CVE-2025-65096 RomM Insecure Direct Object Reference (IDOR) Allows Unauthorized Access to Private Collections

RomM ROM Manager allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership...

CVE-2025-65096 RomM Insecure Direct Object Reference (IDOR) Allows Unauthorized Access to Private Collections

RomM ROM Manager allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership...

CVE-2025-13109

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woofaddquery" and "woofremovequery" functions due to missing validation on a user controlled key. This makes it...

CVE-2025-13109 HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query'

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woofaddquery" and "woofremovequery" functions due to missing validation on a user controlled key. This makes it...

CVE-2025-13109

CVE-2025-13109 concerns the WordPress plugin HUSKY – Products Filter Professional for WooCommerce (versions

EUVD-2025-200981

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woofaddquery" and "woofremovequery" functions due to missing validation on a user controlled key. This makes it...

WordPress HUSKY plugin <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query' vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference via 'woofaddquery/woofremovequery' vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin HUSKY versions = 1.3.7.2...

Grav Insecure Direct Object Reference Vulnerability

Grav is an extensible CMS Content Management System for personal blogs, small content publishing platforms and one-page product presentations. Grav has an insecure direct object reference vulnerability, the vulnerability stems from the application does not correctly implement the access control...

📄 EduplusCampus 3.0.1 Insecure Direct Object Reference

A critical insecure direct object reference vulnerability was identified in the EduplusCampus student portal version 3.0.1. This vulnerability allows an authenticated user to access the sensitive personal and financial records of other students by modifying the recno parameter in the API request...

PT-2025-48805

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof add query" and "woof remove query" functions due to missing validation on a user controlled key. This makes i...

CVE-2025-66306

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR Insecure Direct Object Reference vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin emai...

EUVD-2025-200104

Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel...

GHSA-4CWQ-J7JV-QMWG Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel

Summary An IDOR Insecure Direct Object Reference vulnerability in the Grav CMS Admin Panel allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk...

CVE-2025-66306

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR Insecure Direct Object Reference vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin emai...

CVE-2025-66306

CVE-2025-66306 describes an Insecure Direct Object Reference (IDOR) in Grav CMS Admin Panel prior to 1.8.0-beta.27. The vulnerability allows low-privilege authenticated users to access information from other accounts via endpoints such as /admin/accounts/users/{username}, potentially exposing adm...

CVE-2025-66306 Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR Insecure Direct Object Reference vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin emai...

CVE-2025-66306 Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR Insecure Direct Object Reference vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin emai...

CVE-2025-65672

Insecure Direct Object Reference IDOR in classroomio 0.1.13 allows unauthorized share and invite access to course settings...

PT-2025-48565

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR Insecure Direct Object Reference vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin emai...

Grav 安全漏洞

Grav is an extensible CMS Content Management System for personal blogs, small content publishing platforms and one-page product presentations. Grav has an insecure direct object reference vulnerability, the vulnerability stems from the application does not correctly implement the access control...