CVE-2025-14481 Yoast SEO <= 26.5 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via 'post_id' Parameter

The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated...

CVE-2026-6206 MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter

The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfromquerystring function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract da...

CVE-2026-6206 MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter

The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfromquerystring function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract da...

CVE-2026-4573 SourceCodester Simple E-learning System HTTP GET Parameter delete_post.php sql injection

A security vulnerability has been detected in SourceCodester Simple E-learning System 1.0. This affects an unknown part of the file /includes/formhandlers/deletepost.php of the component HTTP GET Parameter Handler. The manipulation of the argument postid leads to sql injection. It is possible to...

CVE-2026-4573

SourceCodester Simple E-learning System 1.0 contains a SQL injection in the HTTP GET parameter handler for delete_post.php (parameter post_id) evaluated by /includes/form_handlers/delete_post.php. This vulnerability allows remote exploitation and is publicly disclosed. The CVSS-derived metrics in...

CVE-2026-2233

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draftpost function in all versions up to, and including, 4.2.8. This makes it...

CVE-2026-2917

The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the haduplicatething admin action handler. This is due to the canclone method only checking currentusercan'editposts' a general capability without...

WordPress Happy Addons for Elementor plugin <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter vulnerability

Insecure Direct Object Reference to Authenticated Contributor+ Post Duplication via 'postid' Parameter vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Happy Addons for Elementor versions = 3.21.0...

CVE-2023-54332 Jetpack 11.4 - Cross Site Scripting (XSS)

Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the postid parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact wit...

CVE-2022-0321

The WP Voting Contest WordPress plugin before 3.0 does not sanitise and escape the postid parameter before outputting it back in the response via the wpvcsocialshareicons AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue...

CVE-2025-11857

The XX2WP Integration Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mxpfb2wpdisplayembed' shortcode in all versions up to, and including, 1.9.9. This is due to the plugin not properly sanitizing user input and output of the 'postid' parameter. This makes it...

CVE-2025-11857 XX2WP Integration Tools <= 1.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

The XX2WP Integration Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mxpfb2wpdisplayembed' shortcode in all versions up to, and including, 1.9.9. This is due to the plugin not properly sanitizing user input and output of the 'postid' parameter. This makes it...

CVE-2025-11857

The CVE-2025-11857 entry pertains to the XX2WP Integration Tools WordPress plugin. Affected versions are all up to and including 1.9.9, with a Stored Cross-Site Scripting (Stored XSS) flaw in the mxp_fb2wp_display_embed shortcode caused by improper sanitization of the post_id parameter. This allo...

EUVD-2021-11776

Malware in sbrugna...

EUVD-2007-1893

Malware in sbrugna...

EUVD-2014-4518

Malware in sbrugna...

EUVD-2010-0352

Malware in sbrugna...

EUVD-2023-33714

Malicious code in bioql PyPI...

EUVD-2023-33704

Malicious code in bioql PyPI...

EUVD-2022-15555

Malicious code in bioql PyPI...