1763 matches found
EUVD-2026-31034
The 診断ジェネレータ作成プラグイン Diagnosis Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc function. The function is hooke...
WordPress Sentence To SEO (keywords, description and tags) plugin <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Sentence To SEO keywords, description and tags versions = 1.0...
Malicious code in babel-plugin-version (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
MAL-2026-4129 Malicious code in babel-plugin-version (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
@lingxiteam/cli (=0.3.0), babel-preset-jaid (>=1.0.0 <=2.9.0) +1 more potentially affected by unknown CVE via babel-plugin-version (=0.2.3)
babel-plugin-version NPM version =0.2.3 is affected by a known vulnerability. The following packages have a transitive dependency on babel-plugin-version and may be impacted: - @lingxiteam/cli =0.3.0 - babel-preset-jaid =1.0.0, =2.0.0, =2.9.0 Source cves: unknown CVE Source advisory:...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
PT-2026-41513
Name of the Vulnerable Software and Affected Versions The AI Engine – The Chatbot, AI Framework & MCP for WordPress version 3.4.9 Description Missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path allows authenticated users with Subscriber privileges or higher t...
CVE-2026-4683
The Smartcat Translator for WPML plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'routeData' REST endpoint in all versions up to, and including, 3.1.77. This makes it possible for unauthenticated attackers to overwrite the plugin's...
CVE-2026-4029
The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized database export in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check. This makes it possible for unauthenticated attackers to...
WordPress plugin Meta Field Block 跨站脚本漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
Summary SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in...
WordPress My Calendar – Accessible Event Manager plugin <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication vulnerability
Authenticated Custom+ Missing Authorization to Unauthorized Event Publication vulnerability discovered by type5afe in WordPress Plugin My Calendar versions = 3.7.9...
CVE-2026-6708
The CVE-2026-6708 entry concerns the WordPress plugin “HEL Online Classroom: AI-powered Online Classrooms” (versions
WordPress plugin WP Google Maps Integration 跨站脚本漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
WordPress plugin Pricing Tables for WP 跨站脚本漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...
WordPress Zawgyi Embed plugin <= 2.1.1 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin Zawgyi Embed versions = 2.1.1...
WordPress AI Product Search for WooCommerce – Motive Commerce Search plugin <= 1.38.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Benedictus Jovan aillesim/eneri in WordPress Plugin AI Product Search for WooCommerce Motive Commerce Search versions = 1.38.2...
PT-2026-36567
Name of the Vulnerable Software and Affected Versions My Social Feeds – Social Feeds Embedder versions prior to 1.0.5 Description The plugin is subject to sensitive information exposure via the 'ttp get accounts' AJAX action. The get accounts function lacks authorization checks and nonce...
WordPress Widgets on Pages plugin <= 1.7 - Unauthenticated Reflected Cross-Site Scripting vulnerability
Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Widgets on Pages versions = 1.7...