Total
1149 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-64282 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in RadiusTheme Radius Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Radius Blocks: from n/a through 2.2.1. | ||||
| CVE-2025-63043 | 2 Pickplugins, Wordpress | 2 Post Grid, Wordpress | 2025-12-19 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.3.19. | ||||
| CVE-2025-64011 | 1 Nextcloud | 2 Nextcloud Server, Server | 2025-12-19 | 4.3 Medium |
| Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions. | ||||
| CVE-2025-43732 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-19 | 2.7 Low |
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 is vulnerable to Insecure Direct Object Reference (IDOR) in the groupId parameter of the _com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId. When an organization administrator modifies this parameter id value, they can gain unauthorized access to user lists from other organizations. | ||||
| CVE-2025-10019 | 2 Codepeople, Wordpress | 2 Contact Form Email, Wordpress | 2025-12-19 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.60. | ||||
| CVE-2025-13110 | 2 Realmag777, Wordpress | 2 Huskys Products Filter Professional For Woocommerce, Wordpress | 2025-12-19 | 4.3 Medium |
| The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators. | ||||
| CVE-2025-67985 | 1 Wordpress | 1 Wordpress | 2025-12-18 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Document Library Lite: from n/a through <= 1.1.7. | ||||
| CVE-2025-64012 | 1 Invoiceplane | 1 Invoiceplane | 2025-12-18 | 4.3 Medium |
| InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data. | ||||
| CVE-2025-11924 | 1 Wordpress | 1 Wordpress | 2025-12-18 | 7.5 High |
| The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective. | ||||
| CVE-2025-14101 | 1 Gg Soft | 1 Paperwork | 2025-12-18 | 7.1 High |
| Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers.This issue affects PaperWork: from 5.2.0.9427 before 6.0. | ||||
| CVE-2025-67165 | 1 Pagekit | 1 Pagekit | 2025-12-18 | 9.8 Critical |
| An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges. | ||||
| CVE-2025-58137 | 1 Apache | 1 Fineract | 2025-12-18 | 8.1 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release. | ||||
| CVE-2020-36895 | 1 Eibiz | 1 I-media Server Digital Signage | 2025-12-17 | 7.5 High |
| EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposing administrative credentials, database connection details, and system configuration information. | ||||
| CVE-2025-66132 | 1 Wordpress | 1 Wordpress | 2025-12-17 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in FAPI Business s.r.o. FAPI Member fapi-member allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FAPI Member: from n/a through <= 2.2.26. | ||||
| CVE-2025-13474 | 1 Menulux | 1 Mobile App | 2025-12-16 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers.This issue affects Mobile App: before 9.5.8. | ||||
| CVE-2023-49251 | 1 Siemens | 2 Simatic Cn 4100, Simatic Cn 4100 Firmware | 2025-12-16 | 8.8 High |
| A vulnerability has been identified in SIMATIC CN 4100 (All versions < V2.7). The "intermediate installation" system state of the affected application allows an attacker to add their own login credentials to the device. This allows an attacker to remotely login as root and take control of the device even after the affected device is fully set up. | ||||
| CVE-2022-0639 | 2 Redhat, Url-parse Project | 2 Rhmt, Url-parse | 2025-12-16 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7. | ||||
| CVE-2025-61148 | 1 Edupluscampus | 2 Edupluscampus, Student Payment Api | 2025-12-16 | 6.5 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students personal and financial records by modifying the 'rec_no' parameter in the /student/get-receipt endpoint. | ||||
| CVE-2025-68071 | 2 G5theme, Wordpress | 2 Essential Real Estate, Wordpress | 2025-12-16 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Real Estate: from n/a through <= 5.2.2. | ||||
| CVE-2025-43803 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-16 | 4.3 Medium |
| Insecure direct object reference (IDOR) vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to view contact information, including the contact’s name and email address, via the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter. | ||||