CVE-2024-4874

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and...

CVE-2024-13429

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the 'jobenforcedelete' due to missing validation on a user controlled key. This makes it possib...

CVE-2024-13428

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the deleteCompanyLogo due to missing validation on a user controlled key. This makes it possibl...

CVE-2024-13457

The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view ord...

CVE-2024-13372

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the getresumefiledownloadbyid and getallresumefiles functions due to missing validation on a us...

CVE-2024-40395

An Insecure Direct Object Reference IDOR in PTC ThingWorx v9.5.0 allows attackers to view sensitive information, including PII, regardless of access level...

CVE-2024-48217

An Insecure Direct Object Reference IDOR in the dashboard of SiSMART v7.4.0 allows attackers to execute a horizontal-privilege escalation...

CVE-2024-8123

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.0.8 via the duplicatepost function due to missing validation on a user controlled key. This makes it possible for authenticated attackers...

CVE-2024-13425

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the enforcedelete function due to missing validation on a user controlled key. This makes it...

CVE-2024-12131

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.5 due to missing validation on a user controlled key. This makes it possible for authenticated...

CVE-2024-12132

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated...

CVE-2024-7848

The User Private Files – WordPress File Sharing Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'dpkupvfupdatedoc' due to missing validation on the 'docid' user controlled key. This makes it possible for authenticat...

CVE-2024-51066

An Insecure Direct Object Reference IDOR vulnerability in appointment-detail.php in Phpgurukul's Beauty Parlour Management System v1.1 allows unauthorized access to the Personally Identifiable Information PII of other customers...

CVE-2024-12309

The Rate My Post – Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.4 via the getpoststatus due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to...

CVE-2023-0550

The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu...

CVE-2023-6969

The User Shortcodes Plus plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the usermeta shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level...

CVE-2023-45893

An indirect Object Reference IDOR in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information...

Insecure Direct Object Reference (IDOR)

sjbr/sr-feuser-register is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to missing or improper access control checks on user-supplied identifiers, allowing attackers to access or manipulate data they shouldn't have access to...

CVE-2023-6630

The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7getcustomfield and CF7getcurrentuser shortcodes due to missing validation on a user controlled key. This makes it possible for...

CVE-2023-6506

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the sendbackupcodesemail due to missing validation on a user controlled key. This makes it possible for subscriber-level...