EUVD-2025-203075

The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpactitletag' parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input sanitization and output escaping on user-supplied HTML tag name...

CVE-2025-12965 Magical Posts Display <= 1.2.54 - Authenticated (Author+) Stored Cross-Site Scripting via Magical Posts Accordion Widget

The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpactitletag' parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input sanitization and output escaping on user-supplied HTML tag name...

CVE-2025-12963

creationtimestamp| type| source ---|---|--- 2025-12-12 04:34:36+00:00| seen| https://infosec.exchange/users/offseq/statuses/115704730410222311 2025-12-12 04:34:37+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3m7rb5pqz5r2j 2025-12-12 05:25:47+00:00| seen|...

CVE-2025-10163

The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘startingwith’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

WordPress Magical Posts Display plugin <= 1.2.54 - Authenticated (Author+) Stored Cross-Site Scripting via Magical Posts Accordion Widget vulnerability

Authenticated Author+ Stored Cross-Site Scripting via Magical Posts Accordion Widget vulnerability discovered by Abu Hurayra HurayraIIT in WordPress Plugin Magical Posts Display versions = 1.2.54...

WordPress plugin Magical Posts Display 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site scripting...

PT-2025-50922

The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpac title tag' parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input sanitization and output escaping on user-supplied HTML tag...

PT-2025-50912

The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber duplicate' function in all versions up to, and including, 6.3.3. This makes it possible for authenticated attackers,...

CVE-2025-14046

CVE-2025-14046 affects GitHub Enterprise Server; improper input neutralization allows user-supplied HTML to inject DOM elements with conflicting IDs, shadowing server-initialized data islands and causing unintended server-side POST requests or other unauthorized backend interactions. Exploitation...

CVE-2025-64701

creationtimestamp| type| source ---|---|--- 2025-12-11 08:47:59+00:00| seen| https://bsky.app/profile/potato.software/post/3m7p6tu3pdm24 2025-12-11 08:55:43+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3m7p7bpcuoo2e 2025-12-11 09:33:16+00:00| seen|...

CVE-2025-10163

The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘startingwith’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2025-10163

Summary: WordPress plugin List category posts (versions

EUVD-2025-202663

The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘startingwith’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2025-10163 List Category Posts <= 0.91.0 - Authenticated (Contributor+) SQL Injection via Plugin's Shortcode

The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘startingwith’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2025-10163 List Category Posts <= 0.91.0 - Authenticated (Contributor+) SQL Injection via Plugin's Shortcode

The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘startingwith’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

WordPress List Category Posts plugin <= 0.91.0 - Authenticated (Contributor+) SQL Injection via Plugin's Shortcode vulnerability

Authenticated Contributor+ SQL Injection via Plugin's Shortcode vulnerability discovered by Khanh Nguyen - BlueRock - BlueRock in WordPress Plugin List category posts versions = 0.91.0...

CVE-2025-11414

creationtimestamp| type| source ---|---|--- 2025-12-11 00:30:27+00:00| seen| https://bsky.app/profile/bluesky.awakari.com/post/3m7od2756u523 2025-12-11 00:30:37+00:00| seen| https://bsky.app/profile/bluesky.awakari.com/post/3m7od2j6xti2p 2025-12-11 06:48:37+00:00| seen|...

CVE-2025-11412

creationtimestamp| type| source ---|---|--- 2025-12-11 00:30:27+00:00| seen| https://bsky.app/profile/bluesky.awakari.com/post/3m7od2756u523 2025-12-11 00:30:37+00:00| seen| https://bsky.app/profile/bluesky.awakari.com/post/3m7od2j6xti2p 2025-12-11 06:48:37+00:00| seen|...

CVE-2025-67510

creationtimestamp| type| source ---|---|--- 2025-12-11 00:02:58+00:00| seen| https://infosec.exchange/users/offseq/statuses/115697999974272387 2025-12-11 00:02:59+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3m7obj33kme2n 2025-12-11 01:10:24+00:00| seen|...

PT-2025-50649

An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by...