12 matches found
PT-2026-51690
Name of the Vulnerable Software and Affected Versions Devs Accounting – Simple Accounting and Invoicing Solution versions prior to 1.2.1 Description A missing capability check in the delete single account function allows unauthorized modification or deletion of data. The REST route...
CVE-2026-10860 MISP CRUDComponent delete validation bypass via operator precedence error
A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as $validationError === null && POST || DELETE, meaning a DELETE request...
CVE-2026-40581 ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Data Deletion
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint SelectDelete.php performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the api/internal/sftp-event endpoint. An attacker can remove database records associated with media files by crafting custom HTTP requests that simulate internal SFTP events, provided they have knowledge of vali...
EUVD-2015-1980
Malware in sbrugna...
CVE-2024-23751
LlamaIndex aka llamaindex through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Dro...
CVE-2023-2628
The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks either flawed or missing completely in various AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: Delete arbitrary...
Cross site request forgery (csrf)
The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9. This is due to missing or incorrect nonce validation on various functions including the affiliatesmenu method. This makes it possible for unauthenticated attackers t...
PT-2022-24635 · WordPress · Wp-Affiliate-Platform
Name of the Vulnerable Software and Affected Versions: WP Affiliate Platform plugin for WordPress versions up to, and including, 6.3.9 Description: The issue is due to missing or incorrect nonce validation on various functions, including the affiliates menu method. This allows unauthenticated...
JiangQie Official Website Mini Program < 1.1.1 - Authenticated SQL Injection
The plugin does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues https://example.com/wp-admin/admin.php?page=jiangqieowfreefeedback&action=detail&id=1+AND+%28SELECT+%2A+FROM+%28SELECT%28SLEEP%285%29%29%29a%29 Could also make a logged i...
ISC BIND 安全漏洞
ISC BIND is a suite of open source software that implements the DNS protocol from ISC USA. A security vulnerability exists in ISC BIND that causes the receiving named server to inadvertently delete SOA records for problematic zones from the zone database...
Cross site request forgery (csrf)
Cross-site request forgery CSRF vulnerability in the Contact Form DB aka CFDB and contact-form-7-to-database-extension plugin before 2.8.32 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete all plugin records via a request in the...