EUVD-2026-24521
WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check Category::canCreateCategory / User::isAdmin and...
WWBN AVideo Cross-Site Request Forgery Vulnerability
WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained a cross-site request forgery vulnerability. This vulnerability stemmed from three JSON endpoints accessible only to administrators: objects/categoryAddNew.json.ph...
JIZHICMS Code Issue Vulnerability
JIZHICMS is an open-source content management system developed by JIZHI Corporation in China. Version 1.6.7 of JIZHICMS contains a code issue vulnerability, which stems from a file download vulnerability in the administrator plugin update endpoint. This vulnerability could allow...
CVE-2025-14465 Sticky Action Buttons <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update
The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabsoptionspageformsubmit function. This makes it possible for unauthenticated attackers to update plug...
EUVD-2021-11779
Malware in sbrugna...
EUVD-2022-52146
Malicious code in bioql PyPI...
EUVD-2022-7233
Malicious code in bioql PyPI...
CVE-2025-9634
The Plugin updates blocker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the pubsave action handler. This makes it possible for unauthenticated attackers to disable or enable plug...
CVE-2025-9634
CVE-2025-9634 concerns the WordPress plugin “Plugin updates blocker” (versions up to and including 0.2). The flaw is a CSRF vulnerability caused by missing or incorrect nonce validation on the pub_save action, enabling unauthenticated attackers to toggle plugin updates (disable/enable) by luring ...
PT-2025-25176
Name of the Vulnerable Software and Affected Versions: Chromium versions prior to 137.0.7151.103; Google Chrome versions prior to 137.0.7151.103 Description: A type confusion issue exists in the V8 component of Google Chrome. This flaw could allow a remote attacker to execute arbitrary code within a...
PT-2025-21256 · WordPress · Wp Content Security Plugin
Name of the Vulnerable Software and Affected Versions: WP Content Security Plugin versions up to, and including, 2.3 Description: The WP Content Security Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blocked-uri and effective-directive parameters due to insufficient...
WordPress Church Admin plugin <= 5.0.23 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by zaim in WordPress Plugin Church Admin versions <= 5.0.23...
CVE-2024-6857 WP MultiTasking <= 0.1.12 - Header/Footer/Body Script Update via CSRF
The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating its Header, Footer and Body Script Settings, which could allow attackers to make logged admins perform such action via a CSRF attack...
PT-2022-17112 · Jenkins · Jenkins Pipeline: Groovy Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline: Groovy Plugin versions 2648.va9433432b33c and earlier; Jenkins Pipeline: Groovy Plugin prior to 2656.vf7ae7b75a457; Jenkins Pipeline: Groovy Plugin version 2.94.1; Jenkins Pipeline: Groovy Plugin version 2.92.1 Description:...
Nessus Essentials with offline registration and plugin updates
In this episode, I would like to talk about Nessus Essentials and, in particular, how to register and update it without direct internet access. Nothing complicated, but there are a couple of pitfalls that I would like to share. Let's say you need to scan a host in a critical autonomous segment whe...
Vulnerabilities fixed in Jenkins
Several vulnerabilities have been fixed in Jenkins. A malicious user could potentially exploit the vulnerabilities to perform a Cross-Site Scripting (XSS) attack. Such an attack can lead to the execution of arbitrary script code in the browser used to visit the application. Jenkins developers hav...
WordPress stops-core-theme-and-plugin-updates plugin has unspecified vulnerability
WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. stops-core-theme-and-plugin-updates is an update management plugin that is used to manage updates to WordPress and its related plugins...
CVE-2019-15650
The stops-core-theme-and-plugin-updates plugin before 8.0.5 for WordPress has insufficient restrictions on option changes such as disabling unattended theme updates because of a nonce check error...
WordPress Plugins Leave Online Shoppers Vulnerable
Researchers are calling into question the safety of some of the top WordPress e-commerce plugins used on over 100,000 commercial websites prepping for Black Friday and Cyber Monday online sales. In reviewing the top 12 WordPress e-commerce plugins, application security testing firm Checkmarx foun...