{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/idor/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-2554"}],"_cs_exploited":false,"_cs_products":["WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin \u003c= 6.7.25"],"_cs_severities":["high"],"_cs_tags":["idor","wordpress","woocommerce","account-deletion"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin, a popular WordPress plugin, is affected by an Insecure Direct Object Reference (IDOR) vulnerability. This flaw, present in versions up to and including 6.7.25, stems from a lack of proper validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter within the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function. An attacker with Vendor-level privileges or higher can exploit this vulnerability to delete any user account on the WordPress instance, including those with administrative rights. This can lead to complete compromise of the affected website.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with Vendor-level access or higher.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003ecustomerid\u003c/code\u003e parameter in the request, setting its value to the ID of the target user account they wish to delete.\u003c/li\u003e\n\u003cli\u003eDue to the missing validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter, the application directly uses the provided ID to locate the user account.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function proceeds to delete the user account identified by the attacker-supplied \u003ccode\u003ecustomerid\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe targeted user account is successfully deleted from the WordPress instance.\u003c/li\u003e\n\u003cli\u003eIf the deleted user account was an administrator, the attacker can effectively take control of the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this IDOR vulnerability allows an attacker to delete arbitrary user accounts, including those with administrative privileges. This can lead to a complete compromise of the affected WordPress website. An attacker could then deface the website, steal sensitive data, or use it to launch further attacks. Due to the popularity of the plugin, a large number of WooCommerce stores are potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest available patch or upgrade to a version of the WCFM plugin greater than 6.7.25 to remediate CVE-2026-2554.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e with unusual \u003ccode\u003ecustomerid\u003c/code\u003e values, using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter within the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function to prevent arbitrary user deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T14:16:17Z","date_published":"2026-05-02T14:16:17Z","id":"/briefs/2026-05-wordpress-wcfm-idor/","summary":"The WCFM plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including administrators.","title":"WordPress WCFM Plugin Vulnerable to IDOR Leading to Account Deletion","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-wcfm-idor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-7491"}],"_cs_exploited":false,"_cs_products":["School App"],"_cs_severities":["high"],"_cs_tags":["idor","vulnerability","web application","cve-2026-7491"],"_cs_type":"advisory","_cs_vendors":["Zyosoft"],"content_html":"\u003cp\u003eThe Zyosoft School App is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability identified as CVE-2026-7491. This flaw allows authenticated remote attackers to bypass authorization controls by modifying specific parameters within the application\u0026rsquo;s requests. By manipulating these parameters, attackers can gain unauthorized access to sensitive data belonging to other users, as well as modify that data. Successful exploitation allows unauthorized data access and modification, potentially leading to data breaches, privacy violations, and manipulation of user accounts. Defenders should prioritize identifying and mitigating this vulnerability to prevent potential abuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Zyosoft School App using valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a request that includes a user-controlled parameter referencing a specific object (e.g., user ID, record number).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the value of this parameter to reference a different object belonging to another user.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the modified request to the server.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper authorization checks, processes the request using the attacker-supplied object reference.\u003c/li\u003e\n\u003cli\u003eThe server returns the data associated with the targeted user\u0026rsquo;s object to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker can further modify parameters to alter the data of the targeted user.