Lucene search

34 matches found

EUVD
added 2026/05/14 6:44 a.m., 6 views

EUVD-2026-30256

The Media Sync plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.9 via the 'subdir' and 'mediaitems' parameters. This is due to insufficient validation of user-supplied file paths, which are not checked for directory traversal sequences or restricted t...

CVSS 6.5 | AI score 5.8 | EPSS 0.00505
Exploits: 0 | References: 2
Positive Technologies
added 2026/05/14 12:0 a.m., 6 views

PT-2026-40893

The Media Sync plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.9 via the 'sub dir' and 'media items' parameters. This is due to insufficient validation of user-supplied file paths, which are not checked for directory traversal sequences or restricted...

CVSS 6.5 | AI score 5.8 | EPSS 0.00505
Exploits: 0 | References: 3
Vulnrichment
added 2026/04/08 8:30 a.m., 0 views

CVE-2026-39705 WordPress MIPL WC Multisite Sync plugin <= 1.4.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-wc-multisite-sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MIPL WC Multisite Sync: from n/a through <= 1.4.4...

CVSS 5.3 | AI score 5.8 | EPSS 0.0004
Exploits: 0 | References: 1
CVE
added 2026/04/08 8:30 a.m., 5 views

CVE-2026-39705

CVE-2026-39705 concerns the WordPress plugin MIPL WC Multisite Sync by Mulika Team, vulnerable through a missing/incorrect authorization mechanism. The issue affects versions through 1.4.4 and is categorized as Broken Access Control due to improperly configured access control security levels. Pub...

CVSS 5.3 | AI score 5.9 | EPSS 0.0004
Exploits: 0 | References: 1
Vulnrichment
added 2026/02/03 2:8 p.m., 2 views

CVE-2026-25020 WordPress WP Sync for Notion plugin <= 1.7.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP connect WP Sync for Notion wp-sync-for-notion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Sync for Notion: from n/a through <= 1.7.0...

CVSS 4.3 | AI score 5.3 | EPSS 0.00039
Exploits: 0 | References: 1
Vulnrichment
added 2025/12/24 1:10 p.m., 2 views

CVE-2025-68570 WordPress Captivate Sync plugin <= 3.2.2 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in captivateaudio Captivate Sync captivatesync-trade allows Blind SQL Injection. This issue affects Captivate Sync: from n/a through <= 3.2.2...

CVSS 7.6 | AI score 7.3 | EPSS 0.00032
Exploits: 0 | References: 1
Vulnrichment
added 2025/12/09 2:52 p.m., 1 views

CVE-2025-49350 WordPress Actionwear products sync plugin <= 2.3.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in marcoingraiti Actionwear products sync actionwear-products-sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Actionwear products sync: from n/a through <= 2.3.3...

CVSS 4.3 | AI score 6.6 | EPSS 0.00051
Exploits: 0 | References: 1
OSV
added 2025/11/24 11:41 p.m., 1 views

MAL-2025-191220 Malicious code in @fishingbooker/browser-sync-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 79d64a6878784c34ef61c163e69714d7ac73721da8790b37ad02be83ec6246af The package @fishingbooker/browser-sync-plugin was found to contain malicious code. Source: ghsa-malware...

AI score 6.8
Exploits: 0 | References: 10
OSSF Malicious Packages
added 2025/11/24 11:41 p.m., 3 views

Malicious code in @fishingbooker/browser-sync-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 79d64a6878784c34ef61c163e69714d7ac73721da8790b37ad02be83ec6246af The package @fishingbooker/browser-sync-plugin was found to contain malicious code. Source: ghsa-malware...

AI score 6.9
Exploits: 0 | References: 10
EUVD
added 2025/11/24 11:41 p.m., 1 views

EUVD-2025-199318

Malicious code in @fishingbooker/browser-sync-plugin npm...

AI score 6.6
Exploits: 0 | References: 4
OSSF Malicious Packages
added 2025/11/24 4:31 p.m., 5 views

Malicious code in @posthog/gitub-star-sync-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4be422ec924addbeb23c34a8b3305835feb3d665ab57afdc1450734d0b10f5a4 The package @posthog/gitub-star-sync-plugin was found to contain malicious code. Source: google-open-source-security...

AI score 6.9
Exploits: 0 | References: 3
RedhatCVE
added 2025/11/06 7:54 a.m., 4 views

CVE-2025-12676

The KiotViet Sync plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attacke...

CVSS 5.3 | AI score 6.5 | EPSS 0.0031
Exploits: 0 | References: 1
Positive Technologies
added 2025/11/05 12:0 a.m., 3 views

PT-2025-45095

Name of the Vulnerable Software and Affected Versions: KiotViet Sync plugin for WordPress versions up to and including 1.8.5. Description: The KiotViet Sync plugin for WordPress is susceptible to exposure of sensitive information. Specifically, unauthenticated attackers can extract the webhook token...

CVSS 5.3 | AI score 6.2 | EPSS 0.00057
Exploits: 0 | References: 5
CVE
added 2025/10/25 6:49 a.m., 17 views

CVE-2025-11976

CVE-2025-11976 concerns FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) for WordPress. According to connected sources, the vulnerability is a Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation in the save_cha...

CVSS 4.3 | AI score 4.9 | EPSS 0.00013
Exploits: 0 | References: 2
CVE
added 2025/10/22 2:32 p.m., 6 views

CVE-2025-60221

CVE-2025-60221 concerns the WordPress Captivate Sync Plugin (

CVSS 9.8 | AI score 6.6 | EPSS 0.00097
Exploits: 0 | References: 1
Patchstack
added 2025/09/16 10:32 p.m., 3 views

WordPress User Sync – Remote User Sync plugin <= 1.0.2 - Cross-Site Request Forgery to Plugin Deactivation vulnerability

Cross-Site Request Forgery to Plugin Deactivation vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin User Sync versions <= 1.0.2...

CVSS 4.3 | AI score 6.7 | EPSS 0.00018
Exploits: 0 | References: 1 | Affected Software: 1
RedhatCVE
added 2025/05/23 6:48 a.m., 2 views

CVE-2024-11368

The Splash Sync plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...

CVSS 6.1 | AI score 7.4 | EPSS 0.02566
Exploits: 0 | References: 1
RedhatCVE
added 2025/04/28 6:15 a.m., 10 views

CVE-2025-3914

The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropagemediadownloader' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access a...

CVSS 8.8 | AI score 7.8 | EPSS 0.01644
Exploits: 1 | References: 1
NVD
added 2025/04/26 6:15 a.m., 10 views

CVE-2025-3915

The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVSS 4.3 | EPSS 0.00277
Exploits: 0 | References: 4
OSV
added 2025/04/26 6:15 a.m., 2 views

CVE-2025-3915

The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVSS 4.3 | AI score 5.9
Exploits: 0 | References: 4