
8780 matches found

Positive Technologies
added 2026/02/11 12:0 a.m. | 8 views

PT-2026-7719

Name of the Vulnerable Software and Affected Versions: Pion DTLS versions 1.0.0 through 3.1.0. Description: Pion DTLS, a Go implementation of Datagram Transport Layer Security, is susceptible to an issue where the use of random nonce generation with AES GCM ciphers allows remote attackers to...

CVSS 9.1 | AI score 5.5 | EPSS 0.00654
Exploits: 2 | References: 132
NVD
added 2026/02/10 6:15 a.m. | 11 views

CVE-2026-0996

The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI Form Builder module in all versions up to, and including, 6.1.14 due to a combination of missing authorization checks, a leaked nonce, and insufficient input sanitization. The vulnerability allows...

CVSS 6.4 | EPSS 0.00277
Exploits: 0 | References: 6
RedhatCVE
added 2026/02/08 1:3 p.m. | 11 views

CVE-2026-1082

The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in inc/settings-page.php. This makes it possible for unauthenticated attackers to modify plugin...

CVSS 4.3 | AI score 5.3 | EPSS 0.00151
Exploits: 0 | References: 1
CVE
added 2026/02/07 8:26 a.m. | 27 views

CVE-2026-1082

The CVE concerns the TITLE ANIMATOR WordPress plugin, where a Cross-Site Request Forgery flaw exists in all versions up to and including 1.0 due to missing nonce validation on the settings-page form handler in inc/settings-page.php. This allows unauthenticated attackers to modify plugin settings ...

CVSS 4.3 | AI score 5.3 | EPSS 0.00151
Exploits: 0 | References: 3
ATTACKERKB
added 2026/02/07 8:26 a.m. | 4 views

CVE-2026-1082

The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in inc/settings-page.php. This makes it possible for unauthenticated attackers to modify plugin...

CVSS 4.3 | AI score 5.3 | EPSS 0.00151
Exploits: 0 | References: 4
EUVD
added 2026/02/07 8:26 a.m. | 6 views

EUVD-2026-5738

The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in inc/settings-page.php. This makes it possible for unauthenticated attackers to modify plugin...

CVSS 4.3 | AI score 5.3 | EPSS 0.00151
Exploits: 0 | References: 3
Cvelist
added 2026/02/07 8:26 a.m. | 26 views

CVE-2026-1082 TITLE ANIMATOR <= 1.0 - Cross-Site Request Forgery to Settings Update

The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in inc/settings-page.php. This makes it possible for unauthenticated attackers to modify plugin...

CVSS 4.3 | EPSS 0.00151
Exploits: 0 | References: 3
Vulnrichment
added 2026/02/07 8:26 a.m. | 4 views

CVE-2026-1082 TITLE ANIMATOR <= 1.0 - Cross-Site Request Forgery to Settings Update

The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in inc/settings-page.php. This makes it possible for unauthenticated attackers to modify plugin...

CVSS 4.3 | AI score 5.3 | EPSS 0.00151
Exploits: 0 | References: 3
Positive Technologies
added 2026/02/07 12:0 a.m. | 6 views

PT-2026-6888

Name of the Vulnerable Software and Affected Versions: TITLE ANIMATOR plugin for WordPress versions prior to 1.0. Description: The software is susceptible to a Cross-Site Request Forgery issue. This is a result of a lack of nonce validation on the settings page form handler located in...

CVSS 4.3 | AI score 5.3 | EPSS 0.00151
Exploits: 0 | References: 5
NVD
added 2026/02/06 9:15 a.m. | 14 views

CVE-2026-1785

The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the CloudSearchListTable class. This makes it possible for unauthenticated...

CVSS 4.3 | EPSS 0.00191
Exploits: 0 | References: 6
OSV
added 2026/02/06 9:15 a.m. | 7 views

CVE-2026-1785

The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the CloudSearchListTable class. This makes it possible for unauthenticated...

CVSS 4.3 | AI score 5.8 | EPSS 0.00191
Exploits: 0 | References: 6
ATTACKERKB
added 2026/02/06 8:25 a.m. | 5 views

CVE-2026-1785

The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the CloudSearchListTable class. This makes it possible for unauthenticated...

CVSS 4.3 | AI score 5.5 | EPSS 0.00191
Exploits: 0 | References: 7
Vulnrichment
added 2026/02/06 8:25 a.m. | 3 views

CVE-2026-1785 Code Snippets <= 3.9.4 - Cross-Site Request Forgery to Cloud Snippet Download/Update Actions

The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the CloudSearchListTable class. This makes it possible for unauthenticated...

CVSS 4.3 | AI score 5.5 | EPSS 0.00191
Exploits: 0 | References: 6
Cvelist
added 2026/02/06 8:25 a.m. | 29 views

CVE-2026-1785 Code Snippets <= 3.9.4 - Cross-Site Request Forgery to Cloud Snippet Download/Update Actions

The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the CloudSearchListTable class. This makes it possible for unauthenticated...

CVSS 4.3 | EPSS 0.00191
Exploits: 0 | References: 6
Packet Storm
added 2026/02/06 12:0 a.m. | 169 views

WordPress Royal Elementor Addons 1.3.78 Shell Upload

WordPress Royal Elementor Addons plugin version 1.3.78 remote shell upload proof of concept exploit. Title: WordPress Royal Elementor Addons 1.3.78 RCE ...

CVSS 9.8 | AI score 5.4 | EPSS 0.81695
Exploits: 18
Positive Technologies
added 2026/02/06 12:0 a.m. | 15 views

PT-2026-6692

Name of the Vulnerable Software and Affected Versions: Code Snippets plugin for WordPress versions up to and including 3.9.4. Description: The Code Snippets plugin for WordPress is susceptible to Cross-Site Request Forgery. This is a result of a lack of nonce validation on the cloud snippet download...

CVSS 4.3 | AI score 5.5 | EPSS 0.00191
Exploits: 0 | References: 10
RedhatCVE
added 2026/02/05 1:22 p.m. | 4 views

CVE-2026-0679

The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'checkfortisnotifyresponse' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order...

CVSS 5.3 | AI score 5.5 | EPSS 0.00345
Exploits: 0 | References: 1
RustSec
added 2026/02/05 12:0 p.m. | 7 views

Nonce Reuse in HPKE Context

The sequence number that is used to compute the AEAD nonce when using a re-usable HPKE context is incremented after each seal or open operation. This sequence number was stored as a u32 and used regular addition on u32 for the increment, meaning in release mode it would silently wrap around to 0...

AI score 5.8
Exploits: 0 | Affected Software: 1
OSV
added 2026/02/05 12:0 p.m. | 6 views

RUSTSEC-2026-0071 Nonce Reuse in HPKE Context

The sequence number that is used to compute the AEAD nonce when using a re-usable HPKE context is incremented after each seal or open operation. This sequence number was stored as a u32 and used regular addition on u32 for the increment, meaning in release mode it would silently wrap around to 0...

CVSS 9.3 | AI score 5.8
Exploits: 0 | References: 3
Vulnrichment
added 2026/02/05 9:13 a.m. | 5 views

CVE-2025-14079 ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the ehcrmticketgeneral function combined with a shared nonce that is exposed to low-privileg...

CVSS 5.3 | AI score 5.4 | EPSS 0.00268
Exploits: 0 | References: 3