CVE-2026-8732
The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmptempaccessajax AJAX action being registered with wpajaxnopriv and protected only by a nonce check using the...
EUVD-2026-34888
The WP Captcha PRO plugin for WordPress (the premium version of the Advanced Google reCAPTCHA plugin; both share the same plugin slug) is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajaxruntool AJAX handler relying solely on a nonce check...
Exploit for CVE-2026-8732
WP Maps Pro Unauthenticated Stored Cross-Site Scripting CVE-2...
VulnCheck KEV: CVE-2026-8732
The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmptempaccessajax AJAX action being registered with wpajaxnopriv and protected only by a nonce check using the...
Roadiz Document base system data forgery vulnerability
The Roadiz Document Base System is an open-source, document-based HTML template rendering system developed by Roadiz. Versions prior to 2.3.43, 2.5.45, 2.6.31, and 2.7.18 of the Roadiz Document Base System had data manipulation vulnerabilities. These vulnerabilities stemmed from the use of OID...
CVE-2026-4331
The CVE affects Blog2Social: Social Media Auto Post & Scheduler for WordPress up to version 8.8.2. The resetSocialMetaTags() AJAX path incorrectly validates permissions: it only checks for the 'read' capability and a valid b2s_security_nonce, which are available to Subscriber-level users, due to ...
CVE-2026-22698 RustCrypto SM2-PKE has 32-bit Biased Nonce Vulnerability
RustCrypto: Elliptic Curves provides general-purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and the public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in...
EUVD-2016-1398
Malware in sbrugna...
EUVD-2014-7077
Malware in sbrugna...
EUVD-2022-1939
Malicious code in bioql PyPI...
EUVD-2022-3341
Malicious code in bioql PyPI...
CVE-2023-41935
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb, uses a non-constant-time comparison function when checking whether the provided and expected CSRF protection nonces are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce...
CVE-2023-1026
The WP Meta SEO plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the listPostsCategory function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to get post listings by...
PT-2025-20017 · WordPress · Login Lockdown & Protection
Name of the Vulnerable Software and Affected Versions: Login Lockdown & Protection plugin for WordPress, versions up to, and including, 2.11
Description: The issue is related to unauthorized nonce access due to a missing capability check on the ajax run tool function. This allows authenticated...
Signatures can be replayed in castVoteWithReasonAndParamsBySig() to use up more votes than a user intended
In the SecurityCouncilNomineeElectionGovernor and SecurityCouncilMemberElectionGovernor contracts, users can provide a signature to allow someone else to vote on their behalf using the castVoteWithReasonAndParamsBySig function, which is in...
CVE-2023-1026
Summary: CVE-2023-1026 affects the WP Meta SEO WordPress plugin (versions up to 4.5.3). The root cause is a missing capability check in the listPostsCategory function, causing unauthorized data access. The vulnerability arises because nonce-based access control was relied upon and the nonce was a...
Chaty < 3.0.3 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin...
CVE-2022-3244
The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce...
Malicious callers can replay disputes
Unlike some of the other signature-based operations in the Rigor system, dispute signatures do not include a nonce and are vulnerable to replay attacks. This is similar to my finding in 339, but lower severity, since it is more of a spamming/griefing vector...