CVE-2026-5074

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir0' parameter of the getprivatecontentdata AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient sanitization of the user-supplied parameter which is concatenated directly into...

CVE-2026-5074

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir0' parameter of the getprivatecontentdata AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient sanitization of the user-supplied parameter which is concatenated directly into...

CVE-2026-5074 ARMember Premium <= 7.3.1 - Authenticated (Subscriber+) SQL Injection via 'sSortDir_0' Parameter

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir0' parameter of the getprivatecontentdata AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient sanitization of the user-supplied parameter which is concatenated directly into...

EUVD-2026-34004

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir0' parameter of the getprivatecontentdata AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient sanitization of the user-supplied parameter which is concatenated directly into...

CVE-2026-5074

The CVE concerns the ARMember Premium WordPress plugin. A SQL Injection exists in the get_private_content_data AJAX action via the sSortDir_0 parameter, in all versions up to and including 7.3.1. The user-supplied value is concatenated into the ORDER BY clause without a whitelist, allowing authen...

CVE-2026-5074 ARMember Premium <= 7.3.1 - Authenticated (Subscriber+) SQL Injection via 'sSortDir_0' Parameter

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir0' parameter of the getprivatecontentdata AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient sanitization of the user-supplied parameter which is concatenated directly into...

PT-2026-45845

Name of the Vulnerable Software and Affected Versions ARMember Premium versions prior to 7.3.2 Description An SQL Injection issue exists in the ARMember Premium plugin for WordPress. The get private content data AJAX action fails to properly sanitize the sSortDir 0 parameter, which is concatenate...

DRUPAL-CONTRIB-2026-034

Node view permissions module enables permissions "View own content" and "View any content" for each content type on permissions page The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user. This vulnerability is mitigated by...

PT-2026-40836

Name of the Vulnerable Software and Affected Versions Node View Permissions versions 0.0.0 through 1.6.x Node View Permissions versions 2.0.0 through 2.0.0 Description An improper check for unusual or exceptional conditions in the Node View Permissions module allows forceful browsing. The module...

Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Node view permissions module enables permissions "View own content" and "View any content" for each content type on permissions page The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user. This vulnerability is mitigated by...

CVE-2026-1629

Mattermost CVE-2026-1629 affects Mattermost 10.11.x up to 10.11.10. The issue arises from not invalidating cached permalink preview data when a user loses channel access, allowing continued viewing of private channel content via previously cached previews until cache reset or relogin. The CVSSv3....

CVE-2026-1629

Mattermost versions 10.11.x = 10.11.10 Fail to invalidate cached permalink preview data when a user loses channel access which allows the user to continue viewing private channel content via previously cached permalink previews until cache reset or relogin.. Mattermost Advisory ID: MMSA-2026-0058...

EUVD-2026-12184

The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7...

WordPress plugin Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

PT-2026-25812

Mattermost versions 10.11.x = 10.11.10 Fail to invalidate cached permalink preview data when a user loses channel access which allows the user to continue viewing private channel content via previously cached permalink previews until cache reset or relogin.. Mattermost Advisory ID: MMSA-2026-0058...

CVE-2026-1870 Thim Kit for Elementor <= 1.3.7 - Missing Authorization to Unauthenticated Private Course Disclosure

The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7...

PT-2026-25505

The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7...

CVE-2025-71242

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections rubriques in AJAX-loaded fragments, allowing an authenticated attacker to access restricted...

UBUNTU-CVE-2025-71242

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections rubriques in AJAX-loaded fragments, allowing an authenticated attacker to access restricted...

CVE-2025-71242

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections rubriques in AJAX-loaded fragments, allowing an authenticated attacker to access restricted...