CVE-2025-3874

CVE-2025-3874 affects the WordPress plugin “WordPress Simple Shopping Cart.” The issue is an Insecure Direct Object Reference caused by lack of randomization of a user-controlled key, enabling unauthenticated users to access customer carts, edit product links, add/delete products, and discover co...

CVE-2025-3889 WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference via 'quantity'

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'processpaymentdata' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the...

CVE-2025-3874 WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and...

CVE-2025-3889

CVE-2025-3889 affects WordPress Simple Shopping Cart (WordPress plugin) up to version 5.1.3, via Insecure Direct Object Reference in process_payment_data. Unauthenticated attackers can set a product quantity to a negative value, subtracting cost from the total, and the attack is only effective in...

PT-2025-18382 · WordPress · Wordpress Simple Shopping Cart

Name of the Vulnerable Software and Affected Versions: WordPress Simple Shopping Cart plugin versions up to, and including, 5.1.3 Description: The issue is related to Insecure Direct Object Reference due to the lack of randomization of a user-controlled key. This allows unauthenticated attackers ...

📄 Daikin Security Gateway 214 Remote Password Reset

The Daikin Security Gateway exposes a critical vulnerability in its password reset API endpoint. Due to an insecure direct object reference IDOR flaw, an unauthenticated attacker can send a crafted POST request to this endpoint, bypassing authentication mechanisms. Successful exploitation resets...

CVE-2025-25777

Insecure Direct Object Reference IDOR in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another user's profile without proper authentication or authorization checks...

CVE-2025-1284

The Woocommerce Automatic Order Printing | Formerly WooCommerce Google Cloud Print plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xcwooprinterpreview AJAX action due to missing validation on a user controlled key. This make...

Authorization Bypass Through User-Controlled Key

Overview moodle/moodle is a learning platform. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to insufficient capability checks in the RSS block. An attacker can access and view additional RSS feeds by exploiting the IDOR vulnerability...

CVE-2025-25777

Insecure Direct Object Reference IDOR in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another user's profile without proper authentication or authorization checks...

CVE-2025-1284

The Woocommerce Automatic Order Printing | Formerly WooCommerce Google Cloud Print plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xcwooprinterpreview AJAX action due to missing validation on a user controlled key. This make...

CVE-2025-1284 Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) <= 4.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Order Information Disclosure

The Woocommerce Automatic Order Printing | Formerly WooCommerce Google Cloud Print plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xcwooprinterpreview AJAX action due to missing validation on a user controlled key. This make...

CVE-2025-1284

CVE-2025-1284 affects the WordPress plugin “Woocommerce Automatic Order Printing” (formerly WooCommerce Google Cloud Print), vulnerable up to version 4.1 due to missing validation on a user-controlled key in the xc_woo_printer_preview AJAX action. The issue is an Insecure Direct Object Reference ...

CVE-2025-25777

Insecure Direct Object Reference IDOR in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another user's profile without proper authentication or authorization checks...

CodeAstro Bus Ticket Booking System 安全漏洞

CodeAstro Bus Ticket Booking System is a bus ticket booking system from CodeAstro. A security vulnerability exists in CodeAstro Bus Ticket Booking System version 1.0, which stems from an insecure direct object reference that could lead to unauthorized access to user data...

CVE-2025-25777

Insecure Direct Object Reference IDOR in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another user's profile without proper authentication or authorization checks...

PT-2025-17708 · WordPress · Woocommerce Automatic Order Printing

Name of the Vulnerable Software and Affected Versions: WooCommerce Automatic Order Printing plugin versions up to, and including, 4.1 Description: The issue is related to Insecure Direct Object Reference, which allows authenticated attackers with Subscriber-level access and above to view other...

CVE-2025-25777

CVE-2025-25777 affects Codeastro Bus Ticket Booking System v1.0, where an insecure direct object reference (IDOR) allows unauthorized access to user profiles by altering the URL parameter user ID. Root cause: insufficient authentication/authorization checks on profile endpoints, enabling access t...

📄 UJCMS 9.6.3 Insecure Direct Object Reference

UJCMS version 9.6.3 suffers from an insecure direct object reference vulnerability that enables user enumeration. Exploit Title: UJCMS 9.6.3 User Enumeration via IDOR Exploit Author: Cyd Tseng Date: 11 Dec 2024 Category: Web application Vendor Homepage: https://dromara.org/ Software Link:...

UJCMS 9.6.3 - User Enumeration via IDOR

Exploit Title: UJCMS 9.6.3 User Enumeration via IDOR Exploit Author: Cyd Tseng Date: 11 Dec 2024 Category: Web application Vendor Homepage: https://dromara.org/ Software Link: https://github.com/dromara/ujcms Version: UJCMS 9.6.3 Tested on: Linux CVE: CVE-2024-12483 Advisory:...