CVE-2026-1375
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the courselistbulkaction, bulkdeletecourse, and...
EUVD-2008-3086
Malware in sbrugna...
EUVD-2024-50160
Malicious code in bioql PyPI...
EUVD-2025-19387
Malicious code in bioql PyPI...
EUVD-2025-18086
Malicious code in bioql PyPI...
CVE-2025-8487 Kubio AI Page Builder <= 2.6.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation
The Kubio AI Page Builder plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the kubio-image-hub-install-plugin AJAX action in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with Subscriber-lev...
PT-2025-26932 · WordPress · Drive Folder Embedder
Name of the Vulnerable Software and Affected Versions: Drive Folder Embedder plugin for WordPress versions up to, and including, 1.1.0
Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers...
CVE-2025-5673
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the ‘prgSortPostType’ parameter in all versions up to, and including, 8.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQ...
TencentOS Server 4: lemonldap-ng (TSSA-2025:0034)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0034 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...
CVE-2025-4216
The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...
CVE-2025-5395
The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authenticated attackers, with Author-level access and above, to...
PT-2025-22909 · WordPress · Exclusive Addons For Elementor
Name of the Vulnerable Software and Affected Versions: Exclusive Addons for Elementor plugin for WordPress versions up to, and including, 2.7.9.1
Description: The issue is related to Stored Cross-Site Scripting via the HTML attributes of the Countdown Timer Widget due to insufficient input...
CVE-2024-12061
The Events Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.3 via the naeventselementortemplate shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, wi...
CVE-2024-10909
The Pojo Forms plugin for WordPress is vulnerable to arbitrary shortcode execution via formpreviewshortcode AJAX action in all versions up to, and including, 1.4.7. This is due to the software allowing users to execute an action that does not properly validate a value before running...
CVE-2024-10785
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Countdown' widget in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2025-1457
The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Wrapper Link, Countdown and Gallery widgets in all versions up to, and including, 5.10.28 due to insufficient input sanitization...
CVE-2024-9416 Modula Image Gallery <= 2.10.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox 5 JavaScript Library
The Modula Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library versions = 5.0.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-2577
The Bitspecter Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and abov...
CVE-2024-13675
The SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Icon List" Block in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2024-43656 A backup can be manipulated and then restored to create arbitrary files inside the <redacted> directory. A CGI script can be added to the web directory this way, allowing for full remote code execution.
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root. This issue affects Iocharger firmware for AC model chargers before version 24120701. Likelihood: Moderate – It might be difficult for an attacker to identify the fil...