CVE-2026-8906

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts...

CVE-2025-14075

The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotelbookingfetchcustomerinfo' AJAX action to unauthenticated users without proper capability checks, relying only on a...

CVE-2025-14075

CVE-2025-14075 affects the WP Hotel Booking plugin for WordPress (versions up to and including 2.2.7). The vulnerability exposes the unauthenticated AJAX action hotel_booking_fetch_customer_info without proper capability checks, relying only on a nonce. This allows unauthenticated attackers to re...

CVE-2025-11260 WP Headless CMS Framework <= 1.15 - Unauthenticated Protection Mechanism Bypass

The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypasse...

EUVD-2025-158258

The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypasse...

PT-2025-46791

Name of the Vulnerable Software and Affected Versions WP Headless CMS Framework versions up to and including 1.15 Description The WP Headless CMS Framework plugin for WordPress has a flaw where its protection mechanisms can be bypassed. The plugin only verifies the presence of the Authorization...

EUVD-2021-11073

Malware in sbrugna...

EUVD-2021-11077

Malware in sbrugna...

EUVD-2021-11132

Malware in sbrugna...

EUVD-2021-11080

Malware in sbrugna...

EUVD-2022-34342

Malicious code in bioql PyPI...

EUVD-2023-12783

Malicious code in bioql PyPI...

EUVD-2022-34696

Malicious code in bioql PyPI...

EUVD-2025-25959

Malicious code in bioql PyPI...

EUVD-2022-34512

Malicious code in bioql PyPI...

EUVD-2022-34307

Malicious code in bioql PyPI...

CVE-2021-24163

The AJAX action, wpajaxninjaformssendwpremoteinstallhandler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form...

CVE-2021-24218

The wpajaxsavefbesettings and wpajaxdeletefbesettings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved...

CVE-2021-24166

The wpajaxnfoauthdisconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection...

CVE-2022-2443

The FreeMind WP Browser plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.2. This is due to missing nonce protection on the FreemindOptions function found in the /freemind-wp-browser.php file. This makes it possible for unauthenticated attackers t...