4 matches found
CVE-2025-13820 Comments – wpDiscuz < 7.6.40 - Unauthenticated Account Takeover
The Comments WordPress plugin before 7.6.40 does not properly validate a user's identity when using the disqus.com provider, allowing an attacker who knows a user's email address to log in as that user when the user does not yet have an account on disqus.com...
PT-2024-37447 · Haloitsm · Haloitsm
Name of the Vulnerable Software and Affected Versions: HaloITSM versions up to 2.146.1
Description: The issue allows anonymous actors to impersonate arbitrary HaloITSM users by knowing their email address when a SAML integration is configured. This is due to a SAML XML Signature Wrapping XSW...
Elastic: Create an account on auth-sandbox.elastic.co with email @elastic.co or any other @domain.com
Summary: Dear Team, Today, when doing some recon steps, I found this subdomain https://54.246.136.164/. It's not loaded correctly, and viewing the source code exposed some other interesting links: https://elasticsandbox.docebosaas.com/pages/14/learner-dashboard https://auth-sandbox.elastic.co Go to...
Design/Logic Flaw
The invite-anyone plugin before 1.3.16 for WordPress has incorrect access control for email-based invitations...