Total
970 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3282 | 1 Wpeverest | 1 User Registration \& Membership | 2025-07-08 | N/A | 5.3 MEDIUM |
| The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_membership_register_member() due to missing validation on the 'membership_id' user controlled key. This makes it possible for unauthenticated attackers to update any user's membership to any other active or non-active membership type. | |||||
| CVE-2025-3292 | 1 Wpeverest | 1 User Registration \& Membership | 2025-07-08 | N/A | 4.3 MEDIUM |
| The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_update_profile_details() due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to update other user's passwords, if they have access to the user ID and email. | |||||
| CVE-2024-11284 | 1 Chimpgroup | 1 Jobcareer | 2025-07-08 | N/A | 9.8 CRITICAL |
| The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. This is due to the plugin not properly validating a user's identity prior to updating their password through the account_settings_save_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | |||||
| CVE-2024-11285 | 1 Chimpgroup | 1 Jobcareer | 2025-07-08 | N/A | 9.8 CRITICAL |
| The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |||||
| CVE-2025-6942 | 2025-07-03 | N/A | 3.8 LOW | ||
| The distributed engine versions 8.4.39.0 and earlier of Secret Server versions 11.7.49 and earlier can be exploited during an initial authorization event that would allow an attacker to impersonate another distributed engine. | |||||
| CVE-2024-4750 | 1 Buddyboss | 1 Buddyboss | 2025-06-30 | N/A | 5.3 MEDIUM |
| The buddyboss-platform WordPress plugin before 2.6.0 contains an IDOR vulnerability that allows a user to like a private post by manipulating the ID included in the request | |||||
| CVE-2025-3811 | 1 Iqonic | 1 Wpbookit | 2025-06-27 | N/A | 9.8 CRITICAL |
| The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email through the edit_newdata_customer_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |||||
| CVE-2025-3810 | 1 Iqonic | 1 Wpbookit | 2025-06-27 | N/A | 9.8 CRITICAL |
| The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password and email through the edit_profile_data() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses and passwords, including administrators, and leverage that to gain access to their account. | |||||
| CVE-2024-10215 | 1 Iqonic | 1 Wpbookit | 2025-06-27 | N/A | 9.8 CRITICAL |
| The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. | |||||
| CVE-2025-50693 | 1 Phpgurukul | 1 Online Dj Booking Management System | 2025-06-27 | N/A | 6.5 MEDIUM |
| PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php. | |||||
| CVE-2025-25952 | 1 Serosoft | 1 Academia Student Information System | 2025-06-27 | N/A | 6.5 MEDIUM |
| An Insecure Direct Object References (IDOR) in the component /getStudemtAllDetailsById?studentId=XX of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to access sensitive user information via a crafted API request. | |||||
| CVE-2025-3091 | 2025-06-26 | N/A | 7.5 HIGH | ||
| An low privileged remote attacker in possession of the second factor for another user can login as that user without knowledge of the other user`s password. | |||||
| CVE-2025-3625 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 7.1 HIGH |
| A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had completed two-factor authentication (2FA). | |||||
| CVE-2025-3640 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 4.3 MEDIUM |
| A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access. | |||||
| CVE-2025-3636 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 4.3 MEDIUM |
| A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks. | |||||
| CVE-2025-49995 | 2025-06-23 | N/A | 5.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Attachments: from n/a through 1.3.1. | |||||
| CVE-2025-49978 | 2025-06-23 | N/A | 4.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in eyecix JobSearch allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobSearch: from n/a through 2.9.0. | |||||
| CVE-2024-23747 | 1 Modernasistemas | 1 Modernanet Hospital Management System 2024 | 2025-06-20 | N/A | 7.5 HIGH |
| The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability resides in the system's handling of user data access through a /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. By manipulating this id parameter, an attacker can gain access to sensitive medical information. | |||||
| CVE-2024-38447 | 1 Ncia | 1 Advisor Network | 2025-06-20 | N/A | 8.1 HIGH |
| NATO NCI ANET 3.4.1 allows Insecure Direct Object Reference via a modified ID field in a request for a private draft report (that belongs to an arbitrary user). | |||||
| CVE-2024-38446 | 1 Ncia | 1 Advisor Network | 2025-06-20 | N/A | 6.5 MEDIUM |
| NATO NCI ANET 3.4.1 mishandles report ownership. A user can create a report and, despite the restrictions imposed by the UI, change the author of that report to an arbitrary user (without their consent or knowledge) via a modified UUID in a POST request. | |||||