WordPress Directory Listings WordPress plugin - uListing plugin <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection vulnerability
WordPress Directory Listings WordPress plugin - uListing plugin <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin uListing versions <= 2.2.0...
CVE-2025-13629
The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplpapiupdatetext' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a...
WordPress WP Landing Page plugin <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update vulnerability
Cross-Site Request Forgery to Arbitrary Post Meta Update vulnerability discovered by Ivan Cese in WordPress Plugin WP Landing Page versions <= 0.9.3...
EUVD-2022-24710
Malicious code in bioql PyPI...
CVE-2025-6726 Block Editor Gallery Slider <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Limited Post Meta Update
The Block Editor Gallery Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the classic_gallery_slider_options function in all versions up to, and including, 1.1.1. This makes it possible for authenticated attackers, with...
CVE-2025-6726
CVE-2025-6726 relates to the Block Editor Gallery Slider WordPress plugin. The Wordfence/NVD entry states a missing capability check in classic_gallery_slider_options() affects all versions up to and including 1.1.1, enabling authenticated users with Subscriber-level access or higher to modify li...
CVE-2022-1393
The WP Subtitle WordPress plugin before 3.4.1 adds a subtitle field and provides a shortcode to display it via wpsubtitle. The subtitle is stored as a custom post meta with the key: "wpssubtitle", which is sanitized upon post save/update, however is not sanitized when updating it directly from th...
CVE-2025-1657
CVE-2025-1657 concerns the Directory Listings WordPress plugin – uListing for WordPress. The Red Hat and NVD entries, plus Wordfence details, state that all versions up to and including 2.1.7 are vulnerable due to a missing capability check on the stm_listing_ajax AJAX action. This allows authent...
WordPress Social Auto Poster plugin <= 5.3.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update via wpw_auto_poster_update_tweet_template vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update via wpw_auto_poster_update_tweet_template vulnerability discovered by István Márton in WordPress Plugin Social Auto Poster versions <= 5.3.14...
PT-2024-17988 · WordPress · Event Post Plugin
Name of the Vulnerable Software and Affected Versions: Event post plugin for WordPress versions up to, and including, 5.9.4 Description: The issue allows authenticated attackers with subscriber access or higher to update post meta data due to a missing capability check on the save bulkdatas...