
119 matches found

EUVD
added 2025/10/03 8:7 p.m. · 4 views

EUVD-2023-44203

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 9 · EPSS 0.00321
Exploits 2 · References 1

EUVD
added 2025/10/03 8:7 p.m. · 5 views

EUVD-2024-38185

Malicious code in bioql PyPI...

CVSS 6.4 · AI score 6.6 · EPSS 0.00341
Exploits 1 · References 1

Patchstack
added 2025/08/06 4:26 a.m. · 4 views

WordPress Porn Videos Embed plugin <= 0.9.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Mika Patchstack Alliance in WordPress Plugin Porn Videos Embed versions <= 0.9.1...

CVSS 6.5 · AI score 4.1 · EPSS 0.0019
Exploits 0 · Affected Software 1

Positive Technologies
added 2025/08/02 12:0 a.m. · 3 views

PT-2025-31735 · WordPress · Ultimate Addons For Elementor

Name of the Vulnerable Software and Affected Versions: Ultimate Addons for Elementor versions up to and including 2.4.6 Description: The Ultimate Addons for Elementor plugin for WordPress contains a flaw that allows unauthorized data modification. A missing capability check within the save hfe...

CVSS 4.3 · AI score 6.2 · EPSS 0.00218
Exploits 0 · References 8

Patchstack
added 2025/07/29 9:26 a.m. · 6 views

WordPress WP LOL Rotation <= 1.0 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting (XSS) Vulnerability discovered by Chu The Anh Blue Rock in WordPress Plugin WP LOL Rotation versions <= 1.0...

CVSS 6.5 · AI score 6 · EPSS 0.00202
Exploits 0 · Affected Software 1

Patchstack
added 2025/07/22 10:33 p.m. · 4 views

WordPress Featured Image Plus – Quick & Bulk Edit with Unsplash plugin <= 1.6.6 - Authenticated (Admin+) Server-Side Request Forgery vulnerability

Authenticated (Admin+) Server-Side Request Forgery vulnerability discovered by ch4r0n in WordPress Plugin Featured Image Plus versions <= 1.6.6...

CVSS 5.5 · AI score 6.8 · EPSS 0.00241
Exploits 0 · References 1 · Affected Software 1

Vulnrichment
added 2025/07/21 7:23 a.m. · 3 views

CVE-2025-4685 Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML data attributes of multiple widgets, in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This make...

CVSS 6.4 · AI score 5.5 · EPSS 0.00221
Exploits 0 · References 2

Patchstack
added 2025/07/16 12:17 p.m. · 4 views

WordPress WP Post Hide plugin <= 1.0.9 - Cross Site Request Forgery (CSRF) Vulnerability

Cross Site Request Forgery (CSRF) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin WP Post Hide versions <= 1.0.9...

CVSS 4.3 · AI score 6.6 · EPSS 0.00128
Exploits 0 · Affected Software 1

RedhatCVE
added 2025/07/13 8:8 a.m. · 6 views

CVE-2025-7442

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJgmgtdeleteclasslimitformember, MJgmgtgetyearlyincomeexpense, MJgmgtgetmonthlyincomeexpense, MJgmgtaddclasslimit, MJgmgtviewmeetingdetail, and MJgmgtcreatemeeting functio...

CVSS 7.5 · AI score 7.1 · EPSS 0.00327
Exploits 0 · References 1

Patchstack
added 2025/07/11 9:28 p.m. · 7 views

WordPress RSFirewall! plugin <= 1.1.42 - Authenticated (Admin+) Arbitrary File Read vulnerability

Authenticated (Admin+) Arbitrary File Read vulnerability discovered by WordFence in WordPress Plugin RSFirewall! versions <= 1.1.42...

CVSS 4.9 · AI score 6.8 · EPSS 0.00395
Exploits 0 · References 1 · Affected Software 1

RedhatCVE
added 2025/07/11 3:42 p.m. · 15 views

CVE-2025-53674

Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it...

CVSS 5.3 · AI score 7.1 · EPSS 0.00252
Exploits 0 · References 1

RedhatCVE
added 2025/07/11 3:42 p.m. · 8 views

CVE-2025-53678

Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system...

CVSS 6.5 · AI score 7 · EPSS 0.00196
Exploits 0 · References 1

CVE
added 2025/07/09 3:39 p.m. · 23 views

CVE-2025-53655

CVE-2025-53655 affects Jenkins Statistics Gatherer Plugin versions 2.0.3 and earlier. The root issue is that the AWS Secret Key is stored unencrypted in the global configuration file org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml on the Jenkins controller and is not masked in...

CVSS 5.3 · AI score 6.5 · EPSS 0.00313
Exploits 0 · References 2 · Affected Software 1

Patchstack
added 2025/06/30 9:30 p.m. · 14 views

WordPress Opal Estate Pro plugin <= 1.7.5 - Unauthenticated Privilege Escalation via 'on_regiser_user' vulnerability

Unauthenticated Privilege Escalation via 'on_regiser_user' vulnerability discovered by Alyudin Nafiie in WordPress Plugin Opal Estate Pro versions <= 1.7.5...

CVSS 9.8 · AI score 6.7 · EPSS 0.22334
Exploits 12 · References 1 · Affected Software 1

RedhatCVE
added 2025/06/28 3:21 a.m. · 5 views

CVE-2025-3863

The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the processwbelpspromoform function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level acces...

CVSS 4.3 · AI score 7 · EPSS 0.00235
Exploits 0 · References 1

CVE
added 2025/06/20 3:4 p.m. · 17 views

CVE-2025-49971

CVE-2025-49971 concerns a Missing Authorization (Broken Access Control) vulnerability in the WordPress plugin eDS Responsive Menu by aThemeArt translations. It affects versions up to 1.2, arising from improper access control configuration. Public references in connected sources confirm the issue ...

CVSS 4.3 · AI score 5.9 · EPSS 0.00229
Exploits 0 · References 1

Cvelist
added 2025/06/17 6:0 a.m. · 23 views

CVE-2025-5209 Ivory Search < 5.5.10 - Admin+ Stored XSS

The Ivory Search WordPress plugin before 5.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed...

EPSS 0.00218
Exploits 1 · References 1

Vulnrichment
added 2025/06/06 6:42 a.m. · 8 views

CVE-2025-5019 Hive Support <= 1.2.5 - Cross-Site Request Forgery via hs_update_ai_chat_settings Function

The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings function. This mak...

CVSS 5.4 · AI score 5.7 · EPSS 0.00145
Exploits 0 · References 5

Patchstack
added 2025/05/23 9:56 p.m. · 6 views

WordPress 4stats plugin <= 2.0.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin 4stats versions <= 2.0.9...

CVSS 6.1 · AI score 5.6 · EPSS 0.00255
Exploits 0 · References 1 · Affected Software 1

RedhatCVE
added 2025/05/23 9:50 a.m. · 6 views

CVE-2024-6334

The Easy Table of Contents WordPress plugin before 2.0.67.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed...

CVSS 6.1 · AI score 6 · EPSS 0.00393
Exploits 1 · References 1