248 matches found
CVE-2022-27247
onlinetolls in cdSoft Onlinetools-Smart Winhotel.MX 2021 allows an attacker to download sensitive information about any customer e.g., data of birth, full address, mail information, and phone number via GastKont Insecure Direct Object Reference...
WordPress Five Star Restaurant Reservations plugin <= 2.7.4 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References IDOR vulnerability discovered by daroo in WordPress Plugin Five Star Restaurant Reservations versions = 2.7.4...
EUVD-2025-205712
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiveStar: from n/a through = 1.7...
CVE-2025-69029 WordPress Struktur theme <= 2.5.1 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in Select-Themes Struktur struktur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Struktur: from n/a through = 2.5.1...
CVE-2025-69024 WordPress BizPrint plugin <= 4.6.7 - Broken Access Control vulnerability
Missing Authorization vulnerability in bizswoop BizPrint print-google-cloud-print-gcp-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizPrint: from n/a through = 4.6.7...
CVE-2023-40679
CVE-2023-40679 is a broken access control vulnerability in the WordPress plugin Master Addons for Elementor (aka Jewel Theme Master Addons for Elementor). Affected versions are up to and including 2.0.5.3, with unauthenticated access possible due to misconfigured access controls. The issue is con...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2® Big SQL
Summary Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime 8 affect IBM® Db2® Big SQL 7.x on Cloud Pak for Data 4.x Vulnerability Details CVEID:CVE-2023-38264 DESCRIPTION: The IBM SDK, Java Technology Edition's Object Request Broker ORB 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through...
CVE-2025-63043
CVE-2025-63043 is an IDOR-by-auth bypass in the WordPress Post Grid and Gutenberg Blocks plugin (versions up to 2.3.19 as reported). The vulnerability arises from authorization by a user-controlled key, enabling access control bypass to restricted objects. Several connected sources confirm the af...
EUVD-2025-204247
Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through = 1.3.60...
CVE-2025-66165
Missing Authorization vulnerability in merkulove Lottier for WPBakery lottier-wpbakery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lottier for WPBakery: from n/a through = 1.1.7...
EUVD-2025-203543
Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Real Estate: from n/a through = 5.2.2...
PT-2025-51455
Name of the Vulnerable Software and Affected Versions g5theme Essential Real Estate versions through 5.2.2 Description An authorization bypass exists due to incorrectly configured access control security levels. This allows for unauthorized access. The issue is present in g5theme Essential Real...
CVE-2025-36747
ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmwar...
CVE-2025-36747
The CVE entry for CVE-2025-36747 describes ShineLan-X firmware containing FTP server credentials, enabling testers to establish an insecure FTP connection. This can allow an attacker to replace legitimate firmware-deployed files with malicious versions because firmware signature verification is n...
CVE-2025-36747 Hardcoded FTP Credentials within the firmware
ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmwar...
CVE-2025-64011
Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. An authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter, enabling unauthorized disclosure of sensitive data (text, ...
EUVD-2025-201952
Missing Authorization vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Email Capture: from n/a through = 3.12.4...
PT-2025-49984
Missing Authorization vulnerability in Hype Hype pico allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hype: from n/a through = 1.0.5...
CVE-2025-66109
Missing Authorization vulnerability in Octolize Shipping Plugins Cart Weight for WooCommerce woo-cart-weight allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cart Weight for WooCommerce: from n/a through = 1.9.11...
CVE-2025-48878
Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...