4469 matches found
GHSA-FQQ7-H225-8W6H Skuul School Management System has an Insecure Direct Object Reference (IDOR) Vulnerability in View Fee Invoice
A security flaw has been discovered in yungifez Skuul School Management System up to 2.6.5. The impacted element is an unknown function of the file /dashboard/fees/fee-invoices/ of the component View Fee Invoice. Performing manipulation of the argument invoiceid results in improper control of...
CVE-2025-11748
The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'groupid' parameter of the groupjoin function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2025-64431
Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to secure Direct Object Reference IDOR attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belongin...
CVE-2025-4522
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the adminpostdonordelete function in versions 2.0.0 to 2.1.9. By supplying an arbitrary userid parameter value to the wpdeleteuser function, authenticated...
EUVD-2025-38353
The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.0 via the 'groupid' parameter of the groupjoin function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2025-11748
The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'groupid' parameter of the groupjoin function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2025-11748 Groups <= 3.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join
The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'groupid' parameter of the groupjoin function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2025-11748 Groups <= 3.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join
The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'groupid' parameter of the groupjoin function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2025-11748
CVE-2025-11748 : Groups plugin for WordPress contains an Insecure Direct Object Reference (IDOR) in the group_join function via the group_id parameter, allowing authenticated users with Subscriber level and above to join groups not specified by the shortcode. This affects versions up to and inclu...
WordPress plugin Groups 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security vulnerabili...
PT-2025-45542
Name of the Vulnerable Software and Affected Versions Groups plugin for WordPress versions prior to 6.7.1 Description The Groups plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This flaw stems from inadequate validation of a user-controlled key, specifically the...
CVE-2025-64431
Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to secure Direct Object Reference IDOR attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belongin...
CVE-2025-64431 IDOR Vulnerabilities in ZITADEL's Organization API allows Cross-Tenant Data Tempering
Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to secure Direct Object Reference IDOR attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belongin...
CVE-2025-64431
The CVE-2025-64431 issue concerns Zitadel’s Organization V2Beta API, where IDOR flaws allow an authenticated administrator of one organization to read or modify data of other organizations. Affected versions are Zitadel 4.0.0-rc.1 through 4.6.2. The root cause is improper authorization checks acr...
Insecure Direct Object Reference (IDOR)
com.liferay.commerce, com.liferay.commerce.service is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to comliferaycommerceorderwebinternalportletCommerceOrderPortletcommerceOrderId parameter not being validated across virtual instances. This allows an attacker in on...
CVE-2025-4522
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the adminpostdonordelete function in versions 2.0.0 to 2.1.9. By supplying an arbitrary userid parameter value to the wpdeleteuser function, authenticated...
CVE-2025-4522
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the adminpostdonordelete function in versions 2.0.0 to 2.1.9. By supplying an arbitrary userid parameter value to the wpdeleteuser function, authenticated...
CVE-2025-4522 IDonate 2.0.0 - 2.1.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the adminpostdonordelete function in versions 2.0.0 to 2.1.9. By supplying an arbitrary userid parameter value to the wpdeleteuser function, authenticated...
CVE-2025-4522
The WordPress IDonate plugin (IDonate) is affected by an Insecure Direct Object Reference in versions 2.0.0–2.1.9. The root cause is improper access control in the admin_post_donor_delete flow, which allows an authenticated user (Subscriber+ privilege) to craft a user_id value passed to wp_delete...
WordPress plugin IDonate 安全漏洞
WordPress IDonate plugin is a blood donation management tool on the WordPress platform, which is mainly used for blood donor registration, blood donation request submission and background management. WordPress IDonate plugin has an insecure direct object reference vulnerability, the vulnerability...