https://feed.craftedsignal.io/tags/idor/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 02 May 2026 14:16:17 +0000https://feed.craftedsignal.io/briefs/2026-05-wordpress-wcfm-idor/Sat, 02 May 2026 14:16:17 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-wordpress-wcfm-idor/The WCFM plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including administrators.The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin, a popular WordPress plugin, is affected by an Insecure Direct Object Reference (IDOR) vulnerability. This flaw, present in versions up to and including 6.7.25, stems from a lack of proper validation on the customerid parameter within the wcfm_delete_wcfm_customer function. An attacker with Vendor-level privileges or higher can exploit this vulnerability to delete any user account on the WordPress instance, including those with administrative rights. This can lead to complete compromise of the affected website.

Attack Chain

1. An attacker authenticates to the WordPress site with Vendor-level access or higher.
2. The attacker crafts a malicious HTTP request targeting the wcfm_delete_wcfm_customer function.
3. The attacker includes the customerid parameter in the request, setting its value to the ID of the target user account they wish to delete.
4. Due to the missing validation on the customerid parameter, the application directly uses the provided ID to locate the user account.
5. The wcfm_delete_wcfm_customer function proceeds to delete the user account identified by the attacker-supplied customerid.
6. The targeted user account is successfully deleted from the WordPress instance.
7. If the deleted user account was an administrator, the attacker can effectively take control of the website.

Impact

Successful exploitation of this IDOR vulnerability allows an attacker to delete arbitrary user accounts, including those with administrative privileges. This can lead to a complete compromise of the affected WordPress website. An attacker could then deface the website, steal sensitive data, or use it to launch further attacks. Due to the popularity of the plugin, a large number of WooCommerce stores are potentially affected.

Recommendation

• Apply the latest available patch or upgrade to a version of the WCFM plugin greater than 6.7.25 to remediate CVE-2026-2554.
• Monitor web server logs for suspicious requests to wcfm_delete_wcfm_customer with unusual customerid values, using the Sigma rule provided below.
• Implement input validation on the customerid parameter within the wcfm_delete_wcfm_customer function to prevent arbitrary user deletion.

]]>highadvisoryidorwordpresswoocommerceaccount-deletionhttps://feed.craftedsignal.io/briefs/2026-05-zyosoft-school-app-idor/Sat, 02 May 2026 10:16:19 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-zyosoft-school-app-idor/Zyosoft's School App contains an Insecure Direct Object Reference vulnerability (CVE-2026-7491) that allows authenticated remote attackers to modify parameters and access or modify other users' data.The Zyosoft School App is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability identified as CVE-2026-7491. This flaw allows authenticated remote attackers to bypass authorization controls by modifying specific parameters within the application’s requests. By manipulating these parameters, attackers can gain unauthorized access to sensitive data belonging to other users, as well as modify that data. Successful exploitation allows unauthorized data access and modification, potentially leading to data breaches, privacy violations, and manipulation of user accounts. Defenders should prioritize identifying and mitigating this vulnerability to prevent potential abuse.

Attack Chain

1. An attacker authenticates to the Zyosoft School App using valid credentials.
2. The attacker identifies a request that includes a user-controlled parameter referencing a specific object (e.g., user ID, record number).
3. The attacker modifies the value of this parameter to reference a different object belonging to another user.
4. The attacker sends the modified request to the server.
5. The server, lacking proper authorization checks, processes the request using the attacker-supplied object reference.
6. The server returns the data associated with the targeted user’s object to the attacker.
7. The attacker can further modify parameters to alter the data of the targeted user.
8. The attacker successfully reads or modifies the targeted user’s data without proper authorization.

Impact

Successful exploitation of CVE-2026-7491 allows authenticated attackers to read and modify other users’ data within the Zyosoft School App. This can lead to severe consequences, including unauthorized access to sensitive student or staff information, modification of grades or attendance records, and potential data breaches. The number of affected users depends on the app’s deployment size, but any instance is vulnerable. This issue could affect any educational institution using the Zyosoft School App.

Recommendation

• Inspect web server logs for requests containing unusual parameter modifications, specifically those referencing user IDs or other sensitive data fields (webserver logs).
• Deploy the Sigma rule provided below to detect attempts to access or modify resources using potentially manipulated object references (Sigma rule).
• Implement robust authorization checks in the Zyosoft School App to verify that users only have access to resources they are explicitly authorized to access.
• Contact Zyosoft for a patch addressing CVE-2026-7491.

