CVE-2026-4071 BirdSeed <= 2.2.0 - Cross-Site Request Forgery via BirdSeed Token Change

The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseedpluginsettingspage function. The function processes the 'birdseedtoken' GET parameter and saves it to the database via...

CVE-2026-4071 BirdSeed <= 2.2.0 - Cross-Site Request Forgery via BirdSeed Token Change

The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseedpluginsettingspage function. The function processes the 'birdseedtoken' GET parameter and saves it to the database via...

CVE-2026-4071

The BirdSeed WordPress plugin is affected by a Cross-Site Request Forgery in all versions up to and including 2.2.0. The root cause is missing nonce validation in the birdseed_plugin_settings_page() function, which processes the birdseed_token GET parameter and saves it via update_option() withou...

CVE-2026-4071

The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseedpluginsettingspage function. The function processes the 'birdseedtoken' GET parameter and saves it to the database via...

CVE-2026-2631 Datalogics Ecommerce Delivery < 2.6.60 - Unauthenticated Privilege Escalation

The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option datalogicstoken without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform...

EUVD-2015-1936

Malware in sbrugna...

CVE-2024-3246

The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject malicious JavaScrip...

CVE-2024-33944 WordPress WooCommerce AWeber Newsletter Subscription plugin <= 4.0.2 - Unauthenticated Access Token Change/Reset vulnerability

Missing Authorization vulnerability in Kestrel WooCommerce AWeber Newsletter Subscription.This issue affects WooCommerce AWeber Newsletter Subscription: from n/a through 4.0.2...

WordPress WooCommerce AWeber Newsletter Subscription plugin <= 4.0.2 - Unauthenticated Access Token Change/Reset vulnerability

Unauthenticated Access Token Change/Reset vulnerability discovered by Dave Jong Patchstack in WordPress Plugin WooCommerce AWeber Newsletter Subscription versions = 4.0.2...

PT-2023-7208 · Symfony · Symfony

Name of the Vulnerable Software and Affected Versions: Symfony versions 5.4.21 through 5.4.30 Symfony versions 6.2.7 through 6.3.7 Description: The issue is related to the incorrect management of sessions by the SessionStrategyListener function in the Symfony platform. This can allow a remote...

GHSA-3269-JQP5-V8C9 Jenkins allows for Privilege Escalation by Remote Authenticated Users

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users...

Lack of safeApprove(0) prevents some registrations, and the changing of stakers and LP tokens

Lines of code Vulnerability details OpenZeppelin's safeApprove will revert if the account already is approved and the new safeApprove is done with a non-zero value function safeApprove IERC20 token, address spender, uint256 value internal // safeApprove should only be called when setting an initi...

ERC20Rewards breaks when setting a different token

Handle cmichel Vulnerability details The setRewards function allows setting a different token. Holders of a previous reward period cannot all be paid out and will receive their old reward amount in the new token. This leads to issues when the new token is more less valuable, or uses different...

CVE-2021-21260 XSS in description field

Online Invoicing System OIS is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf...

CVE-2018-15539

Agentejo Cockpit lacks an anti-CSRF protection mechanism. Thus, an attacker is able to change API tokens, passwords, etc...

jenkins: forced API token change (SECURITY-180)

A flaw was found in the Jenkins API token-issuing service. The service was not properly protected against anonymous users, potentially allowing remote attackers to escalate privileges...

Code injection

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users...

FreeBSD : jenkins -- multiple vulnerabilities (22dc4a22-d1e5-11e4-879c-00e0814cab4e)

Jenkins Security Advisory : DescriptionSECURITY-171, SECURITY-177 Reflective XSS vulnerability An attacker without any access to Jenkins can navigate the user to a carefully crafted URL and have the user execute unintended actions. This vulnerability can be used to attack Jenkins inside firewalls...

nt.screensaver.token.txt

Date: Tue, 9 Mar 1999 12:57:42 -0800 From: Aleph One To: [email protected] Subject: Windows NT Screen Saver Vulnerability Cybermedia Software has found the following vulnerability: Screen Saver vulnerability Description: The Screen Saver is started by Winlogon.Exe whenever the machine is idle...