CVE-2026-35181

CVE-2026-35181 affects WWBN AVideo prior to 29.x. The endpoint admin/playerUpdate.json.php does not validate CSRF tokens, and the ORM security check excludes the plugins table via ignoreTableSecurityCheck(), removing the remaining defense. Coupled with SameSite=None cookies, an authenticated admi...

GHSA-HQXF-MHFW-RC44 AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

Summary The AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck,...

CVE-2024-13684

The Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the resetdbpage function. This makes it possible for unauthenticated attackers to reset several tables in the database like...

Exploit for CVE-2024-12025

CVE-2024-12025 Collapsing Categories = 5.0 AND error-based - W...