Lucene search

37 matches found

CVE
added 2026/06/05 11:28 p.m. · 19 views

CVE-2026-10038

The Charitable – Donation Plugin for WordPress (Charitable) up to version 1.8.11.1 is affected by an Insecure Direct Object Reference/Authorization Bypass that enables Arbitrary Attachment Deletion via the profile avatar update flow. The issue stems from save_avatar() calling wp_delete_attachment...

CVSS 4.3 · AI score 5.6 · EPSS 0.00285
Exploits 0 · References 12
Positive Technologies
added 2026/06/05 12:00 a.m. · 13 views

PT-2026-47067

Name of the Vulnerable Software and Affected Versions: The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More versions prior to 1.8.11.2. Description: An Insecure Direct Object Reference and Authorization Bypass allows authenticated attackers with Subscriber-lev...

CVSS 4.3 · AI score 5.5 · EPSS 0.00285
Exploits 0 · References 15
CNNVD
added 2026/03/24 12:00 a.m. · 4 views

Vikunja security vulnerability

Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.2.1 contained security vulnerabilities. These vulnerabilities stemmed from the TaskAttachment.ReadOne function, which only queried attachments based on ID, potentially allowing arbitrary...

CVSS 8.1 · AI score 6.5 · EPSS 0.00265
Exploits 1 · References 2
CVE
added 2026/01/28 5:30 a.m. · 13 views

CVE-2026-1298

The CVE-2026-1298 entry refers to the WordPress plugin Easy Replace Image (

CVSS 5.3 · AI score 5.9 · EPSS 0.00254
Exploits 0 · References 4
RedhatCVE
added 2026/01/21 3:27 p.m. · 11 views

CVE-2026-0548

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the deleteexistinguserphoto function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, wi...

CVSS 5.4 · AI score 5.7 · EPSS 0.00247
Exploits 0 · References 1
EUVD
added 2025/10/07 12:30 a.m. · 4 views

EUVD-2018-19384

Malware in sbrugna...

CVSS 7.5 · AI score 7.6 · EPSS 0.01535
Exploits 1 · References 2
EUVD
added 2025/10/07 12:30 a.m. · 4 views

EUVD-2016-2689

Malware in sbrugna...

CVSS 6.5 · AI score 6.6 · EPSS 0.06902
Exploits 3 · References 7
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2014-5936

Malware in sbrugna...

CVSS 5.3 · AI score 5.5 · EPSS 0.0568
Exploits 0 · References 3
CVE
added 2024/10/10 2:06 a.m. · 50 views

CVE-2024-9067

The CVE-2024-9067 entry concerns Youzify for WordPress. A missing capability check in the delete_attachment function across versions up to 1.3.0 allows authenticated users with Subscriber+ privileges to modify data by deleting arbitrary attachments. This is a Broken Access Control issue in Youzif...

CVSS 4.3 · AI score 4.8 · EPSS 0.00314
Exploits 0 · References 3 · Affected Software 1
NVD
added 2024/07/09 9:15 a.m. · 26 views

CVE-2024-3608

The Product Designer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the productdesignerajaxdeleteattachid function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to delete arbitrary...

CVSS 5.3 · EPSS 0.00562
Exploits 0 · References 3
CVE
added 2024/07/09 8:33 a.m. · 49 views

CVE-2024-3608

CVE-2024-3608 affects the Product Designer plugin for WordPress. It enables unauthenticated attackers to delete arbitrary attachments due to a missing capability check in product_designer_ajax_delete_attach_id() in versions up to 1.0.33. The vulnerability status and exact impacted versions are do...

CVSS 5.3 · AI score 6 · EPSS 0.00562
Exploits 0 · References 3
Cvelist
added 2024/06/04 5:32 a.m. · 23 views

CVE-2024-4274 Essential Real Estate <= 4.4.2 - Insecure Direct Object Reference to Arbitrary Attachment Deletion

The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the removepropertyattachmentajax function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and...

CVSS 4.3 · AI score 4.5 · EPSS 0.00462
Exploits 0 · References 4
BDU FSTEC
added 2024/03/18 12:00 a.m. · 5 views

The vulnerability of the Kiwi TCMS testing system lies in its ability to allow unlimited loading of dangerous types of files. This allows attackers to upload arbitrary attachments to testing plans and test scenarios.

The vulnerability of the Kiwi TCMS testing system lies in its ability to load files of a malicious nature without limitation. Exploiting this vulnerability allows an attacker to upload arbitrary attachments to testing plans and test scenarios remotely...

CVSS 9.4 · AI score 6.6 · EPSS 0.00586
Exploits 1 · References 7 · Affected Software 1
BDU FSTEC
added 2024/03/18 12:00 a.m. · 2 views

The vulnerability of the Kiwi TCMS testing system lies in the lack of measures to protect the website structure. This allows attackers to upload arbitrary attachments to testing plans and test scenarios.

The vulnerability of the Kiwi TCMS testing system is related to the lack of measures taken to protect the website structure. Exploiting this vulnerability allows a malicious actor to upload arbitrary attachments to testing plans and test scenarios...

CVSS 9.4 · AI score 6.6 · EPSS 0.0087
Exploits 1 · References 6 · Affected Software 1
WPVulnDB
added 2023/12/08 12:00 a.m. · 36 views

JetElements For Elementor < 2.6.13.1 - Missing Authorization to Unauthenticated Arbitrary Attachment Download

Description: The JetElements plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on an unknown function in all versions up to, and including, 2.6.13. This makes it possible for unauthenticated attackers to download arbitrary attachments...

AI score 7.1 · EPSS 0.00399
Exploits 0 · References 1 · Affected Software 1
Prion
added 2023/08/16 12:15 p.m. · 17 views

Cross-site request forgery (CSRF)

The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments...

CVSS 5.5 · AI score 5.5 · EPSS 0.0028
Exploits 2 · References 1 · Affected Software 1
Vulnrichment
added 2023/08/16 11:03 a.m. · 8 views

CVE-2023-0551 REST API TO MiniProgram <= 4.6.1 - Subscriber+ Attachment Deletion

The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments...

AI score 7 · EPSS 0.0028
Exploits 2 · References 1
Positive Technologies
added 2023/06/06 12:00 a.m. · 8 views

PT-2023-8827 · Nginx +1

Name of the Vulnerable Software and Affected Versions: Kiwi TCMS versions prior to 12.4 Description: The issue is related to the lack of protection of the web page structure in Kiwi TCMS, allowing a remote attacker to upload arbitrary attachments to test plans and test cases. Earlier versions of...

CVSS 9.4 · AI score 6.3 · EPSS 0.0087
Exploits 1 · References 12
CNNVD
added 2022/12/06 12:00 a.m. · 4 views

Redmine security vulnerability

Redmine is a set of open source web-based project management and defect tracking tools. The product provides features such as project management, issue tracking and role-based access control. A security vulnerability exists in Redmine version 5.x up to and including version 5.0.4, which stems fr...

CVSS 7.5 · AI score 7.4 · EPSS 0.00644
Exploits 0 · References 4
Prion
added 2018/08/28 5:29 p.m. · 17 views

Server-side request forgery (SSRF)

phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attachments via a direct request...

CVSS 5 · AI score 7.2 · EPSS 0.0568
Exploits 0 · References 2 · Affected Software 1