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully reads or modifies the targeted user\u0026rsquo;s data without proper authorization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7491 allows authenticated attackers to read and modify other users\u0026rsquo; data within the Zyosoft School App. This can lead to severe consequences, including unauthorized access to sensitive student or staff information, modification of grades or attendance records, and potential data breaches. The number of affected users depends on the app\u0026rsquo;s deployment size, but any instance is vulnerable. This issue could affect any educational institution using the Zyosoft School App.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for requests containing unusual parameter modifications, specifically those referencing user IDs or other sensitive data fields (webserver logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect attempts to access or modify resources using potentially manipulated object references (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement robust authorization checks in the Zyosoft School App to verify that users only have access to resources they are explicitly authorized to access.\u003c/li\u003e\n\u003cli\u003eContact Zyosoft for a patch addressing CVE-2026-7491.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T10:16:19Z","date_published":"2026-05-02T10:16:19Z","id":"/briefs/2026-05-zyosoft-school-app-idor/","summary":"Zyosoft's School App contains an Insecure Direct Object Reference vulnerability (CVE-2026-7491) that allows authenticated remote attackers to modify parameters and access or modify other users' data.","title":"Zyosoft School App Insecure Direct Object Reference Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-zyosoft-school-app-idor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4503"}],"_cs_exploited":false,"_cs_products":["Langflow Desktop"],"_cs_severities":["medium"],"_cs_tags":["idor","vulnerability","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["IBM"],"content_html":"\u003cp\u003eIBM Langflow Desktop versions 1.0.0 through 1.8.4 are susceptible to an indirect object reference (IDOR) vulnerability, designated as CVE-2026-4503. This flaw enables unauthenticated attackers to access and view images belonging to other users. The vulnerability arises from the application\u0026rsquo;s reliance on a user-controlled key to reference objects, which can be manipulated to bypass authorization checks and gain unauthorized access to sensitive image data. This poses a risk to user privacy and data security, as attackers can potentially view confidential or personal images without proper authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a user-controlled key used to reference image objects within Langflow Desktop.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies this key to point to another user\u0026rsquo;s image object.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the Langflow Desktop application using the modified key.\u003c/li\u003e\n\u003cli\u003eThe application, due to the IDOR vulnerability, fails to properly validate the attacker\u0026rsquo;s authorization to access the requested image object.\u003c/li\u003e\n\u003cli\u003eThe application retrieves and returns the image data associated with the targeted user\u0026rsquo;s image.\u003c/li\u003e\n\u003cli\u003eThe attacker views the image without authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to view other users\u0026rsquo; images within IBM Langflow Desktop. This can lead to a breach of privacy, as sensitive or personal images may be exposed. The number of affected users depends on the number of installations of Langflow Desktop within the vulnerable version range (1.0.0 through 1.8.4).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch or upgrade to a version of IBM Langflow Desktop that addresses CVE-2026-4503 as detailed in the IBM advisory.\u003c/li\u003e\n\u003cli\u003eImplement stricter authorization checks on image object references to prevent unauthorized access, mitigating CVE-2026-4503.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T21:16:33Z","date_published":"2026-04-30T21:16:33Z","id":"/briefs/2026-04-langflow-idor/","summary":"IBM Langflow Desktop versions 1.0.0 through 1.8.4 are vulnerable to an indirect object reference (IDOR) vulnerability (CVE-2026-4503), allowing unauthenticated users to view other users' images due to a user-controlled key.","title":"IBM Langflow Desktop Unauthenticated Image Access via IDOR","url":"https://feed.craftedsignal.io/briefs/2026-04-langflow-idor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2026-5652"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["idor","privilege-escalation","cve-2026-5652"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAn insecure direct object reference (IDOR) vulnerability has been identified in the Users API component of Crafty Controller. This flaw, designated as CVE-2026-5652, allows a remote, authenticated attacker to bypass authorization controls and perform unauthorized user modification actions. The vulnerability stems from improper API permissions validation, enabling malicious actors with valid credentials but insufficient privileges to manipulate user accounts beyond their authorized scope. This poses a significant risk to the confidentiality, integrity, and availability of the Crafty Controller system and its users. Successful exploitation could lead to privilege escalation, data breaches, and service disruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Crafty Controller application with a low-privileged user account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the Users API endpoint responsible for user modification actions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request, manipulating the user ID parameter to target a different user account than the one associated with their credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted API request to the Crafty Controller server.