260 matches found

OSV
added 2025/09/20 5:15 a.m., 1 view

CVE-2025-10181

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

CVSS 6.4 | AI score 6 | EPSS 0.00223
Exploits 0 | References 5
CVE
added 2025/09/20 4:27 a.m., 19 views

CVE-2025-10181

CVE-2025-10181 – Draft List (WordPress) stored XSS affects the Draft List plugin for WordPress, versions up to and including 2.6. Root cause: insufficient input sanitization and output escaping on the plugin's drafts shortcode attributes. Vulnerability requires authenticated access at contributor...

CVSS 6.4 | AI score 4.7 | EPSS 0.00223
Exploits 0 | References 5
Cvelist
added 2025/09/20 4:27 a.m., 6 views

CVE-2025-10181 Draft List <= 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

CVSS 6.4 | EPSS 0.00223
Exploits 0 | References 5
Vulnrichment
added 2025/09/20 4:27 a.m., 2 views

CVE-2025-10181 Draft List <= 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

CVSS 6.4 | AI score 4.7 | EPSS 0.00223
Exploits 0 | References 5
Positive Technologies
added 2025/09/20 12:00 a.m., 2 views

PT-2025-38629

Name of the Vulnerable Software and Affected Versions: Draft List plugin for WordPress versions prior to 2.7. Description: The Draft List plugin for WordPress is susceptible to Stored Cross-Site Scripting through the plugin's 'drafts' shortcode. Insufficient input sanitization and output escaping on...

CVSS 6.4 | AI score 5.2 | EPSS 0.00223
Exploits 0 | References 8
RedhatCVE
added 2025/09/12 7:11 a.m., 12 views

CVE-2025-7843

The Auto Save Remote Images Drafts plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetchimages function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to...

CVSS 6.4 | AI score 5.8 | EPSS 0.0018
Exploits 0 | References 1
CVE
added 2025/09/10 6:38 a.m., 35 views

CVE-2025-7843

CVE-2025-7843 — Auto Save Remote Images (Drafts) (WordPress) SSRF. The WordPress plugin (versions up to and including 1.0.9) is affected via fetch_images(), enabling authenticated attackers with Contributor+ privileges to make outbound requests from the web app and potentially access internal se...

CVSS 6.4 | AI score 5.3 | EPSS 0.0018
Exploits 0 | References 2
Cvelist
added 2025/09/10 6:38 a.m., 7 views

CVE-2025-7843 Auto Save Remote Images (Drafts) <= 1.0.9 - Authenticated (Contributor+) Server-Side Request Forgery

The Auto Save Remote Images Drafts plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetchimages function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to...

CVSS 6.4 | EPSS 0.0018
Exploits 0 | References 2
Vulnrichment
added 2025/09/10 6:38 a.m., 2 views

CVE-2025-7843 Auto Save Remote Images (Drafts) <= 1.0.9 - Authenticated (Contributor+) Server-Side Request Forgery

The Auto Save Remote Images Drafts plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetchimages function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to...

CVSS 6.4 | AI score 5.4 | EPSS 0.0018
Exploits 0 | References 2
CNNVD
added 2025/09/10 12:00 a.m., 1 view

WordPress plugin Auto Save Remote Images (Drafts) code issue vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language, which supports personal blogs on PHP and MySQL servers. WordPress plugin is an...

CVSS 6.4 | AI score 6.4 | EPSS 0.0018
Exploits 0 | References 2
Patchstack
added 2025/09/09 11:19 p.m., 7 views

WordPress Auto Save Remote Images (Drafts) plugin <= 1.0.9 - Authenticated (Contributor+) Server-Side Request Forgery vulnerability

Authenticated Contributor+ Server-Side Request Forgery vulnerability discovered by Nabil Irawan in WordPress Plugin Auto Save Remote Images Drafts versions <= 1.0.9...

CVSS 6.4 | AI score 6.9 | EPSS 0.0018
Exploits 0 | References 1 | Affected Software 1
Hacker One
added 2025/07/11 9:34 a.m., 5 views

Nextcloud: Participants were able to blindly delete poll drafts of other users by ID

Participants were able to blindly delete poll drafts of other users by ID...

CVSS 4.3 | AI score 6.9 | EPSS 0.00206
Exploits 0
RedhatCVE
added 2025/05/23 10:20 a.m., 10 views

CVE-2024-33668

An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to...

CVSS 9.1 | AI score 6.9 | EPSS 0.00443
Exploits 0 | References 1
RedhatCVE
added 2025/05/23 8:19 a.m., 4 views

CVE-2024-10669

The Countdown Timer block – Display the event's date into a timer. plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.4 via the ctb shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated...

CVSS 4.3 | AI score 6 | EPSS 0.003
Exploits 0 | References 1
RedhatCVE
added 2025/05/23 8:18 a.m., 4 views

CVE-2024-10782

The Theme Builder For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with...

CVSS 4.3 | AI score 5.8 | EPSS 0.00456
Exploits 0 | References 1
RedhatCVE
added 2025/05/23 4:45 a.m., 6 views

CVE-2023-22740

Discourse is an open source platform for community discussion. Versions prior to 3.1.0.beta1 beta tests-passed are vulnerable to Allocation of Resources Without Limits. Users can create chat drafts of an unlimited length, which can cause a denial of service by generating an excessive load on the...

CVSS 6.5 | AI score 6.7 | EPSS 0.00683
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 11:19 p.m., 3 views

CVE-2022-37251

Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting XSS via Drafts...

CVSS 5.4 | AI score 6.1 | EPSS 0.004
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 9:35 p.m., 5 views

CVE-2021-43781

Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default...

CVSS 6.4 | AI score 6.6 | EPSS 0.00662
Exploits 1
OSV
added 2025/04/10 12:25 p.m., 1 view

GHSA-2JQJ-5QV2-XVCG ezsystems/ezplatform-richtext allows access to external entities in XML

Impact: This security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XML, an attacker could perform an attack using XML external entity XXE injection, which might be able to read files on the server. To exploit this...

CVSS 7.1 | AI score 6.6
Exploits 0 | References 4
RedhatCVE
added 2025/04/07 12:20 a.m., 16 views

CVE-2025-32360

In Zammad 6.4.x before 6.4.2, there is information exposure. Only agents should be able to see and work on shared article drafts. However, a logged in customer was able to see details about shared drafts for their customer tickets in the browser console, which may contain confidential information...

CVSS 8.1 | AI score 6.5 | EPSS 0.00198
Exploits 0 | References 1