CVE-2026-5395 Fluent Forms <= 6.2.0 - Authenticated (Subscriber+) Authorization Bypass via 'table' Parameter

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This mak...

CVE-2026-5395

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This mak...

PT-2026-29408

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the sort parameter in the payments listing endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied sort parameter and lack of...

Vaultwarden -- Multiple vulnerabilities

The Vaultwarden project reports: GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user fully encrypted if they already know its internal UUID. GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an...

EUVD-2002-0658

Malware in sbrugna...

CVE-2025-57438

The 2wcom IP-4c 2.15.5 device suffers from a Broken Access Control vulnerability. Certain sensitive endpoints are intended to be accessible only after the admin explicitly grants access to a manager-level account. However, a manager-level user can bypass these controls by intercepting and modifyi...

CVE-2024-9927

The WooCommerce Order Proposal plugin for WordPress is vulnerable to privilege escalation via order proposal in all versions up to and including 2.0.5. This is due to the improper implementation of allowpaymentwithoutlogin function. This makes it possible for authenticated attackers, with Shop...

CVE-2024-9130

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.16.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin...

WooCommerce Multilingual & Multicurrency with WPML < 5.3.4 - Shop Manager+ SQL Injection

Description The WooCommerce Multilingual & Multicurrency with WPML plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 5.3.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

WooCommerce Multilingual & Multicurrency with WPML < 5.3.4 - Shop Manager+ SQL Injection

Description The WooCommerce Multilingual & Multicurrency with WPML plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 5.3.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

GiveWP – Donation Plugin and Fundraising Platform < 3.5.0 - Authenticated (GiveWP Manager+) PHP Object Injection

Description The GiveWP plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.2 via deserialization of untrusted input. This makes it possible for authenticated attackers, with give manager-level access and above, to inject a PHP Object. No known POP...

CVE-2024-0659

The Easy Digital Downloads – Sell Digital Files eCommerce Store & Payments Made Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This...

CVE-2024-0659 Easy Digital Downloads <= 3.2.6 - Authenticated(Shop Manager+) Stored Cross-Site Scripting via variable pricing options

The Easy Digital Downloads – Sell Digital Files eCommerce Store & Payments Made Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This...

Easy Digital Downloads < 3.2.7 - Shop Manager+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the variable pricing option title due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manger-level access, to inject arbitrary web scripts in pages that wi...

Symbiostock Lite <= 6.0.0 - Authenticated (Shop Manager+) Arbitrary File Upload

Description The Symbiostock – Sell Photos Online For Free! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.0.0. This makes it possible for authenticated attackers, with shop manager-level access and above, to...

Extra Product Options for WooCommerce <= 3.0.3 - Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings

Description The Extra Product Options for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 3.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

Export and Import Users and Customers < 2.4.2 - Shop Manager+ Privilege Escalation

The plugin does not correctly implement a capability check on the 'hfupdatecustomer' function, which is triggered via an AJAX action. This omission allows users with shop manager-level permissions to modify data they should not have access to, such as changing user passwords and potentially gaini...