
18 matches found

NVD
added 2026/05/22 5:16 a.m. · 6 views

CVE-2026-9104

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to...

CVSS 6.4 · EPSS 0.00084
Exploits: 0 · References: 7
Vulnrichment
added 2026/05/22 3:39 a.m. · 3 views

CVE-2026-9104 Draft List <= 2.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via Draft Post Title

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to...

CVSS 6.4 · AI score 6 · EPSS 0.00084
Exploits: 0 · References: 7
EUVD
added 2026/05/22 3:39 a.m. · 4 views

EUVD-2026-31405

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to...

CVSS 6.4 · AI score 6 · EPSS 0.00084
Exploits: 0 · References: 7
Positive Technologies
added 2026/05/22 12:00 a.m. · 6 views

PT-2026-42730

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to...

CVSS 6.4 · AI score 6 · EPSS 0.00084
Exploits: 0 · References: 8
OSV
added 2026/04/07 8:44 a.m. · 3 views

BIT-DISCOURSE-2026-32951 Discourse: Authorization bypass in oneboxer via user-controlled category id

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a categoryid parameter matching the shared drafts category. This issue h...

CVSS 4.3 · AI score 5.7 · EPSS 0.00048
Exploits: 0 · References: 3
RedhatCVE
added 2026/04/01 11:00 p.m. · 1 views

CVE-2026-32951

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a categoryid parameter...

CVSS 4.3 · AI score 5.8 · EPSS 0.00048
Exploits: 0 · References: 1
EUVD
added 2026/03/31 5:41 p.m. · 0 views

EUVD-2026-17565

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a categoryid parameter...

CVSS 4.3 · AI score 5.8 · EPSS 0.00048
Exploits: 0 · References: 2
Positive Technologies
added 2026/03/31 12:00 a.m. · 1 views

PT-2026-29314

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a category id paramete...

CVSS 4.3 · AI score 5.8 · EPSS 0.00048
Exploits: 0 · References: 6
CVE
added 2026/01/06 6:36 a.m. · 11 views

CVE-2025-13215

CVE-2025-13215 : Information exposure in WordPress plugin “Shortcodes and extra features for Phlox theme” allows unauthenticated users to view draft post titles via auxels_ajax_search in all versions up to 2.17.13. Patch released in 2.17.13 (remediation noted). Base CVSS 3.1/3.1 vector indicates ...

CVSS 5.3 · AI score 5.7 · EPSS 0.00069
Exploits: 0 · References: 2
CVE
added 2025/10/31 8:25 a.m. · 4 views

CVE-2025-12175

The Events Calendar WordPress plugin (versions up to 6.15.9) has an unauthorized access flaw due to a missing capability check on the tec_qr_code_modal AJAX endpoint. This allows authenticated users with Subscriber-level access and above to view draft event names and to generate/view QR codes. Wo...

CVSS 4.3 · AI score 4.7 · EPSS 0.00036
Exploits: 0 · References: 3
CNNVD
added 2025/07/21 12:00 a.m. · 5 views

WordPress Security Vulnerability

WordPress is a suite of blogging platforms developed in the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A security vulnerability exists in WordPress versions 3.5 through 6.8.2, which stems from mishandling of...

CVSS 3.7 · AI score 6.2 · EPSS 0.00235
Exploits: 1 · References: 2
RedhatCVE
added 2025/05/23 8:18 a.m. · 1 views

CVE-2024-10937

The Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.58 via the wpajaxnoprivrelatedpostajaxgetpostids AJAX action. This makes it possible for...

CVSS 5.3 · AI score 6 · EPSS 0.00405
Exploits: 0 · References: 1
OSV
added 2024/09/26 9:15 a.m. · 0 views

CVE-2024-9025

The Sight – Professional Image Gallery and Portfolio plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handlerposttitle' function in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to expose...

CVSS 5.3 · AI score 5.8
Exploits: 0 · References: 2
Positive Technologies
added 2024/09/26 12:00 a.m. · 1 views

PT-2024-39370 · WordPress · The Sight +1

Name of the Vulnerable Software and Affected Versions: The Sight – Professional Image Gallery and Portfolio plugin for WordPress versions up to, and including, 1.1.2 Description: The issue is related to unauthorized access of data due to a missing capability check on the handler post title...

CVSS 5.3 · AI score 7.3 · EPSS 0.00396
Exploits: 0 · References: 8
OSV
added 2024/04/09 7:15 p.m. · 0 views

CVE-2024-1904

The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the searchposts function in all versions up to, and including, 3.2.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose...

CVSS 4.3 · AI score 5.8
Exploits: 0 · References: 2
Positive Technologies
added 2024/04/09 12:00 a.m. · 2 views

PT-2024-18410 · WordPress · Masterstudy Lms

Name of the Vulnerable Software and Affected Versions: MasterStudy LMS plugin for WordPress versions up to, and including, 3.2.13 Description: The issue allows unauthorized access to data due to a missing capability check on the search posts function. This makes it possible for authenticated...

CVSS 4.3 · AI score 9.2 · EPSS 0.0029
Exploits: 0 · References: 5
CNNVD
added 2023/04/10 12:00 a.m. · 1 views

WordPress plugin WP Tile Information Disclosure Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. An information disclosure...

CVSS 6.5 · AI score 6.5 · EPSS 0.00515
Exploits: 2 · References: 2
CNNVD
added 2022/02/01 12:00 a.m. · 2 views

WordPress Security Vulnerability

WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. Document Embedder WordPress plugin prior to version 1.7.9 is vulnerable to a title enumeration vulnerability, which stems from the fact that the plugin includes an AJAX operation endpoint that can be...

CVSS 4.3 · AI score 5.6 · EPSS 0.00274
Exploits: 2 · References: 2