6988 matches found
wpForo Forum <= 2.1.8 - Cross-Site Scripting
The wpForo Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpforodebug’ function in versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
WordPress wpForo Forum < 1.9.7 - Open Redirect
WordPress wpForo Forum 1.9.7 is susceptible to an open redirect vulnerability because the plugin did not validate the redirectto parameter in the login form of the forum, leading to an open redirect issue after a successful login. id: CVE-2021-24406 info: name: WordPress wpForo Forum 1.9.7 - Open...
Orange Forum 1.4.0 - Open Redirect
Orange Forum 1.4.0 contains an open redirect vulnerability in views/auth.go via the next parameter to /login or /signup. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2018-14474 info: nam...
wpForo Forum <= 2.4.14 - SQL Injection
wpForo Forum WordPress plugin = 2.4.14 contains a time-based SQL injection caused by insufficient escaping of the 'wpfob' parameter, letting unauthenticated attackers extract sensitive database information. id: CVE-2026-1581 info: name: wpForo Forum = 2.4.14 - SQL Injection author: Shivam Kamboj...
WordPress Asgaros Forum <1.15.13 - SQL Injection
WordPress Asgaros Forum plugin before 1.15.13 is susceptible to SQL injection. The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized...
CVE-2026-35443
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...
CVE-2026-33398
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/pages/forum/getquotes.php only checks whether the caller is logged in, then reads a post by attacker-controlled post ID and returns its content. The backend helper in modules/Forum/classes/Forum.php does not...
CVE-2026-35443
NamelessMC (website software for Minecraft servers) is affected in version 2.2.4. The vulnerability lies in modules/Forum/classes/ForumPostReactionContext.php, where topic-level view_other_topics authorization is not re-enforced, allowing reactions on other users’ topics to be read and modified. ...
CVE-2026-35443 NamelessMC: Forum reactions bypass the "view own topics only" restriction
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...
EUVD-2026-33975
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...
CVE-2026-35443
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...
CVE-2026-35443 NamelessMC: Forum reactions bypass the "view own topics only" restriction
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...
CVE-2026-33398 Authenticated users can read hidden forum posts through `/forum/get_quotes`
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/pages/forum/getquotes.php only checks whether the caller is logged in, then reads a post by attacker-controlled post ID and returns its content. The backend helper in modules/Forum/classes/Forum.php does not...
CVE-2026-33398
NamelessMC 2.2.4 is affected by an insecure access control in modules/Forum/pages/forum/get_quotes.php, which only checks that a caller is logged in and reads a post by an attacker-controlled post ID. The backend helper in modules/Forum/classes/Forum.php does not enforce forum or topic ACLs, allo...
EUVD-2026-33949
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/pages/forum/getquotes.php only checks whether the caller is logged in, then reads a post by attacker-controlled post ID and returns its content. The backend helper in modules/Forum/classes/Forum.php does not...
CVE-2026-33398 Authenticated users can read hidden forum posts through `/forum/get_quotes`
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/pages/forum/getquotes.php only checks whether the caller is logged in, then reads a post by attacker-controlled post ID and returns its content. The backend helper in modules/Forum/classes/Forum.php does not...
CVE-2026-33398
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/pages/forum/getquotes.php only checks whether the caller is logged in, then reads a post by attacker-controlled post ID and returns its content. The backend helper in modules/Forum/classes/Forum.php does not...
PT-2026-45800
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level view other topics authorization. As a result, in forums where users may enter the for...
PT-2026-45773
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/pages/forum/get quotes.php only checks whether the caller is logged in, then reads a post by attacker-controlled post ID and returns its content. The backend helper in modules/Forum/classes/Forum.php does not...
CVE-2026-42682
Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 3.0.6...