CVE-2026-45775

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a path traversal vulnerability in Discourse backup handling could allow an authenticated administrator on one site in a...

CVE-2026-4512

The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptchajs function. This allows administrators on multisite installations who do not have the unfilteredhtml capability to injec...

CVE-2026-1083

The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min length/characters' and 'Max...

CVE-2025-12065

The WP Carticon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carticonjsscript' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-lev...

PT-2023-17903 · WordPress · Fast & Effective Popups & Lead-Generation

Name of the Vulnerable Software and Affected Versions: Fast & Effective Popups & Lead-Generation for WordPress plugin versions prior to 2.1.4 Description: The issue concerns the concatenation of user input into an SQL query without proper escaping in the plugin's report API endpoint. This could...

PT-2022-25944 · WordPress · Contest Gallery Pro +1

Name of the Vulnerable Software and Affected Versions: Contest Gallery WordPress plugin versions prior to 19.1.5.1 Contest Gallery Pro WordPress plugin versions prior to 19.1.5.1 Description: The issue arises from the failure to escape the cg option id POST parameter before it is concatenated to ...