Lucene search

5 matches found

RedhatCVE
added 2025/06/16 8:26 a.m., 3 views

CVE-2025-6064

The WP URL Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the 'urlshortenersettings' page. This makes it possible for unauthenticated attackers to update settings and...

CVSS 6.1, AI score 6.7, EPSS 0.00044
Exploits: 0, References: 1

RedhatCVE
added 2025/06/15 2:16 a.m., 3 views

CVE-2025-5930

The WP2HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the save function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request...

CVSS 4.3, AI score 4.5, EPSS 0.00046
Exploits: 0, References: 1

OSV
added 2023/09/01 7:15 p.m., 1 views

CVE-2023-4709

A vulnerability classified as problematic has been found in TOTVS RM 12.1. Affected is an unknown function of the file Login.aspx of the component Portal. The manipulation of the argument VIEWSTATE leads to cross site scripting. It is possible to launch the attack remotely. The complexity of an...

CVSS 2.3, AI score 3.7, EPSS 0.00091
Exploits: 0, References: 4

OSV
added 2022/02/22 10:35 p.m., 24 views

CVE-2022-21654 Incorrect configuration handling allows TLS session re-use without re-validation in Envoy

Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's TLS allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default TLS settings are used. Users are advised...

CVSS 7.4, AI score 8, EPSS 0.0006
Exploits: 0, References: 4

wpexploit
added 2021/11/15 12:0 a.m., 150 views

NEX-Forms <= 7.9.4 - Multiple Admin+ Stored Cross-Site Scripting

The plugin does not escape some of its settings and form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. In Global Setting Preferences Validation, put the following...

CVSS 4.8, AI score 5, EPSS 0.00097
Exploits: 2