63 matches found
CVE-2026-12098
The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all versions up to, and including, 11.16.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...
CVE-2026-12098
CVE-2026-12098 affects the WordPress PowerPress Podcasting plugin by Blubrry up to version 11.16.8. The vulnerability is a Stored Cross-Site Scripting via the embed Episode Meta Field, caused by insufficient input sanitization and output escaping. The embed value is stored with update_post_meta()...
CVE-2026-8365
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksymeta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksysanitizepostmetaoptions...
CVE-2026-8365 Blocksy <= 2.1.41 - Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via 'blocksy_meta' REST API Field
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksymeta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksysanitizepostmetaoptions...
PT-2026-47723
Name of the Vulnerable Software and Affected Versions Blocksy versions prior to 2.1.36 Description Insufficient input sanitization in the blocksy sanitize post meta options function allows authenticated attackers with contributor-level access or higher to store serialized PHP object strings in po...
CVE-2026-6252
The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' block attribute in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-lev...
CVE-2026-6093
Corteza contains a SQL injection vulnerability in its Microsoft SQL Server MSSQL backend when filtering Compose records by the meta field.This issue affects corteza: 2024.9.8...
CVE-2026-3173
The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 1.5.1. Authenticated attackers with Contributor-level access or higher can read arbitrary user meta, post meta, and term meta from any object, potentially exposing PII (...
CVE-2026-3173
The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user...
PT-2026-44188
The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user...
WordPress plugin Meta Field Block 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
WordPress Meta Field Block – Display custom fields in the Block Editor without coding plugin <= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure vulnerability
Insecure Direct Object Reference to Authenticated Contributor+ Arbitrary User Meta Exposure vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Meta Field Block versions = 1.5.1...
CVE-2026-6252
The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' block attribute in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-lev...
CVE-2026-6252
The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' block attribute in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-lev...
EUVD-2026-30252
The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' block attribute in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-lev...
CVE-2026-6252
The CVE covers the WordPress plugin Meta Field Block (display-a-meta-field-as-block) with versions up to 1.5.2 affected. The root cause is insufficient input sanitization and output escaping in the tagName block attribute, enabling Stored Cross-Site Scripting. Exploitation requires authenticated ...
CVE-2026-6252 Meta Field Block <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tagName' Block Attribute
The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' block attribute in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-lev...
CVE-2026-6252 Meta Field Block <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tagName' Block Attribute
The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' block attribute in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-lev...
PT-2026-40889
The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' block attribute in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-lev...
WordPress plugin Meta Field Block 跨站脚本漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...