80 matches found

Cvelist
added 2025/11/07 12:0 a.m. | 9 views

CVE-2025-57698

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function installpluginupload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to filepath without checking the validi...

EPSS 0.00675
Exploits 1 | References 1
Vulnrichment
added 2025/11/07 12:0 a.m. | 2 views

CVE-2025-57698

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function installpluginupload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to filepath without checking the validi...

AI score 6.3 | EPSS 0.00675
Exploits 1 | References 1
Vulnrichment
added 2025/10/16 6:47 a.m. | 3 views

CVE-2025-10706 Classified Pro <= 1.0.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwpaddonsupdateplugincb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and...

CVSS 8.8 | AI score 6.3 | EPSS 0.00584
Exploits 0 | References 2
EUVD
added 2025/10/11 12:30 p.m. | 3 views

EUVD-2025-33847

The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsupadmininfoinstallplugin function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin...

CVSS 4.3 | AI score 4.9 | EPSS 0.00227
Exploits 0 | References 4
EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2025-29548

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 6.5 | EPSS 0.00219
Exploits 0 | References 4
NVD
added 2025/09/16 12:15 p.m. | 2 views

CVE-2025-8446

The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blazedemoimporterinstallplugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with...

CVSS 4.3 | EPSS 0.00219
Exploits 0 | References 3
CVE
added 2025/09/16 11:17 a.m. | 10 views

CVE-2025-8446

CVE-2025-8446 concerns the Blaze Demo Importer plugin for WordPress (versions 1.0.12 or apply the vendor-provided fix, and validate that unauthorized plugin installations are disallowed.

CVSS 4.3 | AI score 4.7 | EPSS 0.00219
Exploits 0 | References 3
Cvelist
added 2025/09/16 11:17 a.m. | 7 views

CVE-2025-8446 Blaze Demo Importer <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install

The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blazedemoimporterinstallplugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with...

CVSS 4.3 | EPSS 0.00219
Exploits 0 | References 3
Vulnrichment
added 2025/08/21 5:28 a.m. | 2 views

CVE-2025-8592 Inspiro <= 2.1.2 - Cross-Site Request Forgery to Arbitrary Plugin Installation

The Inspiro theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing or incorrect nonce validation on the inspiroinstallplugin function. This makes it possible for unauthenticated attackers to install plugins from the...

CVSS 8.1 | AI score 6.6 | EPSS 0.00199
Exploits 0 | References 5
AlpineLinux
added 2025/08/02 12:15 a.m. | 4 views

CVE-2025-54386

Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../...

CVSS 9.8 | AI score 8.3 | EPSS 0.01035
Exploits 0 | References 6
OSV
added 2025/06/18 8:15 a.m. | 1 view

CVE-2025-1562

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the installoractivateaddonplugins function and a weak nonce hash in all...

CVSS 9.8 | AI score 5.7
Exploits 0 | References 6
CNNVD
added 2025/06/02 12:0 a.m. | 1 view

juzaweb CMS security vulnerability

Juzaweb CMS is a content management system developed by Juzaweb Individual Developer based on the Laravel framework and Web platform. A security vulnerability exists in juzaweb CMS version 3.4.2 and earlier, which stems from improper access control in the file /admin-cp/plugin/install...

CVSS 6.5 | AI score 6.4 | EPSS 0.0035
Exploits 1 | References 5
RedhatCVE
added 2025/05/22 11:15 p.m. | 4 views

CVE-2022-3881

The WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log WordPress plugin before 3.43 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and...

CVSS 5.7 | AI score 5.7 | EPSS 0.00438
Exploits 1 | References 1
Citrix
added 2025/03/07 12:0 a.m. | 9 views

Citrix Cloud: Workspace App configuration is missing silent plugin install for teams or other apps

To understand why a certain plugin install for Teams or other apps is currently unavailable in the Workspace configuration of the DaaS console: on trying to enable the "Updates and Plug-ins" options for MS Teams, WebEx or Zoom, the options to enable or disable the items below are not showing or are missing in...

AI score 7.1
Exploits 0
OSV
added 2024/11/26 6:15 a.m. | 4 views

CVE-2024-10542

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for...

CVSS 7.5 | AI score 6.4 | EPSS 0.15236
Exploits 1 | References 3
OSV
added 2024/11/15 5:15 a.m. | 3 views

CVE-2024-10897

The Tutor LMS Elementor Addons plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the installetlmsdependencyplugin function in all versions up to, and including, 2.1.5. This makes it possible for authenticated attackers, with Subscriber-lev...

CVSS 4.3 | AI score 7.3
Exploits 0 | References 3
OSV
added 2024/02/05 10:15 p.m. | 3 views

CVE-2023-6985

The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the installplugin AJAX action in all versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with...

CVSS 8.8 | AI score 5.8 | EPSS 0.01365
Exploits 1 | References 2
CVE
added 2023/06/22 12:0 a.m. | 141 views

CVE-2023-36097

CVE-2023-36097 affects FunAdmin v3.3.2 and v3.3.3. The issue is an insecure file upload in the plugin installation process, caused by insufficient validation/restrictions on uploaded plugin files. This vulnerability allows an attacker to upload malicious files via the local install mechanism, pot...

CVSS 9.8 | AI score 9.4 | EPSS 0.00872
Exploits 1 | References 1 | Affected Software 1
ATTACKERKB
added 2023/06/09 6:16 a.m. | 0 views

CVE-2023-2280

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajaxpublic' function in versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to delete or change plugin...

CVSS 6.5 | AI score 6 | EPSS 0.00601
Exploits 0 | References 4
OSV
added 2023/06/07 2:15 a.m. | 4 views

CVE-2020-36719

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lpccaddonsactions function. This makes it possible for unauthenticated attacker...

CVSS 9.8 | AI score 5.8 | EPSS 0.04304
Exploits 1 | References 3