EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authenticated low-privileged users to exfiltrate all field values from arbitrary Contact, Lead, Account, or User records prior to version 9.3.5. By supplying a target entity's email address as an attacker-controlled lookup key, the endpoint resolves and returns the full record without enforcing read:own or read:team ACL restrictions. A publicly available proof-of-concept exists; active exploitation has not been confirmed at time of analysis (no CISA KEV listing), but the low attack complexity and public POC meaningfully elevate real-world risk.
Insecure Direct Object Reference in WPEverest's User Registration & Membership WordPress plugin (all versions through 5.1.5) allows deletion of arbitrary media attachments by exploiting missing ownership validation on user-controlled attachment IDs. Authenticated users at subscriber level or above can permanently destroy any media file uploaded by any other user, including administrators, by submitting a crafted attachment ID to the plugin's frontend handler. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV; however, the low barrier to exploitation - any registered site user qualifies - elevates practical risk on membership-driven WordPress sites.
Insecure Direct Object Reference in the Meta Field Block WordPress plugin (all versions through 1.5.1) allows authenticated attackers with Contributor-level access to read arbitrary user meta, post meta, and term meta data from any object in the database by supplying unchecked object IDs and types via block attributes. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) confirms this is remotely exploitable with low privilege and no user interaction, with a full confidentiality impact on metadata. Risk is materially elevated on sites running WooCommerce or similar plugins that persist PII - names, billing addresses, phone numbers, emails - in meta fields. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Insecure Direct Object Reference in the Timetable and Event Schedule by MotoPress WordPress plugin (all versions through 2.4.16) allows authenticated contributors to bypass object-level authorization and read non-public content belonging to other users. The vulnerability exists in the action_get_event_data AJAX action, which accepts a user-controlled timeslot key with no ownership or visibility validation, exposing full WP_Post data - including post_content, post_excerpt, post_status, and post_author - for draft, pending, and private mp-event posts. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Authorization bypass in FOX - Currency Switcher Professional for WooCommerce (all versions through 1.4.6) allows authenticated attackers with Subscriber-level access to impersonate higher-privileged roles - such as wholesale customers or administrators - to obtain discounted or otherwise role-restricted product pricing. The flaw stems from the plugin's fixed user-role pricing engine blindly trusting a client-supplied HTTP request parameter over the server-side session object when resolving a user's role for price calculation. No public exploit is identified at time of analysis, and real-world impact is bounded by a non-default configuration requirement, keeping the CVSS base score at 4.3.
Authenticated cross-client stale result replay in Microsoft UFO's WebSocket task handling allows a low-privileged attacker to retrieve another user's completed automation session output. The framework accepts client-supplied session_id values without verifying ownership, so a requester who knows or can predict a prior session's identifier can hijack its stored result via the normal send_task_end() callback path. No public exploit has been identified at time of analysis, and KEV listing is absent, but the High confidentiality impact (C:H) is significant given UFO orchestrates device automation tasks that may capture sensitive screen content, documents, or credentials.
Identity confusion in GitLab EE's Duo AI workflow runners lets an authenticated, low-privileged user cause specific Duo AI workflows to execute under another user's identity, crossing the trust boundary between accounts (CVSS scope: changed). The flaw stems from improper user identity resolution and affects GitLab Enterprise Edition 18.8 through 18.10.6, 18.11 through 18.11.3, and 19.0, with High confidentiality and integrity impact but no availability impact. No public exploit has been identified, CISA's SSVC marks exploitation as 'none,' and the High attack complexity (AC:H) combined with the 'under certain conditions' caveat indicates exploitation is non-trivial rather than push-button.
An insecure permission check in the UserController.java component of kvf-admin v1.0.0 allows authenticated remote attackers to escalate their privileges. The flaw maps to CWE-639 (Authorization Bypass Through User-Controlled Key), and while publicly available exploit code exists per the referenced GitHub issue, EPSS is very low (0.04%, 13th percentile), indicating limited observed exploitation activity. No CISA KEV listing exists, so this is not confirmed actively exploited.
Unauthorized file download in pretix's export API allows an authenticated attacker to retrieve export files belonging to other users by supplying a UUID not associated with their own account. Affected versions span a wide range from pretix 2024.10.0 through the 2026.4.x series prior to the 2026.4.2 patch. Exploitation is significantly constrained by the CVSS 4.0 AT:P (Attack Requirements: Present) condition - the attacker must independently obtain a valid UUID for a target file, making opportunistic exploitation unlikely absent a secondary information-disclosure weakness. No public exploit code exists and no active exploitation has been identified at time of analysis.
Information disclosure in the BP Better Messages WordPress plugin (versions up to and including 2.14.16) allows remote unauthenticated attackers to read private messaging data belonging to other users by manipulating a user-controlled object identifier (IDOR). The CVSS 3.1 base score is 7.5 with confidentiality-only impact (C:H/I:N/A:N), and there is no public exploit identified at time of analysis. EPSS is very low at 0.03% (10th percentile), indicating no observed widespread exploitation activity.