49 matches found
WordPress Buy one click WooCommerce plugin <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Settings Import vulnerability
Missing Authorization to Authenticated Subscriber+ Settings Import vulnerability discovered by incognito in WordPress Plugin Buy one click WooCommerce versions <= 2.2.9...
CVE-2025-65841
Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file /Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is "encrypted" through predictable byte-substitution that can be trivially reversed, allowing immediate...
EUVD-2019-6783
Malware in sbrugna...
EUVD-2021-34175
Malicious code in bioql PyPI...
EUVD-2022-46489
Malicious code in bioql PyPI...
WordPress Zakra Unauthorized Modification Vulnerability
WordPress Zakra is a WordPress theme known for its power, compatibility and lightweight design, suitable for creating personal blogs, business websites, WooCommerce stores and more. WordPress Zakra suffers from an unauthorized modification vulnerability that stems from a missing...
CVE-2025-8595 Zakra <= 4.1.5 - Missing Authorization to Subscriber+ Demo Import
The Zakra theme for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the welcomenoticeimporthandler function in all versions up to, and including, 4.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...
WordPress plugin Zakra security vulnerability
WordPress Zakra is a WordPress theme known for its power, compatibility and lightweight design, suitable for creating personal blogs, business websites, WooCommerce stores and more. WordPress Zakra suffers from an unauthorized modification vulnerability that stems from a missing...
WordPress Order Delivery Date Missing Authorization
WordPress Order Delivery Date plugin versions prior to 12.3.1 have missing authorization and cross site request forgery vulnerabilities surrounding the importing of settings...
CVE-2024-5600
The SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check and insufficient sanitization on the importsettings function in all versions up to, and including, 1.3.10. This makes it possible f...
CVE-2021-4400
The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the bsearchprocesssettingsimport and bsearchprocesssettingsexport functions. This makes it possible for unauthenticat...
CVE-2023-5934
The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.13 does not have CSRF check in place when importing settings from the v1, which could allow attackers to make a logged in admin update some settings via a CSRF attack...
WordPress plugin Travelpayouts: All Travel Brands in One Place security vulnerability
WordPress and the WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in the...
CVE-2025-2907
The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modi...
VulnCheck KEV: CVE-2025-2907
The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to...
CVE-2025-0954 WP Online Contract <= 5.1.4 - Missing Authorization to Unauthenticated Settings Import
The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the jsonimport and jsonexport functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's setting...
WordPress WP Online Contract plugin <= 5.1.4 - Missing Authorization to Unauthenticated Settings Import vulnerability
Missing Authorization to Unauthenticated Settings Import vulnerability discovered by Lucio Sá in WordPress Plugin WP Online Contract versions <= 5.1.4...
CVE-2024-12155
The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the settingsimport function in all versions up to, and including, 2.0.02. This makes it possible for unauthenticated attackers to...
CVE-2024-1110
The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init function in all versions up to, and including, 4.0.11. This makes it possible for unauthenticated attackers to import the plugin's settings...