Lucene search
K

976 matches found

CNNVD
CNNVD
added 2026/03/18 12:0 a.m.8 views

WordPress plugin Code Embed 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be added t...

6.4CVSS5.7AI score0.00198EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/18 12:0 a.m.4 views

PT-2026-26068

The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization function sec check post fields only running on the save post hook, while WordPress allows custom fiel...

6.4CVSS6AI score0.00198EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.8 views

PT-2026-25776

Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3...

9.1CVSS6AI score0.003EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/08 1:44 a.m.7 views

CVE-2026-1650

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'customfieldscontroller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom...

5.3CVSS5.9AI score0.00262EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/07 7:31 p.m.8 views

CVE-2026-30843

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

9.3CVSS5.8AI score0.00218EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/07 3:30 a.m.4 views

EUVD-2026-10096

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'customfieldscontroller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom...

5.3CVSS5.9AI score0.00262EPSS
Exploits0References5
NVD
NVD
added 2026/03/07 2:16 a.m.4 views

CVE-2026-1650

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'customfieldscontroller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom...

5.3CVSS0.00262EPSS
Exploits0References4
CVE
CVE
added 2026/03/07 1:21 a.m.21 views

CVE-2026-1650

The CVE concerns the MDJM Event Management plugin for WordPress. A missing capability check in the custom_fields_controller allows unauthenticated attackers to modify data by deleting arbitrary custom event fields via delete_custom_field and id parameters. Affected versions include all up to 1.7....

5.3CVSS5.9AI score0.00262EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/03/07 1:21 a.m.4 views

CVE-2026-1650

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'customfieldscontroller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom...

5.3CVSS5.9AI score0.00262EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/03/07 12:0 a.m.7 views

WordPress plugin MDJM Event Management 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

5.3CVSS5.8AI score0.00262EPSS
Exploits0References5
NVD
NVD
added 2026/03/06 8:16 p.m.5 views

CVE-2026-30843

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

9.3CVSS0.00218EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/06 7:30 p.m.29 views

CVE-2026-30843 Wekan has Cross-Board IDOR in Custom Fields Update Endpoints

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

9.3CVSS0.00218EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/06 7:30 p.m.6 views

EUVD-2026-10062

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

9.3CVSS5.8AI score0.00218EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/06 7:30 p.m.2 views

CVE-2026-30843 Wekan has Cross-Board IDOR in Custom Fields Update Endpoints

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

9.3CVSS5.8AI score0.00218EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/06 7:30 p.m.5 views

CVE-2026-30843

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

9.3CVSS5.8AI score0.00218EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/03/06 7:30 p.m.5 views

CVE-2026-30843 Wekan has Cross-Board IDOR in Custom Fields Update Endpoints

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

9.3CVSS5.8AI score0.00218EPSS
Exploits0References5
CVE
CVE
added 2026/03/06 7:30 p.m.12 views

CVE-2026-30843

Wekan versions 8.32 and 8.33 contain a critical Insecure Direct Object Reference (IDOR) in custom fields update endpoints, allowing cross-board modification of custom fields. The PUT /api/boards/:boardId/custom-fields/:customFieldId endpoint validates board access but uses the field’s _id as a fi...

9.3CVSS5.8AI score0.00218EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.5 views

PT-2026-23743

🚨 CVE-2026-30843 Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to...

9.3CVSS5.8AI score0.00218EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/03 8:38 p.m.8 views

Craft CMS has IDOR via GraphQL @parseRefs

The GraphQL directive @parseRefs, intended to parse internal reference tags e.g., user:1:email, can be abused by both authenticated users and unauthenticated guests if a Public Schema is enabled to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs...

8.7CVSS6AI score0.00447EPSS
Exploits1References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/28 2:0 p.m.6 views

CVE-2026-2383

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

6.4CVSS6AI score0.00197EPSS
Exploits0References1
Rows per page
Query Builder