Cross-site Scripting (XSS)
Mezzanine CMS is vulnerable to Cross-site Scripting (XSS). The vulnerability stems from improper input sanitization: user-supplied input in the /blog/blogpost/add component is not filtered, allowing injection of malicious scripts into blog posts...
CVE-2025-8401
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.1 via the 'getpostdata' function. This makes it possible for authenticated attackers, with Author-level access and above, to extract sensitive...
CVE-2025-4425
| creationtimestamp | type | source |
|---|---|---|
| 2025-07-30 03:01:15+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3lv5myi7qbb2d |
| 2025-07-30 03:02:09+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3lv5n23uovd2s... |
WordPress hiWeb Export Posts Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation, and WordPress plugin is an application plugin. A cross-site request forgery vulnerability exists in WordPress hiWeb Export Posts, which stems from missing or incorrect random number validation, and can be exploited by a...
Mars: SQLi at █████ parameter
A SQL injection vulnerability was discovered in an items endpoint that accepted unauthenticated POST requests without CSRF validation. The vulnerability allowed execution of arbitrary SQL commands and extraction of database metadata. Additional security issues included stored XSS through the...
CVE-2025-54768
| creationtimestamp | type | source |
|---|---|---|
| 2025-07-29 00:16:07+00:00 | seen | https://bsky.app/profile/nimblenerd.social/post/3lv2tcazdnq26 |
| 2025-07-29 01:10:34+00:00 | seen | https://bsky.app/profile/jimbecher.bsky.social/post/3lv2wdmsm4s2k |
| 2025-07-29 02:49:14+00:00 | seen | ... |
WordPress plugin kallyas Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...
CVE-2025-8169
| creationtimestamp | type | source |
|---|---|---|
| 2025-07-25 20:45:07+00:00 | seen | https://bsky.app/profile/potato.software/post/3lusw43zpe52c |
| 2025-07-25 20:45:52+00:00 | seen | https://infosec.exchange/users/cR0w/statuses/114915826085504624... |
CVE-2025-45893
OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting XSS attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media manager are not properly sanitized. Attackers can craft a malicious SVG file containing embedded...
Improper Authorization
github.com/mattermost/mattermost-server is vulnerable to Improper Authorization. The vulnerability is due to a failure to verify authorization when retrieving cached posts by PendingPostID, which allows an attacker to read posts from private channels they do not have access to by guessing the...
CVE-2025-7640 hiWeb Export Posts <= 0.9.0.0 - Cross-Site Request Forgery to Arbitrary File Deletion
The hiWeb Export Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.0.0. This is due to missing or incorrect nonce validation on the tool-dashboard-history.php file. This makes it possible for unauthenticated attackers to delete...
WordPress plugin hiWeb Export Posts Path Traversal Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation, and WordPress plugin is an application plugin. A cross-site request forgery vulnerability exists in WordPress hiWeb Export Posts, which stems from missing or incorrect random number validation, and can be exploited by a...
PT-2025-30653 · WordPress · Hiweb Export Posts
Name of the Vulnerable Software and Affected Versions: hiWeb Export Posts plugin for WordPress versions up to and including 0.9.0.0 Description: The hiWeb Export Posts plugin for WordPress is susceptible to Cross-Site Request Forgery due to missing or incorrect nonce validation on the...
RHSA-2023:7077
| creationtimestamp | type | source |
|---|---|---|
| 2025-07-23 19:38:05+00:00 | seen | Telegram/7dqI0T7UDX-m5iuSwEoYuCcQjqNmKpc0btwU4cyV1G7Uc |
| 2025-07-23 19:38:08+00:00 | seen | Telegram/yffDVxtiYaWwp3UyhuKhfb81Vl84aAOxSkdR3j5tCAnhVI |
| 2025-07-23 19:38:10+00:00 | seen | ... |
CVE-2025-50481
A cross-site scripting XSS vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a blog post...
WordPress Information Disclosure Vulnerability (Jul 2025) - Windows
WordPress is prone to an information disclosure vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
CVE-2025-41675
| creationtimestamp | type | source |
|---|---|---|
| 2025-07-21 10:42:09+00:00 | seen | https://infosec.exchange/users/certvde/statuses/114890803062994673 |
| 2025-07-21 10:42:29+00:00 | seen | https://infosec.exchange/users/certvde/statuses/114890804388115598 |
| 2025-07-21 10:46:28+00:00 | seen | ... |
CVE-2025-54352
WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior...
UBUNTU-CVE-2025-54352
WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior...
CVE-2025-54352
CVE-2025-54352 affects WordPress 3.5–6.8.2 and enables remote disclosure of private/draft post titles via pingback.ping XML-RPC requests. A PoC on GitHub demonstrates retrieving the title after sending a pingback to a crafted post. The provided sources confirm the vulnerability but do not specify...