WordPress 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin <= 1.16.17 - Missing Authorization to Unauthenticated Private/Draft Flipbook Data Exposure vulnerability

WordPress 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin = 1.16.17 - Missing Authorization to Unauthenticated Private/Draft Flipbook Data Exposure vulnerability discovered by Kai Aizen in WordPress Plugin 3D FlipBook – PDF Flipbook Viewer, Flipbook Image Gallery...

CVE-2026-4812

The Advanced Custom Fields ACF plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...

CVE-2026-4812 Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters

The Advanced Custom Fields ACF plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...

CVE-2026-4812

The CVE describes a vulnerability in Advanced Custom Fields (ACF) for WordPress, affecting versions up to 6.7.0. The issue arises from AJAX field query endpoints that accept user-supplied filter parameters, which override field-configured restrictions without proper authorization checks. This all...

CVE-2026-4812 Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters

The Advanced Custom Fields ACF plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...

PT-2026-33003

Name of the Vulnerable Software and Affected Versions Advanced Custom Fields ACF plugin for WordPress versions prior to 6.7.1 Description The plugin contains a flaw where AJAX field query endpoints accept user-supplied filter parameters that override field-configured restrictions without proper...

PT-2026-33021

The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal popup shortcode function is registered as an AJAX handler via wp ajax katalogportal shortcodePrinter but lacks any capability check current user can ...

CVE-2026-1314

The CVE-2026-1314 entry concerns the WordPress plugin “3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery”. It is vulnerable due to a missing capability check in send_post_pages_json() across all versions up to and including 1.16.17, allowing unauthenticated attackers to retr...

CVE-2026-1314 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery <= 1.16.17 - Missing Authorization to Unauthenticated Private/Draft Flipbook Data Exposure

The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sendpostpagesjson function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticat...

CVE-2026-1314 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery <= 1.16.17 - Missing Authorization to Unauthenticated Private/Draft Flipbook Data Exposure

The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sendpostpagesjson function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticat...

Exploit for CVE-2025-66849

CVE-2025-66849 Ghost CMS Privilege Escalation PoC Summar...

WordPress ActivityPub Routing plugin < 8.0.2 - Unauthenticated Drafts/Scheduled/Pending Posts Disclosure vulnerability

Unauthenticated Drafts/Scheduled/Pending Posts Disclosure vulnerability discovered by ryuk kos0ng in WordPress Plugin ActivityPub versions 8.0.2...

Discourse Information Disclosure Vulnerability (CNVD-2026-17249)

Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . An information disclosure vulnerability exists in Discourse. The vulnerability stems from the fact that an authenticated user can send an...

EUVD-2026-20058

The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts...

CVE-2026-2263

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustlemoduleconverted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for...

WordPress plugin ActivityPub 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

BIT-DISCOURSE-2026-32951 Discourse: Authorization bypass in oneboxer via user-controlled category id

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a categoryid parameter matching the shared drafts category. This issue h...

org.webjars.npm:vitepress (=1.0.0-draft.8) potentially affected by CVE-2026-39365 via org.webjars.npm:vite (=3.0.0-beta.9)

org.webjars.npm:vite MAVEN version =3.0.0-beta.9 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vite and may be impacted: - org.webjars.npm:vitepress =1.0.0-draft.8 Source cves: CVE-2026-39365 Source advisory:...

CVE-2026-32951

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a categoryid parameter...

GHSA-M577-W9J8-CH7J AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

Summary AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and draft workflows. The setStatus method validates the status code again...