Lucene search
4469 matches found

Cvelist, added 2025/10/17 9:26 a.m., 10 views

CVE-2025-11895 Binary MLM Plan <= 5.0 - Authenticated (Subscriber+) Insecure Direct Object Reference

The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 5.0. This is due to the bmpuserpayoutdetailofcurrentuser function selecting payout records solely by id without verifying ownership. This makes it possible for authenticate...

CVSS 4.3, EPSS 0.00249; Exploits 0, References 2
CVE, added 2025/10/17 9:26 a.m., 15 views

CVE-2025-11895

The CVE-2025-11895 vulnerability affects Binary MLM Plan (WordPress) versions

CVSS 4.3, AI score 5.9, EPSS 0.00249; Exploits 0, References 2
OSV, added 2025/10/16 4:15 p.m., 2 views

CVE-2025-9559

Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data...

CVSS 6.5, AI score 5.7, EPSS 0.00367; Exploits 1, References 1
Vulnrichment, added 2025/10/16 3:28 p.m., 5 views

CVE-2025-9559 Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data

Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data...

CVSS 6.5, AI score 6.4, EPSS 0.00367; Exploits 1, References 1
Cvelist, added 2025/10/16 3:28 p.m., 28 views

CVE-2025-9559 Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data

Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by an Insecure Direct Object Reference issue in a user interface component that can only be used to read data...

CVSS 6.5, EPSS 0.00367; Exploits 1, References 1
OSV, added 2025/10/16 8:15 a.m., 2 views

CVE-2025-41020

Insecure direct object reference (IDOR) vulnerability in Sergestec's Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the 'id' parameter in '/admin/ticketa4.php'...

CVSS 7.5, AI score 5.8, EPSS 0.00313; Exploits 0, References 1
NVD, added 2025/10/16 8:15 a.m., 2 views

CVE-2025-41020

Insecure direct object reference (IDOR) vulnerability in Sergestec's Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the 'id' parameter in '/admin/ticketa4.php'...

CVSS 7.5, EPSS 0.00313; Exploits 0, References 1
Vulnrichment, added 2025/10/16 7:59 a.m., 3 views

CVE-2025-41020 Insecure direct object reference (IDOR) vulnerability in Sergestec's Exito

Insecure direct object reference (IDOR) vulnerability in Sergestec's Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the 'id' parameter in '/admin/ticketa4.php'...

CVSS 7.1, AI score 6.5, EPSS 0.00313; Exploits 0, References 1
CVE, added 2025/10/16 7:59 a.m., 8 views

CVE-2025-41020

CVE-2025-41020 affects Sergestec Exito v8.0. An IDOR in /admin/ticket_a4.php (id parameter) allows access to other customers' data. Root cause: insecure direct object reference. Impact per sources includes HIGH confidentiality impact (CVE metrics: CVSS v3.1 base 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I...

CVSS 7.5, AI score 6.5, EPSS 0.00313; Exploits 0, References 1, Affected Software 1
RedhatCVE, added 2025/10/16 5:52 a.m., 10 views

CVE-2025-11176

The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfisetthumbnail and qfideletethumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated...

CVSS 4.3, AI score 5.6, EPSS 0.0022; Exploits 0, References 1
CNNVD, added 2025/10/16 12:00 a.m., 2 views

Sergestec Exito security vulnerability

Sergestec Exito is a sales platform from Sergestec, Inc. A security vulnerability exists in Sergestec Exito version v8.0, which stems from incorrect handling of the parameter id in the file /admin/ticketa4.php, which could lead to insecure direct object references...

CVSS 7.5, AI score 6.6, EPSS 0.00313; Exploits 0, References 1
CNNVD, added 2025/10/16 12:00 a.m., 5 views

Pega Platform security vulnerability

Pega Platform is an enterprise management platform from Pega Corporation, USA. A security vulnerability exists in Pega Platform versions 8.7.5 through 24.2.2, which stems from an insecure direct object reference in a user interface component that could lead to data being read out...

CVSS 6.5, AI score 6.6, EPSS 0.00367; Exploits 1, References 1
Positive Technologies, added 2025/10/16 12:00 a.m., 3 views

PT-2025-42483

Name of the Vulnerable Software and Affected Versions: Pega Platform versions 8.7.5 through 24.2.2. Description: The Pega Platform contains an Insecure Direct Object Reference issue within a user interface component. This issue allows for the reading of data. Recommendations: Update to a version late...

CVSS 6.5, AI score 5.8, EPSS 0.00367; Exploits 1, References 7
Cvelist, added 2025/10/15 5:23 a.m., 6 views

CVE-2025-11176 Quick Featured Images <= 13.7.2 - Insecure Direct Object Reference to Image Manipulation

The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfisetthumbnail and qfideletethumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated...

CVSS 4.3, EPSS 0.0022; Exploits 0, References 3
EUVD, added 2025/10/15 5:23 a.m., 3 views

EUVD-2025-34513

The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfisetthumbnail and qfideletethumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated...

CVSS 4.3, AI score 5.2, EPSS 0.0022; Exploits 0, References 4
Vulnrichment, added 2025/10/15 5:23 a.m., 4 views

CVE-2025-11176 Quick Featured Images <= 13.7.2 - Insecure Direct Object Reference to Image Manipulation

The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfisetthumbnail and qfideletethumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated...

CVSS 4.3, AI score 5.3, EPSS 0.0022; Exploits 0, References 3
Patchstack, added 2025/10/15 12:17 a.m., 8 views

WordPress Quick Featured Images plugin <= 13.7.2 - Insecure Direct Object Reference to Image Manipulation vulnerability

Insecure Direct Object Reference to Image Manipulation vulnerability discovered by Lucas Montes Nirox in WordPress Plugin Quick Featured Images versions <= 13.7.2...

CVSS 4.3, AI score 7, EPSS 0.0022; Exploits 0, References 1, Affected Software 1
CNNVD, added 2025/10/15 12:00 a.m., 4 views

WordPress plugin Quick Featured Images security vulnerability

The WordPress Quick Featured Images plugin is a plugin for bulk editing and replacing featured images in WordPress. The WordPress Quick Featured Images plugin suffers from an insecure direct object reference vulnerability that stems from the lack of validation of user-controlled keys in the qfisetthumbnail...

CVSS 4.3, AI score 6.8, EPSS 0.0022; Exploits 0, References 4
CNVD, added 2025/10/15 12:00 a.m., 3 views

Bold Workplanner Insecure Direct Object Reference Vulnerability

Bold Workplanner is an enterprise software for human resource management from the Spanish company Bold Workplanner. An insecure direct object reference vulnerability exists in Bold Workplanner versions prior to 2.5.25, which stems from a lack of sufficient validation of user input, and can be...

CVSS 7.1, AI score 6.8, EPSS 0.00234; Exploits 0, References 1
CNVD, added 2025/10/15 12:00 a.m., 3 views

Bold Workplanner Insecure Direct Object Reference Vulnerability (CNVD-2025-24046)

Bold Workplanner is an enterprise software for human resource management from the Spanish company Bold Workplanner. Bold Workplanner suffers from an insecure direct object reference vulnerability that can be exploited by an attacker to access calendar details using an unauthorized internal...

CVSS 7.1, AI score 6.9, EPSS 0.00234; Exploits 0, References 1