1828 matches found
CVE-2025-0801 RateMyAgent Official <= 1.4.0 - Cross-Site Request Forgery to API Key Update
The RateMyAgent Official plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.0. This is due to missing or incorrect nonce validation on the 'rma-settings-wizard'. This makes it possible for unauthenticated attackers to update the plugin's API...
CVE-2025-0801
CVE-2025-0801 – RateMyAgent Official WordPress plugin CSRF Affected software: RateMyAgent Official plugin for WordPress (all versions up to and including 1.4.0). Root cause: Missing or incorrect nonce validation on the rma-settings-wizard, enabling Cross-Site Request Forgery. Impact: Unauthenticate...
PT-2025-9054 · WordPress · Ratemyagent Official
Name of the Vulnerable Software and Affected Versions: RateMyAgent Official plugin for WordPress versions up to and including 1.4.0 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the 'rma-settings-wizard'. This allows unauthenticate...
AWS VDP: Sensitive API Key Leakage
Vulnerability: AWS Sensitive Keys Leakage Details : the AWS Access Key & Secret Key is leaked in a Public GitHub Repository located at : Repository located at : █████████ Steps To Reproduce: Go to : ██████ In the middle of this file you can see the Keys Please see the attached screenshot also...
PT-2025-7820 · WordPress · Enfold
Name of the Vulnerable Software and Affected Versions: Enfold theme for WordPress versions up to, and including, 6.0.9 Description: The issue allows unauthorized access to data due to a missing capability check in the avia-export-class.php file. This enables unauthenticated attackers to export al...
GHSA-C39W-3PJX-QC7M Leantime allows Stored Cross-Site Scripting (XSS)
Description Leantime allows stored cross-site scripting XSS in the API key name while generating the API key. Impact Any low privileged user like manager, or editor, can create an API key with XSS payload. When admin will visit the Company page, the XSS will automatically get triggered leading t...
CVE-2023-51315
PHPJabbers Restaurant Booking System v3.0 is vulnerable to Multiple Stored Cross-Site Scripting XSS in the "seatname, pluginsmsapikey, pluginsmscountrycode, title, name" parameters...
CVE-2023-51300
PHPJabbers Hotel Booking System v4.0 is vulnerable to Cross-Site Scripting XSS vulnerabilities in the "name, pluginsmsapikey, pluginsmscountrycode, title, pluginsmsapikey" parameters...
PT-2025-7288 · Phpjabbers · Phpjabbers Event Ticketing System
Name of the Vulnerable Software and Affected Versions: PHPJabbers Event Ticketing System version 1.0 Description: The PHPJabbers Event Ticketing System is vulnerable to multiple HTML injections in the parameters lid, name, plugin sms api key, plugin sms country code, and title. This issue allows...
SUSE CVE-2024-23445
It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter, an...
CVE-2024-34897
Nedis SmartLife android app v1.4.0 was discovered to contain an API key disclosure vulnerability...
CVE-2022-3805
The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the...
CVE-2022-46155
Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and...
CVE-2020-2500
This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and...
CVE-2024-25635
alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, organization owners can view the generated API KEY and USERS of other organization owners using the http://192.168.26.128:8080/admin/api/users/ endpoint, which exposes the details of the provided user ID. This may...
CVE-2024-7389
The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make...
CVE-2024-51492
Zusam is a free and open-source way to self-host private forums. Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unrestricted script execution on raw image load. With certain payloads, theft of the target user’s long-lived session token is possible...
CVE-2024-6397
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing...
CVE-2024-6587
A Server-Side Request Forgery SSRF vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the api_base parameter when making requests to POST /chat/completions, causing the application to send the request to the domain specified by api_base. This request...