]]>highadvisoryidorvulnerabilityweb applicationcve-2026-7491https://feed.craftedsignal.io/briefs/2026-04-langflow-idor/Thu, 30 Apr 2026 21:16:33 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-langflow-idor/IBM Langflow Desktop versions 1.0.0 through 1.8.4 are vulnerable to an indirect object reference (IDOR) vulnerability (CVE-2026-4503), allowing unauthenticated users to view other users' images due to a user-controlled key.IBM Langflow Desktop versions 1.0.0 through 1.8.4 are susceptible to an indirect object reference (IDOR) vulnerability, designated as CVE-2026-4503. This flaw enables unauthenticated attackers to access and view images belonging to other users. The vulnerability arises from the application’s reliance on a user-controlled key to reference objects, which can be manipulated to bypass authorization checks and gain unauthorized access to sensitive image data. This poses a risk to user privacy and data security, as attackers can potentially view confidential or personal images without proper authentication.

Attack Chain

1. An unauthenticated attacker identifies a user-controlled key used to reference image objects within Langflow Desktop.
2. The attacker modifies this key to point to another user’s image object.
3. The attacker sends a request to the Langflow Desktop application using the modified key.
4. The application, due to the IDOR vulnerability, fails to properly validate the attacker’s authorization to access the requested image object.
5. The application retrieves and returns the image data associated with the targeted user’s image.
6. The attacker views the image without authentication.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to view other users’ images within IBM Langflow Desktop. This can lead to a breach of privacy, as sensitive or personal images may be exposed. The number of affected users depends on the number of installations of Langflow Desktop within the vulnerable version range (1.0.0 through 1.8.4).

Recommendation

• Apply the security patch or upgrade to a version of IBM Langflow Desktop that addresses CVE-2026-4503 as detailed in the IBM advisory.
• Implement stricter authorization checks on image object references to prevent unauthorized access, mitigating CVE-2026-4503.

]]>mediumadvisoryidorvulnerabilityprivilege-escalationhttps://feed.craftedsignal.io/briefs/2026-04-crafty-controller-idor/Tue, 21 Apr 2026 17:16:57 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-crafty-controller-idor/Crafty Controller's Users API component contains an insecure direct object reference vulnerability, allowing a remote, authenticated attacker to perform unauthorized user modification actions due to improper API permissions validation (CVE-2026-5652).An insecure direct object reference (IDOR) vulnerability has been identified in the Users API component of Crafty Controller. This flaw, designated as CVE-2026-5652, allows a remote, authenticated attacker to bypass authorization controls and perform unauthorized user modification actions. The vulnerability stems from improper API permissions validation, enabling malicious actors with valid credentials but insufficient privileges to manipulate user accounts beyond their authorized scope. This poses a significant risk to the confidentiality, integrity, and availability of the Crafty Controller system and its users. Successful exploitation could lead to privilege escalation, data breaches, and service disruption.

Attack Chain

1. An attacker authenticates to the Crafty Controller application with a low-privileged user account.
2. The attacker identifies the Users API endpoint responsible for user modification actions.
3. The attacker crafts a malicious API request, manipulating the user ID parameter to target a different user account than the one associated with their credentials.
4. The attacker sends the crafted API request to the Crafty Controller server.
5. Due to the insecure direct object reference vulnerability, the application fails to properly validate the attacker’s permissions against the target user account.
6. The application processes the request and modifies the target user account according to the attacker’s specifications.
7. The attacker successfully modifies user attributes like password, permissions, or other sensitive data of the targeted user.
8. The attacker escalates privileges by modifying another administrator account, granting themselves full access to the application.

Impact

Successful exploitation of CVE-2026-5652 allows an attacker to perform unauthorized user modifications, potentially leading to privilege escalation and complete control over the Crafty Controller application. The CVSS v3.1 base score of 9.0 reflects the critical severity of this vulnerability. The number of potential victims is directly correlated to the number of Crafty Controller installations. Depending on the scope of the system, the consequences may include data breaches, financial loss, and reputational damage.

