EUVD-2025-32246

The AP Background plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.2. This is due to missing or incorrect nonce validation on the advParallaxBackAdminSaveSlider function. This makes it possible for unauthenticated attackers to create or...

CVE-2025-9897

CVE-2025-9897 : The WordPress AP Background plugin (versions up to 3.8.2) is affected by a Cross-Site Request Forgery due to missing/incorrect nonce validation in advParallaxBackAdminSaveSlider. Exploitation requires user interaction (social engineering via an admin action), and it can enable una...

CVE-2025-10165

CVE-2025-10165 affects the WordPress plugin AP Background. A stored XSS flaw exists in the adv_parallax_back shortcode due to insufficient input sanitization and output escaping in versions up to 3.8.2, allowing authenticated users with contributor-level access or higher to inject and execute scr...

CVE-2025-9561 AP Background 3.8.1 - 3.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload via advParallaxBackAdminSaveSlider Function

The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level acce...

CVE-2025-9561

CVE-2025-9561 affects the WordPress AP Background plugin (versions 3.8.1–3.8.2). The issue is an arbitrary file upload vulnerability due to missing authorization and insufficient file validation in advParallaxBackAdminSaveSlider(), allowing authenticated attackers with Subscriber+ access to uploa...

EUVD-2025-32248

The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level acce...

WordPress AP Background plugin <= 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin AP Background versions = 3.8.2...

WordPress AP Background plugin <= 3.8.2 - Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery vulnerability discovered by Nabil Irawan in WordPress Plugin AP Background versions = 3.8.2...

WordPress AP Background plugin 3.8.1-3.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload via advParallaxBackAdminSaveSlider Function vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary File Upload via advParallaxBackAdminSaveSlider Function vulnerability discovered by kr0d in WordPress Plugin AP Background versions 3.8.1-3.8.2...

WordPress plugin AP Background 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. WordPress AP Background plugin suffers from a cross-site scripting vulnerability that stems from the application's lack of effective filtering and escaping of advparallaxback,...

PT-2025-40467

Name of the Vulnerable Software and Affected Versions AP Background plugin for WordPress versions prior to 3.8.3 Description The software contains a flaw that allows an attacker to inject malicious web scripts into pages. This is possible due to insufficient input sanitization and output escaping...

WordPress plugin AP Background 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. A cross-site request forgery vulnerability exists in the WordPress AP Background plugin that stems from missing or incorrect random number validation in the...

WordPress plugin AP Background 代码问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. An arbitrary file upload vulnerability exists in the WordPress AP Background plugin, which stems from a lack of authorization and insufficient file validation in the...

PT-2025-40509

Name of the Vulnerable Software and Affected Versions AP Background plugin for WordPress versions up to and including 3.8.2 Description The software is susceptible to Cross-Site Request Forgery CSRF. This is due to missing or incorrect nonce validation within the advParallaxBackAdminSaveSlider...

CVE-2025-20366

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an...

CVE-2025-20366 Improper Access Control in Background Job Submission in Splunk Enterprise

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an...

CVE-2025-20366 Improper Access Control in Background Job Submission in Splunk Enterprise

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an...

CVE-2025-20366

CVE-2025-20366 affects Splunk Enterprise and Splunk Cloud Platform. A low-privileged user (not admin/power roles) can access sensitive search results if an administrative search job runs in the background and the user guesses the job’s unique SID, potentially exposing confidential data. Affected ...

WordPress Image&Video FullScreen Background plugin <= 1.6.7 - SQL Injection vulnerability

SQL Injection vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Image&Video FullScreen Background versions = 1.6.7...

CVE-2025-59305

Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated user to invoke migration control functions. This can lead to data corruption or denial of service through unauthorized access to TRPC endpoints such as backgroundMigrations.all,...