34 matches found
GHSA-MWJC-5J4X-R686 AVideo has an unauthenticated decrypt oracle leaking any ciphertext
Summary: The API plugin exposes a decryptString action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., by view/url2Embed.json.php), so any user can recover protected tokens/metadata. Severity: High. Details: Entry:...
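The advisory above describes a decrypt oracle: a decryption routine reachable by anyone, applied to ciphertext the site itself hands out in public URLs. The Python below is an added illustration of that bug class and of the usual fix; it is not AVideo's code and reuses nothing from the advisory beyond the idea. The cipher is a toy stand-in (HMAC-SHA256 keystream plus an HMAC tag), and every name in it (SERVER_KEY, vulnerable_decrypt_action, hardened_decrypt_action, the context labels, the sample token) is hypothetical. The hardened variant goes one step beyond "add an auth check": the tag also covers a context label, so a token minted for an embed URL fails verification when replayed to the generic decrypt action even by a logged-in user.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical server secret; how the real application manages keys is not on the page.
SERVER_KEY = os.urandom(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stand-in for a stream cipher: HMAC-SHA256 in counter mode (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(key: bytes, context: bytes, nonce: bytes, ct: bytes) -> bytes:
    # The context is authenticated with the ciphertext, so a token minted for one
    # purpose cannot be fed to a decryptor that expects a different purpose.
    msg = len(context).to_bytes(2, "big") + context + nonce + ct
    return hmac.new(key, msg, hashlib.sha256).digest()


def encrypt(key: bytes, plaintext: bytes, context: bytes = b"") -> str:
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return base64.urlsafe_b64encode(nonce + ct + _tag(key, context, nonce, ct)).decode()


def decrypt(key: bytes, token: str, context: bytes = b"") -> bytes:
    raw = base64.urlsafe_b64decode(token)
    nonce, ct, tag = raw[:12], raw[12:-32], raw[-32:]
    if not hmac.compare_digest(tag, _tag(key, context, nonce, ct)):
        raise ValueError("bad tag or wrong context")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- vulnerable pattern: a generic decrypt action with no authentication -------
def vulnerable_decrypt_action(request: dict) -> dict:
    """Hypothetical handler: whoever can reach it gets plaintext for any ciphertext."""
    return {"plaintext": decrypt(SERVER_KEY, request["ciphertext"]).decode()}


# --- hardened pattern: authenticate the caller and bind tokens to a purpose ----
EMBED_CONTEXT = b"embed-url"    # context under which public embed tokens are minted
API_CONTEXT = b"api-decrypt"    # the only context the API action will accept


def hardened_decrypt_action(request: dict, session: dict) -> dict:
    if not session.get("user_id"):
        return {"status": 401, "error": "authentication required"}
    try:
        pt = decrypt(SERVER_KEY, request["ciphertext"], API_CONTEXT)
    except ValueError:
        return {"status": 400, "error": "ciphertext not issued for this action"}
    return {"status": 200, "plaintext": pt.decode()}


def attacker_recovers_public_token() -> str:
    # Constructed scenario: the site places a protected token in a public embed URL.
    public_token = encrypt(SERVER_KEY, b"user=42;secret=abc")
    # The attacker only needs to replay it to the unauthenticated action.
    return vulnerable_decrypt_action({"ciphertext": public_token})["plaintext"]


def hardened_outcomes() -> tuple:
    embed_token = encrypt(SERVER_KEY, b"user=42;secret=abc", context=EMBED_CONTEXT)
    anon = hardened_decrypt_action({"ciphertext": embed_token}, session={})
    logged_in = hardened_decrypt_action({"ciphertext": embed_token}, session={"user_id": 7})
    api_token = encrypt(SERVER_KEY, b"hello", context=API_CONTEXT)
    ok = hardened_decrypt_action({"ciphertext": api_token}, session={"user_id": 7})
    return anon["status"], logged_in["status"], ok["status"], ok.get("plaintext")


if __name__ == "__main__":
    print("oracle leaks:", attacker_recovers_public_token())
    print("hardened (anon, wrong-context, ok):", hardened_outcomes())
```

The check to run against a real deployment is the same as the attacker's: take any ciphertext the site emits to anonymous visitors and submit it to every decrypt-style endpoint without a session; a 200 with plaintext is the finding. The context binding matters because an authentication check alone still lets any registered user decrypt tokens that were never meant for them.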
WordPress Post SMTP plugin <= 3.2.0 - Account Takeover Vulnerability
Account Takeover Vulnerability discovered by Denver Jackson (Patchstack Alliance) in WordPress Plugin Post SMTP versions <= 3.2.0...
WordPress Pro Bulk Watermark Plugin for WordPress Theme <= 2.0 is vulnerable to Path Traversal
Software: Pro Bulk Watermark Plugin for WordPress | Type: Theme | Vulnerable versions: <= 2.0 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: Path Traversal | CVE: CVE-2025-28973 | Patch priority: High | CVSS severity: High (6.5) | PSID: c40f943bba08 | Credits: Tran Nguyen Bao Khanh VCI -...
WordPress WPGYM plugin <= 65.0 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Jingle Bells in WordPress Plugin WPGYM versions <= 65.0...
WordPress Fitrush Theme <= 1.3.4 is vulnerable to Local File Inclusion
Software: Fitrush | Type: Theme | Vulnerable versions: <= 1.3.4 | Fixed in: N/A | OWASP Top 10: A4: Insecure Design | Classification: Local File Inclusion | CVE: CVE-2023-26005 | Patch priority: High | CVSS severity: High (8.1) | PSID: 578d89dc95a4 | Credits: Phat RiO - BlueRock | Required privilege...
WordPress SUMO Affiliates Pro plugin < 11.1.0 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Anhchangmutrang in WordPress Plugin SUMO Affiliates Pro versions < 11.1.0...
DRUPAL-CONTRIB-2025-071
The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend. The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be...
WordPress Event Calendar plugin <= 1.0.4 - Unauthenticated Arbitrary Calendar Deletion vulnerability
Unauthenticated Arbitrary Calendar Deletion vulnerability discovered by Bob Matyas in WordPress Plugin Event Calendar versions <= 1.0.4...
WordPress AffiliateImporterEb plugin <= 1.0.6 - Reflected XSS via Search vulnerability
Reflected XSS via Search vulnerability discovered by Bob Matyas in WordPress Plugin AffiliateImporterEb versions <= 1.0.6...
WordPress Eventin plugin <= 4.0.26 - Arbitrary File Download Vulnerability
Arbitrary File Download Vulnerability discovered by astra.r3verii in WordPress Plugin Eventin versions <= 4.0.26...
WordPress WPshop 2 plugin 2.0.0-2.6.0 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover
Authenticated (Subscriber+) Privilege Escalation via Account Takeover vulnerability discovered by kr0d in WordPress Plugin WP shop versions 2.0.0-2.6.0...
WordPress Reales WP STPT plugin <= 2.1.2 - Authenticated (Subscriber+) Privilege Escalation via Password Update vulnerability
Authenticated (Subscriber+) Privilege Escalation via Password Update vulnerability discovered by Foxyyy in WordPress Plugin Reales WP STPT versions <= 2.1.2...
WordPress Ultimate Auction Pro plugin <= 1.5.2 - Unauthenticated SQL Injection via 'auction_id' vulnerability
Unauthenticated SQL Injection via 'auction_id' vulnerability discovered by Tom Broucke in WordPress Plugin Ultimate Auction Pro versions <= 1.5.2...
WordPress Popup Builder plugin <= 1.1.35 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by LVT-tholv2k in WordPress Plugin Popup Builder versions <= 1.1.35...
WordPress FoodBakery plugin <= 3.3 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Bonds (Patchstack Alliance) in WordPress Plugin FoodBakery versions <= 3.3...
WordPress Avatar plugin <= 0.1.4 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability
Authenticated (Subscriber+) Arbitrary File Deletion vulnerability discovered by theviper17y in WordPress Plugin Avatar versions <= 0.1.4...
WordPress Rating by BestWebSoft plugin <= 1.7 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Le Ngoc Anh in WordPress Plugin Rating by BestWebSoft versions <= 1.7...
WordPress Modal Survey plugin <= 2.0.2.0.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Bonds (Patchstack Alliance) in WordPress Plugin Modal Survey versions <= 2.0.2.0.1...
WordPress Clinked Client Portal Plugin <= 1.10 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Clinked Client Portal versions <= 1.10...
WordPress Duplicate Title Checker Plugin <= 1.2 - SQL Injection vulnerability
SQL Injection vulnerability discovered by João Pedro S. Alcântara (Kinorth) in WordPress Plugin Duplicate Title Checker versions <= 1.2...