4 matches found
CVE-2026-7616 Zawgyi Embed <= 2.1.1 - Cross-Site Request Forgery via 'zawgyi_forceCSS' Parameter
The Zawgyi Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the zawgyiadminpage function. This makes it possible for unauthenticated attackers to update the plugin's...
WordPress Catch Import Export plugin <= 1.8 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress Catch Import Export plugin versions <= 1.8. Solution: Update the WordPress Catch Import Export plugin to the latest available version (at least 1.9)...
WordPress Catch Web Tools plugin <= 2.6.6 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress Catch Web Tools plugin versions <= 2.6.6. Solution: Update the WordPress Catch Web Tools plugin to the latest available version (at least 2.7)...
Slack: Team admin can change unauthorized team setting (allow_message_deletion)
Team admin can escalate his privileges and change 'allow_message_deletion' team setting, which can be changed only by a team owner. Steps to reproduce: 1. Log in as team admin. 2. Send the below request using his cookie & token and notice that it changes 'allow_message_deletion' team setting to true...