\u003c/li\u003e\n\u003cli\u003eDue to the insecure direct object reference vulnerability, the application fails to properly validate the attacker\u0026rsquo;s permissions against the target user account.\u003c/li\u003e\n\u003cli\u003eThe application processes the request and modifies the target user account according to the attacker\u0026rsquo;s specifications.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully modifies user attributes like password, permissions, or other sensitive data of the targeted user.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by modifying another administrator account, granting themselves full access to the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5652 allows an attacker to perform unauthorized user modifications, potentially leading to privilege escalation and complete control over the Crafty Controller application. The CVSS v3.1 base score of 9.0 reflects the critical severity of this vulnerability. The number of potential victims is directly correlated to the number of Crafty Controller installations. Depending on the scope of the system, the consequences may include data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates from Crafty Controller to address CVE-2026-5652 as soon as possible.\u003c/li\u003e\n\u003cli\u003eImplement robust authorization checks on the Users API to ensure that users can only modify their own accounts or accounts they are explicitly authorized to manage.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect suspicious user modification activity.\u003c/li\u003e\n\u003cli\u003eMonitor API access logs for attempts to access or modify user accounts outside the user\u0026rsquo;s authorized scope.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T17:16:57Z","date_published":"2026-04-21T17:16:57Z","id":"/briefs/2026-04-crafty-controller-idor/","summary":"Crafty Controller's Users API component contains an insecure direct object reference vulnerability, allowing a remote, authenticated attacker to perform unauthorized user modification actions due to improper API permissions validation (CVE-2026-5652).","title":"Crafty Controller Users API Insecure Direct Object Reference Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-crafty-controller-idor/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["idor","cross-tenant","api","paperclip","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability exists in the Paperclip control-plane API, specifically in versions prior to 2026.416.0. The vulnerability allows a board user with membership in one company (e.g., Company A) to manipulate agent API keys for agents belonging to a different company (e.g., Company B). This is due to an Insecure Direct Object Reference (IDOR) in the \u003ccode\u003e/agents/:id/keys\u003c/code\u003e routes (GET, POST, DELETE) where the API only validates the user\u0026rsquo;s board-type session but fails to verify access to the company owning the target agent. By exploiting this flaw, an attacker can mint a new agent API key for an agent in the victim tenant, granting them full agent-level access within that tenant. This cross-tenant compromise allows the attacker to execute workflows, read data, and call any endpoint authorized for agents in the victim tenant, effectively breaching tenant isolation. The vulnerability was introduced due to missing company access checks in the key-management routes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates as a board user within Company A.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers or obtains the UUID of an agent belonging to Company B.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/agents/\u0026lt;VICTIM_COMPANY_B_AGENT_ID\u0026gt;/keys\u003c/code\u003e with a name to create a new API key.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper authorization checks, creates a new API key associated with the victim agent\u0026rsquo;s \u003ccode\u003ecompanyId\u003c/code\u003e and returns the cleartext token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly minted agent token in the \u003ccode\u003eAuthorization\u003c/code\u003e header to authenticate subsequent requests.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s authentication middleware incorrectly sets the \u003ccode\u003ereq.actor\u003c/code\u003e to an agent type associated with the victim\u0026rsquo;s company.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully accesses resources and executes actions within Company B\u0026rsquo;s tenant, bypassing company access checks.