Lucene search
+L

4651 matches found

CVE
CVE
added 2026/07/03 7:53 a.m.22 views

CVE-2026-11900

The CVE-2026-11900 entry concerns the WordPress plugin Ad Inserter – Ad Manager & AdSense Ads up to version 2.8.16. It is vulnerable to an Insecure Direct Object Reference via the shortcodes’ data attribute. The replace_ai_tags() function processes a {reusable-block-N} pattern by calling get_post...

4.3CVSS6AI score0.00273EPSS
Exploits0References10
CVE
CVE
added 2026/07/03 4:30 a.m.25 views

CVE-2026-9180

MotoPress Appointment Booking for WordPress (versions up to 2.4.4) is vulnerable to an Authorization Bypass via a user-controlled booking_id. The REST endpoint POST /motopress/appointment/v1/bookings is registered with a permissive permission_callback (return_true ), and createBooking() loads the...

5.3CVSS5.7AI score0.00342EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.13 views

PT-2026-55514

Name of the Vulnerable Software and Affected Versions Ad Inserter – Ad Manager & AdSense Ads versions prior to 2.8.17 Description An Insecure Direct Object Reference exists via the data attribute of the adinserter shortcode. The replace ai tags function processes a reusable-block-N tag pattern th...

4.3CVSS6AI score0.00273EPSS
Exploits0References15
Patchstack
Patchstack
added 2026/07/02 7:1 p.m.5 views

WordPress Ad Inserter – Ad Manager & AdSense Ads plugin <= 2.8.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Post Content Disclosure vulnerability

Insecure Direct Object Reference to Authenticated Contributor+ Arbitrary Post Content Disclosure vulnerability discovered by nightward in WordPress Plugin Ad Inserter versions = 2.8.16...

4.3CVSS5.9AI score0.00273EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/07/02 11:15 a.m.35 views

CVE-2026-57680 WordPress Kirki plugin <= 6.0.11 - Insecure Direct Object References (IDOR) vulnerability

Unauthenticated Insecure Direct Object References IDOR in Kirki = 6.0.11 versions...

6.5CVSS0.00253EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/02 11:15 a.m.11 views

CVE-2026-57680

Unauthenticated Insecure Direct Object References IDOR in Kirki = 6.0.11 versions...

6.5CVSS5.8AI score0.00253EPSS
Exploits0References2
CVE
CVE
added 2026/07/02 11:15 a.m.15 views

CVE-2026-57680

CVE-2026-57680 affects the WordPress Kirki plugin versions

6.5CVSS5.8AI score0.00253EPSS
Exploits0References1
NVD
NVD
added 2026/07/02 10:16 a.m.8 views

CVE-2026-9188

The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the appointmentkey parameter due to the appointment editkey — the sole authorization token consumed by tryCance...

5.3CVSS0.00297EPSS
Exploits0References10
NVD
NVD
added 2026/07/02 10:16 a.m.8 views

CVE-2026-12657

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'serviceid' parameter due to missing validation on a user controlled key. This makes it possible for...

5.3CVSS0.00381EPSS
Exploits0References12
EUVD
EUVD
added 2026/07/02 8:33 a.m.8 views

EUVD-2026-41266

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to...

5.3CVSS5.8AI score0.00313EPSS
Exploits0References14
ATTACKERKB
ATTACKERKB
added 2026/07/02 8:33 a.m.5 views

CVE-2026-11896

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to...

5.3CVSS5.8AI score0.00313EPSS
Exploits0References15
Cvelist
Cvelist
added 2026/07/02 8:33 a.m.41 views

CVE-2026-11896 My Calendar <= 3.7.14 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'vcal' Parameter

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to...

5.3CVSS0.00313EPSS
Exploits0References14
CVE
CVE
added 2026/07/02 8:33 a.m.22 views

CVE-2026-11896

The CVE-2026-11896 entry describes a flaw in the WordPress plugin “My Calendar – Accessible Event Manager” (versions up to 3.7.14). The root cause is missing validation on a user-controlled key used by the vcal parameter, enabling Insecure Direct Object Reference. This allows unauthenticated atta...

5.3CVSS5.8AI score0.00313EPSS
Exploits0References14
EUVD
EUVD
added 2026/07/02 8:33 a.m.7 views

EUVD-2026-41260

The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the appointmentkey parameter due to the appointment editkey — the sole authorization token consumed by tryCance...

5.3CVSS5.8AI score0.00297EPSS
Exploits0References10
CVE
CVE
added 2026/07/02 8:33 a.m.14 views

CVE-2026-9188

CVE-2026-9188 affects the WordPress plugin “Wappointment” (Appointment Bookings for Zoom GoogleMeet and more) up to version 2.7.6. The vulnerability is an Insecure Direct Object Reference via the appointmentkey/edit_key parameter, where the authorization token consumed by tryCancel() is a predict...

5.3CVSS5.8AI score0.00297EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/07/02 8:33 a.m.39 views

CVE-2026-12657 LatePoint <= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation via 'service_id' Parameter

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'serviceid' parameter due to missing validation on a user controlled key. This makes it possible for...

5.3CVSS0.00381EPSS
Exploits0References12
CVE
CVE
added 2026/07/02 8:33 a.m.17 views

CVE-2026-12657

The CVE-2026-12657 entry concerns the WordPress LatePoint Calendar Booking Plugin (versions up to and including 5.6.2). The vulnerability is an Insecure Direct Object Reference exposed via user-controlled keys in two publicly accessible parameters: params[booking][service_id] in steps__load_step ...

5.3CVSS5.8AI score0.00381EPSS
Exploits0References12
Cvelist
Cvelist
added 2026/07/02 8:33 a.m.37 views

CVE-2026-9188 Appointment Bookings for Zoom GoogleMeet and more – Wappointment <= 2.7.6 - Unauthenticated Insecure Direct Object Reference via Predictable 'edit_key' / 'appointmentkey' Parameter

The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the appointmentkey parameter due to the appointment editkey — the sole authorization token consumed by tryCance...

5.3CVSS0.00297EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/07/02 5:35 a.m.39 views

CVE-2026-5348 Academy LMS <= 3.8.1 - Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to 'returntrue',...

5.3CVSS0.00262EPSS
Exploits0References8
Patchstack
Patchstack
added 2026/07/02 12:0 a.m.4 views

WordPress MotoPress Appointment Booking plugin <= 2.4.4 - Unauthenticated Insecure Direct Object Reference to 'payment_details.booking_id' Parameter vulnerability

Unauthenticated Insecure Direct Object Reference to 'paymentdetails.bookingid' Parameter vulnerability discovered by g0wthr in WordPress Plugin MotoPress Appointment Booking versions = 2.4.4...

5.3CVSS5.9AI score0.00342EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder