500 matches found
WordPress plugin Smart Custom Fields 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
PT-2026-27252
The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational posts search function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and...
CVE-2026-33355
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the /private-posts endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1...
CVE-2026-33355
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the /private-posts endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1...
CVE-2026-33355 Discourse filters whisper posts from private-posts feed
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the /private-posts endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1...
EUVD-2026-13337
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the /private-posts endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1...
CVE-2026-33355
Discourse (open-source) is affected by CVE-2026-33355. The vulnerability affects the /private-posts endpoint where post-type visibility filtering was not applied, enabling regular PM participants to see whisper posts in PM topics to which they had access. Affected versions are 2026.3.0-latest.1, ...
CVE-2026-33355 Discourse filters whisper posts from private-posts feed
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the /private-posts endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1...
CVE-2026-33355 Discourse filters whisper posts from private-posts feed
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the /private-posts endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1...
Discourse 信息泄露漏洞
Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from an information disclosure vulnerability that stems from the /private-posts endpoint not applying post type...
GHSA-G9W4-M5FX-X3WV Yoast Duplicate Post has an Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite
The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clonebulkactionhandler and republishrequest functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with...
PT-2026-24659
Name of the Vulnerable Software and Affected Versions WordPress versions 6.9 through 6.9.1 Description WordPress core is susceptible to unauthorized access. The Notes feature, introduced in WordPress 6.9, allows for collaborative annotations on posts within the block editor. However, the REST API...
CVE-2026-1219
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'loadtracknoteajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers...
CVE-2025-13842
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $REQUEST'postid' parameter without verification in the...
CVE-2026-1219
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'loadtracknoteajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers...
CVE-2026-1219
CVE-2026-1219 affects the WordPress plugin MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar. Versions 4.0–5.10 are exposed to an Insecure Direct Object Reference via load_track_note_ajax due to missing validation on a user-controlled key, allowing unauthenticated access to privat...
CVE-2026-1219 MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'loadtracknoteajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers...
CVE-2026-1219
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'loadtracknoteajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers...
CVE-2025-13842
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $REQUEST'postid' parameter without verification in the...
CVE-2025-13842 Breadcrumb NavXT <= 7.5.0 - Missing Authorization to Sensitive Information Exposure
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $REQUEST'postid' parameter without verification in the...