22 matches found
EUVD-2025-121476
Malicious code in tailwindcss-rehype-nightmare-prettier-plugin-markdown npm...
EUVD-2025-111131
Malicious code in mini-css-extract-plugin-ophiuchus-lyra-eslint-plugin npm...
MAL-2025-142759 Malicious code in gacrux-css-minimizer-webpack-plugin-flare-flare (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dc8b4a91227e773e130eae13bfb68e4884b8fad2f307cf3ea714f2a8819940e2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-111146
Malicious code in mini-css-extract-plugin-callisto-vulcan-apex npm...
CVE-2025-48096
CVE-2025-48096 is a Missing Authorization/Broken Access Control vulnerability in the WordPress plugin “Custom CSS” (custom-css-editor) for versions up to and including 1.4.0. Public records from Red Hat and Patchstack confirm the issue stems from incorrectly configured access control, affecting t...
CVE-2025-48096 WordPress Custom CSS plugin <= 1.4.0 - Broken Access Control vulnerability
Missing Authorization vulnerability in FRESHFACE Custom CSS custom-css-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom CSS: from n/a through = 1.4.0...
WordPress plugin Custom CSS 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security vulnerabili...
WordPress Custom CSS plugin <= 1.4.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Custom CSS versions = 1.4.0...
EUVD-2021-11538
Malware in sbrugna...
EUVD-2023-48602
Malicious code in bioql PyPI...
EUVD-2024-47620
Malicious code in bioql PyPI...
MAL-2025-26421 Malicious code in mini-css-extract-plugin-buffer-bellatrix-selenium (npm)
The package mini-css-extract-plugin-buffer-bellatrix-selenium was found to contain malicious code...
WordPress plugin Live css 跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...
WordPress Live css plugin <= 1.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by stealthcopter in WordPress Plugin Live css versions = 1.3...
PT-2024-16915 · WordPress · Custom Css
Name of the Vulnerable Software and Affected Versions: Custom CSS, JS & PHP plugin for WordPress versions up to, and including, 2.3.0 Description: The issue arises from the use of add query arg and remove query arg without proper escaping on the URL, leading to Reflected Cross-Site Scripting. Thi...
CVE-2024-3903
The Add Custom CSS and JS WordPress plugin through 1.20 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in as author and above add Stored XSS payloads via a CSRF attack...
CVE-2021-4418
The Custom CSS, JS & PHP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the save function. This makes it possible for unauthenticated attackers to save code snippets via a forged...
CVE-2023-44243
Cross-Site Request Forgery CSRF vulnerability in Dylan Blokhuis Instant CSS plugin = 1.2.1 versions...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in Dylan Blokhuis Instant CSS plugin = 1.2.1 versions...
CVE-2021-24626
The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, removecss, also does not sanitise or escape the cssid POST...