2673 matches found
PT-2025-33246 · WordPress · Bplugins Button Block
Name of the Vulnerable Software and Affected Versions: bPlugins Button Block versions through 1.2.0 Description: This issue involves a Cross-Site Request Forgery (CSRF) that allows malicious actors to perform actions on behalf of an unsuspecting user. Recommendations: Update bPlugins Button Block t...
CVE-2025-8891 OceanWP <= 4.0.9 - 4.1.1 - Cross-Site Request Forgery to Ocean Extra Plugin Installation
The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_button_click function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a forge...
CVE-2025-8891
CVE-2025-8891 relates to the OceanWP WordPress theme. The affected versions are 4.0.9 through 4.1.1, where a Cross-Site Request Forgery can be exploited due to missing/incorrect nonce validation in the oceanwp_notice_button_click() function. This enables unauthenticated attackers to cause the ins...
GHSA-M5C7-5GV3-HCPF Liferay Portal 7.4.0 and Liferay DXP have a reflected cross-site scripting (XSS) vulnerability
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the first display label field in the configuration of a custom sort widget. An attacker can execute arbitrary JavaScript code in the context of the user's browser by injecting a malicious payload that is...
CVE-2025-43734
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows...
CVE-2025-43734
Liferay Portal 7.4.0–7.4.3.132 and Liferay DXP 2025.Q1.0–2025.Q1.10, 2024.Q4.0–2024.Q4.7, 2024.Q3.1–2024.Q3.13, 2024.Q2.1–2024.Q2.13, 2024.Q1.1–2024.Q1.16 and 7.4 GA through update 92 are affected by a reflected XSS in the first display label field of a custom sort widget. A remote authenticated ...
xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leadin...
Malicious Package
Overview: @platform-ui-storybook/copy-button is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...
@toptal/picasso (>=48.1.18 <=54.1.4-alpha-CPS-2606-migrate-to-tailwind-4-fe1684b09.0), @toptal/picasso-accordion (>=2.0.11 <=3.0.32-alpha-CPS-2606-migrate-to-tailwind-4-fe1684b09.0) +33 more potentially affected by unknown CVE via @toptal/picasso-button (>=4.0.0 <=4.0.9)
@toptal/picasso-button NPM version =4.0.0, =48.1.18, =2.0.11, =3.0.11, =2.0.11, =4.0.0, =3.0.0, =4.0.0, =4.0.0, =2.0.15, =1.0.45, =3.0.11, =4.0.0, =2.0.12, =4.0.33-alpha-CPS-2606-migrate-to-tailwind-4-fe1684b09.0...
Malicious code in @toptal/picasso-button (npm)
The package communicates with a domain associated with malicious activity...
CVE-2025-7669 Avishi WP PayPal Payment Button <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The Avishi WP PayPal Payment Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'avishi-wp-paypal-payment-button/index.php' page. This makes it possible for unauthenticated...
CVE-2025-7669
CVE-2025-7669 affects the Avishi WP PayPal Payment Button plugin for WordPress. It is a Cross-Site Request Forgery (CSRF) vulnerability caused by missing or incorrect nonce validation on avishi-wp-paypal-payment-button/index.php, enabling unauthenticated attackers to update settings and inject ma...
PT-2025-30113 · WordPress · Avishi Wp Paypal Payment Button
Name of the Vulnerable Software and Affected Versions: Avishi WP PayPal Payment Button versions prior to 2.1 Description: The Avishi WP PayPal Payment Button plugin for WordPress is susceptible to Cross-Site Request Forgery due to missing or incorrect nonce validation on the...
WordPress plugin Avishi WP PayPal Payment Button Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A cross-site request forgery...
WordPress plugin Contact Form 7 Editor Button Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists i...