\u003c/li\u003e\n\u003cli\u003eThe attacker can enumerate and revoke existing keys using the \u003ccode\u003e/agents/:id/keys\u003c/code\u003e and \u003ccode\u003e/agents/:id/keys/:keyId\u003c/code\u003e endpoints, causing denial of service to legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability leads to a full cross-tenant compromise. An attacker can gain unauthorized access to any tenant within the Paperclip instance, provided they have a minimal valid account (board user in any company) and a victim agent UUID. This allows the attacker to execute workflows, read sensitive data, and call any authorized endpoint within the victim tenant, leading to complete confidentiality, integrity, and availability loss. Furthermore, the attacker can revoke legitimate agent keys, resulting in a denial of service. This represents a scope change, where a vulnerability in Company A\u0026rsquo;s scoping checks results in catastrophic impact within Company B\u0026rsquo;s tenant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement explicit company-access checks on the \u003ccode\u003e/agents/:id/keys\u003c/code\u003e (GET, POST) and \u003ccode\u003e/agents/:id/keys/:keyId\u003c/code\u003e (DELETE) routes before interacting with the service layer. This directly addresses the core issue as described in the advisory\u0026rsquo;s \u0026ldquo;Recommended Fix\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Paperclip Cross-Tenant API Key Creation\u003c/code\u003e to identify unauthorized API key creation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Paperclip Cross-Tenant API Access\u003c/code\u003e to detect unauthorized access using stolen agent tokens.\u003c/li\u003e\n\u003cli\u003eUpgrade to npm/@paperclipai/server version 2026.416.0 or later to patch the vulnerability as mentioned in the advisory\u0026rsquo;s \u0026ldquo;Affected Packages\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T22:49:46Z","date_published":"2026-04-16T22:49:46Z","id":"/briefs/2026-04-paperclip-idor/","summary":"A Paperclip API vulnerability allows a board user from one company to create, list, and revoke agent API keys in another company, leading to full cross-tenant compromise due to insufficient authorization checks on `/agents/:id/keys` routes.","title":"Paperclip Cross-Tenant Agent API Key IDOR Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-paperclip-idor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-32930"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["idor","chamilo","lms","cve-2026-32930"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability, identified as CVE-2026-32930. This flaw exists in the gradebook evaluation edit page. An authenticated teacher can exploit this vulnerability to view and modify the settings (name, max score, weight) of evaluations belonging to other courses. This is achieved by manipulating the \u003ccode\u003eediteval\u003c/code\u003e GET parameter. Successful exploitation allows unauthorized modification of gradebook settings, potentially affecting student grades and overall course integrity. The vulnerability was patched in versions 1.11.38 and 2.0.0-RC.3. This affects any Chamilo LMS instance running a vulnerable version accessible to authenticated users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to Chamilo LMS as a teacher.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the gradebook section of a course they have access to.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the URL used to edit an evaluation, noting the \u003ccode\u003eediteval\u003c/code\u003e parameter and its associated value.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eediteval\u003c/code\u003e parameter value to reference an evaluation ID from a different course.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the modified request to the Chamilo LMS server.\u003c/li\u003e\n\u003cli\u003eThe server, due to the IDOR vulnerability, processes the request without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker is able to view and modify the settings (name, max score, weight) of the evaluation belonging to the other course.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the changes, which are then reflected in the gradebook of the targeted course.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-32930 can lead to unauthorized modification of gradebook evaluation settings. This could result in inaccurate grades, unfair assessment of students, and overall compromise of the learning environment\u0026rsquo;s integrity. Given that Chamilo LMS is used by educational institutions worldwide, a successful attack could affect a large number of students and teachers. The unauthorized changes could disrupt the educational process and erode trust in the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-32930, as indicated in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Chamilo Gradebook Edit Request\u003c/code\u003e to identify attempts to exploit this IDOR vulnerability by monitoring for suspicious \u003ccode\u003eediteval\u003c/code\u003e parameter modifications.