CVE-2026-5652

An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation...

CVE-2026-5652

CVE-2026-5652 affects Crafty Controller’s Users API component, enabling an authenticated remote attacker to perform user modification actions due to improper API permissions validation. Reported CVSS 3.1 base score 9.0 (CRITICAL) with network attack vector, low attack complexity, high confidentia...

CVE-2026-5652

An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation...

PT-2026-34013

An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation...

Horilla 安全漏洞

Horilla is a free open-source human resources software developed by Horilla Company. Version 1.5.0 of Horilla contains a security vulnerability. This vulnerability stems from an insecure direct object reference in the employee document upload endpoint, which could allow any authenticated user to...

WebVuln-Chain-Framework

WebVuln Chain Framework Modular web vulnerability scanner w...

WordPress Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification vulnerability

WordPress Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin = 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification vulnerability discovered by Prickly Cactus in WordPress Plugin FluentForm...

reconauto

reconauto Automated b...

EUVD-2026-23356

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::createpaymentintentfortransaction action is registered as a public action no authentication required an...

CVE-2026-5234

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::createpaymentintentfortransaction action is registered as a public action no authentication required an...

CVE-2026-5234 LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::createpaymentintentfortransaction action is registered as a public action no authentication required an...

CVE-2026-5234

The LatePoint WordPress plugin (versions

WordPress LatePoint plugin <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID vulnerability

Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID vulnerability discovered by darkmode in WordPress Plugin LatePoint versions = 5.3.2...

EUVD-2026-23237

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submissionid' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validatio...

CVE-2026-4160

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submissionid' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validatio...

CVE-2026-4160

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submissionid' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validatio...

PT-2026-33318

Name of the Vulnerable Software and Affected Versions Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder versions prior to 6.1.22 Description An Insecure Direct Object Reference IDOR exists due to missing authorization and ownership validation on a user...

WordPress plugin Fluent Forms 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVE-2026-40737

The CVE concerns WordPress COMPE plugin

WordPress Avada (Fusion) Builder plugin <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference vulnerability

Authenticated Subscriber+ Sensitive Information Exposure via Insecure Direct Object Reference vulnerability discovered by Webbernaut in WordPress Plugin Fusion Builder versions = 3.15.1...