729 matches found
CVE-2026-6728 Slider Revolution <= 7.0.9 - Unauthenticated Sensitive Information Exposure via 'sliders/stream'
The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.9 via the 'getstreamdata' function. This makes it possible for unauthenticated attackers to extract sensitive data including published password-protected post, page, an...
CVE-2026-6728
The CVE concerns the WordPress Slider Revolution plugin (up to version 7.0.9). Affected component: get_stream_data() in sliders/stream, enabling unauthenticated attackers to exfiltrate sensitive content, including published password-protected posts, pages, and products. Root cause: Sensitive Info...
PT-2026-42137
The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.9 via the 'get stream data' function. This makes it possible for unauthenticated attackers to extract sensitive data including published password-protected post, page,...
CVE-2026-6206
The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfromquerystring function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract da...
CVE-2026-6206 MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter
The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfromquerystring function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract da...
CVE-2026-6206
The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfromquerystring function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract da...
GHSA-FMH9-GPQH-G53G SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode
Summary The advisory GHSA-c77m-r996-jr3q patched getBookmark so that, when invoked by a publish-mode RoleReader, results are filtered through FilterBlocksByPublishAccess to remove entries from password-protected / publish-ignored notebooks. Four sibling search handlers in the same file did not...
CVE-2025-9987
The Broadstreet plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.53.1 via the getsponsoredmeta AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract data from password protect...
PT-2026-40727
Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.0 Description Broken access control in the publish-mode allows readers to enumerate metadata from documents that are invisible to the publish service. This occurs because certain search handlers do not filter...
CVE-2026-1314 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery <= 1.16.17 - Missing Authorization to Unauthenticated Private/Draft Flipbook Data Exposure
The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sendpostpagesjson function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticat...
CVE-2026-34453
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling...
CVE-2026-34376 PdfDing: Password-protected share bypass via direct serve endpoint
PdfDing is a selfhosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving endpoint without...
CVE-2026-34376
PdfDing is vulnerable prior to version 1.7.0 due to an access-control flaw that allowed unauthenticated retrieval of password‑protected shared PDFs via the direct file‑serving endpoint without completing the password verification flow. This could expose confidential documents intended to be prote...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the getBookmark function. An attacker can retrieve sensitive content from password-protected documents by sending unauthenticated requests to the /api/bookmark/getBookmark endpoint, which improperly authorize...
CVE-2026-34453 SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling...
CVE-2026-34453 SiYuan: Broken access control in /api/bookmark/getBookmark allows unauthenticated publish visitors to read password-protected bookmarked content
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling...
CVE-2026-34453
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling...
EUVD-2026-17683
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling...
CVE-2026-34453
SiYuan exposes bookmarked blocks from password-protected documents via the publish service prior to 3.6.2. In publish/read-only mode, /api/bookmark/getBookmark uses FilterBlocksByPublishAccess(nil, ...) and treats a nil context as authorized, skipping the password check and returning content from...
EUVD-2026-16748
AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification...