20 matches found
WordPress Booktics plugin <= 1.0.16 - Missing Authorization to Addon Plugin Installation vulnerability
Missing Authorization to Addon Plugin Installation vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin Booktics versions <= 1.0.16...
CVE-2026-1920
CVE-2026-1920 affects the WordPress plugin Booktics (Booking Calendar for Appointments and Service Businesses) up to version 1.0.16. The root cause is a missing capability check in Extension_Controller::update_item_permissions_check, allowing unauthenticated attackers to install addon plugins and...
CVE-2025-67524
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster Elementor Addon jobmonster-addon allows PHP Local File Inclusion. This issue affects Jobmonster Elementor Addon: from n/a through <= 1.1.4...
EUVD-2024-51435
Malicious code in bioql PyPI...
CVE-2025-8564 SKT Addons for Elementor <= 3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
The SKT Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
WordPress ThemeREX Addons plugin <= 2.36.1.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Bonds in WordPress Plugin ThemeREX Addons versions <= 2.36.1.1...
CVE-2024-6553
The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.3. This is due to the plugin utilizing wpdesk and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to...
CVE-2023-26543 WordPress WP Meteor Page Speed Optimization Topping Plugin <= 3.1.4 is vulnerable to Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in Aleksandr Guidrevitch WP Meteor Website Speed Optimization Addon plugin <= 3.1.4 versions...
CVE-2023-26543
CVE-2023-26543 affects the WP Meteor Website Speed Optimization Addon for WordPress, versioned
WordPress WPQA - Builder forms Addon plugin < 5.2 - Private Message Disclosure via IDOR vulnerability
Private Message Disclosure via IDOR vulnerability discovered by Veshraj Ghimire in WordPress WPQA - Builder forms Addon plugin versions < 5.2. Solution: Update the WordPress WPQA - Builder forms Addon plugin to the latest available version (at least 5.2)...
WordPress WooCommerce SEO Content Randomizer Addon plugin <= 1.2.0 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress WooCommerce SEO Content Randomizer Addon plugin versions <= 1.2.0. Solution: Update the WordPress WooCommerce SEO Content Randomizer Addon plugin to the latest available version (at least 1.2.2)...
Moodle Teacher Enrollment Privilege Escalation / Remote Code Execution Exploit
Moodle versions 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12, and earlier unsupported versions allow a teacher to chain exploits to reach remote code execution. A bug in the privileges system allows a teacher to add themselves as a manager to their own class. They can then add any other users, and...
flatCore remote code execution vulnerability
flatCore is a PHP and SQLite based Web Content Management System (CMS). flatCore version 2.0.7 is vulnerable to remote code execution. An attacker can exploit the vulnerability to execute arbitrary PHP code by uploading the addon plugin...
Remote code execution
A Remote Code Execution (RCE) vulnerability exists in FlatCore-CMS 2.0.7 via the upload addon plugin, which could let a remote malicious user execute arbitrary PHP code...
CVE-2021-39608
A Remote Code Execution (RCE) vulnerability exists in FlatCore-CMS 2.0.7 via the upload addon plugin, which could let a remote malicious user execute arbitrary PHP code...
CVE-2021-39608
FlatCore-CMS 2.0.7 is vulnerable to remote code execution via the upload addon plugin, allowing a remote attacker to execute arbitrary PHP code. Public material across multiple feeds (NVD, RH/CVE, CNVD, OSV, CNVD) confirms RCE through the addon upload path. An exploit script exists publicly (Expl...
FlatCore-CMS Code Issue Vulnerability
flatCore is a PHP and SQLite based Web Content Management System (CMS). flatCore version 2.0.7 is vulnerable to remote code execution. An attacker can exploit the vulnerability to execute arbitrary PHP code by uploading the addon plugin...
WordPress Astra Pro Addon Plugin SQL Injection Vulnerability
WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A SQL injection vulnerability exists in WordPress Astra Pro Addon Plugin versions prior to 3.5.2, which stems...
CVE-2021-24144
Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files...
CVE-2021-24144
The CVE-2021-24144 issue affects the WordPress plugin Contact Form 7 Database Addon (CFDB7). Unvalidated input in CFDB7 prior to version 1.2.5.6 allows injection of arbitrary formulas into CSV exports/files. Affected component: CFDB7 CSV export handling; root cause: input validation weakness lead...