\u003c/li\u003e\n\u003cli\u003eReview web server logs for requests containing the \u003ccode\u003eediteval\u003c/code\u003e parameter where the associated value appears out of sequence with the user\u0026rsquo;s course access, related to the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T18:16:42Z","date_published":"2026-04-10T18:16:42Z","id":"/briefs/2026-04-chamilo-idor/","summary":"An Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS (CVE-2026-32930) allows authenticated teachers to modify gradebook evaluation settings of other courses by manipulating the 'editeval' GET parameter, leading to unauthorized data modification.","title":"Chamilo LMS Insecure Direct Object Reference Vulnerability (CVE-2026-32930)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-idor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5465"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","amelia","idor","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Amelia WordPress plugin, specifically the \u0026ldquo;Booking for Appointments and Events Calendar\u0026rdquo;, contains an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2026-5465) in versions up to and including 2.1.3. This flaw resides within the \u003ccode\u003eUpdateProviderCommandHandler\u003c/code\u003e and stems from insufficient validation when a Provider (Employee) user modifies their profile. The critical issue is the ability to manipulate the \u003ccode\u003eexternalId\u003c/code\u003e field, which directly corresponds to a WordPress user ID. By injecting an arbitrary \u003ccode\u003eexternalId\u003c/code\u003e value during a profile update, an authenticated attacker with Provider-level access or higher can bypass authorization checks. This oversight permits the attacker to execute functions such as \u003ccode\u003ewp_set_password()\u003c/code\u003e and \u003ccode\u003ewp_update_user()\u003c/code\u003e on behalf of any other user, including those with Administrator privileges. This vulnerability allows for complete account takeover, representing a significant risk for organizations utilizing the vulnerable plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a WordPress instance with the Amelia plugin installed, possessing at least Provider (Employee) level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to their user profile within the Amelia plugin interface.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the HTTP request generated when updating their profile using a tool like Burp Suite or browser developer tools.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eexternalId\u003c/code\u003e parameter within the intercepted HTTP request, replacing its original value with the WordPress user ID of the target account they wish to compromise (e.g., the Administrator account, typically user ID 1).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the modified HTTP request to the server.\u003c/li\u003e\n\u003cli\u003eDue to the IDOR vulnerability, the \u003ccode\u003eUpdateProviderCommandHandler\u003c/code\u003e fails to validate the manipulated \u003ccode\u003eexternalId\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe Amelia plugin\u0026rsquo;s backend utilizes the attacker-controlled \u003ccode\u003eexternalId\u003c/code\u003e to call \u003ccode\u003ewp_set_password()\u003c/code\u003e and/or \u003ccode\u003ewp_update_user()\u003c/code\u003e on the target account.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully changes the password or other profile details of the target account, achieving complete account takeover and escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5465 allows an attacker with minimal privileges (Provider/Employee role) to compromise any other account on the WordPress instance, including Administrator accounts. This grants the attacker full control over the WordPress site, enabling them to install malicious plugins, modify content, exfiltrate sensitive data, or further compromise the underlying server. The number of potential victims is directly proportional to the number of websites utilizing the vulnerable Amelia plugin. Given the plugin\u0026rsquo;s popularity, a successful mass exploitation could impact thousands of websites across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Amelia WordPress plugin to the latest version (greater than 2.1.3) to patch CVE-2026-5465.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eam_update_provider\u003c/code\u003e and a modified \u003ccode\u003eexternalId\u003c/code\u003e parameter in the request body. Implement the Sigma rule \u003ccode\u003eDetect Amelia Plugin IDOR Attack\u003c/code\u003e to detect such activity.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication for all WordPress accounts, including those with limited privileges, to mitigate the impact of potential account compromises.\u003c/li\u003e\n\u003cli\u003eReview and audit existing WordPress user accounts and their assigned roles to identify and remove any unnecessary or excessive privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T07:16:24Z","date_published":"2026-04-07T07:16:24Z","id":"/briefs/2026-04-amelia-idor/","summary":"The Amelia WordPress plugin is vulnerable to an insecure direct object reference, allowing authenticated attackers with Provider-level access or higher to escalate privileges and gain persistence by taking over any WordPress account, including Administrator by manipulating the `externalId` field.","title":"Amelia WordPress Plugin IDOR Vulnerability