
64 matches found

NVD | added yesterday | 5 views

CVE-2026-8688

The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

CVSS 4.3 | Exploits 0 | References 7
EUVD | added yesterday | 6 views

EUVD-2026-38685

The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

CVSS 4.3 | AI score 5.8 | Exploits 0 | References 7
EUVD | added 5 days ago | 8 views

EUVD-2026-38134

AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site...

CVSS 6.1 | AI score 5.7 | EPSS 0.00167 | Exploits 0 | References 2
Cvelist | added last week | 26 views

CVE-2026-11358 Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it...

CVSS 4.4 | EPSS 0.00203 | Exploits 0 | References 6
CVE | added last week | 22 views

CVE-2026-11358

The CVE concerns the Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress (versions up to 3.0.6). The vulnerability is a Stored Cross-Site Scripting flaw arising from insufficient input sanitization and output escaping in admin settings. It a...

CVSS 4.4 | AI score 5.5 | EPSS 0.00203 | Exploits 0 | References 6
Github Security Blog | added 2026/04/01 11:25 p.m. | 10 views

AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin

Summary: The TopMenu plugin renders menu item fields (icon classes, URLs, and text labels) directly into HTML without applying htmlspecialchars or any other output encoding. Since menu items are rendered on every public page through plugin hooks, a single malicious menu entry results in stored...

AI score 5.8 | Exploits 0 | References 2 | Affected Software 1
Snyk | added 2026/04/01 11:25 p.m. | 0 views

Cross-site Scripting (XSS)

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the rendering of menu item fields such as icon classes, URLs, and text labels without proper output encoding in the TopMenu plugin. An...

CVSS 6.1 | AI score 5.8 | EPSS 0.00167 | Exploits 0 | References 2
EUVD | added 2026/03/13 9:31 p.m. | 2 views

EUVD-2026-11786

The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the addmenuitem method hooked to adminmenu in all versions up to, and including, 4.5.8. This is due to the method performing wpinsertpost and...

CVSS 4.3 | AI score 5.7 | EPSS 0.00207 | Exploits 0 | References 6
EUVD | added 2025/10/07 12:30 a.m. | 6 views

EUVD-2021-11854

Malware in sbrugna...

CVSS 7.2 | AI score 6.9 | EPSS 0.01225 | Exploits 2 | References 2
EUVD | added 2025/10/07 12:30 a.m. | 4 views

EUVD-2007-5552

Malware in sbrugna...

CVSS 4.3 | AI score 6.3 | EPSS 0.02151 | Exploits 0 | References 8
EUVD | added 2025/10/03 8:07 p.m. | 2 views

EUVD-2025-10358

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 6.3 | EPSS 0.00538 | Exploits 2 | References 2
OSV | added 2025/07/29 2:15 p.m. | 4 views

CVE-2025-52358

A cross-site scripting vulnerability in Vivaldi United Group iCONTROL+ Server including Firmware version 4.7.8.0.eden Logic version 5.32 and below. This issue allows attackers to inject JavaScript payloads within the error or edit-menu-item parameters which are then executed in the victim's brows...

CVSS 6.3 | AI score 5.7 | EPSS 0.00265 | Exploits 1 | References 2
RedhatCVE | added 2025/05/23 5:41 a.m. | 8 views

CVE-2023-0550

The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu...

CVSS 8.1 | AI score 6.6 | EPSS 0.0065 | Exploits 1 | References 1
RedhatCVE | added 2025/05/23 2:07 a.m. | 4 views

CVE-2023-46781

Cross-Site Request Forgery (CSRF) vulnerability in Roland Murg Current Menu Item for Custom Post Types plugin = 1.5 versions...

CVSS 8.8 | AI score 8.5 | EPSS 0.00214 | Exploits 0 | References 1
RedhatCVE | added 2025/05/22 7:08 a.m. | 8 views

CVE-2018-14862

Incorrect access control in the mail templating system in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated internal users to delete arbitrary menuitems via a crafted RPC request...

CVSS 6.5 | AI score 6.8 | EPSS 0.00805 | Exploits 0 | References 1
NVD | added 2025/04/07 4:15 p.m. | 18 views

CVE-2025-28409

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the add method of the /add/parentId endpoint does not properly validate whether the requesting user has permission to add a menu item under the specified parentId...

CVSS 8.8 | EPSS 0.00476 | Exploits 2 | References 2
Vulnrichment | added 2025/04/07 12:00 a.m. | 7 views

CVE-2025-28409

An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the add method of the /add/parentId endpoint does not properly validate whether the requesting user has permission to add a menu item under the specified parentId...

AI score 7.4 | EPSS 0.00538 | Exploits 2 | References 2
CVE | added 2025/04/07 12:00 a.m. | 64 views

CVE-2025-28409

The CVE-2025-28409 entry concerns RUoYi v4.8.0 where the add/{parentId} endpoint does not properly validate whether the requesting user has permission to add a menu item under the specified parentId, enabling privilege escalation. Affected software is RUoYi v4.8.0; the underlying issue is insuffi...

CVSS 8.8 | AI score 7.4 | EPSS 0.00538 | Exploits 2 | References 2 | Affected Software 1
CNNVD | added 2025/04/07 12:00 a.m. | 1 views

RuoYi Security Vulnerability

RuoYi is a backend management system by the individual developer of RuoYi in China. A security vulnerability exists in RuoYi version v.4.8.0, which stems from the add method not properly verifying the requested user's permissions, which may result in the addition of a menu item...

CVSS 9.8 | AI score 6.5 | EPSS 0.00538 | Exploits 2 | References 2
RedhatCVE | added 2025/03/14 3:41 p.m. | 8 views

CVE-2025-28913

Cross-Site Request Forgery (CSRF) vulnerability in Aftab Ali Muni WP Add Active Class To Menu Item wp-add-active-class-to-menu-item allows Cross Site Request Forgery. This issue affects WP Add Active Class To Menu Item: from n/a through = 1.0...

CVSS 4.3 | AI score 7.2 | EPSS 0.00158 | Exploits 0 | References 1