CVE-2025-34438 AVideo < 20.1 IDOR Arbitrary Video Rotation

AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video...

EUVD-2025-203954

AVideo versions prior to 20.0 are vulnerable to an insecure direct object reference IDOR that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video...

CVE-2025-34435

AVideo

CVE-2025-34435 AVideo < 20.1 IDOR Arbitrary File Deletion

AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference IDOR that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video...

EUVD-2025-203952

AVideo versions prior to 20.0 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks...

CVE-2025-34436 AVideo < 20.1 IDOR Arbitrary File Upload

AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks...

CVE-2025-34436 AVideo < 20.1 IDOR Arbitrary File Upload

AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks...

Pagekit CMS has an Insecure Direct Object Reference (IDOR) in its User Role component

An Insecure Direct Object Reference IDOR in Pagekit CMS v1.0.18 allows attackers to escalate privileges. The project was archived as of December 1, 2023...

CVE-2025-67165

An Insecure Direct Object Reference IDOR in Pagekit CMS v1.0.18 allows attackers to escalate privileges...

CVE-2025-11924

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints...

CVE-2025-11924

The CVE-2025-11924 entry concerns Ninja Forms – The Contact Form Builder That Grows With You for WordPress (versions up to and including 3.13.2). Affected component: the ninja-forms-views REST endpoints. Root cause: insufficient authorization checks allow an unauthenticated attacker to read arbit...

CVE-2025-11924 Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints...

PT-2025-51921

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 6.5.3 Description ChurchCRM is an open-source church management system. A flaw exists where an authenticated user with specific permissions "Edit Records" and "Manage Properties and Classifications" can inject a...

PT-2025-51846

Name of the Vulnerable Software and Affected Versions Pagekit CMS version 1.0.18 Description An Insecure Direct Object Reference IDOR exists in Pagekit CMS version 1.0.18, potentially allowing attackers to escalate privileges. An IDOR occurs when an application uses user-supplied input to directl...

VulnCheck KEV: CVE-2025-11924

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints...

ProjectSend 安全漏洞

ProjectSend cFTP is the ProjectSend open source suite of self-hosted applications based on PHP and MySQL. A security vulnerability exists in ProjectSend r1605 that originates from an unauthenticated attacker who can download private files by manipulating the download ID parameter, which could lea...

PT-2025-51968

Name of the Vulnerable Software and Affected Versions ProjectSend version r1605 Description An insecure direct object reference issue exists in ProjectSend r1605. An unauthenticated attacker can download private files by manipulating the id parameter in a download request to the 'process.php'...

CVE-2025-67165

An Insecure Direct Object Reference IDOR in Pagekit CMS v1.0.18 allows attackers to escalate privileges...

CVE-2025-67165

The CVE-2025-67165 entry concerns Pagekit CMS v1.0.18 with an Insecure Direct Object Reference (IDOR) in the User Role component that can lead to privilege escalation. The Root Cause described across sources is insufficient access control, enabling a crafted request (notably via the /api/user/rol...

CVE-2025-68071 WordPress Essential Real Estate plugin <= 5.3.2 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Real Estate: from n/a through = 5.3.2...