Recommendation

• Apply available patches or updates from Crafty Controller to address CVE-2026-5652 as soon as possible.
• Implement robust authorization checks on the Users API to ensure that users can only modify their own accounts or accounts they are explicitly authorized to manage.
• Deploy the Sigma rule provided to detect suspicious user modification activity.
• Monitor API access logs for attempts to access or modify user accounts outside the user’s authorized scope.

]]>criticaladvisoryidorprivilege-escalationcve-2026-5652https://feed.craftedsignal.io/briefs/2026-04-paperclip-idor/Thu, 16 Apr 2026 22:49:46 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-paperclip-idor/A Paperclip API vulnerability allows a board user from one company to create, list, and revoke agent API keys in another company, leading to full cross-tenant compromise due to insufficient authorization checks on `/agents/:id/keys` routes.A critical vulnerability exists in the Paperclip control-plane API, specifically in versions prior to 2026.416.0. The vulnerability allows a board user with membership in one company (e.g., Company A) to manipulate agent API keys for agents belonging to a different company (e.g., Company B). This is due to an Insecure Direct Object Reference (IDOR) in the /agents/:id/keys routes (GET, POST, DELETE) where the API only validates the user’s board-type session but fails to verify access to the company owning the target agent. By exploiting this flaw, an attacker can mint a new agent API key for an agent in the victim tenant, granting them full agent-level access within that tenant. This cross-tenant compromise allows the attacker to execute workflows, read data, and call any endpoint authorized for agents in the victim tenant, effectively breaching tenant isolation. The vulnerability was introduced due to missing company access checks in the key-management routes.

Attack Chain

1. The attacker authenticates as a board user within Company A.
2. The attacker discovers or obtains the UUID of an agent belonging to Company B.
3. The attacker sends a POST request to /agents/<VICTIM_COMPANY_B_AGENT_ID>/keys with a name to create a new API key.
4. The server, lacking proper authorization checks, creates a new API key associated with the victim agent’s companyId and returns the cleartext token.
5. The attacker uses the newly minted agent token in the Authorization header to authenticate subsequent requests.
6. The server’s authentication middleware incorrectly sets the req.actor to an agent type associated with the victim’s company.
7. The attacker successfully accesses resources and executes actions within Company B’s tenant, bypassing company access checks.
8. The attacker can enumerate and revoke existing keys using the /agents/:id/keys and /agents/:id/keys/:keyId endpoints, causing denial of service to legitimate users.

Impact

This vulnerability leads to a full cross-tenant compromise. An attacker can gain unauthorized access to any tenant within the Paperclip instance, provided they have a minimal valid account (board user in any company) and a victim agent UUID. This allows the attacker to execute workflows, read sensitive data, and call any authorized endpoint within the victim tenant, leading to complete confidentiality, integrity, and availability loss. Furthermore, the attacker can revoke legitimate agent keys, resulting in a denial of service. This represents a scope change, where a vulnerability in Company A’s scoping checks results in catastrophic impact within Company B’s tenant.

Recommendation

• Implement explicit company-access checks on the /agents/:id/keys (GET, POST) and /agents/:id/keys/:keyId (DELETE) routes before interacting with the service layer. This directly addresses the core issue as described in the advisory’s “Recommended Fix” section.
• Deploy the Sigma rule Detect Paperclip Cross-Tenant API Key Creation to identify unauthorized API key creation attempts.
• Deploy the Sigma rule Detect Paperclip Cross-Tenant API Access to detect unauthorized access using stolen agent tokens.
• Upgrade to npm/@paperclipai/server version 2026.416.0 or later to patch the vulnerability as mentioned in the advisory’s “Affected Packages” section.

]]>criticaladvisoryidorcross-tenantapipaperclipprivilege-escalationhttps://feed.craftedsignal.io/briefs/2026-04-chamilo-idor/Fri, 10 Apr 2026 18:16:42 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-chamilo-idor/An Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS (CVE-2026-32930) allows authenticated teachers to modify gradebook evaluation settings of other courses by manipulating the 'editeval' GET parameter, leading to unauthorized data modification.Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability, identified as CVE-2026-32930. This flaw exists in the gradebook evaluation edit page. An authenticated teacher can exploit this vulnerability to view and modify the settings (name, max score, weight) of evaluations belonging to other courses. This is achieved by manipulating the editeval GET parameter. Successful exploitation allows unauthorized modification of gradebook settings, potentially affecting student grades and overall course integrity. The vulnerability was patched in versions 1.11.38 and 2.0.0-RC.3. This affects any Chamilo LMS instance running a vulnerable version accessible to authenticated users.

