148 matches found
WordPress plugin Advanced Custom Fields 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
PT-2026-45169
The Advanced Custom Fields ACF® plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrit...
CVE-2026-9104
The CVE concerns the Draft List plugin for WordPress, affecting all versions up to 2.6.3. It describes a Stored Cross-Site Scripting (XSS) vulnerability in draft post titles caused by insufficient input sanitization and output escaping. Exploitation requires at least author-level access; authenti...
PT-2026-36597
Name of the Vulnerable Software and Affected Versions Total theme for WordPress versions prior to 2.2.2 Description Stored Cross-Site Scripting is possible via post titles due to insufficient output escaping when rendering the the title function inside HTML attribute context in the home blog...
CVE-2026-3350 Image Alt Text Manager <= 1.8.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Title
The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.2. This is due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes using a DOM...
CVE-2026-27934
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions...
Discourse 安全漏洞
Discourse is an open-source community discussion platform developed by Discourse. This platform includes features such as communities, email communication, and chat rooms. Versions of Discourse prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain security vulnerabilities. These...
CVE-2025-12116
The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to...
CVE-2026-1925
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'updatetemplatedata' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with...
CVE-2025-12117 Renden <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to...
CVE-2025-12116 Drift <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to...
CVE-2025-12116 Drift <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to...
PT-2026-20579
Name of the Vulnerable Software and Affected Versions Renden versions prior to 1.8.2 Description The Renden theme for WordPress is susceptible to Stored Cross-Site Scripting through the post title. Insufficient input sanitization and output escaping allow authenticated attackers with...
WordPress plugin Blog2Social: Social Media Auto Post & Scheduler 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-2295 WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.2 - Unauthenticated Protected Post Exposure via ajax_post_grid_load_more
The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajaxpostgridloadmore' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attacker...
CVE-2026-2295 WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.2 - Unauthenticated Protected Post Exposure via ajax_post_grid_load_more
The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajaxpostgridloadmore' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attacker...
WordPress Bulk Edit Post Titles plugin <= 5.0.0 - Missing Authorization via bulkUpdatePostTitles vulnerability
Missing Authorization via bulkUpdatePostTitles vulnerability discovered by Francesco Carlucci in WordPress Plugin Bulk Edit Post Titles versions = 5.0.0...
CVE-2025-15525
The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parsecustomargs function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose...
CVE-2025-15525
The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parsecustomargs function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose...
CVE-2025-15525 Ajax Load More – Infinite Scroll, Lazy Load & Load More <= 7.8.1 - Incorrect Authorization to Unauthenticated Private/Draft Post Title and Excerpt Exposure
The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parsecustomargs function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose...