WP Spell Check < 9.18 - Cross-Site Request Forgery
Description The WP Spell Check plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.17. This is due to missing or incorrect nonce validation on the wpscxadminemptyrender function. This makes it possible for unauthenticated attackers to update an...
avalex – Automatisch sichere Rechtstexte < 3.0.9 - Missing Authorization
Description The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the saveApiKey function hooked via admininit in all versions up to, and including, 3.0.8. This makes it possible for unauthenticated attackers to modify the API key for the plugin...
PT-2024-2594 · Elastic · Elasticsearch
Name of the Vulnerable Software and Affected Versions: Elasticsearch versions 8.10.0 through 8.12.x Description: The issue is related to an Incorrect Authorization problem in the API key based security model for Remote Cluster Security, which is currently in Beta. This allows a malicious user wit...
CVE-2023-6875
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7...
Design/Logic Flaw
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7...
CVE-2023-6875
WordPress POST SMTP Mailer plugin (
POST SMTP Mailer < 2.8.8 - Authorization Bypass via type connect-app API
Description The plugin is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to...
Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin
On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000+ active installations. This vulnerability makes it possible for unauthenticated threat actor...
PT-2024-1238 · WordPress · Post Smtp Mailer
Name of the Vulnerable Software and Affected Versions: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress versions up to, and including, 2.8.7 Description: The issue is related to a type juggling problem on the connect-app REST...
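The POST SMTP Mailer entries above all describe the same root cause: a type juggling problem in the token check on the connect-app REST endpoint. None of the listings show the plugin's actual comparison, so the following is an added example, not the plugin's code. It models a REST-style token check that reads its parameter from a JSON body, in the loose-comparison shape that produces this class of bypass, next to a strict version; the stored token, the parameter name `token` and the request bodies are constructed for the example.

```php
<?php
// Added example, not POST SMTP Mailer's code. Models a REST-style token
// check that reads its parameter from a JSON body. The stored token and
// request bodies below are constructed sample data.

// Sample stored secret (constructed): a non-numeric string.
const STORED_TOKEN = 'sk_live_c9d2e4f6a8b0';

// VULNERABLE: == applies PHP's type juggling. Because json_decode() hands
// back whatever type the client sent, the attacker controls the type of
// $supplied, not only its value.
function token_matches_loose( string $stored, $supplied ): bool {
    return $stored == $supplied;
}

// HARDENED: reject anything that is not a string, then compare in
// constant time. hash_equals() also returns false on a length mismatch.
function token_matches_strict( string $stored, $supplied ): bool {
    if ( ! is_string( $supplied ) ) {
        return false;
    }
    return hash_equals( $stored, $supplied );
}

// Pull the token out of a JSON request body, preserving its JSON type.
function token_from_body( string $json ) {
    $data = json_decode( $json, true );
    if ( ! is_array( $data ) || ! array_key_exists( 'token', $data ) ) {
        return null;
    }
    return $data['token'];
}

// Constructed request bodies. The comments state PHP's comparison rule
// for each; run the file to see the result on your PHP version.
$bodies = [
    // bool vs string: the string is cast to bool, so any non-empty string
    // other than "0" equals true. Holds on every PHP version.
    '{"token": true}',
    // int vs non-numeric string: PHP < 8 casts the string to 0 and matches;
    // PHP >= 8 compares both as strings and does not.
    '{"token": 0}',
    // wrong string: never matches.
    '{"token": "guess"}',
    // the real token: matches under both comparisons.
    '{"token": "sk_live_c9d2e4f6a8b0"}',
];

foreach ( $bodies as $body ) {
    $supplied = token_from_body( $body );
    printf(
        "%-40s loose=%-5s strict=%s\n",
        $body,
        var_export( token_matches_loose( STORED_TOKEN, $supplied ), true ),
        var_export( token_matches_strict( STORED_TOKEN, $supplied ), true )
    );
}

// Second hazard when the secret is a hex hash: two different "0e<digits>"
// strings are both numeric strings equal to zero, so == treats them as
// equal on every PHP version, while hash_equals() does not.
$hash_like = '0e830400451993494058024219903391'; // constructed numeric-string secret
printf(
    "%-40s loose=%-5s strict=%s\n",
    '0e-style hash vs "0e1"',
    var_export( token_matches_loose( $hash_like, '0e1' ), true ),
    var_export( token_matches_strict( $hash_like, '0e1' ), true )
);
```

The practical check for a plugin review is therefore not only "is the token compared" but "with which operator and against which type": any `==` between a stored secret and a value that came through `json_decode()` or `$_REQUEST` is suspect, and the fix is a type check followed by `hash_equals()` (or `===` where timing is not a concern).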
Information Disclosure
org.owasp/dependency-check is vulnerable to Information Disclosure. The vulnerability is due to the nvdApiKey not being masked because it doesn't match the specified patterns. As a result, when debug mode is enabled using mvn -X, the API key is logged in clear text. This exposes the NVD API key...
nvdApiKey is logged in debug mode
Summary The value of nvdApiKey configuration parameter is logged in clear text in debug mode. Details The NVD API key is a kind of secret and should be treated like other secrets when logging in debug mode. Expecting the same behavior as for several password configurations: just print Note that...
PT-2023-32948 · Unknown · Dependencycheck For Ant +2
Name of the Vulnerable Software and Affected Versions: DependencyCheck for Maven versions 9.0.0 through 9.0.6 DependencyCheck for CLI versions 9.0.0 through 9.0.5 DependencyCheck for Ant versions 9.0.0 through 9.0.5 Description: The issue allows an attacker to recover the NVD API Key from a log...
Telegram-Nearby-Map - Discover The Location Of Nearby Telegram Users
Telegram Nearby Map uses OpenStreetMap and the official Telegram library to find the position of nearby users. Please note: Telegram's API was updated a while ago to make nearby user distances less precise, preventing exact location calculations. Therefore, Telegram Nearby Map displays users...
AcuAutomate - Unofficial Acunetix CLI Tool For Automated Pentesting And Bug Hunting Across Large Scopes
AcuAutomate is an unofficial Acunetix CLI tool that simplifies automated pentesting and bug hunting across extensive targets. It's a valuable aid during large-scale pentests, enabling the easy launch or stoppage of multiple Acunetix scans simultaneously. Additionally, its versatile functionality...
Gift Up < 2.22 - Settings Update via CSRF
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the consumepost function, allowing unauthenticated attackers to set the plugin's API key and update other plugin settings via a forged request, provided they can trick a site...
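The WP Spell Check, avalex and Gift Up entries above describe the same handler shape: a function hooked on admin_init that writes plugin settings from request parameters, with no nonce check (WP Spell Check, Gift Up) or no capability check (avalex). The following is an added example, not code from any of those plugins, showing that handler shape in its vulnerable form and the hardened form of the same handler. The option name `example_api_key`, the field and nonce names, the nonce action string and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
/*
 * Added example, not code from WP Spell Check, avalex or Gift Up.
 * Models a settings writer hooked on admin_init, as the advisories
 * describe, and the hardened form. Option name, field names, nonce
 * action and capability are assumptions made for this example.
 */

// VULNERABLE PATTERN: every admin_init request carrying the field writes
// the option. No capability check (whoever reaches the hook may write)
// and no nonce (a forged form on another site can make a victim's
// browser send the request). admin_init also fires for unauthenticated
// requests to admin-ajax.php, which is why such handlers are rated as
// reachable by unauthenticated attackers.
function example_save_api_key_vulnerable() {
    if ( isset( $_POST['example_api_key'] ) ) {
        update_option(
            'example_api_key',
            sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
        );
    }
}

// HARDENED: both checks are needed. The capability check alone does not
// stop CSRF (a tricked administrator still holds the capability); the
// nonce alone is not authorization (any logged-in user who can obtain a
// nonce for this action could otherwise write the option).
function example_save_api_key_hardened() {
    if ( ! isset( $_POST['example_api_key'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change this setting.', 403 );
    }
    // Verifies $_POST['example_nonce'] against the action string and the
    // current user's session; dies with HTTP 403 on mismatch.
    check_admin_referer( 'example_save_api_key', 'example_nonce' );

    update_option(
        'example_api_key',
        sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
    );
}
add_action( 'admin_init', 'example_save_api_key_hardened' );

// The settings form must emit the matching nonce field, otherwise the
// legitimate save is rejected along with the forged one.
function example_render_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_api_key', 'example_nonce' ); ?>
        <input type="text" name="example_api_key"
               value="<?php echo esc_attr( get_option( 'example_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of issue, search for `add_action( 'admin_init'` and for direct reads of `$_POST`, `$_GET` or `$_REQUEST` inside the hooked callbacks, then confirm that each write path passes through both a `current_user_can()` check and `check_admin_referer()` (or `wp_verify_nonce()` with an explicit failure branch) before touching `update_option()` or the database.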
CVE-2023-48839
Appointment Scheduler 3.0 is vulnerable to Multiple Stored Cross-Site Scripting XSS issues via the name, pluginsmsapikey, pluginsmscountrycode, calendarid, title, country name, or customername parameter...
CVE-2023-48837
Car Rental Script 3.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code...
CVE-2023-48838
Appointment Scheduler 3.0 is vulnerable to Multiple HTML Injection issues via the SMS API Key or Default Country Code...