453 matches found
CVE-2026-1379
The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions a...
Open WebUI 安全漏洞
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.9.0 contained security vulnerabilities. These vulnerabilities stemmed from the router not calling filterallowedaccessgrants during path creation or updates...
EUVD-2026-29443
The FastBots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2026-6800
The FastBots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
EUVD-2026-28905
There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission...
CVE-2026-6447
The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
PT-2026-34268
Name of the Vulnerable Software and Affected Versions HTTP Headers plugin for WordPress versions prior to 1.19.3 Description Insufficient input sanitization and output escaping in admin settings allow authenticated attackers with administrator-level permissions and above to perform Stored...
Tanium Server 安全漏洞
Tanium Server is a security management platform provided by the American company Tanium. There is a security vulnerability in Tanium Server, which allows authenticated Tanium users with the role of Administrator or Write Downloader authentication permissions to retrieve credentials used for remot...
CVE-2026-6712 Website LLMs.txt <= 8.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting
The Website LLMs.txt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permission...
WordPress plugin Tutor LMS 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
CVE-2026-3121
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within...
PT-2026-26585
Name of the Vulnerable Software and Affected Versions CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress versions through 1.2.7 Description The plugin is susceptible to Stored Cross-Site Scripting through admin settings due to inadequate input sanitization and...
CVE-2026-2289
CVE-2026-2289 (Taskbuilder WordPress plugin) is a stored cross-site scripting vulnerability in Taskbuilder versions up to 5.0.3. The issue arises from insufficient input sanitization and output escaping in admin settings, allowing an authenticated attacker with administrator-level permissions to ...
CVE-2026-1055 TalkJS <= 0.1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'welcomeMessage' Parameter
The TalkJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2026-2230
The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handleajaxsave function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level...
PT-2026-20474
The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle ajax save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-leve...
PT-2026-20217
Name of the Vulnerable Software and Affected Versions WP 404 Auto Redirect to Similar Post plugin for WordPress versions prior to 1.0.6 Description The WP 404 Auto Redirect to Similar Post plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient inpu...
Mattermost 安全漏洞
Mattermost is an open-source collaboration platform developed by the American company Mattermost. Versions of Mattermost such as 10.11.9 and earlier, including 10.11.x, have security vulnerabilities. These vulnerabilities stem from the lack of enforceable invitation permissions during the update...
CVE-2026-1399
The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVE-2025-9520
An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account...