3529 matches found
CVE-2026-3688 WCFM - WooCommerce Multivendor Membership <= 2.11.10 - Insecure Direct Object Reference to Limited Privilege Escalation via User Role Overwrite
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvmmembershipchange' AJAX action not validating user permission to modify other...
CVE-2026-5730 IDOR in Idvlabs' Ontime
Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers. This issue affects Ontime: through 04052026...
CVE-2026-11900
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the adinserter shortcode. This is due to the replaceaitags function processing a reusable-block-N tag pattern that...
CVE-2026-11900
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the adinserter shortcode. This is due to the replaceaitags function processing a reusable-block-N tag pattern that...
CVE-2026-11900
The CVE-2026-11900 entry concerns the WordPress plugin Ad Inserter – Ad Manager & AdSense Ads up to version 2.8.16. It is vulnerable to an Insecure Direct Object Reference via the shortcodes’ data attribute. The replace_ai_tags() function processes a {reusable-block-N} pattern by calling get_post...
CVE-2026-9180
MotoPress Appointment Booking for WordPress (versions up to 2.4.4) is vulnerable to an Authorization Bypass via a user-controlled booking_id. The REST endpoint POST /motopress/appointment/v1/bookings is registered with a permissive permission_callback (return_true ), and createBooking() loads the...
PT-2026-55514
Name of the Vulnerable Software and Affected Versions Ad Inserter – Ad Manager & AdSense Ads versions prior to 2.8.17 Description An Insecure Direct Object Reference exists via the data attribute of the adinserter shortcode. The replace ai tags function processes a reusable-block-N tag pattern th...
WordPress Ad Inserter – Ad Manager & AdSense Ads plugin <= 2.8.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Post Content Disclosure vulnerability
Insecure Direct Object Reference to Authenticated Contributor+ Arbitrary Post Content Disclosure vulnerability discovered by nightward in WordPress Plugin Ad Inserter versions = 2.8.16...
CVE-2026-9188
The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the appointmentkey parameter due to the appointment editkey — the sole authorization token consumed by tryCance...
CVE-2026-12657
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'serviceid' parameter due to missing validation on a user controlled key. This makes it possible for...
CVE-2026-11896
The CVE-2026-11896 entry describes a flaw in the WordPress plugin “My Calendar – Accessible Event Manager” (versions up to 3.7.14). The root cause is missing validation on a user-controlled key used by the vcal parameter, enabling Insecure Direct Object Reference. This allows unauthenticated atta...
EUVD-2026-41266
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to...
EUVD-2026-41260
The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the appointmentkey parameter due to the appointment editkey — the sole authorization token consumed by tryCance...
CVE-2026-12657 LatePoint <= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation via 'service_id' Parameter
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'serviceid' parameter due to missing validation on a user controlled key. This makes it possible for...
CVE-2026-9188 Appointment Bookings for Zoom GoogleMeet and more – Wappointment <= 2.7.6 - Unauthenticated Insecure Direct Object Reference via Predictable 'edit_key' / 'appointmentkey' Parameter
The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the appointmentkey parameter due to the appointment editkey — the sole authorization token consumed by tryCance...
CVE-2026-9188
CVE-2026-9188 affects the WordPress plugin “Wappointment” (Appointment Bookings for Zoom GoogleMeet and more) up to version 2.7.6. The vulnerability is an Insecure Direct Object Reference via the appointmentkey/edit_key parameter, where the authorization token consumed by tryCancel() is a predict...
CVE-2026-12657
The CVE-2026-12657 entry concerns the WordPress LatePoint Calendar Booking Plugin (versions up to and including 5.6.2). The vulnerability is an Insecure Direct Object Reference exposed via user-controlled keys in two publicly accessible parameters: params[booking][service_id] in steps__load_step ...
CVE-2026-5348 Academy LMS <= 3.8.1 - Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to 'returntrue',...
WordPress MotoPress Appointment Booking plugin <= 2.4.4 - Unauthenticated Insecure Direct Object Reference to 'payment_details.booking_id' Parameter vulnerability
Unauthenticated Insecure Direct Object Reference to 'paymentdetails.bookingid' Parameter vulnerability discovered by g0wthr in WordPress Plugin MotoPress Appointment Booking versions = 2.4.4...
WordPress Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin <= 2.7.6 - Unauthenticated Insecure Direct Object Reference vulnerability
Unauthenticated Insecure Direct Object Reference vulnerability discovered by davidfdzmorilla in WordPress Plugin Wappointment versions = 2.7.6...