15 matches found
EUVD-2026-30602
phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via the /solutionidid.html endpoint. Attackers can sequentially...
EUVD-2026-13196
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions...
CVE-2025-2942 Order Delivery Date Pro for WooCommerce < 12.6.0 - Unauthenticated Arbitrary Post Title Disclosure
The Order Delivery Date WordPress plugin before 12.6.0 discloses arbitrary post titles, such as those of draft and private posts, via an unauthenticated AJAX action, allowing attackers to retrieve such information...
CVE-2025-2942 Order Delivery Date Pro for WooCommerce < 12.6.0 - Unauthenticated Arbitrary Post Title Disclosure
The Order Delivery Date WordPress plugin before 12.6.0 discloses arbitrary post titles, such as those of draft and private posts, via an unauthenticated AJAX action, allowing attackers to retrieve such information...
CVE-2025-2942
CVE-2025-2942 affects the Order Delivery Date WordPress plugin prior to version 12.6.0. An unauthenticated AJAX action discloses arbitrary post titles (including drafts/private posts), enabling information disclosure. The root cause is an insecure AJAX endpoint that returns post title data withou...
CVE-2022-1352
Due to an insecure direct object reference vulnerability in GitLab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafted an API call with the ID of the issue from a public project that...
PT-2025-17349 · WordPress +1 · Order Delivery Date +1
Name of the Vulnerable Software and Affected Versions: Order Delivery Date WordPress plugin versions prior to 12.6.0 Description: The Order Delivery Date WordPress plugin before version 12.6.0 discloses arbitrary post titles including draft and private posts through an unauthenticated AJAX action...
CVE-2025-2252 Easy Digital Downloads – eCommerce Payments and Subscriptions made easy <= 3.3.6.1 - Unauthenticated Private Post Title Disclosure
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title function. This makes it possible for unauthenticated attackers to extract...
CVE-2023-3706 ActivityPub for WordPress < 1.0.0 - Subscriber+ Arbitrary Post Title Disclosure
The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as a subscriber, to retrieve the title of an arbitrary post, such as a draft or private post, via an IDOR vector...
CVE-2023-1426 WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure
The WP Tiles WordPress plugin through 1.1.2 does not ensure that posts to be displayed are not draft/private, allowing any authenticated user, such as a subscriber, to retrieve the titles of draft and private posts, for example. An attacker could also retrieve the title of any other type of post...
WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure
The plugin does not ensure that posts to be displayed are not draft/private, allowing any authenticated user, such as a subscriber, to retrieve the titles of draft and private posts, for example. An attacker could also retrieve the title of any other type of post. Run the below command in the...
WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure
The plugin does not ensure that posts to be displayed are not draft/private, allowing any authenticated user, such as a subscriber, to retrieve the titles of draft and private posts, for example. An attacker could also retrieve the title of any other type of post. PoC: Run the below command in the...
GitLab -- Multiple Vulnerabilities
GitLab reports: Kubernetes Integration Server-Side Request Forgery; Server-Side Request Forgery in Jira Integration; Improved Protection Against Credential Stuffing Attacks; Markdown Clientside Resource Exhaustion; Pipeline Status Disclosure; Group Runner Authorization Issue; CI Metrics Disclosure; User...
SA-CONTRIB-2012-170 - MultiLink - Access Bypass
MultiLink allows you to generate in-content links to a suitable node or node translation based on the visitor's language preferences. It allows the Node Title of the target node to be shown as the visible text and title attribute for the generated link. Prior to versions 6.x-2.7 and 7.x-2.7 the...
CVE-2011-4360
MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of all restricted pages via a series of requests involving the (1) curid or (2) oldid parameter...