WordPress Homey theme <= 2.4.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion vulnerability
Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion vulnerability discovered by a00n in WordPress Theme Homey versions <= 2.4.4...
CVE-2025-3874
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and...
CVE-2025-3889
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'processpaymentdata' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the...
CVE-2025-3874 WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and...
CVE-2025-3889 WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference via 'quantity'
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'processpaymentdata' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the...
CVE-2025-3874
CVE-2025-3874 affects the WordPress plugin “WordPress Simple Shopping Cart.” The issue is an Insecure Direct Object Reference caused by lack of randomization of a user-controlled key, enabling unauthenticated users to access customer carts, edit product links, add/delete products, and discover co...
CVE-2025-3889
CVE-2025-3889 affects WordPress Simple Shopping Cart (WordPress plugin) up to version 5.1.3, via Insecure Direct Object Reference in process_payment_data. Unauthenticated attackers can set a product quantity to a negative value, subtracting cost from the total, and the attack is only effective in...
PT-2025-18382 · WordPress · Wordpress Simple Shopping Cart
Name of the Vulnerable Software and Affected Versions: WordPress Simple Shopping Cart plugin versions up to, and including, 5.1.3 Description: The issue is related to Insecure Direct Object Reference due to the lack of randomization of a user-controlled key. This allows unauthenticated attackers ...
Daikin Security Gateway 214 Remote Password Reset
The Daikin Security Gateway exposes a critical vulnerability in its password reset API endpoint. Due to an insecure direct object reference (IDOR) flaw, an unauthenticated attacker can send a crafted POST request to this endpoint, bypassing authentication mechanisms. Successful exploitation resets...
CVE-2025-25777
Insecure Direct Object Reference (IDOR) in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another user's profile without proper authentication or authorization checks...
CVE-2025-1284
The Woocommerce Automatic Order Printing | Formerly WooCommerce Google Cloud Print plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xcwooprinterpreview AJAX action due to missing validation on a user controlled key. This make...
Authorization Bypass Through User-Controlled Key
Overview moodle/moodle is a learning platform. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to insufficient capability checks in the RSS block. An attacker can access and view additional RSS feeds by exploiting the IDOR vulnerability...
CVE-2025-1284 Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) <= 4.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Order Information Disclosure
The Woocommerce Automatic Order Printing | Formerly WooCommerce Google Cloud Print plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xcwooprinterpreview AJAX action due to missing validation on a user controlled key. This make...
CVE-2025-1284
CVE-2025-1284 affects the WordPress plugin “Woocommerce Automatic Order Printing” (formerly WooCommerce Google Cloud Print), vulnerable up to version 4.1 due to missing validation on a user-controlled key in the xc_woo_printer_preview AJAX action. The issue is an Insecure Direct Object Reference ...