Lucene search
K

23 matches found

Cvelist
Cvelist
added 2026/06/11 5:15 p.m.26 views

CVE-2026-46698 Fediverse Embeds: Public-nonce SSRF via ftf_get_site_info AJAX action

Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wpajaxnoprivftfgetsiteinfo includes/SiteInfo.php that verified a nonce ftf-fediverse-embeds-nonce and then called filegethtml$siteurl on the...

5.3CVSS0.00229EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/30 9:28 a.m.10 views

CVE-2026-9757 GEO my WP <= 4.5.5 - Unauthenticated SQL Injection via 'swlatlng' / 'nelatlng' Parameters

The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5 The parameters are read from $SERVER'QUERYSTRING' via parsestr bypassing WordPress's wpmagicquotes protection, which only covers...

7.5CVSS5.8AI score0.00344EPSS
Exploits0References8
EUVD
EUVD
added 2026/05/30 9:28 a.m.14 views

EUVD-2026-33453

The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5 The parameters are read from $SERVER'QUERYSTRING' via parsestr bypassing WordPress's wpmagicquotes protection, which only covers...

7.5CVSS5.8AI score0.00344EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.10 views

PT-2026-39153

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSION SAVE EVERY REQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django...

6.5CVSS5.8AI score0.00544EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/05 2:50 p.m.4 views

CVE-2026-35192

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSIONSAVEEVERYREQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django serie...

2.3CVSS5.8AI score0.00544EPSS
Exploits0References4Affected Software1
AlpineLinux
AlpineLinux
added 2026/05/05 2:50 p.m.7 views

CVE-2026-35192

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSIONSAVEEVERYREQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django serie...

6.5CVSS5.8AI score0.00544EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.16 views

PT-2026-37170

Name of the Vulnerable Software and Affected Versions Lemmy versions prior to 0.19.18 Description Lemmy fetches metadata for user-supplied post URLs and, when using the default StoreLinkPreviews image mode, downloads preview images via local pict-rs. While the initial top-level page URL is checke...

6.5CVSS5.8AI score0.00209EPSS
Exploits0References9
Vulnrichment
Vulnrichment
added 2026/04/07 7:22 p.m.2 views

CVE-2026-39367 WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG Electronic Program Guide feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epglin...

5.4CVSS5.8AI score0.00195EPSS
Exploits0References2
CNVD
CNVD
added 2026/03/02 12:0 a.m.4 views

WordPress Plugin Web Accessibility by accessiBe Information Disclosure Vulnerability

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server.WordPress plugin is an application plugin. An information disclosure vulnerability exists in the WordPress plugin Web Accessibility by...

5.3CVSS5.6AI score0.00282EPSS
Exploits0References1
NVD
NVD
added 2026/01/07 12:16 p.m.5 views

CVE-2025-13371

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details PAN, card holder name, expiry month/year, and CVV in WordPress postmeta using base64encode, and then...

8.6CVSS0.00372EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/01/07 12:0 a.m.4 views

WordPress plugin MoneySpace 信息泄露漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. An information...

8.6CVSS6.1AI score0.00372EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2025/11/18 7:2 p.m.7 views

XWiki view file macro: User can view content of office file without view rights on the attachment

Summary A user with no view rights on a page may see the content of an office attachment displayed with the view file macro. Details If on a public page is displayed an office attachment from a restricted page, a user with no view rights on the restricted page can view the attachment content, no...

6.8CVSS6.8AI score0.00252EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-22151

Malicious code in bioql PyPI...

7.5CVSS7.5AI score0.00614EPSS
Exploits0References2
GithubExploit
GithubExploit
added 2025/09/17 2:38 a.m.234 views

PoC-Stored-XSS-textpattern-4.8.8-Exploit

Textpattern CMS 4.8.8 — Stored XSS Advisory Title: Stored...

6.2AI score
Exploits0
Positive Technologies
Positive Technologies
added 2025/06/23 12:0 a.m.4 views

PT-2025-26681 · Advantech +1 · Advantech Wireless Sensing/Equipment +6

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The issue allows an unauthenticated attacker to upload firmware through a public update page. This could potentially lead to backdoor installation or privilege escalation. Recommendations: A...

9.6CVSS6.5AI score0.00421EPSS
Exploits1References7
RedhatCVE
RedhatCVE
added 2025/05/23 8:8 a.m.8 views

CVE-2024-25511

RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the id parameter at /AddressBook/addresspublicnew.aspx...

9.4CVSS9.6AI score0.00617EPSS
Exploits1References1
CVE
CVE
added 2024/09/06 6:0 a.m.49 views

CVE-2024-6792

Vulnerability context: CVE-2024-6792 affects the WP ULike WordPress plugin prior to 4.7.2.1. The issue stems from improper sanitization of user display names when rendering on public pages, which is described in Red Hat and Patchstack entries as a subscriber-level stored XSS exposure. Affected so...

3.5CVSS3.9AI score0.00355EPSS
Exploits1References1Affected Software1
SUSE CVE
SUSE CVE
added 2023/02/15 3:37 a.m.2 views

SUSE CVE-2021-41179

Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as @PublicPage could thus be accessed with a valid user session that isn't...

6.5CVSS6.5AI score0.01157EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2022/05/24 4:50 p.m.15 views

Gitea XSS Vulnerability in Repository Description

Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting XSS. The impact is: execute JavaScript in victim's browser, when the vulnerable repo page is loaded. The component is: repository's description. The attack vector is: victim must navigate to public and affected repo page...

6.1CVSS6.7AI score0.0084EPSS
Exploits0References7Affected Software1
NVD
NVD
added 2021/04/12 2:15 p.m.16 views

CVE-2021-24221

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the resultid GET parameter on pages with the qsmresult shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to...

8.8CVSS0.01893EPSS
Exploits2References2
Rows per page
Query Builder