21 matches found

Patchstack
added 2026/02/25 10:27 p.m., 7 views

WordPress The Events Calendar plugin <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API vulnerability

Improper Authorization to Authenticated Contributor+ Event/Organizer/Venue Update/Trash via REST API vulnerability discovered by type5afe in WordPress Plugin The Events Calendar versions <= 6.15.16...

CVSS 5.4, AI score 5.4, EPSS 0.00227
Exploits 0, References 1, Affected Software 1
NVD
added 2026/02/25 10:16 p.m., 8 views

CVE-2026-2694

The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'canedit' and 'candelete' functions in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with...

CVSS 5.4, EPSS 0.00227
Exploits 0, References 6
Cvelist
added 2026/02/25 9:25 p.m., 22 views

CVE-2026-2694 The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API

The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'canedit' and 'candelete' functions in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with...

CVSS 5.4, EPSS 0.00227
Exploits 0, References 6
Positive Technologies
added 2026/02/25 12:00 a.m., 6 views

PT-2026-22024

Name of the Vulnerable Software and Affected Versions: The Events Calendar plugin for WordPress versions prior to 6.15.16. Description: The Events Calendar plugin for WordPress is susceptible to unauthorized modification and potential loss of data. This is due to an insufficient capability check...

CVSS 5.4, AI score 5.2, EPSS 0.00227
Exploits 0, References 8
Cvelist
added 2026/02/19 3:30 p.m., 22 views

CVE-2026-25738 Indico has Server-Side Request Forgery (SSRF) in multiple places

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of...

CVSS 6.9, EPSS 0.00189
Exploits 0, References 3
OSV
added 2026/02/19 3:30 p.m., 4 views

CVE-2026-25738 Indico has Server-Side Request Forgery (SSRF) in multiple places

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of...

CVSS 6.9, AI score 5.7, EPSS 0.00189
Exploits 0, References 5
Vulnrichment
added 2024/08/23 2:18 p.m., 9 views

CVE-2024-8113 Stored XSS in Placeholder Samples in Mail Preview

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However,...

CVSS 7.2, AI score 5.8, EPSS 0.00303
Exploits 0, References 1
OSV
added 2024/05/15 6:07 p.m., 13 views

GHSA-2M5G-8XPW-42VP OpenCFP Framework (Sentry) Account takeover via null password reset codes

OpenCFP, an open-source conference talk submission system written in PHP, contains a security vulnerability in its third-party authentication framework, Sentry, developed by Cartalyst. The vulnerability stems from how Sentry handles password reset checks. Users lacking a password reset token stor...

CVSS 8.9, AI score 7.2
Exploits 0, References 3
Github Security Blog
added 2024/05/15 6:07 p.m., 17 views

OpenCFP Framework (Sentry) Account takeover via null password reset codes

OpenCFP, an open-source conference talk submission system written in PHP, contains a security vulnerability in its third-party authentication framework, Sentry, developed by Cartalyst. The vulnerability stems from how Sentry handles password reset checks. Users lacking a password reset token stor...

AI score 7.2
Exploits 0, References 3, Affected Software 1
Github Security Blog
added 2023/07/21 8:24 p.m., 24 views

Indico vulnerable to Cross-Site-Scripting via confirmation prompts

Impact: There is a Cross-Site-Scripting vulnerability in confirmation prompts commonly used when deleting content from Indico. Exploitation requires someone with at least submission privileges such as a speaker and then someone else to attempt to delete this content. Considering that event...

CVSS 5.4, AI score 6.7, EPSS 0.00433
Exploits 0, References 7, Affected Software 1
Schneier on Security
added 2023/06/16 7:07 p.m., 15 views

Security and Human Behavior (SHB) 2023

I'm just back from the sixteenth Workshop on Security and Human Behavior, hosted by Alessandro Acquisti at Carnegie Mellon University in Pittsburgh. SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro...

AI score 6.9
Exploits 0
OSV
added 2023/04/20 9:33 p.m., 16 views

GHSA-23FX-92M6-4F2G pretalx allows path traversal in HTML export

pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export, a non-default feature. Organizers can trigger the overwriting with the standard pretalx 404 page content of an arbitrary file...

CVSS 5.3, AI score 4.5, EPSS 0.03429
Exploits 3, References 7
The Hacker News
added 2023/03/31 12:01 p.m., 5 views

Cyber Police of Ukraine Busted Phishing Gang Responsible for $4.33 Million Scam

The Cyber Police of Ukraine, in collaboration with law enforcement officials from Czechia, has arrested several members of a cybercriminal gang that set up phishing sites to target European users. Two of the apprehended affiliates are believed to be organizers, with 10 others detained in other...

AI score 6.6
Exploits 0
Gitee
added 2020/06/02 9:28 a.m., 4 views

BJDCTF2020_March

This edition of BJDCTF was jointly organized by Jiangsu University of Science and Technology, Beijing University of Technology, Southwest Minzu University, Hangzhou Normal University, Jiangsu University and Hunan University of Technology (in no particular order). Practice the challenges on buu; thanks to 赵总 for the strong support...

AI score 7
Exploits 0
ThreatPost
added 2020/02/21 5:29 p.m., 66 views

Burning Man Tickets for $225? Yep, Too Good to Be True

Burning Man aficionados anxious to get their tickets squared away for the 2020 “experience” should beware: Fake concert organizers are offering passes in what researchers say is a very convincing and sophisticated scam effort. Burning Man, which bills itself as a “vibrant participatory metropolis...

Exploits 0, References 4
Malwarebytes
added 2018/02/27 6:56 p.m., 67 views

Human Factor Podcast: Jenny Radcliffe and Chris Boyd

A little while ago, I was invited to take part in Jenny Radcliffe's Human Factor Podcast. With 44 episodes strong and counting, Jenny spends an hour or so talking at length with her guests, who are professional investigators, security advocates, all-round educators, tireless consultant/conference...

AI score 6.9
Exploits 0
Prion
added 2015/03/11 10:59 a.m., 16 views

Spoofing

Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to spoof meeting organizers via unspecified vectors, aka "Exchange Forged Meeting Request Spoofing Vulnerability."...

CVSS 5, AI score 7.1, EPSS 0.09146
Exploits 0, References 2, Affected Software 1
Cvelist
added 2015/03/11 10:00 a.m., 27 views

CVE-2015-1631

Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to spoof meeting organizers via unspecified vectors, aka "Exchange Forged Meeting Request Spoofing Vulnerability."...

AI score 6.5, EPSS 0.09146
Exploits 0, References 2
ThreatPost
added 2014/03/05 3:22 p.m., 10 views

Meetup.com Back Online After DDoS Attacks, Extortion

Social networking site Meetup.com is finally back online today, yet officials at the site are warning it could still face future outages following a series of sustained distributed denial of service (DDoS) attacks over the weekend. Meetup is a social networking portal that allows individuals with...

AI score 7.3
Exploits 0, References 3
ThreatPost
added 2011/10/21 8:21 p.m., 7 views

Aaron Barr's Strange Trip To (Occupy) Wall Street

It was an “Elvis Meets Nixon” kind of moment: former HBGary Federal CEO Aaron Barr sporting blue hair and posing in front of a van sporting the Wikileaks logo down at New York’s Zuccotti Park, home of the Occupy Wall Street protest. What was he doing there? It’s complicated. In an interview with...

AI score 7
Exploits 0, References 4