Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Skitter Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. id: CVE-2025-28906 info: name: Skitter Slideshow = 2.5.2 - Authenticated Administrator+ Stored Cross-Site...

FlatnuX CMS - Directory Traversal

A path traversal vulnerability in controlcenter.php in FlatnuX CMS 2011 08.09.2 allows remote administrators to read arbitrary files via a full pathname in the dir parameter in a contents/Files action. id: CVE-2012-4878 info: name: FlatnuX CMS - Directory Traversal author: daffainfo severity:...

EUVD-2026-38695

The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access such as Editors to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0...

CVE-2026-10753

CVE-2026-10753 concerns Site Kit by Google for WordPress prior to 1.176.0. A REST API write endpoint is not properly restricted to administrators, allowing lower-privileged users (e.g., Editors with dashboard sharing access) to modify a site-wide setting that should be admin-only. Impact: potenti...

CVE-2026-56222

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/rolebindings that fails to verify appid ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by...

CVE-2026-56446

MISP is affected by CVE-2026-56446 where an authenticated site administrator could configure an arbitrary filesystem path for the NDJSON error log via JsonLogTool. Logged data can contain attacker-controlled content, enabling direction of log output to a web-accessible PHP file and potentially in...

CVE-2026-8918

The CVE concerns ASUS Armoury Crate. A permissive input validation allows a local administrator to bypass checks and perform arbitrary memory read/write or trigger a system crash (BSOD). Affected software is ASUS Armoury Crate; the underling issue is permissive input validation in the input handl...

CVE-2026-56342

AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL validation and accepts requests to private IP ranges and cloud metadata...

EUVD-2026-38131

AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL validation and accepts requests to private IP ranges and cloud metadata...

CVE-2026-7547

CVE-2026-7547 affects the WordPress plugin Woosa – Marktplaats for WooCommerce. Versions up to 2.0.4 are vulnerable to Arbitrary File Read via path traversal in render_logs_ui(), which accepts a base64-encoded log_file name and concatenates it with the log directory without validating the final p...

PT-2026-51041

Name of the Vulnerable Software and Affected Versions Branda plugin for WordPress versions prior to 3.4.30 Description The plugin is susceptible to privilege escalation through account takeover. This occurs because the software fails to properly validate a user's identity before updating a...

WordPress Woosa – Marktplaats for WooCommerce plugin <= 2.0.5 - Authenticated (Administrator+) Arbitrary File Read vulnerability

Authenticated Administrator+ Arbitrary File Read vulnerability discovered by Legion Hunter in WordPress Plugin Woosa – Marktplaats for WooCommerce versions = 2.0.5...

CVE-2026-11358 Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it...

CVE-2026-11777

Form Maker by 10Web (WordPress) 導插件 Form Maker, versions up to 1.15.43, is vulnerable to a generic SQL Injection via the name parameter due to insufficient escaping and lack of prepared statements. The vulnerability allows an authenticated attacker with administrator-level access to append additi...

EUVD-2026-37783

Sonatype Nexus Repository Manager before 3.93.0 contains an authorization vulnerability in the proxy repository configuration that allows a delegated repository administrator to disclose stored upstream proxy credentials...

CVE-2026-12115

The vulnerability CVE-2026-12115 affects the WordPress plugin Counter Box (versions up to 2.0.13). It allows PHP Object Injection via deserialization of untrusted input and requires authenticated access at Administrator+ level. Deserialization occurs automatically during the post-import redirect ...

CVE-2026-49954

Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigg...

CVE-2016-20067

CVE-2016-20067 : WordPress CP Polls 1.0.8 contains a cross-site request forgery (CSRF) vulnerability that allows an attacker to perform unauthorized poll operations on behalf of an authenticated administrator. An attacker can craft a malicious HTML page; when an admin visits it while logged in, t...

PT-2026-49309

Discuz! X5.0 releases 20260320 through 20260501 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigg...

CVE-2026-54358

The CVE concerns MISP where an organization administrator can target site administrator accounts within the same organization via the administrative email function due to a faulty authorization check that fails to exclude site-admin recipients from queries. This allows privileged account-manageme...