CVE-2026-5465","url":"https://feed.craftedsignal.io/briefs/2026-04-amelia-idor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-35183"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["idor","brave-cms","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBrave CMS, an open-source content management system, is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability in versions prior to 2.0.6. The vulnerability resides within the \u003ccode\u003edeleteImage\u003c/code\u003e method in \u003ccode\u003eapp/Http/Controllers/Dashboard/ArticleController.php\u003c/code\u003e. This flaw allows an authenticated user with edit permissions, regardless of article ownership, to delete images associated with other users\u0026rsquo; articles. The root cause is the lack of proper ownership validation when processing image deletion requests. An attacker can exploit this vulnerability by crafting requests with the filenames of images belonging to other users\u0026rsquo; articles, leading to unauthorized image deletion and potential data integrity issues. This issue was resolved in version 2.0.6 of Brave CMS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Brave CMS application with an account that has edit permissions.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the filename of an image attached to an article that they do not own. This can be achieved through inspecting the HTML source code of the article page or by querying the database directly (if accessible).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the \u003ccode\u003edeleteImage\u003c/code\u003e endpoint (\u003ccode\u003eapp/Http/Controllers/Dashboard/ArticleController.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious request includes the filename of the target image in the URL parameters.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edeleteImage\u003c/code\u003e method processes the request without verifying if the authenticated user owns the article to which the image is attached.\u003c/li\u003e\n\u003cli\u003eThe application deletes the specified image file from the server\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe link to the deleted image in the target article is broken.\u003c/li\u003e\n\u003cli\u003eThe victim user, who owns the article, notices the missing image.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this IDOR vulnerability in Brave CMS versions prior to 2.0.6 allows attackers with edit permissions to arbitrarily delete images from articles they do not own. This can lead to data integrity issues, content manipulation, and potential denial of service by removing important visual elements from the website. The impact is limited to users with edit permissions within the CMS, but can affect any article and its associated media. The CVSS v3.1 base score for this vulnerability is 7.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Brave CMS to version 2.0.6 or later to patch the CVE-2026-35183 vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Brave CMS Image Deletion Attempt\u003c/code\u003e to detect unauthorized image deletion attempts by monitoring HTTP requests to the \u003ccode\u003edeleteImage\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview and harden access control policies within the Brave CMS application to ensure proper ownership validation for sensitive operations, such as image deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T20:16:26Z","date_published":"2026-04-06T20:16:26Z","id":"/briefs/2024-01-26-brave-cms-idor/","summary":"Brave CMS versions prior to 2.0.6 are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability allowing authenticated users with edit permissions to delete images attached to articles owned by other users due to missing ownership verification in the deleteImage method.","title":"Brave CMS Insecure Direct Object Reference Vulnerability (CVE-2026-35183)","url":"https://feed.craftedsignal.io/briefs/2024-01-26-brave-cms-idor/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["idor","langflow","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLangflow, a platform for building AI agents, suffered from an Insecure Direct Object Reference (IDOR) vulnerability affecting versions 1.5.0 and earlier. This flaw, identified as CVE-2026-34046, resided in the \u003ccode\u003e_read_flow\u003c/code\u003e helper function within the \u003ccode\u003esrc/backend/base/langflow/api/v1/flows.py\u003c/code\u003e file. The vulnerability arose from a conditional check related to the \u003ccode\u003eAUTO_LOGIN\u003c/code\u003e setting, which inadvertently bypassed ownership validation when authentication was enabled. As a result, any authenticated…\u003c/p\u003e\n","date_modified":"2026-03-27T19:36:23Z","date_published":"2026-03-27T19:36:23Z","id":"/briefs/2026-03-langflow-idor/","summary":"Langflow versions 1.5.0 and earlier contain an IDOR vulnerability (CVE-2026-34046) that allows authenticated users to read, modify, and delete flows belonging to other users due to a missing ownership check, potentially exposing sensitive information and enabling unauthorized control over AI agent logic.","title":"Langflow IDOR Vulnerability Allows Cross-User Flow Manipulation","url":"https://feed.craftedsignal.io/briefs/2026-03-langflow-idor/"}],"language":"en","title":"CraftedSignal Threat Feed — Idor","version":"https://jsonfeed.org/version/1.1"}