Cross-site Request Forgery (CSRF)

Overview org.jenkins-ci.plugins:github-pullrequest is a GitHub Integration Plugin for Jenkins. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF due to not requiring POST requests for an HTTP endpoint. This vulnerability allows attackers to trigger a build for a...

Server-side Request Forgery (SSRF)

Overview @nocobase/plugin-workflow-request is a Send HTTP requests to any HTTP service for data interaction in workflow. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the workflow HTTP request and custom request plugins, which make server-side HTTP...

Server-side Request Forgery (SSRF)

Overview @nocobase/plugin-action-custom-request is a Sending a request to any HTTP service supports sending context data to the target service. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the workflow HTTP request and custom request plugins, which make...

Server-side Request Forgery (SSRF)

Overview @nocobase/utils is a Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the workflow HTTP request and custom request plugins, which make server-side HTTP requests to user-supplied URLs without proper validation. An attacker can access internal networ...

Nocobase 安全漏洞

Nocobase is an open-source low-code platform developed by NocoBase. Versions of NocoBase prior to 2.0.37 contained security vulnerabilities. These vulnerabilities stemmed from the lack of SSRF protection when the workflow HTTP request plugin and custom request operation plugins initiated...

CVE-2026-40346 NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An...

CVE-2025-12634

The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updaterefundstatus' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level...

EUVD-2025-199565

The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updaterefundstatus' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2025-12634 Refund Request for WooCommerce <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Refund Status Update

The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updaterefundstatus' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level...

WordPress plugin Callback Request 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

WordPress Callback Request plugin <= 1.4 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by Abdi Pranata in WordPress Plugin Callback Request versions = 1.4...

CVE-2023-41937

CVE-2023-41937 affects the Jenkins Bitbucket Push and Pull Request Plugin versions 2.4.0–2.8.3 (inclusive). The vulnerability arises because the plugin trusts values in the webhook payload (including certain URLs) and uses configured Bitbucket credentials to connect to those URLs, enabling an att...

WordPress Plugin Cancel order request WooCommerce 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

GHSA-2QH6-HHVV-M2WW Jenkins HTTP Request Plugin stores HTTP Request passwords unencrypted

HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file jenkins.plugins.httprequest.HttpRequest.xml on the Jenkins controller as part of its configuration when using deprecated Basic/Digest Authentication. These passwords can be viewed by...

CVE-2022-36901

Jenkins HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system...

PT-2022-4019 · Jenkins · Jenkins Http Request Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins HTTP Request Plugin versions 1.15 and earlier Description: The issue is related to the storage of HTTP Request passwords in an unencrypted form in the global configuration file on the Jenkins controller. This allows users with access ...

org.jenkins-ci.plugins:salesforce-migration-assistant-plugin (=2.2.0) potentially affected by CVE-2018-1000142 via org.jenkins-ci.plugins:ghprb (=1.31.4)

org.jenkins-ci.plugins:ghprb MAVEN version =1.31.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.jenkins-ci.plugins:ghprb and may be impacted: - org.jenkins-ci.plugins:salesforce-migration-assistant-plugin =2.2.0 Source cves: CVE-2018-1000142...

CVE-2013-4944

The CVE-2013-4944 issue affects the WordPress plugin BuddyPress Extended Friendship Request (versions before 1.0.2). When the Friend Connections component is enabled, an XSS flaw exists in the friendship_request_message parameter passed to wp-admin/admin-ajax.php, enabling remote script/HTML inje...