CVE-2019-25738 WordPress Hybrid Composer 1.4.6 Unauthenticated Settings Change
WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hcajaxsaveoption action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to...
EUVD-2026-33371
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...
Exploit for CVE-2026-5118
🔥 CVE-2026-5118 Divi Form Builder --- 🎯 Ring...
PT-2025-51229
Name of the Vulnerable Software and Affected Versions Fox LMS – WordPress LMS Plugin versions prior to 1.0.5.1 Description The Fox LMS – WordPress LMS Plugin does not properly validate the role parameter when creating new users via the /fox-lms/v1/payments/create-order API endpoint. This allows...
PT-2025-45431
Name of the Vulnerable Software and Affected Versions Notification Center versions prior to 2.1.0.3443 Notification Center versions prior to 1.9.2.3163 Notification Center versions prior to 3.0.0.3466 Description A cross-site scripting (XSS) issue exists in Notification Center. An attacker who...
CVE-2022-3180
The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious administrator accounts...
CVE-2024-46905
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account...
PT-2024-30576 · Unknown · Progauge Maglink Lx4 Console
Name of the Vulnerable Software and Affected Versions: ProGauge MAGLINK LX4 CONSOLE affected versions not specified Description: The web application for ProGauge MAGLINK LX4 CONSOLE contains an administrative-level user account with a password that cannot be changed. Recommendations: At the momen...
CVE-2024-42798
An Incorrect Access Control vulnerability was found in /music/index.php?page=userlist and /music/index.php?page=edituser in Kashipara Music Management System v1.0. This allows a low privileged attacker to take over the administrator account...
PT-2024-28462 · Docusign · Docusign Api
Name of the Vulnerable Software and Affected Versions: Docusign API package version 8.142.14 for Salesforce Description: An issue was discovered in the Docusign API package for Salesforce, where the Apttus DocuApi DocusignAuthentication mdt object stores configuration information in a manner that...
CVE-2024-0819
Improper initialization of default settings in TeamViewer Remote Client prior version 15.51.5 for Windows, Linux and macOS, allow a low privileged user to elevate privileges by changing the personal password setting and establishing a remote connection to a logged-in admin account...
PT-2023-32772 · Unknown · Codeastro Pos/Inventory Management System
Name of the Vulnerable Software and Affected Versions: CodeAstro POS and Inventory Management System version 1.0 Description: A vulnerability has been found in the system, allowing for improper access controls. The issue is related to the manipulation of the account type argument with the input...
PT-2023-2811 · Solarwinds · Solarwinds Orion Platform +1
Name of the Vulnerable Software and Affected Versions: SolarWinds Platform affected versions not specified Description: The issue is related to the SolarWinds Platform, which was susceptible to a Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds...
CVE-2022-46074
Helmet Store Showroom 1.0 is vulnerable to Cross Site Request Forgery (CSRF). An unauthenticated user can add an admin account due to missing CSRF protection...
CVE-2022-42751
CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows an attacker to persuade an administrator to create a new account with administrative permissions...
CVE-2022-31228
Dell EMC XtremIO versions prior to X2 6.4.0-22 contain a brute-force vulnerability. A remote unauthenticated attacker can potentially exploit this vulnerability and gain access to an admin account...
PT-2022-3486 · Schneider Electric · Conext Combox
Name of the Vulnerable Software and Affected Versions: Conext ComBox All Versions Description: The issue is related to insufficient restriction of excessive authentication attempts, which could allow a remote attacker to bypass security restrictions using a brute force attack. This is due to the...
WordPress plugin Quick Subscribe Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site request forger...
CVE-2022-0952
The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as...
WordPress plugin MasterStudy LMS Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in...