Security Risk Category

idor Security Risks

Published vulnerability pages connected to idor. One risk can appear in multiple categories while keeping one canonical page.

idor risks

Showing 6 of 6 published risks.

highEPSS 0.003

Divi Form Builder WordPress Plugin Account Takeover Vulnerability

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update_user() function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific user account, and the handle_register_submission() function only checking if any user is logged in rather than validating permissions for the target user. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address and password of any user account, including administrators, resulting in complete account takeover.

CVE-2026-5523wordpressdividivi-form-builderaccount-takeover

Updated Jul 10, 2026

mediumEPSS 0.002

WP User Frontend Arbitrary Post Overwrite IDOR Vulnerability

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.7 via the 'wpuf_files_data' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite the post_title, post_content, and post_excerpt of any arbitrary post on the site, including posts authored by administrators. Exploitation requires access to any WPUF post submission form; this is achievable by users with no WordPress role, as the wpuf_submit_post AJAX action is gated only by a nonce with no capability check for the downstream post-edit operation.

CVE-2026-12418wordpresswp-user-frontendidorcontent-tampering

Updated Jul 10, 2026

mediumEPSS 0.004

GamiPress WordPress Plugin Activity Log IDOR Vulnerability

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view private GamiPress activity log entries belonging to any user, including badge earnings, points balance changes, and event records from integrated plugins such as WooCommerce, LearnDash, and BuddyPress. This is exploitable by any unauthenticated visitor because the required 'gamipress' nonce is broadcast to all front-end users via wp_localize_script on the wp_enqueue_scripts hook, making the sole authentication barrier trivially bypassable.

CVE-2026-13450wordpressgamipressidorinformation-disclosure

Updated Jul 10, 2026

mediumEPSS 0.004

Hydra Booking WordPress Plugin Booking Details IDOR Vulnerability

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint. This is due to the getBookingDetails() callback only enforcing the tfhb_manage_options capability via tfhb_manage_options_permission(), without verifying that the requested booking belongs to the currently authenticated host (the lookup in getBookingDetailsData() filters solely on the booking id supplied in the URL). This makes it possible for authenticated attackers, with Hydra Host-level access and above (a role created by the plugin which grants tfhb_manage_options), to view sensitive booking records belonging to other hosts, including attendee names, emails, phone numbers, addresses, meeting details, payment method and status, transaction history, and internal notes by iterating booking IDs.

CVE-2026-12433wordpresshydra-bookingidorinformation-disclosure

Updated Jul 10, 2026

highEPSS 0.004

PAVO Pay User-Controlled Key Authorization Bypass Vulnerability

Authorization bypass through User-Controlled key vulnerability in PAVO Financial Technology Solutions Inc. PAVO Pay allows Exploitation of Trusted Identifiers. This issue affects PAVO Pay: through 09072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-1989pavo-payauthorization-bypassfintechidor

Updated Jul 10, 2026

low

macrozheng mall Order Return IDOR Vulnerability

A vulnerability was identified in macrozheng mall up to 1.0.3. This impacts an unknown function of the file /returnApply/create of the component Portal Endpoint. The manipulation of the argument orderId leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor deleted the GitHub issue for this vulnerability without any explanation.

CVE-2026-15186idoraccess-controlmacrozheng-mall

Updated Jul 10, 2026