
18 matches found

Source: RedhatCVE · added 2026/03/26 3:10 p.m. · 1 view

CVE-2026-1704

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the get_item_permissions_check method granting access to users with the...

CVSS 4.3 · AI score 5.8 · EPSS 0.00036
Exploits 0 · References 1
Source: Cvelist · added 2026/03/13 7:23 a.m. · 26 views

CVE-2026-1704 Appointment Booking Calendar <= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the get_item_permissions_check method granting access to users with the...

CVSS 4.3 · EPSS 0.00036
Exploits 0 · References 6
Source: CVE · added 2026/01/17 2:22 a.m. · 13 views

CVE-2025-14075

CVE-2025-14075 affects the WP Hotel Booking plugin for WordPress (versions up to and including 2.2.7). The vulnerability exposes the unauthenticated AJAX action hotel_booking_fetch_customer_info without proper capability checks, relying only on a nonce. This allows unauthenticated attackers to re...

CVSS 5.3 · AI score 5.2 · EPSS 0.00073
Exploits 0 · References 5
Source: Cvelist · added 2025/10/02 9:42 a.m. · 3 views

CVE-2025-40646 Multiple vulnerabilities in Energy CRM by Status Tracker

Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/createjobsubmit.php”, using the “JobCreatedBy” parameter. This vulnerability could allow a remote...

CVSS 5.1 · EPSS 0.00033
Exploits 0 · References 1
Source: CNNVD · added 2024/01/02 12:00 a.m. · 2 views

Floorsight Insights Security Breaches

Floorsight Insights is an application from Floorsight Software, Inc. A security vulnerability exists in Floorsight Insights Q3 2023. A remote attacker could view sensitive customer information by exploiting the vulnerability...

CVSS 7.5 · AI score 6.6 · EPSS 0.01006
Exploits 0 · References 2
Source: Positive Technologies · added 2023/12/11 12:00 a.m. · 3 views

PT-2023-29751 · Floorsight · Floorsight Customer Portal Q3 2023

Name of the Vulnerable Software and Affected Versions: Floorsight Customer Portal Q3 2023
Description: An Indirect Object Reference (IDOR) in the Order and Invoice pages allows an unauthenticated remote attacker to view sensitive customer information.
Recommendations: As a temporary workaround,...

CVSS 7.5 · AI score 6.4 · EPSS 0.01006
Exploits 0 · References 6
Source: Veracode · added 2023/11/02 6:05 a.m. · 16 views

Improper Access Control

dolibarr/dolibarr is vulnerable to Improper Access Control. The vulnerability is a result of the library's failure to adequately validate user input data. This allows an attacker to read a database table containing sensitive customer data...

CVSS 6.5 · AI score 6.7 · EPSS 0.00079
Exploits 1 · References 4 · Affected Software 1
Source: The Hacker News · added 2022/06/27 10:26 a.m. · 24 views

What Are Shadow IDs, and How Are They Crucial in 2022?

Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shado...

AI score 7.4
Exploits 0
Source: HackRead · added 2020/07/03 2:18 p.m. · 24 views

Fitness firm V Shred exposes 606 GB worth of sensitive customer data

By Waqas. V Shred was launched in 2016. This is a post from HackRead.com. Read the original post: Fitness firm V Shred exposes 606 GB worth of sensitive customer data...

AI score 0.9
Exploits 0
Source: Prion · added 2020/04/06 10:15 p.m. · 11 views

Design/Logic Flaw

An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP GET request to two files that contain customer data and application paths...

CVSS 5.0 · AI score 5.3 · EPSS 0.0088
Exploits 1 · References 1 · Affected Software 1
Source: ThreatPost · added 2020/02/10 5:32 p.m. · 45 views

Equifax Breach: Four Members of Chinese Military Charged with Hacking

U.S. authorities have charged four Chinese military officers in the 2017 Equifax data breach, which compromised the data of nearly 150 million. The four, Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, are believed to be members of the 54th Research Institute of the Chinese People’s Liberation Army (PLA)...

AI score 0.5
Exploits 0 · References 9
Source: HackerOne · added 2019/12/04 7:49 p.m. · 30 views

Nord Security: IDOR allow access to payments data of any user

Simply send this POST request, no auth needed:
POST /api/v1/orders HTTP/1.1
Host: join.nordvpn.com
Accept: application/json
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 179
DNT: 1
Connection: close...

AI score 6.8
Exploits 0
Source: Prion · added 2018/03/27 9:29 a.m. · 17 views

Design/Logic Flaw

A vulnerability in the auto discovery phase of Cisco Spark Hybrid Calendar Service could allow an unauthenticated, remote attacker to view sensitive information in the unencrypted headers of an HTTP method request. The attacker could use this information to conduct additional reconnaissance attac...

CVSS 5.0 · AI score 7.3 · EPSS 0.00273
Exploits 0 · References 1
Source: NVD · added 2018/01/18 6:29 a.m. · 13 views

CVE-2018-0108

A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to collect customer files via an out-of-band XML External Entity (XXE) injection. An attacker could exploit this vulnerability to gain information to conduct additional reconnaissance attacks. The...

CVSS 5.3 · AI score 5.8 · EPSS 0.00523
Exploits 0 · References 3
Source: ThreatPost · added 2017/02/02 2:56 p.m. · 10 views

Printing and Marketing Firm Leaks High-Profile Customers' Data

Franchise Services, the parent company of a number of large print and design companies, said it is investigating claims that sensitive customer data stored by one of its franchisees is accessible online. The data dates back to 2010 and ranges from sensitive health records belonging to a former...

AI score 0.4
Exploits 0 · References 2
Source: ThreatPost · added 2010/03/01 6:43 p.m. · 7 views

Wyndham Hotels Hit Again By Hackers

Hackers broke into computer systems at Wyndham Hotels & Resorts recently, stealing sensitive customer data. The break-in occurred between late October 2009 and January 2010, when it was finally discovered. This is the third data breach reported by Wyndham in the past year. Read the full article...

AI score 2.1
Exploits 0 · References 2
Source: exploitpack · added 2002/08/10 12:00 a.m. · 20 views

Midicart ASP - Remote Customer Information Retrieval

Source: https://www.securityfocus.com/bid/5438/info
Midicart ASP is a commercially available e-commerce solution distributed by Coxco Support. It is available for the Microsoft Windows operating system. The default installation of Midicart ASP...

AI score 0.1
Exploits 0
Source: Cvelist · added 2001/09/12 4:00 a.m. · 17 views

CVE-1999-1374

perlshop.cgi shopping cart program stores sensitive customer information in directories and files that are under the web root, which allows remote attackers to obtain that information via an HTTP request...

AI score 6.3 · EPSS 0.00559
Exploits 1 · References 1