WordPress plugin BEAR 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

WordPress plugin Slider Revolution 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2026-5294

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files...

CVE-2026-23927 Agent 2 Oracle plugin TNS connection string injection via the 'service' parameter

A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 connecting to an attacker-controlled server and leaking Oracle database credentials if they are saved in a named session...

CVE-2026-5753

The CVE CVE-2026-5753 concerns the All-in-One WP Migration Unlimited Extension for WordPress (versions ≤ 2.83). The root cause is Missing Authorization in Ai1wmve_Schedules_Controller::save for admin_post_ai1wm_schedule_event_save, which does not verify user capabilities before saving schedule da...

PT-2026-38283

Name of the Vulnerable Software and Affected Versions Grav form plugin versions prior to 9.1.0 Description An unauthenticated page-content overwrite exists via file upload. The file upload handler in user/plugins/form/classes/Form.php uses a filename parameter that can be controlled via POST...

CVE-2026-40797 WordPress WebinarIgnition plugin <= 4.08.253 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection. This issue affects WebinarIgnition: from n/a through 4.08.253...

WordPress plugin DX Sources 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

PT-2026-36957

Name of the Vulnerable Software and Affected Versions Zingaya Click-to-Call versions prior to 1.1 Description Insufficient input sanitization and output escaping in the sign-up admin page allow unauthenticated attackers to inject arbitrary web scripts. This occurs via the 'email', 'first name',...

WordPress plugin Royal Elementor Addons 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

WordPress plugin Schedule Post Changes With PublishPress Future 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be added t...

CVE-2026-4024

The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both wpajax and wpajaxnopriv hooks, maki...

CVE-2026-32834

Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can...

CVE-2026-32834 Easy PayPal Events & Tickets < 1.4 Authentication Bypass via QR Code Scanning

Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can...

WordPress WebinarIgnition plugin < 4.09.86 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Dahmani Toumi pegaSUS in WordPress Plugin WebinarIgnition versions 4.09.86...

WordPress EmailKit – Email Customizer for WooCommerce & WP plugin <= 1.6.5 - Authenticated (Author+) Arbitrary File Read vulnerability

Authenticated Author+ Arbitrary File Read vulnerability discovered by Nguyen Cong Quang in WordPress Plugin EmailKit versions = 1.6.5...

WordPress Publish 2 Ping.fm plugin <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Publish 2 Ping.fm versions = 1.1...

WordPress DX Sources plugin <= 2.0.1 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin DX Sources versions = 2.0.1...

RHCOS 4 : OpenShift Container Platform 4.10.33 (RHSA-2022:6531)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:6531 advisory. - jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin CVE-2022-34176 - jenkins-plugin: Arbitrary file write vulnerability...

CVE-2026-3504 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 4.3.1 - Unauthenticated Information Disclosure in Store Reviews REST API Endpoint

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/id/reviews' REST API endpoint. This is due to the 'preparereviewsforresponse' method...