36 matches found
CVE-2026-4798
The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘productorder’ parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
EUVD-2026-22822
The Avada Fusion Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's fusiongetpostcustomfield function failing to validate whether metadata keys are protected underscore-prefixed. This makes it...
CVE-2026-1509
The Avada Fusion Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's output_action_hook function accepting user-controlled input to trigger any registered WordPress action hook without proper...
WordPress Avada (Fusion) Builder plugin <= 3.15.1 - Authenticated (Subscriber+) Limited Arbitrary WordPress Action Execution vulnerability
Authenticated Subscriber+ Limited Arbitrary WordPress Action Execution vulnerability discovered by Webbernaut in WordPress Plugin Fusion Builder versions <= 3.15.1...
CVE-2026-1509
The CVE concerns the Avada (Fusion) Builder plugin for WordPress, affected in all versions up to 3.15.1. The root cause is the output_action_hook() function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks, allowing authenticated ...
CVE-2026-1509 Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Limited Arbitrary WordPress Action Execution
The Avada Fusion Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's output_action_hook function accepting user-controlled input to trigger any registered WordPress action hook without proper...
CVE-2026-1128 WP eCommerce <= 3.15.1 - Coupon Deletion via CSRF
The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack...
WordPress plugin WP eCommerce security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-1235
The vulnerability CVE-2026-1235 affects the WP eCommerce WordPress plugin (up to version 3.15.1). It arises from unserializing user input via ajax actions, enabling PHP Object Injection when a suitable gadget is present on the blog. Impact is unauthenticated access to trigger the issue; exploitat...
CVE-2026-1235 WP eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection
The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...
PT-2026-7487
The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...
EUVD-2021-19495
Malware in sbrugna...
EUVD-2024-42351
Malicious code in bioql PyPI...
GHSA-65P9-J6PG-72HJ billboard.js allows prototype pollution via the function generate
billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties...
GHSA-GJXM-X497-4H6H Duplicate Advisory: D-Tale Command Injection vulnerability
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-832w-fhmw-w4f4. This link is maintained to preserve external references. Original Description: A vulnerability in man-group/dtale versions 3.15.1 allows an attacker to override global state settings to enable the...
CVE-2025-0655
Rejected reason: REJECT DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-55890. Notes: All CVE users should reference CVE-2024-55890 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage...
PT-2025-12319 · Man · D-Tale
Name of the Vulnerable Software and Affected Versions: man-group/dtale version 3.15.1 Description: A vulnerability in man-group/dtale allows an attacker to override global state settings to enable the enable custom filters feature, which is typically restricted to trusted environments. Once...
CVE-2024-12852
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hacmctext' parameter of the Happy Mouse Cursor in all versions up to, and including, 3.15.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...