Lucene search
K

738 matches found

Cvelist
Cvelist
added 14 hours ago5 views

CVE-2026-57694 WordPress Tutor LMS plugin <= 3.9.13 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through = 3.9.13...

6.5CVSS
Exploits0References1
Cvelist
Cvelist
added 17 hours ago8 views

CVE-2026-12274 Tutor LMS < 3.9.13 - Instructor+ Arbitrary Post Overwrite via IDOR

The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated identifier, allowing authenticated users with instructor-leve...

Exploits0References1
NVD
NVD
added 2 days ago8 views

CVE-2026-13116

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generatedocumentshortcode due to missing validation on a user controlled key. This makes it possible for authenticated...

4.3CVSS0.00223EPSS
Exploits0References8
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-42981

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CR...

8.8CVSS6.1AI score0.0028EPSS
Exploits0References3
Cvelist
Cvelist
added 3 days ago33 views

CVE-2026-61460 Krayin CRM Insecure Direct Object Reference via Controllers

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CR...

8.8CVSS0.0028EPSS
Exploits0References3
Cvelist
Cvelist
added 3 days ago29 views

CVE-2026-56765 Vikunja - Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR

Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches...

9.8CVSS0.00351EPSS
Exploits0References2
CVE
CVE
added 3 days ago6 views

CVE-2026-12400

FlowForms (WordPress plugin)

4.3CVSS6.1AI score0.00226EPSS
Exploits1References8
NVD
NVD
added 4 days ago5 views

CVE-2026-12418

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.7 via the 'wpuffilesdata' parameter due to missing validation on a user controll...

5.3CVSS0.00243EPSS
Exploits0References8
Cvelist
Cvelist
added 4 days ago28 views

CVE-2026-13450 GamiPress <= 7.9.4 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'access' Parameter

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This...

5.3CVSS0.00408EPSS
Exploits0References14
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42540

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This...

5.3CVSS5.9AI score0.00408EPSS
Exploits0References14
CVE
CVE
added 4 days ago13 views

CVE-2026-13450

The CVE describes a vulnerability in the GamiPress WordPress plugin (versions up to 7.9.4) where Insecure Direct Object Reference is triggered via the access parameter due to missing validation on a user-controlled key. This allows unauthenticated attackers to view private GamiPress activity log ...

5.3CVSS5.9AI score0.00408EPSS
Exploits0References14
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-51923

An Insecure Direct Object Reference IDOR vulnerability exists in docuForm GmbH Client v.11.11c allowing a remote attacker to execute arbitrary code via the user settings component, and modify or retrieve sensitive data associated with other users’ accounts...

0.00382EPSS
Exploits0References3
EUVD
EUVD
added 5 days ago5 views

EUVD-2026-42229

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the paymentpage function due to missing validation on the 'userid' user...

5.3CVSS5.9AI score0.00183EPSS
Exploits0References2
CVE
CVE
added 5 days ago11 views

CVE-2026-5459

The CVE-2026-5459 entry concerns the WordPress plugin “User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration” up to version 4.3.1. The vulnerability is an Insecure Direct Object Reference in the payment_page() function caused by missing validation on ...

5.3CVSS5.9AI score0.00183EPSS
Exploits0References2
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-42220

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvmmembershipchange' AJAX action not validating user permission to modify other...

8.1CVSS5.9AI score0.00223EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/01 11:58 a.m.9 views

EUVD-2026-40949

MCO is vulnerable to an Insecure Direct Object Reference IDOR vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct...

7.1CVSS5.8AI score0.00244EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/01 7:53 a.m.7 views

EUVD-2026-40936

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'pageid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, t...

4.3CVSS5.9AI score0.00196EPSS
Exploits0References5
CVE
CVE
added 2026/07/01 4:32 a.m.18 views

CVE-2026-11988

CVE-2026-11988 affects LearnPress

6.5CVSS5.8AI score0.00275EPSS
Exploits0References8
NVD
NVD
added 2026/06/29 6:16 p.m.9 views

CVE-2026-56780

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/pk/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin...

7.7CVSS0.00265EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/29 5:14 p.m.34 views

CVE-2026-56780 Modoboa < 2.9.0 - Insecure Direct Object Reference in Account Password Change API

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/pk/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin...

7.7CVSS0.00265EPSS
Exploits0References3
Rows per page
Query Builder