CVE-2015-20067 WP Attachment Export < 0.2.4 - Unauthenticated Posts Download
The WP Attachment Export WordPress plugin before 0.2.4 does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress...
Bulk Datetime Change < 1.12 - Missing Authorisation
The plugin does not enforce capability checks, which allows users with the Contributor role to (1) list private post titles of other users and (2) change the posted date of other users' posts. PoC: Run on the "Bulk Datetime Change" page:...
Discourse Information Disclosure Vulnerability
Discourse is an open source community discussion platform. The platform includes community, email, and chat room features. Discourse has a security vulnerability that could be exploited by attackers to add their reactions to posts...
CVE-2021-24677
The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles...
CVE-2021-24677 Find My Blocks < 3.4.0 - Private Post Titles Disclosure
The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles...
CVE-2021-24677
The CVE concerns the WordPress plugin Find My Blocks prior to version 3.4.0, where the REST API lacks authorization checks. This allows unauthenticated users to enumerate titles of private posts via the plugin’s REST endpoints (e.g., private post title disclosure). Impact is limited to affected s...
WordPress Plugin Cross-Site Scripting Vulnerability
WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. A cross-site scripting vulnerability exists in the WordPress Podcast Subscribe Buttons plugin in versions prior to 1.4.2, which stems from a lack of validation and filtering of user-supplied data and output...
WordPress Popular Posts Plugin < 5.3.4 XSS Vulnerability
Cross-Site Request Forgery (CSRF) in flatcore/flatcore-cms
Description: (1) Missing CSRF token in delete posts and delete folder in the frontend. (2) Missing backend CSRF validation in (a) removing and enabling fix status, (b) deleting posts, (c) delete folder and (d) delexclude in the indexing page (see Permalinks). (3) Delete cache. Proof of Concept: Open in...
Squaretype Modern Blog < 3.0.4 - Unauthenticated Private/Schedule Posts Disclosure
The theme allows unauthenticated users to manipulate the query vars used to retrieve the posts to display in one of its REST endpoints, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request. PoC: POST /wp-json/csco/v1/more-posts Accept:...
Squaretype Modern Blog < 3.0.4 - Unauthenticated Private/Schedule Posts Disclosure
The theme allows unauthenticated users to manipulate the query vars used to retrieve the posts to display in one of its REST endpoints, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request. POST /wp-json/csco/v1/more-posts Accept:...
WordPress Similar Posts plugin <= 3.1.5 - Arbitrary PHP Code Execution vulnerability
Arbitrary PHP Code Execution vulnerability discovered by bl4derunner in WordPress Similar Posts plugin versions <= 3.1.5. Solution: Update the WordPress Similar Posts plugin to the latest available version (at least 3.1.6)...
Inline Related Posts < 3.0.5 - Admin+ Cross-Site Scripting
Multiple parameters are vulnerable to stored Cross-site Scripting. The vulnerabilities require admin privileges to exploit. In each case the script will execute for every user viewing a post that contains one of the inline references. PoC POST...
WordPress Inline Related Posts plugin <= 3.0.4 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability discovered by Martin Vierula (Trustwave) in WordPress Inline Related Posts plugin versions <= 3.0.4. Solution: Update the WordPress Inline Related Posts plugin to the latest available version (at least 3.0.5)...
WordPress Inline Related Posts Plugin Cross-Site Scripting Vulnerability
WordPress is the WordPress Foundation's blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress Plugin is an open source application plugin for WordPress. A cross-site scripting vulnerability exists in the Inline...
WordPress TableOn – WordPress Posts Table Filterable plugin <= 1.0.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress TableOn – WordPress Posts Table Filterable plugin versions <= 1.0.0. Solution: Update the WordPress TableOn – WordPress Posts Table Filterable plugin to the latest available version (at least 1.0.1)...
CVE-2021-20035
| creationtimestamp | type | source |
|---|---|---|
| 2021-09-27 22:34:55+00:00 | seen | https://t.me/cibsecurity/29520 |
| 2025-04-16 17:15:16+00:00 | seen | https://bsky.app/profile/cyberalerts.bsky.social/post/3lmx3qwkbbe2c |
| 2025-04-16 18:02:17+00:00 | seen | https://feedsin.space/feed/CISAKevBot/items/3814863... |
CVE-2021-24661
The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with Contributor roles or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID...
WordPress plugin Popular Posts cross-site scripting vulnerability
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blog sites on servers with PHP and MySQL. The WordPress plugin Popular Posts 5.3.3 and previous versions have a cross-site scripting vulnerability tha...
CVE-2021-36872
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress Popular Posts plugin versions <= 5.3.3. Vulnerable at &widget-wpp2posttype...