4459 matches found
CVE-2026-2554
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfmdeletewcfmcustomer' due to missing validation on the 'customerid' user...
CVE-2026-2554
The CVE concerns the WCFM – Frontend Manager for WooCommerce and Bookings Subscription Listings Compatible plugin for WordPress. It describes an Insecure Direct Object Reference vulnerability (CWE/impact not explicitly named in provided text) exposed via the wcfm_delete_wcfm_customer parameter, c...
EUVD-2026-26789
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfmdeletewcfmcustomer' due to missing validation on the 'customerid' user...
CVE-2026-2554 WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfmdeletewcfmcustomer' due to missing validation on the 'customerid' user...
CVE-2026-2554
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfmdeletewcfmcustomer' due to missing validation on the 'customerid' user...
CVE-2026-7491
School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data...
CVE-2026-7491
Technical details about CVE-2026-7491 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-7491
School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data...
CVE-2026-7491 Zyosoft|School App - Insecure Direct Object Reference
School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data...
EUVD-2026-26772
School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data...
CVE-2026-7638
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the uploadavatar function, which accepts an attacker-controlled...
CVE-2026-7638
CVE-2026-7638 details : The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress (WordPress plugin) is vulnerable to Insecure Direct Object Reference in all versions up to 5.6.0. The root cause is missing authorization validation in the upload_avatar() function, which...
PT-2026-36563
Name of the Vulnerable Software and Affected Versions App Builder – Create Native Android & iOS Apps On The Flight versions prior to 5.6.1 Description An Insecure Direct Object Reference IDOR exists due to missing authorization validation in the upload avatar function. The...
PT-2026-36600
Name of the Vulnerable Software and Affected Versions School App developed by Zyosoft affected versions not specified Description An Insecure Direct Object Reference IDOR issue exists, where authenticated remote attackers can modify a specific parameter to read and modify data belonging to other...
PT-2026-36617
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm delete wcfm customer' due to missing validation on the 'customerid' us...
WordPress App Builder – Create Native Android & iOS Apps On The Flight plugin <= 5.6.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Avatar Modification vulnerability
Insecure Direct Object Reference to Authenticated Subscriber+ Arbitrary User Avatar Modification vulnerability discovered by Ren Voza in WordPress Plugin App Builder versions = 5.6.0...
WordPress WCFM – Frontend Manager for WooCommerce plugin <= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion vulnerability
Authenticated Vendor+ Insecure Direct Object Reference to Arbitrary User Deletion vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin WCFM – Frontend Manager for WooCommerce versions = 6.7.25...
CVE-2026-4503
IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key...
EUVD-2026-26435
IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key...
CVE-2026-4503 Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability in Langflow Desktop Image Download Endpoint
IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key...