
23 matches found

EUVD
added 2026/04/10 3:31 a.m. · 0 views

EUVD-2026-21257

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the payincompleteorder function. The function accepts an...

CVSS 7.5 · AI score 5.9 · EPSS 0.00078
Exploits: 0 · References: 7

NVD
added 2026/04/10 2:16 a.m. · 0 views

CVE-2026-3360

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the payincompleteorder function. The function accepts an...

CVSS 7.5 · EPSS 0.00078
Exploits: 0 · References: 6

ATTACKERKB
added 2026/04/10 1:24 a.m. · 2 views

CVE-2026-3360

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the payincompleteorder function. The function accepts an...

CVSS 7.5 · AI score 5.9 · EPSS 0.00078
Exploits: 0 · References: 7

CNNVD
added 2026/04/10 12:00 a.m. · 2 views

WordPress plugin Tutor LMS – eLearning and online course solution security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

CVSS 7.5 · AI score 5.8 · EPSS 0.00078
Exploits: 0 · References: 6

Positive Technologies
added 2026/04/10 12:00 a.m. · 2 views

PT-2026-31846

Name of the Vulnerable Software and Affected Versions: Tutor LMS versions through 3.9.7
Description: The Tutor LMS plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is due to the absence of proper authentication and authorization checks within the pay incomplete...

CVSS 7.5 · AI score 5.8 · EPSS 0.00078
Exploits: 0 · References: 10

NVD
added 2026/03/26 12:16 a.m. · 3 views

CVE-2026-33931

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the patient portal payment page allows any authenticated portal patient to access other patients' payment...

CVSS 6.5 · EPSS 0.00023
Exploits: 1 · References: 3

CVE
added 2026/03/25 11:36 p.m. · 3 views

CVE-2026-33931

Vulnerability summary (CVE-2026-33931): OpenEMR prior to version 8.0.0.3 contains an insecure direct object reference (IDOR) in the patient portal payment page. By manipulating the recid parameter in portal/portal_payment.php, any authenticated portal patient could access other patients’ payment...

CVSS 6.5 · AI score 5.8 · EPSS 0.00023
Exploits: 1 · References: 3 · Affected Software: 1

CVE
added 2026/03/11 8:48 p.m. · 2 views

CVE-2026-32122

OpenEMR (Claim File Tracker UI/AJAX Endpoint) exposes billing claim metadata to authenticated users lacking proper billing permissions prior to version 8.0.0.1 due to missing authorization on the Claim File Tracker endpoint. This is fixed in 8.0.0.1. The vulnerability stems from ACLs not matching...

CVSS 4.3 · AI score 5.8 · EPSS 0.00105
Exploits: 1 · References: 1 · Affected Software: 1

OSV
added 2026/03/11 8:48 p.m. · 0 views

CVE-2026-32122 OpenEMR: Missing Authorization on Claim File Tracker UI and AJAX Endpoint (V2)

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the Claim File Tracker feature exposes an AJAX endpoint that returns billing claim metadata (claim IDs, payer info, transmission logs). The endpoint does not enforce the same A...

CVSS 4.3 · AI score 5.8 · EPSS 0.00105
Exploits: 1 · References: 3

RedhatCVE
added 2025/11/20 9:36 p.m. · 2 views

CVE-2025-13085

The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolvevariables AJAX handler. This makes it possible for...

CVSS 4.3 · AI score 5.2 · EPSS 0.00044
Exploits: 0 · References: 1

Vulnrichment
added 2025/11/19 6:45 a.m. · 3 views

CVE-2025-13085 SiteSEO – SEO Simplified <= 1.3.2 - Insecure Direct Object Reference to Sensitive Post Meta Disclosure

The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolvevariables AJAX handler. This makes it possible for...

CVSS 4.3 · AI score 4.8 · EPSS 0.00044
Exploits: 0 · References: 5

EUVD
added 2025/10/29 3:31 p.m. · 2 views

EUVD-2025-36640

The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with...

CVSS 4.3 · AI score 4.6 · EPSS 0.00056
Exploits: 0 · References: 8

NVD
added 2025/10/29 1:15 p.m. · 5 views

CVE-2025-11632

The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with...

CVSS 4.3 · EPSS 0.00056
Exploits: 0 · References: 7

CVE
added 2025/10/29 12:31 p.m. · 11 views

CVE-2025-11632

The WordPress plugin Call Now Button (Call Now Button – The #1 Click to Call Button for WordPress) is affected by CVE-2025-11632 due to missing capability checks in multiple functions across versions up to 1.5.4. The issue enables authenticated users with Subscriber-level access and above to gene...

CVSS 4.3 · AI score 4.7 · EPSS 0.00056
Exploits: 0 · References: 7

HackRead
added 2025/10/04 4:30 p.m. · 1 views

Discord Data Breach: Hackers Access IDs, Billing Details and Support Chats

Discord confirms a data breach via a third-party vendor, exposing government-issued photo IDs, names, emails, and limited billing data of users who contacted customer support. Learn the full risk...

AI score 6.9
Exploits: 0

CNNVD
added 2025/09/25 12:00 a.m. · 1 views

Zenitel ICX500 and Zenitel ICX510 security vulnerability

Zenitel ICX500 and Zenitel ICX510 are both communication and control platforms from Zenitel Norway. A security vulnerability exists in the Zenitel ICX500 and Zenitel ICX510 that stems from an attacker's ability to directly query the underlying database, which could result in the retrieval of all...

CVSS 7.3 · AI score 6.5 · EPSS 0.0003
Exploits: 0 · References: 2

OSV
added 2024/06/06 2:15 a.m. · 2 views

CVE-2023-6966

The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/coreajax.php file in all versions up to, and including, 9.5.20. This makes it possible for...

CVSS 8.1 · AI score 5.8 · EPSS 0.0047
Exploits: 0 · References: 2

Positive Technologies
added 2024/06/05 12:00 a.m. · 2 views

PT-2024-15148 · WordPress · The Moneytizer

Name of the Vulnerable Software and Affected Versions: The Moneytizer plugin for WordPress versions up to, and including, 9.5.20
Description: The issue is caused by a missing capability check on multiple AJAX functions in the /core/core ajax.php file. This allows authenticated attackers, with...

CVSS 8.1 · AI score 6.7 · EPSS 0.0047
Exploits: 0 · References: 9

Positive Technologies
added 2022/09/06 12:00 a.m. · 4 views

PT-2022-5124 · WordPress · Ultimate Sms Notifications For Woocommerce

Name of the Vulnerable Software and Affected Versions: Ultimate SMS Notifications for WooCommerce plugin for WordPress versions up to, and including, 1.4.1
Description: The issue is related to a CSV Injection vulnerability in the 'Export Utility' functionality. This allows authenticated attackers...

CVSS 8 · AI score 7.7 · EPSS 0.0082
Exploits: 0 · References: 8

ATTACKERKB
added 2022/08/17 11:14 a.m. · 0 views

CVE-2022-34770

Tabit - sensitive information disclosure. Several APIs on the web system display, without authorization, sensitive information such as health statements, previous bills in a specific restaurant, alcohol consumption and smoking habits. Each of the described APIs has in its URL one or more MongoD...

CVSS 7.5 · AI score 5.9 · EPSS 0.00231
Exploits: 0 · References: 2 · Affected Software: 1