signage is a digital signage system from Sony, Japan. A security vulnerability exists in Sony BRAVIA Digital Signage version 1.7.8, which stems from an insecure direct object reference vulnerability that could lead to bypassing authorization controls and accessing hidden syste...

CVE-2026-21447 Bagisto has IDOR in Customer Order Reorder Functionality

Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order...

WordPress Verdure theme <= 1.6 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Verdure versions = 1.6...

Webkul Software Bagisto 安全漏洞

Webkul Software Bagisto is an open source e-commerce framework from Webkul Software, India. A security vulnerability exists in Webkul Software Bagisto versions prior to 2.3.10, which stems from an insecure direct object reference in the Customer Order Reorder feature, which could cause an...

CVE-2025-63053

CVE-2025-63053 affects Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations. The issue is an Unauthenticated Insecure Direct Object Reference (IDOR) due to misconfigured access control, impacting Master Addons For Elementor versions up to 2.0.9.9.4. Wor...

CVE-2025-68997 WordPress wpDiscuz plugin <= 7.6.43 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in AdvancedCoding wpDiscuz wpdiscuz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpDiscuz: from n/a through = 7.6.43...

Insecure Direct Object Reference (IDOR) in LollMS Friend Request Response

Executive Summary A critical security vulnerability has been identified in LollMS that allows any authenticated user to accept or reject friend requests belonging to other users. The respondrequest function lacks authorization checks, enabling Insecure Direct Object Reference IDOR attacks. Affect...

WordPress wpDiscuz plugin <= 7.6.43 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by Doan Dinh Van in WordPress Plugin wpDiscuz versions = 7.6.43...

Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie

Exploit Title: Chained Quiz 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie Date: 19-12-2025 Exploit Author: Karuppiah Sabari Kumar0xsabre Vendor Homepage: https://wordpress.org/plugins/chained-quiz/ Software Link: https://downloads.wordpress.org/plugin/chained-quiz.1.3.3.zip...

EUVD-2023-60244

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access hidden system resources. Attackers can exploit the vulnerability by manipulating user-supplied input to execute privileged functionalities without...

CVE-2023-53955 SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Authorization Bypass via Insecure Object References

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access hidden system resources. Attackers can exploit the vulnerability by manipulating user-supplied input to execute privileged functionalities without...

CVE-2023-53955

CVE-2023-53955 affects SOUND4 IMPACT/FIRST/PULSE/Eco v2.x. The vulnerability is an insecure direct object reference (IDOR) that allows an attacker to bypass authorization and access privileged functions by manipulating user-supplied input. Affected components include Impact/Pulse/First (v2.x) and...

Sound4 IMPACT 安全漏洞

Sound4 IMPACT is a professional broadcast audio processor from Sound4 France. A security vulnerability exists in Sound4 IMPACT version v2.x. The vulnerability stems from an insecure direct object reference that could lead to an authorization bypass...

CVE-2025-7733

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'csupdateapplicationstatuscallback' due to missing validation on a user controlled key. This makes it possible for authenticated...

PT-2025-52550

Name of the Vulnerable Software and Affected Versions WP JobHunt plugin for WordPress versions prior to 7.8 Description The WP JobHunt plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This affects versions up to and including 7.7, stemming from a lack of validatio...

CVE-2025-14882 Insecure direct object reference

An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only...