PT-2025-51070
The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax actions e.g., pop submit, poptheme submit in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with...
Taint-Based Code Slicing for LLMs-Based Malicious NPM Package Detection
The increasing sophistication of malware attacks in the npm ecosystem, characterized by obfuscation and complex logic, necessitates advanced detection methods. Recently, researchers have turned their attention from traditional detection approaches to Large Language Models (LLMs) due to their strong...
EUVD-2025-203061
The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This...
CVE-2025-67726
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The parseparam function in httputil.py is used to parse specific HTTP header values, such as thos...
CVE-2025-10684 Construction Light < 1.6.8 - Subscriber+ Arbitrary Plugin Activation
The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF checks when activating via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary...
CVE-2025-67725
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation...
CVE-2025-67724
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers where it could be used for header injection or in HTML in the default error page where it could be used for XSS and can be exploited by...
CVE-2025-13866
CVE-2025-13866: The Flow-Flow Social Feed Stream WordPress plugin (versions 3.0.0–4.7.5) is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action. Authenticated attackers with Subscriber level access or higher can modify plugin...
PT-2025-50826
The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action in versions 3.0.0 to 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and abov...
WordPress plugin Construction Light security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...
WordPress plugin Guest Support information disclosure vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. An information disclosure...
WordPress plugin WP Fastest Cache security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security...
Elementor Website Builder SQL Injection
Proof of concept exploit that demonstrates a remote SQL injection vulnerability in Elementor Website Builder versions prior to 3.12.2. Title: Elementor...
CVE-2022-50650
A flaw was found in the Linux kernel's BPF verifier. The verifier incorrectly handles reference state management for synchronous callbacks that execute multiple times foreach style helpers. This can lead to reference leaks when callbacks acquire references, or double-free conditions when callback...
SUSE CVE-2023-53799
In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in cryptodestroyinstance The function cryptodropspawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the...
libwebsockets: Stack-based Buffer Overflow in libwebsockets
A stack based buffer overflow flaw has been discovered in libwebsockets. The vulnerability allows an attacker that can inspect DNS requests made by the victim e.g. being in the same wireless network to forge a DNS response packet that overflows the stack and may lead to arbitrary code execution...
CVE-2025-62408 c-ares has a Use After Free vulnerability when connection is cleaned up after error
c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using readanswer and processanswer, which can cause a Denial of Service. This issue is fixed in version 1.34.6...
CVE-2025-12093
The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to perform several actions like registering an account,...
CVE-2025-13358 Accessiy By CodeConfig Accessibility <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation
The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the Settings::createPage function. This makes it...