4371 matches found
CVE-2026-5465
Summary (technical): The Amelia Booking for Appointments and Events Calendar WordPress plugin (versions ≤ 2.1.3) is affected by an Insecure Direct Object Reference (IDOR) in the UpdateProviderCommandHandler. The handler does not validate ownership when a Provider (Employee) user updates their pro...
WordPress Amelia plugin <= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter vulnerability
Insecure Direct Object Reference to Authenticated Employee+ Privilege Escalation via 'externalId' Parameter vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Amelia versions = 2.1.3...
PT-2026-30799
Name of the Vulnerable Software and Affected Versions Amelia plugin for WordPress versions up to and including 2.1.3 Description The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is susceptible to Insecure Direct Object Reference. The UpdateProviderCommandHandler does...
SUSE CVE-2026-33030
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct...
CVE-2026-35183
CVE-2026-35183 : Brave CMS (open-source) has an IDOR in the article image deletion feature. The vulnerability is in deleteImage (app/Http/Controllers/Dashboard/ArticleController.php) where the endpoint accepts a filename from the URL without verifying ownership. This allows an authenticated user ...
EUVD-2026-19460
Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference IDOR vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL b...
CVE-2026-35183
Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference IDOR vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL b...
CVE-2026-35183 Brave CMS has an Insecure Direct Object Reference in Article Image Deletion
Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference IDOR vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL b...
CVE-2026-35183 Brave CMS has an Insecure Direct Object Reference in Article Image Deletion
Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference IDOR vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL b...
CVE-2026-35173
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions Edit Post, Edit Draft, Edit Own Post, Edit Own Draft to modify posts they do not own and do not have...
CVE-2026-35173 Chyrp Lite has an IDOR via Mass Assignment in Post Model
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions Edit Post, Edit Draft, Edit Own Post, Edit Own Draft to modify posts they do not own and do not have...
EUVD-2026-19420
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions Edit Post, Edit Draft, Edit Own Post, Edit Own Draft to modify posts they do not own and do not have...
Exploit for CVE-2026-35678
Vulnerability Research Report: All Eduplus ERP Insecure Direct...
Brave CMS 安全漏洞
Brave CMS is a blog and news content management system developed by Razvan Zamfir. Versions of Brave CMS prior to 2.0.6 contained security vulnerabilities. These vulnerabilities stemmed from an insecure direct object reference in the article image deletion function, which could allow authenticate...
CVE-2026-4896
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including wcfmmodifyorderstatus, deletewcfmarticle,...
EUVD-2026-18981
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including wcfmmodifyorderstatus, deletewcfmarticle,...
CVE-2026-4896
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including wcfmmodifyorderstatus, deletewcfmarticle,...
WordPress plugin WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The WordPres...
WordPress WCFM - WooCommerce Frontend Manager plugin <= 6.7.25 - Insecure Direct Object References to Authenticated (Vendor+) Arbitrary Post/Product Manipulation vulnerability
WordPress WCFM - WooCommerce Frontend Manager plugin = 6.7.25 - Insecure Direct Object References to Authenticated Vendor+ Arbitrary Post/Product Manipulation vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin WCFM – Frontend Manager for...
CVE-2026-3139
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppbsaveavatarvalue function due to missing validation on a user controlled key...