21 matches found

Cvelist
added 2026/04/24 7:45 a.m. | 24 views

CVE-2025-11762 HubSpot All-In-One Marketing - Forms, Popups, Live Chat <= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure

The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with...

CVSS 4.3 | EPSS 0.00032
Exploits 0 | References 3

Cvelist
added 2026/03/04 7:30 p.m. | 30 views

CVE-2026-28427 OpenDeck affected by path traversal allows arbitrary file read

OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended...

CVSS 5.9 | EPSS 0.00091
Exploits 1 | References 2

RedhatCVE
added 2025/10/04 11:53 a.m. | 2 views

CVE-2025-10212

The SiteAlert Formerly WP Health plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.9.8. This makes it possible for unauthenticated attackers to view the site health information, includi...

CVSS 5.3 | AI score 5.3 | EPSS 0.00083
Exploits 0 | References 1

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2025-24959

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 6.4 | EPSS 0.00067
Exploits 0 | References 3

EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2022-2060

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 5.1 | EPSS 0.00479
Exploits 0 | References 6

NVD
added 2024/02/28 9:15 a.m. | 13 views

CVE-2024-0767

The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajax_plugin_activation function. This makes it possible for unauthenticated...

CVSS 4.3 | AI score 4.3 | EPSS 0.00125
Exploits 0 | References 3

CVE
added 2024/02/28 8:33 a.m. | 136 views

CVE-2024-0767

CVE-2024-0767 (Envo's Elementor Templates & Widgets for WooCommerce) is a CSRF in the plugin’s ajax_plugin_activation path that can let unauthenticated attackers activate arbitrary plugins if an admin is tricked into performing an action. The vulnerability affects WordPress installations using th...

CVSS 4.3 | AI score 5.3 | EPSS 0.00125
Exploits 0 | References 3 | Affected Software 1

Vulnrichment
added 2024/02/28 8:33 a.m. | 17 views

CVE-2024-0767 Envo's Elementor Templates & Widgets for WooCommerce <= 1.4.4 - Cross-Site Request Forgery via ajax_plugin_activation

The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajax_plugin_activation function. This makes it possible for unauthenticated...

CVSS 4.3 | AI score 6.7 | EPSS 0.00125
Exploits 0 | References 2

WPVulnDB
added 2024/02/27 12:0 a.m. | 18 views

Envo's Elementor Templates & Widgets for WooCommerce < 1.4.5 - Arbitrary Plugin Activation via CSRF

Description: The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the ajax_plugin_activation function, allowing unauthenticated attackers to activate arbitrary installed plugins via a forged request granted they can trick a site administrator into...

CVSS 4.3 | AI score 4.9 | EPSS 0.00125
Exploits 0 | References 1 | Affected Software 1

OSV
added 2023/10/20 8:15 a.m. | 1 views

CVE-2023-4668

The Ad Inserter for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.30 via the ai-debug-processing-fe URL parameter. This can allow unauthenticated attackers to extract sensitive data including installed plugins present and active, active theme,...

CVSS 7.5 | AI score 7.1
Exploits 0 | References 2

Vulnrichment
added 2023/10/20 7:29 a.m. | 8 views

CVE-2023-4668 Ad Inserter <= 2.7.30 - Unauthenticated Sensitive Information Exposure via ai-debug-processing-fe

The Ad Inserter for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.30 via the ai-debug-processing-fe URL parameter. This can allow unauthenticated attackers to extract sensitive data including installed plugins present and active, active theme,...

CVSS 5.3 | AI score 7.1 | EPSS 0.00837
Exploits 0 | References 2

OSV
added 2022/05/24 4:51 p.m. | 22 views

GHSA-MQR8-3V8J-46WV Missing Authorization in Jenkins Configuration as Code Plugin

Missing permission checks in Jenkins Configuration as Code Plugin 1.24 and earlier in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins...

CVSS 4.3 | AI score 4.4 | EPSS 0.00031
Exploits 0 | References 4

Veracode
added 2022/02/16 1:26 p.m. | 13 views

Improper Authorization

librenms is vulnerable to improper authorization. The vulnerability exists due to the lack of validation of the user's role and level allowing an attacker to switch on/off installed plugins...

CVSS 6.5 | AI score 4.2 | EPSS 0.00002
Exploits 1 | References 3 | Affected Software 1

FreeBSD
added 2021/12/03 12:0 a.m. | 234 views

Grafana -- Path Traversal

Grafana Labs reports: Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable. The vulnerable URL path is: /public/plugins/ where...

CVSS 7.5 | AI score 7.3 | EPSS 0.94438
Exploits 44 | References 1

NVD
added 2019/07/31 1:15 p.m. | 11 views

CVE-2019-10344

Missing permission checks in Jenkins Configuration as Code Plugin 1.24 and earlier in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins...

CVSS 4.3 | AI score 4.5 | EPSS 0.00031
Exploits 0 | References 2

Prion
added 2019/07/31 1:15 p.m. | 17 views

Design/Logic Flaw

Missing permission checks in Jenkins Configuration as Code Plugin 1.24 and earlier in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins...

CVSS 4 | AI score 4.5 | EPSS 0.00031
Exploits 0 | References 2 | Affected Software 1

Cvelist
added 2019/07/31 12:45 p.m. | 18 views

CVE-2019-10344

Missing permission checks in Jenkins Configuration as Code Plugin 1.24 and earlier in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins...

AI score 4.4 | EPSS 0.00031
Exploits 0 | References 2

OSV
added 2018/06/05 9:29 p.m. | 16 views

CVE-2018-1000192

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins...

CVSS 4.3 | AI score 4.8
Exploits 0 | References 2

NVD
added 2018/06/05 9:29 p.m. | 16 views

CVE-2018-1000192

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins...

CVSS 4.3 | AI score 5.4 | EPSS 0.00479
Exploits 0 | References 2

0day.today
added 2013/09/08 12:0 a.m. | 24 views

WordPress Plugin w3-total-cache Stored XSS Vulnerability

Exploit for php platform in category web applications Steps to Produce the Vulnerability : 1 Go to Dashboard. 2 Click on Installed Plugins. 3 Go to W3-Total-Cache Plugin and Click on settings. 4 Go to Reverse Proxy and Click on page cache settings. 5 Go to Cache Preload and Type Vector - ". in...

AI score 7.1
Exploits 0