CVE-2025-3853 WPshop 2 – E-Commerce 2.0.0 - 2.6.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Key Generation
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callback_generate_api_key function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above...
CVE-2025-3853
CVE-2025-3853 affects WPshop 2 – E-Commerce for WordPress (versions 2.0.0–2.6.0). The vulnerability is an Insecure Direct Object Reference in the callback_generate_api_key() function due to missing validation on a user-controlled key. Exploitation requires authenticated access at Subscriber level...
CVE-2025-3281
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the create_stripe_subscription function, due to missing validation on the 'member_id' use...
CVE-2025-3281
The CVE-2025-3281 entry concerns the WordPress plugin “User Registration & Membership – Custom Registration Form, Login Form, and User Profile.” The root cause is insecure direct object reference due to missing validation on the member_id key in the create_stripe_subscription() function, enabling...
Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)
Exploit Title: Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR) Google Dork: N/A Date: 2025-05-02 Exploit Author: Sn1p3r-H4ck3r Siripong Jintung Vendor Homepage: https://snipeitapp.com Software Link: https://github.com/grokability/snipe-it Version: /printassigned endpoint. This...
Grokability Snipe-IT 8.0.4 Insecure Direct Object Reference
Grokability Snipe-IT versions 8.0.4 and below suffer from an insecure direct object reference vulnerability. Exploit Title: Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR) Google Dork: N/A Date: 2025-05-02 Exploit Author: Sn1p3r-H4ck3r Siripong Jintung Vendor Homepage:...
PT-2025-19903
Name of the Vulnerable Software and Affected Versions User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress versions prior to 4.2.2 Description The issue is related to an Insecure Direct Object Reference in the create stripe subscription...
Exploit for Authorization Bypass Through User-Controlled Key in Snipeitapp Snipe-It
CVE-2025-47226 - IDOR Vulnerability in Snipe-IT <= v8.0.4 🚨 I...
CVE-2025-3874
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and...
CVE-2025-3889
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'processpaymentdata' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the...
CVE-2025-1327
The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access...
CVE-2025-1327 Homey - Booking and Rentals WordPress Theme <= 2.4.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion
The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access...
CVE-2025-1327
CVE-2025-1327 affects the Homey WordPress theme (versions ≤ 2.4.4). The vulnerability is an Insecure Direct Object Reference via the homey_delete_user_account action, caused by missing validation on a user-controlled key. This allows authenticated attackers with Subscriber-level access or higher ...
WordPress Homey theme <= 2.4.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion vulnerability
Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion vulnerability discovered by a00n in WordPress Theme Homey versions <= 2.4.4...
CVE-2025-3874 WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and...
CVE-2025-3889 WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference via 'quantity'
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'processpaymentdata' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the...