WordPress Stripe Payment Gateway for WooCommerce plugin <= 5.0.7 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by Jakub Herman in WordPress Plugin Stripe Payment Gateway for WooCommerce versions = 5.0.7...

CVE-2026-34382

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylistfunction.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently...

CVE-2026-32813

Admidio has a second-order SQL injection via its list configuration feature. Authenticated users can store arbitrary values in the list configuration (notably in lsc_special_field, lsc_sort, and lsc_filter) which are later interpolated unsafely into SQL during list rendering, enabling data exfilt...

CVE-2026-32817 Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folderdelete and filedelete action handlers in modules/documents-files.php only perform a VIE...

CVE-2026-32817 Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the documents and files module does not verify whether the current user has permission to delete folders or files. The folderdelete and filedelete action handlers in modules/documents-files.php only perform a VIE...

CVE-2026-32757

Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject...

CVE-2026-32757 Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection

Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject...

CVE-2026-32756 Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an...

CVE-2026-32816 Admidio has Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groupsroles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF...

Missing Authorization

Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Missing Authorization in the topicdelete and postdelete processes. An attacker can remove any forum topic, including all associated...

CVE-2026-22589

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without...

CVE-2026-22589

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without...

CVE-2026-22589

CVE-2026-22589 affects Spree (Rails e-commerce); unauthenticated IDOR allows access to guest address data. Affected: Spree versions before 4.10.2, 5.0.7, 5.1.9, and 5.2.5. Patch/mitigation: upgrade to 4.10.2+, 5.0.7+, 5.1.9+, or 5.2.5+. Root cause cited as faulty authorization (CanCanCan) leading...

CVE-2025-68523

Missing Authorization vulnerability in Spiffy Plugins Spiffy Calendar spiffy-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spiffy Calendar: from n/a through = 5.0.7...

CVE-2025-68523 WordPress Spiffy Calendar plugin <= 5.0.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Spiffy Plugins Spiffy Calendar spiffy-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spiffy Calendar: from n/a through = 5.0.7...

CVE-2025-68523

CVE-2025-68523 affects WordPress Spiffy Calendar plugin spiffy-calendar (versions up to and including 5.0.7) with a Broken Access Control/Missing Authorization vulnerability due to incorrectly configured access control. Public sources in connected documents confirm the issue, describing insuffici...

WordPress plugin Spiffy Calendar 安全漏洞

WordPress Spiffy Calendar is a WordPress calendar plugin focused on helping users manage and display events. A lack of authorization vulnerability exists in WordPress Spiffy Calendar, which can be exploited by an attacker to leverage a misconfigured access control security level...

CVE-2025-31501

Best Practical RT Request Tracker 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink...

CVE-2023-1403

The Weaver Xtreme Theme for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 5.0.7. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary...

Best Practical Solutions Request Tracker 加密问题漏洞

Best Practical Solutions Request Tracker is an open source, enterprise-grade work order tracking system for customer service, IT service management and business process tracking from Best Practical Solutions. An encryption issue vulnerability exists in Best Practical Solutions Request Tracker...