CVE-2025-13880 WP Social Ninja - Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 4.0.1 - Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets Google Reviews, YouTube Feed, Photo Feeds, and More plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings...
EUVD-2025-203870
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets Google Reviews, YouTube Feed, Photo Feeds, and More plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings...
PT-2025-51811
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets Google Reviews, YouTube Feed, Photo Feeds, and More plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings...
CVE-2025-14170
The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the vimeogalleryadmin function hooked to adminmenu. This makes it possible for authenticated attackers, with Subscriber-lev...
PT-2025-51044
The Employee Spotlight – Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization validation on the employee spotlight check optin function in all versions up to, and including, 5.1.3. This makes it possibl...
EUVD-2025-203015
The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the vimeogalleryadmin function hooked to adminmenu. This makes it possible for authenticated attackers, with Subscriber-lev...
PT-2025-50868
The Simple Theme Changer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user theme admin, display method admin, and set change theme button name actions in all versions up to, and including, 1.0. This makes it possible for...
CVE-2025-2848
A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions...
EUVD-2025-201393
The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 2.19. This is due to missing or incorrect nonce validation on the arkrpoptionspage function. This makes it possible for unauthenticated attackers to modify the plugin's configuration settings via a...
PT-2025-49248
Name of the Vulnerable Software and Affected Versions: Fanvil x210 V2 version 2.12.20. Description: A directory traversal issue exists in Fanvil x210 V2 version 2.12.20. An unauthenticated attacker on the local network can store files in arbitrary locations. This could potentially lead to modificati...
WordPress plugin AuthorSure cross-site request forgery vulnerability
WordPress AuthorSure plugin is an open source plugin designed for the WordPress platform, mainly used to manage the submission process of multi-author sites. WordPress AuthorSure plugin has a cross-site request forgery vulnerability, the vulnerability stems from the lack of random number validati...
CVE-2025-63221
The Axel Technology puma devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system...
CVE-2025-12372
The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action in the handleTPCAdminAjaxRequest function. This makes it possible for...
CVE-2025-12827
The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the topfriendsoptionssubpanel function. This makes it possible for unauthenticated attackers to modify plugin settings via a forge...
Malicious code in syahmuda-poke29 (npm)
Source: amazon-inspector cc719f15c2a95caa13b2728c2559ec6429aec6d4508bcb908722192e77826919. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-126142 Malicious code in electric_dinosaur_z3n (npm)
Source: amazon-inspector 6fbdbc491d316e467c22677306dc4b21a471af8ff57766ae6e3fb12694199e6d. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in nutritious_bobcat_ivory-19 (npm)
Source: amazon-inspector 1fdf02c34fc1f8636ec7bcd51b21ed0cacd105b294eb92ec6c0c546bc0aeaa55. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
CVE-2025-12636
The Ubia camera ecosystem fails to adequately secure API credentials, potentially enabling an attacker to connect to backend services. The attacker would then be able to gain unauthorized access to available cameras, enabling the viewing of live feeds or modification of settings...
CVE-2025-27919
An issue was discovered in AnyDesk through 9.0.4. A remotely connected user with the "Control my device" permission can manipulate remote AnyDesk settings and create a password for the Full Access profile without needing confirmation from the counterparty. Consequently, the attacker can later...