13 matches found
CVE-2026-3361
The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsladdress' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-2305 AddFunc Head & Footer Code <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields
The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the aFhfcheadcode, aFhfcbodycode, and aFhfcfootercode post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or...
EUVD-2023-12234
Malicious code in bioql PyPI...
EUVD-2024-31312
Malicious code in bioql PyPI...
Fedora 42 : clash-meta (2025-b4a1689983)
The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-b4a1689983 advisory. Upgrade to 1.19.12. Mitigating remote code execution vulnerabilities using systemd sandboxing features. Tenable has extracted the preceding description block...
CVE-2025-47611
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Khaled User Meta user-meta allows Reflected XSS. This issue affects User Meta: from n/a through = 3.1.2...
CVE-2024-33575
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in User Meta user-meta. This issue affects User Meta: from n/a through 3.0...
PT-2025-17886 · WordPress · Vikinger
Name of the Vulnerable Software and Affected Versions: Vikinger theme for WordPress versions up to, and including, 1.9.30. Description: The issue is due to insufficient user meta restrictions in the vikinger user meta update ajax function, allowing authenticated attackers with Subscriber-level...
CVE-2024-10080
The WP Easy Post Types plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post meta in versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...
CVE-2024-33575
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in User Meta user-meta. This issue affects User Meta: from n/a through 3.0...
PT-2023-24082 · Meta · Meta
Name of the Vulnerable Software and Affected Versions: meta, affected versions not specified. Description: The issue is a classic buffer overflow due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed f...
CVE-2023-0814 Profile Builder – User Profile & User Registration Forms <= 3.9.0 - Sensitive Information Disclosure via Shortcode
The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to sensitive information disclosure via the usermeta shortcode in versions up to, and including 3.9.0. This is due to insufficient restriction on sensitive user meta values that can be called via that...
DEBIAN-CVE-2019-8942
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image...