Attack Chain

1. An attacker authenticates to Chamilo LMS as a teacher.
2. The attacker navigates to the gradebook section of a course they have access to.
3. The attacker identifies the URL used to edit an evaluation, noting the editeval parameter and its associated value.
4. The attacker modifies the editeval parameter value to reference an evaluation ID from a different course.
5. The attacker submits the modified request to the Chamilo LMS server.
6. The server, due to the IDOR vulnerability, processes the request without proper authorization checks.
7. The attacker is able to view and modify the settings (name, max score, weight) of the evaluation belonging to the other course.
8. The attacker saves the changes, which are then reflected in the gradebook of the targeted course.

Impact

The successful exploitation of CVE-2026-32930 can lead to unauthorized modification of gradebook evaluation settings. This could result in inaccurate grades, unfair assessment of students, and overall compromise of the learning environment’s integrity. Given that Chamilo LMS is used by educational institutions worldwide, a successful attack could affect a large number of students and teachers. The unauthorized changes could disrupt the educational process and erode trust in the system.

Recommendation

• Upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-32930, as indicated in the overview.
• Deploy the Sigma rule Detect Chamilo Gradebook Edit Request to identify attempts to exploit this IDOR vulnerability by monitoring for suspicious editeval parameter modifications.
• Review web server logs for requests containing the editeval parameter where the associated value appears out of sequence with the user’s course access, related to the Sigma rule.

]]>highadvisoryidorchamilolmscve-2026-32930https://feed.craftedsignal.io/briefs/2026-04-amelia-idor/Tue, 07 Apr 2026 07:16:24 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-amelia-idor/The Amelia WordPress plugin is vulnerable to an insecure direct object reference, allowing authenticated attackers with Provider-level access or higher to escalate privileges and gain persistence by taking over any WordPress account, including Administrator by manipulating the `externalId` field.The Amelia WordPress plugin, specifically the “Booking for Appointments and Events Calendar”, contains an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2026-5465) in versions up to and including 2.1.3. This flaw resides within the UpdateProviderCommandHandler and stems from insufficient validation when a Provider (Employee) user modifies their profile. The critical issue is the ability to manipulate the externalId field, which directly corresponds to a WordPress user ID. By injecting an arbitrary externalId value during a profile update, an authenticated attacker with Provider-level access or higher can bypass authorization checks. This oversight permits the attacker to execute functions such as wp_set_password() and wp_update_user() on behalf of any other user, including those with Administrator privileges. This vulnerability allows for complete account takeover, representing a significant risk for organizations utilizing the vulnerable plugin.

Attack Chain

1. An attacker gains authenticated access to a WordPress instance with the Amelia plugin installed, possessing at least Provider (Employee) level privileges.
2. The attacker navigates to their user profile within the Amelia plugin interface.
3. The attacker intercepts the HTTP request generated when updating their profile using a tool like Burp Suite or browser developer tools.
4. The attacker modifies the externalId parameter within the intercepted HTTP request, replacing its original value with the WordPress user ID of the target account they wish to compromise (e.g., the Administrator account, typically user ID 1).
5. The attacker sends the modified HTTP request to the server.
6. Due to the IDOR vulnerability, the UpdateProviderCommandHandler fails to validate the manipulated externalId value.
7. The Amelia plugin’s backend utilizes the attacker-controlled externalId to call wp_set_password() and/or wp_update_user() on the target account.
8. The attacker successfully changes the password or other profile details of the target account, achieving complete account takeover and escalating privileges.

Impact

Successful exploitation of CVE-2026-5465 allows an attacker with minimal privileges (Provider/Employee role) to compromise any other account on the WordPress instance, including Administrator accounts. This grants the attacker full control over the WordPress site, enabling them to install malicious plugins, modify content, exfiltrate sensitive data, or further compromise the underlying server. The number of potential victims is directly proportional to the number of websites utilizing the vulnerable Amelia plugin. Given the plugin’s popularity, a successful mass exploitation could impact thousands of websites across various sectors.

