263 matches found
CVE-2025-12129 CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 - Unauthenticated Information Exposure
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be include...
PT-2026-3353
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be include...
CVE-2025-14279
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...
MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...
CVE-2025-14279
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...
PT-2026-1734
Name of the Vulnerable Software and Affected Versions MLFlow versions up to and including 3.4.0 Description MLFlow versions up to and including 3.4.0 are susceptible to DNS rebinding attacks because of missing Origin header validation within the MLFlow REST server. This allows malicious websites ...
CVE-2025-11924
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints...
EUVD-2025-203882
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints...
CVE-2025-12512
The GenerateBlocks plugin for WordPress is vulnerable to information exposure due to missing object-level authorization checks in versions up to, and including, 2.1.2. This is due to the plugin registering multiple REST API routes under generateblocks/v1/meta/ that gate access with...
EUVD-2025-203187
The GenerateBlocks plugin for WordPress is vulnerable to information exposure due to missing object-level authorization checks in versions up to, and including, 2.1.2. This is due to the plugin registering multiple REST API routes under generateblocks/v1/meta/ that gate access with...
WordPress plugin Bookit 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security...
CVE-2025-13620 Wp Social Login and Register Social Counter <= 3.1.3 - Missing Authorization in Cache REST Endpoints to Social Counter Tampering
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/checkcache/type, wslu/v1/savecache/type, and wslu/v1/settings/clearcountercache being registered with...
CVE-2025-13620
CVE-2025-13620 (WordPress) affects the WP Social Login and Register Social Counter plugin (versions up to 3.1.3). Multiple REST routes (wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, wslu/v1/settings/clear_counter_cache) were registered with permission_callback set to __return_true and la...
EUVD-2025-201339
The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract...
CVE-2025-13006 SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Unauthenticated Information Exposure
The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract...
WordPress Wp Social Login and Register Social Counter plugin <= 3.1.3 - Missing Authorization in Cache REST Endpoints to Social Counter Tampering vulnerability
Missing Authorization in Cache REST Endpoints to Social Counter Tampering vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Wp Social versions = 3.1.3...
EUVD-2025-200213
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets...
PT-2025-48650
Name of the Vulnerable Software and Affected Versions Beaver Builder – WordPress Page Builder plugin versions prior to 2.9.4 Description The Beaver Builder – WordPress Page Builder plugin for WordPress is susceptible to a missing authorization issue. Insufficient capability checks within the REST...
CVE-2025-61757: Imperva Customers Protected Against Critical Oracle Identity Manager Authentication Bypass Leading to Remote Code Execution
At the end of October 2025, Oracle released an emergency security alert addressing CVE-2025-61757, a high-severity authentication-bypass flaw that enables remote code execution in the Identity Manager product of Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0. Multiple threat actors a...
CVE-2025-12535
The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces wprest to unauthenticated users via the 'wpajaxnoprivrest-nonce' action. While the plugin...