1825 matches found
CVE-2025-14161 Truefy Embed <= 1.1.0 - Cross-Site Request Forgery to 'truefy_embed_options_update' Settings Update
The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefy_embed_options_update' settings update action. This makes it possible for unauthenticated attackers to update the...
Duplicate Advisory: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-mv7p-34fv-4874. This link is maintained to preserve external references. Original Description: A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of t...
CVE-2025-13877 nocobase JWT Service jwt-service.ts hard-coded key
A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument APIKEY results in use of hard-coded cryptographic key. T...
PT-2025-48710
Name of the Vulnerable Software and Affected Versions: nocobase versions 1.9.4 and 2.0.0-alpha.37. Description: A security issue exists in nocobase that allows for remote attacks with high complexity and difficult exploitability. The issue involves the manipulation of the API KEY argument within an...
CVE-2025-13829
Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: APIKEY 1 year user Session RefreshToken 10 minutes user Session Password hashed with bcrypt User IP Email Full Na...
CVE-2025-13829
CVE-2025-13829 affects Data Illusion Zumbrunn NGSurvey and is described as an Incorrect Authorization vulnerability that lets any logged-in user access private data of other users. Publicly reported details across multiple sources (NVD, Red Hat, EUVD, CVE.org, CNNVD, etc.) enumerate sensitive dat...
PT-2025-48486
Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: APIKEY 1 year user Session RefreshToken 10 minutes user Session Password hashed with bcrypt User IP Email Full Na...
EUVD-2025-198101
The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level...
EUVD-2025-198127
The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable...
CVE-2025-12822
The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-12822
CVE-2025-12822 concerns the WordPress plugin WP Login and Register using JWT. The vulnerability is caused by a missing capability check in the function mo_jwt_generate_new_api_key, present in all versions up to and including 3.0.0. This allows an attacker with at least Subscriber-level access ...
CVE-2025-12822 WP Login and Register using JWT <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure
The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-12770
The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable...
PT-2025-47434
The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with...
WordPress plugin WP Login and Register using JWT security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...
WordPress WP Login and Register using JWT plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure vulnerability
Missing Authorization to Authenticated (Subscriber+) API Key Exposure vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin WP Login and Register using JWT versions <= 3.0.0...
CVE-2025-12113 Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images <= 1.8.3 - Missing Authorization to Authenticated (Subscriber+) API Key Deletion
The Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgaideleteapikey function in all versions up to, and including, 1.8.3. This makes it possible for authenticated...
CVE-2025-12113
CVE-2025-12113 affects the WordPress plugin “Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images” (versions
PT-2025-46569
Name of the Vulnerable Software and Affected Versions: Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress versions through 1.8.3. Description: The Alt Text Generator AI plugin for WordPress is susceptible to unauthorized data loss. A missing capability chec...