704 matches found

CVE
added 2025/11/12 10:11 p.m., 51 views

CVE-2025-64523

Summary: The FileBrowser project (github.com/filebrowser/filebrowser/v2/http) has an IDOR vulnerability in the share deletion endpoint. The shareDeleteHandler deletes a share based only on the provided hash, with no check that the share’s owner matches the authenticated user (d.user.ID). This per...

CVSS 8.8 | AI score 6.2 | EPSS 0.00376
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2025/11/12 4:29 a.m., 11 views

CVE-2025-12087

The CVE-2025-12087 issue affects the WordPress plugin Wishlist and Save for later for Woocommerce (versions up to and including 1.1.22). It is an Insecure Direct Object Reference vulnerability triggered by insufficient validation of a user-controlled key in the awwlm_remove_added_wishlist_page AJ...

CVSS 4.3 | AI score 5.2 | EPSS 0.00164
Exploits: 0 | References: 2
Positive Technologies
added 2025/11/12 12:00 a.m., 4 views

PT-2025-46766

Name of the Vulnerable Software and Affected Versions: File Browser versions prior to 2.45.1. Description: File Browser provides a file managing interface for tasks like uploading, deleting, previewing, renaming, and editing files. An Insecure Direct Object Reference (IDOR) exists in the application's...

CVSS 8.8 | AI score 6.5 | EPSS 0.00376
Exploits: 1 | References: 13
Positive Technologies
added 2025/11/12 12:00 a.m., 3 views

PT-2025-46565

Name of the Vulnerable Software and Affected Versions: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress versions prior to 2.8.139. Description: The GeoDirectory plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This fl...

CVSS 4.3 | AI score 6.4 | EPSS 0.00198
Exploits: 0 | References: 6
EUVD
added 2025/11/11 6:30 a.m., 3 views

EUVD-2025-60937

The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlistid' user-controlled key. This makes it possible for unauthenticated attackers to remove and add items to other users' wishlists...

CVSS 5.3 | AI score 5.4 | EPSS 0.0019
Exploits: 0 | References: 3
NVD
added 2025/11/11 4:15 a.m., 4 views

CVE-2025-11532

The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlistid' user-controlled key. This makes it possible for unauthenticated attackers to remove and add items to other users' wishlists...

CVSS 5.3 | EPSS 0.0019
Exploits: 0 | References: 2
Cvelist
added 2025/11/11 3:30 a.m., 14 views

CVE-2025-12126 The Total Book Project <= 1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Book Manipulation

The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access a...

CVSS 5.4 | EPSS 0.00173
Exploits: 0 | References: 3
Vulnrichment
added 2025/11/11 3:30 a.m., 5 views

CVE-2025-11532 Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation

The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlistid' user-controlled key. This makes it possible for unauthenticated attackers to remove and add items to other users' wishlists...

CVSS 5.3 | AI score 5.5 | EPSS 0.0019
Exploits: 0 | References: 2
Positive Technologies
added 2025/11/11 12:00 a.m., 6 views

PT-2025-46249

Name of the Vulnerable Software and Affected Versions: Wisly plugin for WordPress versions prior to 1.0.1. Description: The Wisly plugin for WordPress is susceptible to an Insecure Direct Object Reference issue in versions up to and including 1.0.0. This is due to a lack of validation on the wishlis...

CVSS 5.3 | AI score 6.3 | EPSS 0.0019
Exploits: 0 | References: 4
CNNVD
added 2025/11/11 12:00 a.m., 4 views

WordPress plugin The Total Book Project security vulnerability

WordPress and the WordPress plugin are products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language; it can host personal blog sites on PHP- and MySQL-based servers. WordPress plugin is an application plugin. A security vulnerability exists in...

CVSS 5.4 | AI score 6.6 | EPSS 0.00173
Exploits: 0 | References: 2
Vulnrichment
added 2025/11/10 8:43 p.m., 3 views

CVE-2025-48878 Combodo iTop vulnerable to IDOR with ModuleInstallation object

Combodo iTop is a web-based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with the Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...

CVSS 4.3 | AI score 6.3 | EPSS 0.00172
Exploits: 0 | References: 1
EUVD
added 2025/11/10 8:43 p.m., 3 views

EUVD-2025-50777

Combodo iTop is a web-based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with the Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...

CVSS 4.3 | AI score 6.2 | EPSS 0.00172
Exploits: 0 | References: 1
CVE
added 2025/11/10 8:43 p.m., 11 views

CVE-2025-48878

CVE-2025-48878 affects Combodo iTop (3.x) prior to 3.2.2. The vulnerability is an insecure direct object reference that allows a user (e.g., with a Service desk agent profile) to create a ModuleInstallation object when they should not be able to. The issue is resolved in 3.2.2. Impact details are...

CVSS 4.3 | AI score 6.3 | EPSS 0.00172
Exploits: 0 | References: 1 | Affected Software: 1
NVD
added 2025/11/08 4:15 a.m., 4 views

CVE-2025-11748

The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'groupid' parameter of the groupjoin function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

CVSS 4.3 | EPSS 0.00191
Exploits: 0 | References: 3
Veracode
added 2025/11/07 8:21 a.m., 4 views

Insecure Direct Object Reference (IDOR)

com.liferay.commerce, com.liferay.commerce.service is vulnerable to Insecure Direct Object Reference (IDOR). The vulnerability is due to the comliferaycommerceorderwebinternalportletCommerceOrderPortletcommerceOrderId parameter not being validated across virtual instances. This allows an attacker in on...

CVSS 5.3 | AI score 7 | EPSS 0.00255
Exploits: 0 | References: 6 | Affected Software: 1
Cvelist
added 2025/11/07 4:28 a.m., 8 views

CVE-2025-4522 IDonate 2.0.0 - 2.1.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the admin_post_donor_delete function in versions 2.0.0 to 2.1.9. By supplying an arbitrary userid parameter value to the wp_delete_user function, authenticated...

CVSS 6.5 | EPSS 0.00222
Exploits: 0 | References: 5
CVE
added 2025/11/04 10:25 a.m., 20 views

CVE-2025-11690

CVE-2025-11690 corresponds to an Insecure Direct Object Reference (IDOR) in the vehicleId parameter of the CFMOTO RIDE API backend. The issue allows unauthorized access to sensitive data from other users’ vehicles (GPS coordinates, encryption keys, initialization vectors, model numbers, fuel stat...

CVSS 8.5 | AI score 6.1 | EPSS 0.00143
Exploits: 0 | References: 2
CNNVD
added 2025/11/04 12:00 a.m., 5 views

CFMOTO RIDE security vulnerability

CFMOTO RIDE is an in-vehicle data management system from the Chinese company CFMOTO. A security vulnerability exists in CFMOTO RIDE that stems from an insecure direct object reference in the vehicleId parameter, which could lead to unauthorized access to sensitive information of other use...

CVSS 8.5 | AI score 6.2 | EPSS 0.00143
Exploits: 0 | References: 3
NVD
added 2025/10/29 7:15 p.m., 7 views

CVE-2025-61876

Insecure Direct Object Reference (IDOR) in the /tenants/id API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL...

CVSS 5 | EPSS 0.00178
Exploits: 0 | References: 2
CNNVD
added 2025/10/26 12:00 a.m., 3 views

WordPress plugin Tutor LMS Pro security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language; it can set up personal blog sites on PHP- and MySQL-based servers. WordPress plugin is an application plugin. A security...

CVSS 5.4 | AI score 6.4 | EPSS 0.00161
Exploits: 0 | References: 1