PT-2026-44747

Name of the Vulnerable Software and Affected Versions Breeze versions prior to 2.5.3 Description Improper verification of the wordpress logged in cookie in the inc/cache/execute-cache.php file occurs when the "Cache Logged-in Users" setting is enabled. The plugin uses the substr function to parse...

CVE-2026-1219

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'loadtracknoteajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers...

CVE-2026-1219 MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'loadtracknoteajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers...

CVE-2026-1219

CVE-2026-1219 affects the WordPress plugin MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar. Versions 4.0–5.10 are exposed to an Insecure Direct Object Reference via load_track_note_ajax due to missing validation on a user-controlled key, allowing unauthenticated access to privat...

WordPress plugin Ultimate Post Kit Addons for Elementor 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host a personal blog site on a PHP and MySQL based server.WordPress plugin is an application plugin. A security...

CVE-2025-66402 misskey.js's export data contains private post data

Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can can export the posts and view the contents. Version 2025.12.0 fixes the issue...

EUVD-2024-16473

Malicious code in bioql PyPI...

CVE-2025-8091 EventON Lite <= 2.4.7 - Authenticated (Contributor+) Information Disclosure

The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the addsingleeventon and addeventon shortcodes due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to...

CVE-2021-24840

The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the queryvars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request...

PT-2024-17655 · WordPress · Button Block

Name of the Vulnerable Software and Affected Versions: Button Block plugin for WordPress versions up to, and including, 1.1.5 Description: The issue allows authenticated attackers with Contributor-level access and above to extract potentially sensitive data from draft, scheduled, private, and...

PT-2024-16017 · WordPress · Contact Form 7 – Dynamic Text Extension

Name of the Vulnerable Software and Affected Versions: Contact Form 7 – Dynamic Text Extension plugin for WordPress versions prior to 4.5.0 Description: The Contact Form 7 – Dynamic Text Extension plugin for WordPress has a Basic Information Disclosure issue. This makes it possible for...