WordPress plugin Slek Gateway for WooCommerce information disclosure vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...
CVE-2026-25146
OpenEMR is affected from version 5.0.2 up to, but not including, 8.0.0. In at least two code paths, the gateway_api_key secret value is rendered in plaintext in client-side JavaScript, exposing the key used to authorize payment gateway APIs. This leakage can enable arbitrary money movements or br...
CVE-2026-25146 OpenEMR's payments gateway_api_key secret rendered into client JS code
OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are at least two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary...
Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles
Summary Since 2017, the default webpack plugins have passed the entire process.env to EnvironmentPlugin. This pattern exposed ALL build environment variables to client-side JavaScript bundles whenever application code or any dependency referenced process.env.VARIABLENAME. This is not a regression...
CVE-2025-14823 Certificate Signing Extension Returns Encrypted Values
In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values, including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored a...
CVE-2025-11760
The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting vie...
CVE-2023-39422
The /irmdata/api/ endpoints exposed by the IRM Next Generation booking engine authenticate requests using HMAC tokens. These tokens are, however, exposed in a JavaScript file loaded on the client side, thus rendering this extra safety mechanism useless...
CVE-2023-39422
The CVE-2023-39422 issue affects the IRM Next Generation booking engine’s /irmdata/api/ endpoints. The root cause is that HMAC tokens used to authenticate requests are exposed in a client-side JavaScript file, which renders this extra safety mechanism ineffective. Descriptions across sources repe...
PT-2023-26943 · Unknown · Irm Next Generation
Name of the Vulnerable Software and Affected Versions: IRM Next Generation booking engine affected versions not specified Description: The /irmdata/api/ endpoints exposed by the IRM Next Generation booking engine authenticate requests using HMAC tokens. However, these tokens are exposed in a...
SA40005 - Details on fixes for OpenSSL Heartbleed issue (CVE-2014-0160)
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. This article provides detailed information related to the fixes for OpenSSL "Heartbleed" issue CVE-2014-0160 for PCS/PPS products. The following PCS versions are vulnerable to the...