Lucene search
+L

27 matches found

redhatcve
redhatcve
added 2025/10/25 8:29 a.m.11 views

CVE-2025-12028

The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the loginformindieauth function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for...

8.8CVSS5.7AI score0.00194EPSS
Exploits0References1
cnnvd
cnnvd
added 2025/10/25 12:0 a.m.7 views

WordPress plugin IndieAuth 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin.... A cross-sit...

8.8CVSS6.3AI score0.00194EPSS
Exploits0References5
nvd
nvd
added 2025/10/24 9:15 a.m.11 views

CVE-2025-12028

The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the loginformindieauth function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for...

8.8CVSS0.00194EPSS
Exploits0References5
euvd
euvd
added 2025/10/24 8:23 a.m.7 views

EUVD-2025-35817

The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the loginformindieauth function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for...

8.8CVSS5.2AI score0.00194EPSS
Exploits0References5
cvelist
cvelist
added 2025/10/24 8:23 a.m.15 views

CVE-2025-12028 IndieAuth <= 4.5.4 - Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens

The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the loginformindieauth function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for...

8.8CVSS0.00194EPSS
Exploits0References5
vulnrichment
vulnrichment
added 2025/10/24 8:23 a.m.4 views

CVE-2025-12028 IndieAuth <= 4.5.4 - Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens

The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the loginformindieauth function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for...

8.8CVSS5.3AI score0.00194EPSS
Exploits0References5
cve
cve
added 2025/10/24 8:23 a.m.23 views

CVE-2025-12028

CVE-2025-12028 (IndieAuth WordPress plugin) : The IndieAuth plugin (versions ≤ 4.5.4) is vulnerable to Cross-Site Request Forgery due to missing nonce verification in login_form_indieauth() and the wp-login.php?action=indieauth endpoint. This enables an unauthenticated attacker to induce a logged...

8.8CVSS5.3AI score0.00194EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2025/10/24 12:0 a.m.11 views

PT-2025-43600

Name of the Vulnerable Software and Affected Versions WordPress IndieAuth plugin versions prior to 4.5.4 Description The software is susceptible to Cross-Site Request Forgery CSRF due to missing nonce verification. Specifically, the login form indieauth function and the authorization endpoint at...

8.8CVSS6.5AI score0.00194EPSS
Exploits0References10
patchstack
patchstack
added 2025/10/23 10:43 p.m.6 views

WordPress IndieAuth plugin <= 4.5.4 - Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens vulnerability

Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin IndieAuth versions = 4.5.4...

8.8CVSS6.7AI score0.00194EPSS
Exploits0References1Affected Software1
euvd
euvd
added 2025/10/03 8:7 p.m.6 views

EUVD-2023-2857

Malicious code in bioql PyPI...

9.8CVSS9.2AI score0.01619EPSS
Exploits0References3
euvd
euvd
added 2025/10/03 8:7 p.m.6 views

EUVD-2024-38294

Malicious code in bioql PyPI...

8.3CVSS6.6AI score0.01021EPSS
Exploits0References2
nvd
nvd
added 2024/07/19 8:15 p.m.31 views

CVE-2024-39906

A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails based Haven blog web application. The affected functionality requires authentication, but an attacker can craft a link that they can pass to a logged in administrator of the blog software. This leads t...

8.3CVSS0.01021EPSS
Exploits0References2
cve
cve
added 2024/07/19 7:50 p.m.49 views

CVE-2024-39906

The CVE-2024-39906 vulnerability affects the Haven blog web application (Ruby on Rails) via its IndieAuth functionality. A logged-in administrator can be forced to click a crafted link that executes arbitrary commands on the server, enabling Remote Code Execution (RCE). The root cause is a comman...

8.3CVSS8AI score0.01021EPSS
Exploits0References2
cvelist
cvelist
added 2024/07/19 7:50 p.m.38 views

CVE-2024-39906 Remote code execution in Haven IndieAuthClient (GHSL-2024-093)

A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails based Haven blog web application. The affected functionality requires authentication, but an attacker can craft a link that they can pass to a logged in administrator of the blog software. This leads t...

8.3CVSS0.01021EPSS
Exploits0References2
vulnrichment
vulnrichment
added 2024/07/19 7:50 p.m.19 views

CVE-2024-39906 Remote code execution in Haven IndieAuthClient (GHSL-2024-093)

A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails based Haven blog web application. The affected functionality requires authentication, but an attacker can craft a link that they can pass to a logged in administrator of the blog software. This leads t...

8.3CVSS8AI score0.01021EPSS
Exploits0References2
osv
osv
added 2024/07/19 7:50 p.m.24 views

CVE-2024-39906 Remote code execution in Haven IndieAuthClient (GHSL-2024-093)

A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails based Haven blog web application. The affected functionality requires authentication, but an attacker can craft a link that they can pass to a logged in administrator of the blog software. This leads t...

8.3CVSS7.9AI score0.01021EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2024/07/19 12:0 a.m.7 views

PT-2024-28724 · Unknown +1 · Ruby On Rails +1

Name of the Vulnerable Software and Affected Versions: Haven blog web application affected versions not specified Description: A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails based Haven blog web application. The affected functionality requires...

8.3CVSS8.3AI score0.01021EPSS
Exploits0References7
github
github
added 2023/11/28 12:30 a.m.19 views

OwnCast remote code execution vulnerability

An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function...

9.8CVSS7.5AI score0.01619EPSS
Exploits0References3Affected Software1
nvd
nvd
added 2023/11/27 11:15 p.m.40 views

CVE-2023-46480

An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function...

9.8CVSS0.01619EPSS
Exploits0References2
cve
cve
added 2023/11/27 12:0 a.m.57 views

CVE-2023-46480

OwnCast v0.1.1 contains a remote code execution vulnerability exploitable via the authHost parameter in the indieauth function. Public sources (NVD/Red Hat/Veracode/GHSA) describe an in-the-wild risk with high impact, including arbitrary code execution and disclosure of sensitive information. The...

9.8CVSS9.5AI score0.01619EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder