
27 matches found

RedhatCVE
added 2025/10/25 8:29 a.m. · 3 views

CVE-2025-12028

The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the login_form_indieauth function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for...

CVSS 8.8 · AI score 5.7 · EPSS 0.00034
Exploits: 0 · References: 1

CNNVD
added 2025/10/25 12:00 a.m. · 3 views

WordPress plugin IndieAuth Cross-Site Request Forgery Vulnerability

WordPress and the WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it can host personal blog sites on PHP- and MySQL-based servers. WordPress plugin is an application plugin.... A cross-sit...

CVSS 8.8 · AI score 6.3 · EPSS 0.00034
Exploits: 0 · References: 5

NVD
added 2025/10/24 9:15 a.m. · 3 views

CVE-2025-12028

The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the login_form_indieauth function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for...

CVSS 8.8 · EPSS 0.00034
Exploits: 0 · References: 5

Cvelist
added 2025/10/24 8:23 a.m. · 8 views

CVE-2025-12028 IndieAuth <= 4.5.4 - Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens

The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the login_form_indieauth function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for...

CVSS 8.8 · EPSS 0.00034
Exploits: 0 · References: 5

CVE
added 2025/10/24 8:23 a.m. · 14 views

CVE-2025-12028

CVE-2025-12028 (IndieAuth WordPress plugin): The IndieAuth plugin (versions ≤ 4.5.4) is vulnerable to Cross-Site Request Forgery due to missing nonce verification in login_form_indieauth() and the wp-login.php?action=indieauth endpoint. This enables an unauthenticated attacker to induce a logged...

CVSS 8.8 · AI score 5.3 · EPSS 0.00034
Exploits: 0 · References: 5

EUVD
added 2025/10/24 8:23 a.m. · 2 views

EUVD-2025-35817

The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the login_form_indieauth function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for...

CVSS 8.8 · AI score 5.2 · EPSS 0.00034
Exploits: 0 · References: 5

Vulnrichment
added 2025/10/24 8:23 a.m. · 2 views

CVE-2025-12028 IndieAuth <= 4.5.4 - Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens

The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the login_form_indieauth function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for...

CVSS 8.8 · AI score 5.3 · EPSS 0.00034
Exploits: 0 · References: 5

Positive Technologies
added 2025/10/24 12:00 a.m. · 3 views

PT-2025-43600

Name of the Vulnerable Software and Affected Versions: WordPress IndieAuth plugin versions prior to 4.5.4. Description: The software is susceptible to Cross-Site Request Forgery (CSRF) due to missing nonce verification. Specifically, the login_form_indieauth function and the authorization endpoint at...

CVSS 8.8 · AI score 6.5 · EPSS 0.00034
Exploits: 0 · References: 10

Patchstack
added 2025/10/23 10:43 p.m. · 3 views

WordPress IndieAuth plugin <= 4.5.4 - Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens vulnerability

Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin IndieAuth versions <= 4.5.4...

CVSS 8.8 · AI score 6.7 · EPSS 0.00034
Exploits: 0 · References: 1 · Affected Software: 1

EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2023-2857

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 9.2 · EPSS 0.01543
Exploits: 0 · References: 3

EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2024-38294

Malicious code in bioql PyPI...

CVSS 8.3 · AI score 6.6 · EPSS 0.00922
Exploits: 0 · References: 2

NVD
added 2024/07/19 8:15 p.m. · 9 views

CVE-2024-39906

A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails-based Haven blog web application. The affected functionality requires authentication, but an attacker can craft a link that they can pass to a logged-in administrator of the blog software. This leads t...

CVSS 8.3 · EPSS 0.00922
Exploits: 0 · References: 2

CVE
added 2024/07/19 7:50 p.m. · 40 views

CVE-2024-39906

The CVE-2024-39906 vulnerability affects the Haven blog web application (Ruby on Rails) via its IndieAuth functionality. A logged-in administrator can be forced to click a crafted link that executes arbitrary commands on the server, enabling Remote Code Execution (RCE). The root cause is a comman...

CVSS 8.3 · AI score 8 · EPSS 0.00922
Exploits: 0 · References: 2

Vulnrichment
added 2024/07/19 7:50 p.m. · 15 views

CVE-2024-39906 Remote code execution in Haven IndieAuthClient (GHSL-2024-093)

A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails-based Haven blog web application. The affected functionality requires authentication, but an attacker can craft a link that they can pass to a logged-in administrator of the blog software. This leads t...

CVSS 8.3 · AI score 8 · EPSS 0.00922
Exploits: 0 · References: 2

Cvelist
added 2024/07/19 7:50 p.m. · 13 views

CVE-2024-39906 Remote code execution in Haven IndieAuthClient (GHSL-2024-093)

A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails-based Haven blog web application. The affected functionality requires authentication, but an attacker can craft a link that they can pass to a logged-in administrator of the blog software. This leads t...

CVSS 8.3 · EPSS 0.00922
Exploits: 0 · References: 2

OSV
added 2024/07/19 7:50 p.m. · 11 views

CVE-2024-39906 Remote code execution in Haven IndieAuthClient (GHSL-2024-093)

A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails-based Haven blog web application. The affected functionality requires authentication, but an attacker can craft a link that they can pass to a logged-in administrator of the blog software. This leads t...

CVSS 8.3 · AI score 7.9 · EPSS 0.00922
Exploits: 0 · References: 4

Positive Technologies
added 2024/07/19 12:00 a.m. · 4 views

PT-2024-28724 · Unknown +1 · Ruby On Rails +1

Name of the Vulnerable Software and Affected Versions: Haven blog web application, affected versions not specified. Description: A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails-based Haven blog web application. The affected functionality requires...

CVSS 8.3 · AI score 8.3 · EPSS 0.00922
Exploits: 0 · References: 7

Github Security Blog
added 2023/11/28 12:30 a.m. · 15 views

OwnCast remote code execution vulnerability

An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function...

CVSS 9.8 · AI score 7.5 · EPSS 0.01543
Exploits: 0 · References: 3 · Affected Software: 1

NVD
added 2023/11/27 11:15 p.m. · 10 views

CVE-2023-46480

An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function...

CVSS 9.8 · EPSS 0.01543
Exploits: 0 · References: 2

OSV
added 2023/11/27 11:15 p.m. · 14 views

CVE-2023-46480

An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function...

CVSS 9.8 · AI score 9.6 · EPSS 0.01543
Exploits: 0 · References: 2