10 matches found
CVE-2026-6512 InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters
The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete...
📄 Hibernate ORM 5.6.15 SQL Injection
Hibernate ORM versions 5.6.15 and below suffer from a remote SQL injection vulnerability. CVE-2026-0603 Hibernate ORM Injection / Second-Order SQL Injection ★ CVE-2026-0603 Hibernate SQL Injection PoC ★ https://github.com/user-attachments/assets/2e7c3a89-e26f-48cd-af0b-8b82d32ce71f Overview...
CVE-2026-40929
WWBN AVideo 29.0 and earlier: the endpoint objects/commentDelete.json.php mutates state to delete comments without CSRF validation, lacking forbidIfIsUntrustedRequest(), CSRF/global token, or Origin/Referer checks. Because session.cookie_samesite=None, cross-site requests from attacker pages carr...
EUVD-2026-10926
Alienbin is an anonymous code and text sharing web service. In 1.0.0 and earlier, the /save endpoint in server.js drops and recreates the MongoDB TTL index on the entire post collection for every new paste submission. When User B submits a paste with a short TTL e.g., 30 seconds, the TTL index is...
CVE-2026-31827
Alienbin is an anonymous code and text sharing web service. In 1.0.0 and earlier, the /save endpoint in server.js drops and recreates the MongoDB TTL index on the entire post collection for every new paste submission. When User B submits a paste with a short TTL e.g., 30 seconds, the TTL index is...
CVE-2025-11166
WP Go Maps (formerly WP Google Maps) for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) across all versions up to 9.0.46. The root cause is an AJAX bridge that exposes state-changing REST actions without proper CSRF token validation and GET-accessible destructive logic lacking a per...
CVE-2025-11166 WP Go Maps (formerly WP Google Maps) <= 9.0.46 - Cross-Site Request Forgery to Plugin Settings Update
The WP Go Maps formerly WP Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having...
PT-2025-41330
Name of the Vulnerable Software and Affected Versions WP Go Maps plugin for WordPress versions prior to 9.0.46 Description The WP Go Maps plugin for WordPress is susceptible to Cross-Site Request Forgery CSRF. The plugin exposes state-changing REST actions through an AJAX bridge without appropria...
CVE-2025-55741
UnoPim is an open-source Product Information Management PIM system built on the Laravel framework. In versions 0.3.0 and earlier, users without the Delete privilege for products are unable to delete individual products via the standard endpoint, as expected. However, these users can bypass intend...
Thumbnail carousel slider < 1.0.1 - Cross-Site Request Forgery to Mass Slider Deletion
Description The Thumbnail carousel slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing nonce validation on the deleteselected function. This makes it possible for unauthenticated attackers to delete sliders in bulk via a forged request...