WordPress Contextual Related Posts plugin <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Contextual Related Posts versions <= 4.2.1...
CVE-2026-33093 Anviz Products Missing Authorization
Anviz CX7 Firmware is vulnerable to an unauthenticated POST to the device that captures a photo with the front facing camera, exposing visual information about the deployment environment...
Improper Verification
github.com/mattermost/mattermost-server is vulnerable to improper verification. The vulnerability is due to failure to validate that /share-issue-publicly post actions were created by the Jira plugin, which allows an attacker to exfiltrate Jira tickets by tricking victim users into interacting wi...
CVE-2026-6443

creationtimestamp| type| source
---|---|---
2026-04-17 07:30:33+00:00| seen| https://infosec.exchange/users/offseq/statuses/116418873404290151
2026-04-17 07:30:35+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mjofqe4pc425
2026-04-17 09:15:54+00:00| seen|...

CVE-2026-4666
The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of extract($args, EXTR_OVERWRITE) on user-controlled input in the edit method of classes/Posts.php in all versions up to, and including, 2.4.16. The post_edit action handler in Actions.php passes...
PT-2026-33399
The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of extract($args, EXTR_OVERWRITE) on user-controlled input in the edit method of classes/Posts.php in all versions up to, and including, 2.4.16. The post_edit action handler in Actions.php passes...
CVE-2026-21719

creationtimestamp| type| source
---|---|---
2026-04-16 20:00:00+00:00| seen| https://jvn.jp/en/jp/JVN78422311
2026-04-17 06:00:29+00:00| seen| https://infosec.exchange/users/offseq/statuses/116418519259243532
2026-04-17 06:00:31+00:00| seen|...

CVE-2026-6414

creationtimestamp| type| source
---|---|---
2026-04-16 13:15:27+00:00| seen| https://bsky.app/profile/ulisesgascon.com/post/3mjmik2cvw22a
2026-04-16 13:36:32+00:00| seen| https://bsky.app/profile/ulisesgascon.com/post/3mjmjpo4gfc2n
2026-04-16 14:58:59+00:00| seen|...

CVE-2026-3155
The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...
CVE-2026-0718
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback function in all versions up to, and including, 5.0.5. This makes it possible for...
PT-2026-33282
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback function in all versions up to, and including, 5.0.5. This makes it possible for...
PT-2026-33307
The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...
CVE-2026-20180

creationtimestamp| type| source
---|---|---
2026-04-15 16:21:38+00:00| seen| https://infosec.exchange/users/AAKL/statuses/116409637135769540
2026-04-15 17:18:54+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mjkfoj4tgf2w
2026-04-15 17:21:15+00:00| seen|...

CVE-2026-3649
The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportalpopupshortcode function is registered as an AJAX handler via wpajaxkatalogportalshortcodePrinter but lacks any capability check (current_user_can) or nonc...
CVE-2026-1555

creationtimestamp| type| source
---|---|---
2026-04-15 04:30:31+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mjj2qkoar62p
2026-04-15 04:30:31+00:00| seen| https://infosec.exchange/users/offseq/statuses/116406840802962869
2026-04-15 05:06:37+00:00| seen|...

CVE-2026-4812
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...
WordPress Advanced Custom Fields (ACF®) plugin <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters vulnerability
Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters vulnerability discovered by Fernando Mecozzi in WordPress Plugin Advanced Custom Fields versions <= 6.7.0...
CVE-2026-4812
The CVE describes a vulnerability in Advanced Custom Fields (ACF) for WordPress, affecting versions up to 6.7.0. The issue arises from AJAX field query endpoints that accept user-supplied filter parameters, which override field-configured restrictions without proper authorization checks. This all...
CVE-2026-4812 Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...