25068 matches found
EUVD-2026-10194
A vulnerability was identified in Tenda FH451 1.0.0.9. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex. Such manipulation of the argument mitlinktype/PPPOEPassword leads to stack-based buffer overflow. It is possible to launch the attack remotely. The...
smart-admin 代码注入漏洞
Smart-Admin is a rapid development platform developed by individual developers of 1024-lab. Versions of Smart-Admin prior to 3.29 contained a code injection vulnerability. This vulnerability stemmed from incorrect handling of the file...
CVE-2026-3679
A vulnerability was identified in Tenda FH451 1.0.0.9. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex. Such manipulation of the argument mitlinktype/PPPOEPassword leads to stack-based buffer overflow. It is possible to launch the attack remotely. The...
CVE-2026-3679
A vulnerability was identified in Tenda FH451 1.0.0.9. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex. Such manipulation of the argument mitlinktype/PPPOEPassword leads to stack-based buffer overflow. It is possible to launch the attack remotely. The...
CVE-2026-3679 Tenda FH451 QuickIndex formQuickIndex stack-based overflow
A vulnerability was identified in Tenda FH451 1.0.0.9. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex. Such manipulation of the argument mitlinktype/PPPOEPassword leads to stack-based buffer overflow. It is possible to launch the attack remotely. The...
WordPress Contact Form by WPForms plugin <= 1.9.9.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by davidfdzmorilla in WordPress Plugin Contact Form by WPForms versions = 1.9.9.3...
EUVD-2026-10136
The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level...
CVE-2026-2420
The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level...
CVE-2026-1073
The Purchase Button For Affiliate Link plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing nonce validation on the settings page form handler in inc/purchase-btn-options-page.php. This makes it possible for...
CVE-2026-1073
CVE-2026-1073 is a CSRF vulnerability in the WordPress plugin Purchase Button For Affiliate Link (versions up to 1.0.2). The issue arises from missing nonce validation on the settings page form handler in inc/purchase-btn-options-page.php, enabling unauthenticated attackers to modify plugin setti...
CVE-2026-1073
The Purchase Button For Affiliate Link plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing nonce validation on the settings page form handler in inc/purchase-btn-options-page.php. This makes it possible for...
CVE-2026-2420
CVE-2026-2420 (LotekMedia Popup Form, WordPress) : Stored XSS in plugin settings affecting all versions up to 1.0.6. Exploitation requires Administrator+ privileges; payload executes on frontend pages displaying the popup. Connected docs confirm the issue and affected version range; no explicit f...
CVE-2026-2420 LotekMedia Popup Form <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level...
CVE-2026-2420
The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level...
CVE-2026-2420 LotekMedia Popup Form <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level...
EUVD-2025-208352
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisperregisterform function not restricting user roles that can be set during registration. This makes it possible...
CVE-2025-8899 Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.20 - Authenticated (Author+) Privilege Escalation
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisperregisterform function not restricting user roles that can be set during registration. This makes it possible...
CVE-2025-8899
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisperregisterform function not restricting user roles that can be set during registration. This makes it possible...
CVE-2025-8899 Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.20 - Authenticated (Author+) Privilege Escalation
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisperregisterform function not restricting user roles that can be set during registration. This makes it possible...
CVE-2025-8899
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams WordPress plugin is vulnerable to privilege escalation in all versions up to and including 7.3.20. The root cause is videowhisper_register_form() not restricting user roles during registration, allowing authenticated users with Author-level...