EUVD-2025-203952

AVideo versions prior to 20.0 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks...

Pagekit CMS has an Insecure Direct Object Reference (IDOR) in its User Role component

An Insecure Direct Object Reference IDOR in Pagekit CMS v1.0.18 allows attackers to escalate privileges. The project was archived as of December 1, 2023...

CVE-2025-67165

An Insecure Direct Object Reference IDOR in Pagekit CMS v1.0.18 allows attackers to escalate privileges...

CVE-2025-11924

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints...

CVE-2025-11924 Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints...

CVE-2025-11924

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints...

VulnCheck KEV: CVE-2025-11924

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints...

ProjectSend 安全漏洞

ProjectSend cFTP is the ProjectSend open source suite of self-hosted applications based on PHP and MySQL. A security vulnerability exists in ProjectSend r1605 that originates from an unauthenticated attacker who can download private files by manipulating the download ID parameter, which could lea...

PT-2025-51921

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 6.5.3 Description ChurchCRM is an open-source church management system. A flaw exists where an authenticated user with specific permissions "Edit Records" and "Manage Properties and Classifications" can inject a...

PT-2025-51968

Name of the Vulnerable Software and Affected Versions ProjectSend version r1605 Description An insecure direct object reference issue exists in ProjectSend r1605. An unauthenticated attacker can download private files by manipulating the id parameter in a download request to the 'process.php'...

CVE-2025-67165

An Insecure Direct Object Reference IDOR in Pagekit CMS v1.0.18 allows attackers to escalate privileges...

PT-2025-51846

Name of the Vulnerable Software and Affected Versions Pagekit CMS version 1.0.18 Description An Insecure Direct Object Reference IDOR exists in Pagekit CMS version 1.0.18, potentially allowing attackers to escalate privileges. An IDOR occurs when an application uses user-supplied input to directl...

CVE-2025-67165

The CVE-2025-67165 entry concerns Pagekit CMS v1.0.18 with an Insecure Direct Object Reference (IDOR) in the User Role component that can lead to privilege escalation. The Root Cause described across sources is insufficient access control, enabling a crafted request (notably via the /api/user/rol...

CVE-2025-68071 WordPress Essential Real Estate plugin <= 5.3.2 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Real Estate: from n/a through = 5.3.2...

CVE-2025-66132 WordPress FAPI Member plugin <= 2.2.30 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in FAPI Business s.r.o. FAPI Member fapi-member allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FAPI Member: from n/a through = 2.2.30...

WordPress Essential Real Estate plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by daroo in WordPress Plugin Essential Real Estate versions = 5.2.6...

Insecure Direct Object Reference (IDOR)

getgrav/grav is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to improper access control in the Admin Panel, which allows a low-privilege attacker to access sensitive information of other users by manipulating direct object references...

CVE-2025-64011

Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference IDOR in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such...

CVE-2025-64011

Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference IDOR in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such...

WordPress WP Recipe Maker plugin <= 10.2.2 - Insecure Direct Object Reference to Sensitive Information Exposure vulnerability

Insecure Direct Object Reference to Sensitive Information Exposure vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WP Recipe Maker versions = 10.2.2...