77 matches found

Source: Nuclei, added 2 days ago

LatePoint <= 5.0.11 - SQL Injection

The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

CVSS 9.8 | AI score 5.9 | EPSS 0.02823
Exploits: 0 | References: 3
Source: EUVD, added 2026/05/29 6:43 a.m.

EUVD-2026-33255

The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...

CVSS 9.8 | AI score 5.8 | EPSS 0.00492
Exploits: 0 | References: 6
Source: Vulnrichment, added 2026/05/29 6:43 a.m.

CVE-2026-3655 OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification

The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...

CVSS 9.8 | AI score 5.8 | EPSS 0.00492
Exploits: 0 | References: 6
Source: CNNVD, added 2026/05/27 12:00 a.m.

Synology Surveillance Station security vulnerability

Synology Surveillance Station is an application developed by Synology, a Chinese company. It provides intelligent monitoring and video management tools to protect your valuable assets. There are security vulnerabilities in versions of Synology Surveillance Station prior to 9.2.2.2-11575 and...

CVSS 4.9 | AI score 5.8 | EPSS 0.0023
Exploits: 0 | References: 1
Source: RedhatCVE, added 2026/05/05 2:20 a.m.

CVE-2026-2554

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfmdeletewcfmcustomer' due to missing validation on the 'customerid' user...

CVSS 8.1 | AI score 5.9 | EPSS 0.00328
Exploits: 0 | References: 1
Source: CVE, added 2026/04/21 7:58 p.m.

CVE-2026-40925

WWBN AVideo contains a CSRF vulnerability in objects/configurationUpdate.json.php (also via /updateConfig) that an authenticated admin can be tricked into triggering via cross-origin POST, allowing rewriting of encoder URL, SMTP credentials, site HTML, and more. Affected: WWBN AVideo up through v...

CVSS 8.3 | AI score 5.8 | EPSS 0.00173
Exploits: 1 | References: 2 | Affected Software: 1
Source: RedhatCVE, added 2026/04/21 7:23 p.m.

CVE-2026-23753

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFTLanguage::Create without HTML sanitization and subsequently rendered unsanitized by ViewLanguage.RenderGrid. An...

CVSS 4.8 | AI score 5.7 | EPSS 0.00151
Exploits: 0 | References: 1
Source: CVE, added 2026/04/16 5:29 a.m.

CVE-2026-3595

CVE-2026-3595 affects the Riaxe Product Customizer plugin for WordPress. All versions up to and including 2.1.2 are vulnerable due to an unauthenticated authorization bypass: the plugin registers a REST API route POST /wp-json/InkXEProductDesignerLite/customer/delete_customer without a permission...

CVSS 5.3 | AI score 5.7 | EPSS 0.00441
Exploits: 0 | References: 7
Source: EUVD, added 2026/04/10 9:31 a.m.

EUVD-2026-21320

A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

CVSS 9.6 | AI score 7.3 | EPSS 0.00405
Exploits: 1 | References: 3
Source: Positive Technologies, added 2026/04/07 12:00 a.m.

PT-2026-30799

Name of the Vulnerable Software and Affected Versions: Amelia plugin for WordPress, versions up to and including 2.1.3. Description: The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is susceptible to Insecure Direct Object Reference. The UpdateProviderCommandHandler does...

CVSS 8.8 | AI score 5.7 | EPSS 0.00632
Exploits: 1 | References: 10
Source: ATTACKERKB, added 2026/04/02 1:28 p.m.

CVE-2026-2737

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

CVSS 8.5 | AI score 5.9 | EPSS 0.00196
Exploits: 0 | References: 2 | Affected Software: 1
Source: OSV, added 2026/01/20 9:16 p.m.

CVE-2026-21663

HackerOne community member Patrick Lang 7yr has reported a reflected XSS vulnerability in the banner-acl.php script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser a...

CVSS 6.1 | AI score 5.8 | EPSS 0.00163
Exploits: 0 | References: 1
Source: ATTACKERKB, added 2026/01/17 8:24 a.m.

CVE-2025-10484

The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them via the fmalwpsetsessionphpfun...

CVSS 9.8 | AI score 5.4 | EPSS 0.00401
Exploits: 0 | References: 3
Source: RedhatCVE, added 2026/01/09 12:32 p.m.

CVE-2023-31285

An XSS issue was discovered in Serenity Serene and StartSharp before 6.7.0. When users upload temporary files, some specific file endings are not allowed, but it is possible to upload .html or .htm files containing an XSS payload. The resulting link can be sent to an administrator user...

CVSS 6.1 | AI score 6 | EPSS 0.00785
Exploits: 1 | References: 1
Source: RedhatCVE, added 2026/01/09 8:56 a.m.

CVE-2023-4142

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '-cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin...

CVSS 8.8 | AI score 8.2 | EPSS 0.01239
Exploits: 0 | References: 1
Source: EUVD, added 2025/12/05 6:07 a.m.

EUVD-2025-201358

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generate...

CVSS 9.8 | AI score 5.7 | EPSS 0.00433
Exploits: 0 | References: 3
Source: Positive Technologies, added 2025/12/03 12:00 a.m.

PT-2025-48816

Name of the Vulnerable Software and Affected Versions: ERPNext version 15.83.2; Frappe Framework version 15.86.0. Description: Improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the...

CVSS 9 | AI score 5.8 | EPSS 0.0029
Exploits: 0 | References: 9
Source: RedhatCVE, added 2025/11/14 4:06 a.m.

CVE-2025-12366

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayerreplacepage function due to missing validation on a user controlled key. This makes it possible for...

CVSS 4.3 | AI score 5.5 | EPSS 0.00208
Exploits: 0 | References: 1
Source: Cvelist, added 2025/11/05 6:00 a.m.

CVE-2025-6027 Ace User Management <= 2.0.3 - Subscriber+ Authentication Bypass via Password Reset

The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated user, such as a subscriber, to reset the password of arbitrary accounts, including administrators...

EPSS 0.00155
Exploits: 0 | References: 1
Source: Positive Technologies, added 2025/10/23 12:00 a.m.

PT-2025-43512

Name of the Vulnerable Software and Affected Versions: Vilar VS-IPC1002 IP cameras, affected versions not specified. Description: Vilar VS-IPC1002 IP cameras are susceptible to Reflected Cross-Site Scripting (XSS) attacks. This occurs because parameters within GET requests sent to the /cgi-bin/action A...

CVSS 6.1 | AI score 5.7 | EPSS 0.00198
Exploits: 0 | References: 7