Recommendation

• Immediately update the Amelia WordPress plugin to the latest version (greater than 2.1.3) to patch CVE-2026-5465.
• Monitor web server logs for POST requests to the /wp-admin/admin-ajax.php endpoint with the action parameter set to am_update_provider and a modified externalId parameter in the request body. Implement the Sigma rule Detect Amelia Plugin IDOR Attack to detect such activity.
• Implement strong password policies and multi-factor authentication for all WordPress accounts, including those with limited privileges, to mitigate the impact of potential account compromises.
• Review and audit existing WordPress user accounts and their assigned roles to identify and remove any unnecessary or excessive privileges.

]]>criticaladvisorywordpressameliaidorprivilege-escalationhttps://feed.craftedsignal.io/briefs/2024-01-26-brave-cms-idor/Mon, 06 Apr 2026 20:16:26 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-26-brave-cms-idor/Brave CMS versions prior to 2.0.6 are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability allowing authenticated users with edit permissions to delete images attached to articles owned by other users due to missing ownership verification in the deleteImage method.Brave CMS, an open-source content management system, is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability in versions prior to 2.0.6. The vulnerability resides within the deleteImage method in app/Http/Controllers/Dashboard/ArticleController.php. This flaw allows an authenticated user with edit permissions, regardless of article ownership, to delete images associated with other users’ articles. The root cause is the lack of proper ownership validation when processing image deletion requests. An attacker can exploit this vulnerability by crafting requests with the filenames of images belonging to other users’ articles, leading to unauthorized image deletion and potential data integrity issues. This issue was resolved in version 2.0.6 of Brave CMS.

Attack Chain

1. Attacker authenticates to the Brave CMS application with an account that has edit permissions.
2. Attacker identifies the filename of an image attached to an article that they do not own. This can be achieved through inspecting the HTML source code of the article page or by querying the database directly (if accessible).
3. Attacker crafts a malicious HTTP request targeting the deleteImage endpoint (app/Http/Controllers/Dashboard/ArticleController.php).
4. The malicious request includes the filename of the target image in the URL parameters.
5. The deleteImage method processes the request without verifying if the authenticated user owns the article to which the image is attached.
6. The application deletes the specified image file from the server’s file system.
7. The link to the deleted image in the target article is broken.
8. The victim user, who owns the article, notices the missing image.

Impact

Successful exploitation of this IDOR vulnerability in Brave CMS versions prior to 2.0.6 allows attackers with edit permissions to arbitrarily delete images from articles they do not own. This can lead to data integrity issues, content manipulation, and potential denial of service by removing important visual elements from the website. The impact is limited to users with edit permissions within the CMS, but can affect any article and its associated media. The CVSS v3.1 base score for this vulnerability is 7.1.

Recommendation

• Upgrade Brave CMS to version 2.0.6 or later to patch the CVE-2026-35183 vulnerability.
• Implement the Sigma rule Detect Brave CMS Image Deletion Attempt to detect unauthorized image deletion attempts by monitoring HTTP requests to the deleteImage endpoint.
• Review and harden access control policies within the Brave CMS application to ensure proper ownership validation for sensitive operations, such as image deletion.

]]>mediumadvisoryidorbrave-cmsvulnerabilityhttps://feed.craftedsignal.io/briefs/2026-03-langflow-idor/Fri, 27 Mar 2026 19:36:23 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-langflow-idor/Langflow versions 1.5.0 and earlier contain an IDOR vulnerability (CVE-2026-34046) that allows authenticated users to read, modify, and delete flows belonging to other users due to a missing ownership check, potentially exposing sensitive information and enabling unauthorized control over AI agent logic.Langflow, a platform for building AI agents, suffered from an Insecure Direct Object Reference (IDOR) vulnerability affecting versions 1.5.0 and earlier. This flaw, identified as CVE-2026-34046, resided in the _read_flow helper function within the src/backend/base/langflow/api/v1/flows.py file. The vulnerability arose from a conditional check related to the AUTO_LOGIN setting, which inadvertently bypassed ownership validation when authentication was enabled. As a result, any authenticated…

]]>highadvisoryidorlangflowvulnerability