Weaknesses of type CWE-639
1,597 results

- CVE-2025-49352 | MEDIUM | WordPress Order Cancellation & Returns for WooCommerce plugin <= 1.1.10 - Insecure Direct Object References (IDOR) vulnerability | EPSS 0.2%
- CVE-2026-28736 | MEDIUM | Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix) | EPSS 0.2%
- CVE-2025-15626 | MEDIUM | Authenticated user can bypass authorization in Ribblr - Crochet & Knitting iOS application | EPSS 0.2%
- CVE-2025-41069 | MEDIUM | Insecure Direct Object References (IDOR) in DeporSite of T-Innova DeporSite | EPSS 0.2%
- CVE-2026-13512 | MEDIUM | Databend Tenant client_session_manager.rs state_key authorization | EPSS 0.2%
- CVE-2025-57886 | MEDIUM | WordPress Accessibility Checker by Equalize Digital Plugin <= 1.30.0 - Insecure Direct Object References (IDOR) Vulnerability | EPSS 0.2%
- CVE-2026-23487 | MEDIUM | Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token | EPSS 0.2%
- CVE-2026-25147 | HIGH | OpenEMR's Portal Payment Endpoint Trusts User-Controlled pid | EPSS 0.2%
- CVE-2025-11176 | MEDIUM | Quick Featured Images <= 13.7.2 - Insecure Direct Object Reference to Image Manipulation | EPSS 0.2%
- CVE-2026-1881 | MEDIUM | Broadstreet <= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta | EPSS 0.2%
- CVE-2026-6008 | MEDIUM | IDOR in Im Park's DijiDemi | EPSS 0.2%
- CVE-2025-13932 | HIGH | The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any au | EPSS 0.2%
- CVE-2026-27397 | MEDIUM | WordPress Really Simple Security Pro plugin <= 9.5.4.0 - Insecure Direct Object References (IDOR) vulnerability | EPSS 0.2%
- CVE-2026-47713 | LOW | AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration | EPSS 0.2%
- CVE-2026-9712 | LOW | Insecure direct object reference | EPSS 0.2%
- CVE-2026-9228 | MEDIUM | Timetable and Event Schedule by MotoPress <= 2.4.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via action_get_event_data Function | EPSS 0.2%
- CVE-2026-5396 | HIGH | Fluent Forms <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter | EPSS 0.2%
- CVE-2026-30843 | CRITICAL | Wekan has Cross-Board IDOR in Custom Fields Update Endpoints | EPSS 0.2%
- CVE-2025-67298 | HIGH | An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile | EPSS 0.2%
- CVE-2026-3073 | MEDIUM | Authorization Bypass Through User-Controlled Key in GitLab | EPSS 0.2%