5 matches found
CVE-2026-4804 Zakra <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta REST API
The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields zakramenuitemcolor, zakramenuitemhovercolor, and zakramenuitemactivecolor with 'showinrest' = tr...
PT-2026-33001
immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a tag in api.service.ts. A registered attacker can create a shared albu...
CVE-2026-2305
The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the aFhfcheadcode, aFhfcbodycode, and aFhfcfootercode post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or...
WordPress Duplicate Page and Post plugin SQL Injection Vulnerability
WordPress Duplicate Page and Post plugin is a plugin for quickly duplicating pages or posts, supporting one-click cloning of existing content and saving it to draft, private or public status, for users who need to batch process website content. WordPress Duplicate Page and Post plugin suffers fro...
PT-2024-15093 · WordPress · Custom Fields Shortcode Plugin
Name of the Vulnerable Software and Affected Versions: Custom fields shortcode plugin for WordPress version 0.1 and earlier Description: The issue arises from insufficient input sanitization and output escaping on user-supplied custom post meta values, allowing authenticated attackers with...