CVE-2026-2112 Dam Spam <= 1.0.8 - Cross-Site Request Forgery to Arbitrary Pending Comment Deletion

The Dam Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce verification on the pending comment deletion action in the cleanup page. This makes it possible for unauthenticated attackers to delete all pendi...

CVE-2026-2281

The Private Comment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Label text' setting in all versions up to, and including, 0.0.4. This is due to insufficient input sanitization and output escaping on the plugin's label text option. This makes it possible for...

CVE-2026-1640

The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions AJAX actions:...

CVE-2026-2281 Private Comment <= 0.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Label Text Setting

The Private Comment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Label text' setting in all versions up to, and including, 0.0.4. This is due to insufficient input sanitization and output escaping on the plugin's label text option. This makes it possible for...

CVE-2026-2281 Private Comment <= 0.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Label Text Setting

The Private Comment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Label text' setting in all versions up to, and including, 0.0.4. This is due to insufficient input sanitization and output escaping on the plugin's label text option. This makes it possible for...

CVE-2026-2281

The Private Comment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Label text' setting in all versions up to, and including, 0.0.4. This is due to insufficient input sanitization and output escaping on the plugin's label text option. This makes it possible for...

CVE-2026-1640 Taskbuilder <= 5.0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Project/Task Comment Creation

The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions AJAX actions:...

CVE-2026-2281

CVE-2026-2281 affects the WordPress plugin Private Comment . It is a Stored Cross-Site Scripting (XSS) via the “Label text” setting, in all versions up to 0.0.4. Attack requires authenticated Administrator+ access and applies on multisite installations or where unfiltered_html is disabled. The vu...

WordPress Dam Spam plugin <= 1.0.8 - Cross-Site Request Forgery to Arbitrary Pending Comment Deletion vulnerability

Cross-Site Request Forgery to Arbitrary Pending Comment Deletion vulnerability discovered by Duong Quang Hao in WordPress Plugin Dam Spam versions = 1.0.8...

WordPress Private Comment plugin <= 0.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Label Text Setting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Label Text Setting vulnerability discovered by Supoj Polsawas sp0x5ec in WordPress Plugin Private Comment versions = 0.0.4...

WordPress plugin Dam Spam 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-20298

The Dam Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce verification on the pending comment deletion action in the cleanup page. This makes it possible for unauthenticated attackers to delete all pendi...

Important: golang

Issue Overview: A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. CVE-2025-61732 Affected Packages: golang Issue Correction: Run dnf update golang --releasever 2023.10.20260216 or dnf update --advisory ALAS2023-2026-1438...

WordPress plugin Private Comment 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-20280

The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions AJAX actions: wppm submit proj...

PT-2026-20304

The Private Comment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Label text' setting in all versions up to, and including, 0.0.4. This is due to insufficient input sanitization and output escaping on the plugin's label text option. This makes it possible for...

GHSA-JJ5M-H57J-5GV7 Gogs Allows Cross-Repository Comment Deletion via DeleteComment

IDOR: Cross-Repository Comment Deletion via DeleteComment Summary The POST /:owner/:repo/issues/comments/:id/delete endpoint does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the DeleteComment function, accessible via the /:owner/:repo/issues/comments/:id/delete endpoint. A user can delete comments from other users' repositories by sending POST requests for known comment IDs...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the DeleteComment function, accessible via the /:owner/:repo/issues/comments/:id/delete endpoint. A user can delete comments from other users' repositories by sending POST requests for known comment IDs...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the DeleteComment function, accessible via the /:owner/:repo/issues/comments/:id/delete endpoint. A user can delete comments from other users' repositories by sending POST requests for known comment IDs...