
24966 matches found

EUVD
added 2026/05/05 9:31 a.m. | 5 views

EUVD-2026-27241

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3 CVSS | 5.9 AI score | 0.00202 EPSS
Exploits: 0 | References: 7

EUVD
added 2026/05/05 9:31 a.m. | 4 views

EUVD-2026-27240

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

7.5 CVSS | 5.9 AI score | 0.00272 EPSS
Exploits: 1 | References: 3

NVD
added 2026/05/05 9:16 a.m. | 7 views

CVE-2026-3359

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

7.5 CVSS | 0.00272 EPSS
Exploits: 1 | References: 2

NVD
added 2026/05/05 9:16 a.m. | 9 views

CVE-2026-3601

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3 CVSS | 0.00202 EPSS
Exploits: 0 | References: 6

ATTACKERKB
added 2026/05/05 8:27 a.m. | 5 views

CVE-2026-3601

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3 CVSS | 5.9 AI score | 0.00202 EPSS
Exploits: 0 | References: 7

Vulnrichment
added 2026/05/05 8:27 a.m. | 5 views

CVE-2026-3601 User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3 CVSS | 5.9 AI score | 0.00202 EPSS
Exploits: 0 | References: 6

Cvelist
added 2026/05/05 8:27 a.m. | 58 views

CVE-2026-3601 User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3 CVSS | 0.00202 EPSS
Exploits: 0 | References: 6

CVE
added 2026/05/05 8:27 a.m. | 16 views

CVE-2026-3601

Summary: CVE-2026-3601 affects the WordPress plugin “User Registration & Membership” (versions

4.3 CVSS | 5.9 AI score | 0.00202 EPSS
Exploits: 0 | References: 6

CVE
added 2026/05/05 7:42 a.m. | 18 views

CVE-2026-3359

The CVE-2026-3359 entry concerns the WordPress plugin Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder. Affected component: the inputs parameter used in SQL queries. Root cause: insufficient escaping and lack of adequate query preparation, allowing unauthenticated attackers ...

7.5 CVSS | 5.9 AI score | 0.00272 EPSS
Exploits: 1 | References: 2

Cvelist
added 2026/05/05 7:42 a.m. | 41 views

CVE-2026-3359 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs'

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

7.5 CVSS | 0.00272 EPSS
Exploits: 1 | References: 2

ATTACKERKB
added 2026/05/05 7:42 a.m. | 1 view

CVE-2026-3359

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

7.5 CVSS | 5.9 AI score | 0.00272 EPSS
Exploits: 1 | References: 3

Vulnrichment
added 2026/05/05 7:42 a.m. | 4 views

CVE-2026-3359 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs'

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

7.5 CVSS | 5.9 AI score | 0.00272 EPSS
Exploits: 1 | References: 2

EUVD
added 2026/05/05 6:31 a.m. | 39 views

EUVD-2026-27185

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a...

7.2 CVSS | 6 AI score | 0.00241 EPSS
Exploits: 0 | References: 7

Vulnrichment
added 2026/05/05 3:37 a.m. | 5 views

CVE-2026-4803 Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a...

7.2 CVSS | 6 AI score | 0.00241 EPSS
Exploits: 0 | References: 6

EUVD
added 2026/05/05 12:40 a.m. | 14 views

EUVD-2026-25603

Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream...

5.3 CVSS | 5.8 AI score | 0.0024 EPSS
Exploits: 1 | References: 2

Patchstack
added 2026/05/05 12:40 a.m. | 7 views

NPM: Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream

NPM: Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream vulnerability discovered by ? in WordPress Npm axios versions = 1.0.0, 1.15.1...

5.3 CVSS | 5.8 AI score | 0.0024 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

OSV
added 2026/05/05 12:40 a.m. | 2 views

GHSA-445Q-VR5W-6Q77 Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream

Summary The FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF \r\n sequences. An attacker who controls the .type property of a Blob/File-like object e.g., via a user-uploaded fil...

5.3 CVSS | 6 AI score | 0.0024 EPSS
Exploits: 1 | References: 3

GitHub Security Blog
added 2026/05/05 12:40 a.m. | 7 views

Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream

Summary The FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF \r\n sequences. An attacker who controls the .type property of a Blob/File-like object e.g., via a user-uploaded fil...

5.3 CVSS | 6 AI score | 0.0024 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

EUVD
added 2026/05/05 12:34 a.m. | 14 views

EUVD-2026-25605

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data...

7.5 CVSS | 5.8 AI score | 0.00413 EPSS
Exploits: 1 | References: 2

GitHub Security Blog
added 2026/05/05 12:34 a.m. | 8 views

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Summary toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. Details lib/helpers/toFormData.js:210 defines an inner buildvalue, path that recurses into every object/array child line 225:...

7.5 CVSS | 5.9 AI score | 0.00413 EPSS
Exploits: 1 | References: 5 | Affected Software: 1