697 matches found

Vulnrichment
added 2025/11/11 3:30 a.m., 4 views

CVE-2025-11532 Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation

The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlistid' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists...

CVSS 5.3 | AI score 5.5 | EPSS 0.0019
Exploits: 0 | References: 2
Positive Technologies
added 2025/11/11 12:00 a.m., 5 views

PT-2025-46249

Name of the Vulnerable Software and Affected Versions: Wisly plugin for WordPress versions prior to 1.0.1. Description: The Wisly plugin for WordPress is susceptible to an Insecure Direct Object Reference issue in versions up to and including 1.0.0. This is due to a lack of validation on the wishlis...

CVSS 5.3 | AI score 6.3 | EPSS 0.0019
Exploits: 0 | References: 4
CNNVD
added 2025/11/11 12:00 a.m., 4 views

WordPress plugin The Total Book Project security vulnerability

WordPress and its plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that can host personal blog sites on servers based on PHP and MySQL. The WordPress plugin is an application plugin. A security vulnerability exists in...

CVSS 5.4 | AI score 6.6 | EPSS 0.00173
Exploits: 0 | References: 2
CVE
added 2025/11/10 8:43 p.m., 10 views

CVE-2025-48878

CVE-2025-48878 affects Combodo iTop (3.x) prior to 3.2.2. The vulnerability is an insecure direct object reference that allows a user (e.g., with a Service desk agent profile) to create a ModuleInstallation object when they should not be able to. The issue is resolved in 3.2.2. Impact details are...

CVSS 4.3 | AI score 6.3 | EPSS 0.00172
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2025/11/10 8:43 p.m., 2 views

CVE-2025-48878 Combodo iTop vulnerable to IDOR with ModuleInstallation object

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...

CVSS 4.3 | AI score 6.3 | EPSS 0.00172
Exploits: 0 | References: 1
EUVD
added 2025/11/10 8:43 p.m., 1 view

EUVD-2025-50777

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...

CVSS 4.3 | AI score 6.2 | EPSS 0.00172
Exploits: 0 | References: 1
NVD
added 2025/11/08 4:15 a.m., 2 views

CVE-2025-11748

The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'groupid' parameter of the groupjoin function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

CVSS 4.3 | EPSS 0.00191
Exploits: 0 | References: 3
Veracode
added 2025/11/07 8:21 a.m., 3 views

Insecure Direct Object Reference (IDOR)

com.liferay.commerce and com.liferay.commerce.service are vulnerable to Insecure Direct Object Reference (IDOR). The vulnerability is due to the comliferaycommerceorderwebinternalportletCommerceOrderPortletcommerceOrderId parameter not being validated across virtual instances. This allows an attacker in on...

CVSS 5.3 | AI score 7 | EPSS 0.00249
Exploits: 0 | References: 6 | Affected Software: 1
Cvelist
added 2025/11/07 4:28 a.m., 8 views

CVE-2025-4522 IDonate 2.0.0 - 2.1.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the admin_post_donor_delete function in versions 2.0.0 to 2.1.9. By supplying an arbitrary userid parameter value to the wp_delete_user function, authenticated...

CVSS 6.5 | EPSS 0.00222
Exploits: 0 | References: 5
CVE
added 2025/11/04 10:25 a.m., 19 views

CVE-2025-11690

CVE-2025-11690 corresponds to an Insecure Direct Object Reference (IDOR) in the vehicleId parameter of the CFMOTO RIDE API backend. The issue allows unauthorized access to sensitive data from other users’ vehicles (GPS coordinates, encryption keys, initialization vectors, model numbers, fuel stat...

CVSS 8.5 | AI score 6.1 | EPSS 0.00143
Exploits: 0 | References: 2
CNNVD
added 2025/11/04 12:00 a.m., 4 views

CFMOTO RIDE security vulnerability

CFMOTO RIDE is an in-vehicle data management system from the Chinese company CFMOTO. A security vulnerability exists in CFMOTO RIDE that stems from an insecure direct object reference in the vehicleId parameter, which could lead to unauthorized access to sensitive information of other use...

CVSS 8.5 | AI score 6.2 | EPSS 0.00143
Exploits: 0 | References: 3
NVD
added 2025/10/29 7:15 p.m., 5 views

CVE-2025-61876

An Insecure Direct Object Reference (IDOR) in the /tenants/id API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL...

CVSS 5 | EPSS 0.00175
Exploits: 0 | References: 2
CNNVD
added 2025/10/26 12:00 a.m., 1 view

WordPress plugin Tutor LMS Pro security vulnerability

WordPress and its plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using PHP that can set up personal blog sites on servers based on PHP and MySQL. The WordPress plugin is an application plugin. A security...

CVSS 5.4 | AI score 6.4 | EPSS 0.00148
Exploits: 0 | References: 1
Cvelist
added 2025/10/25 5:31 a.m., 7 views

CVE-2025-6639 Tutor LMS Pro – eLearning and online course solution <= 3.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to View/Edit Other Assignments

The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutorassignmentsubmit...

CVSS 5.4 | EPSS 0.00148
Exploits: 0 | References: 2
Vulnrichment
added 2025/10/25 5:31 a.m., 3 views

CVE-2025-6639 Tutor LMS Pro – eLearning and online course solution <= 3.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to View/Edit Other Assignments

The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutorassignmentsubmit...

CVSS 5.4 | AI score 5.1 | EPSS 0.00148
Exploits: 0 | References: 2
Cvelist
added 2025/10/22 9:24 a.m., 5 views

CVE-2025-6833 All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out

The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aiotimeclocklitejs' AJAX action due to missing validation on a user controlled key. This makes it...

CVSS 4.3 | EPSS 0.00163
Exploits: 0 | References: 2
Vulnrichment
added 2025/10/22 9:24 a.m., 1 view

CVE-2025-6833 All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out

The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aiotimeclocklitejs' AJAX action due to missing validation on a user controlled key. This makes it...

CVSS 4.3 | AI score 5.3 | EPSS 0.00163
Exploits: 0 | References: 2
Cvelist
added 2025/10/18 6:42 a.m., 8 views

CVE-2025-11519 Image optimization service by Optimole <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/moveimage REST API endpoint due to missing validation on a user...

CVSS 4.3 | EPSS 0.00304
Exploits: 0 | References: 3
OSV
added 2025/10/16 4:15 p.m., 2 views

CVE-2025-9559

Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data...

CVSS 6.5 | AI score 5.7 | EPSS 0.00367
Exploits: 1 | References: 1
Vulnrichment
added 2025/10/16 3:28 p.m., 4 views

CVE-2025-9559 Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data

Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data...

CVSS 6.5 | AI score 6.4 | EPSS 0.00367
Exploits: 1 | References: 1