Lucene search
K

153 matches found

Nuclei
Nuclei
added 7 hours ago31 views

Rank Math SEO < 1.0.229 - Unauthenticated User and Term Metadata Insert/Update/Deletion

Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress contains a missing capability check on 'updatemetadata' in all versions up to 1.0.228, letting unauthenticated attackers insert, update, or delete metadata, including user and term metadata, potentially causing loss of...

6.5CVSS6.1AI score0.02131EPSS
Exploits0References5
CVE
CVE
added last week33 views

CVE-2026-53511

Calibre vulnerability CVE-2026-53511 affects the calibre e-book manager prior to version 9.10.0. A malicious EPUB/OPF/PDF can trigger arbitrary Python code execution when metadata is read by calibre (e.g., via Add books or Edit books) by embedding a python: template in calibre:user_metadata; the ...

8.5CVSS6.2AI score0.00197EPSS
Exploits0References3
OSV
OSV
added last week9 views

CVE-2026-53511 calibre: Arbitrary Code Execution in Template Formatter via Book Metadata

calibre is an e-book manager. Prior to 9.10.0, a malicious EPUB, OPF, or PDF file can execute arbitrary Python code when its metadata is read by calibre, including through Add books or Edit books, by embedding a custom column definition with a python: template in calibre:usermetadata that is pass...

8.5CVSS6.2AI score0.00197EPSS
Exploits0References5
NVD
NVD
added 2026/06/24 7:16 a.m.10 views

CVE-2026-9709

The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium co...

7.7CVSS0.00219EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 6:0 a.m.11 views

CVE-2026-9709

The CVE-2026-9709 entry describes a vulnerability in the Premium Cornerstone page builder bundled with the X Theme (WordPress plugin) prior to version 7.8.9. The root cause is missing capability checks on one REST API route, allowing any authenticated user to disclose metadata of other users, inc...

7.7CVSS5.8AI score0.00219EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/09 11:54 p.m.10 views

CVE-2026-46546 Frappe LMS: HTML injection in user-controlled metadata

Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors' browsers to navigate to...

2.1CVSS5.3AI score0.00136EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/04 12:0 a.m.10 views

MISP 安全漏洞

MISP is a set of open-source software solutions developed by MISP. This product is used for collecting, storing, distributing, and sharing network security metrics. It also includes functions for analyzing threats to network security and malware analysis. MISP has a security vulnerability that...

5.3CVSS5.3AI score0.00176EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/23 12:0 a.m.12 views

hackage-server 跨站脚本漏洞

hackage-server is a Haskell software package repository server developed under open source. hackage-server has a cross-site scripting vulnerability, which stems from improperly cleaned user-controlled metadata. This vulnerability may lead to storage-based cross-site scripting attacks...

9.9CVSS5.6AI score0.00303EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/09 4:7 p.m.22 views

EUVD-2026-20950

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/id endpoint accepts a user-controlled filenamedisk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...

8.5CVSS5.9AI score0.00204EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/21 3:26 a.m.4 views

CVE-2026-3460

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback updateuserwechatshopinfopermissionscheck only validating that the supplied 'openid' parameter corresponds to an...

5.3CVSS5.9AI score0.00324EPSS
Exploits0References8
Veracode
Veracode
added 2026/03/20 4:50 a.m.4 views

Information Disclosure

code.gitea.io/gitea is vulnerable to information disclosure. The vulnerability is due to improper exposure of user metadata through sortable fields such as last login time, which allows an attacker to infer users' login activity by manipulating the explore/users sort order...

5.3CVSS7.2AI score0.00328EPSS
Exploits0References5Affected Software3
Packet Storm
Packet Storm
added 2026/02/27 12:0 a.m.151 views

📄 WordPress RestroPress Online Food Ordering System 3.1.9.2 Disclosure Scanner

WordPress RestroPress Online Food Ordering System plugin version 3.1.9.2 user metadata exposure scanner. ============================================================================================================================================= | Title : WordPress RestroPress Online Food Orderi...

9.8CVSS5.9AI score0.02196EPSS
Exploits6
CNNVD
CNNVD
added 2026/02/08 12:0 a.m.7 views

WordPress plugin JAY Login & Register 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

8.8CVSS6AI score0.0031EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/02/08 12:0 a.m.8 views

WordPress plugin JAY Login & Register 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The WordPres...

9.8CVSS5.9AI score0.00412EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/01/09 12:14 p.m.6 views

CVE-2018-9377

In getIntentForIntentSender of ActivityManagerService.java, there is a possible way to access user metadata due to a pending intent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

8.4CVSS6.8AI score0.00091EPSS
Exploits0References1
NVD
NVD
added 2025/12/21 3:15 a.m.12 views

CVE-2025-12980

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/getdynamiccontent/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible...

7.5CVSS0.00277EPSS
Exploits0References2
CNNVD
CNNVD
added 2025/12/21 12:0 a.m.6 views

WordPress plugin Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. WordPress plugin Post...

7.5CVSS6.4AI score0.00277EPSS
Exploits0References3
NVD
NVD
added 2025/12/13 4:16 p.m.5 views

CVE-2025-12512

The GenerateBlocks plugin for WordPress is vulnerable to information exposure due to missing object-level authorization checks in versions up to, and including, 2.1.2. This is due to the plugin registering multiple REST API routes under generateblocks/v1/meta/ that gate access with...

4.3CVSS0.00342EPSS
Exploits0References5
CVE
CVE
added 2025/12/13 3:20 a.m.18 views

CVE-2025-12512

CVE-2025-12512 (GenerateBlocks, WordPress) : Information exposure due to missing object-level authorization on REST endpoints exposed by generateblocks/v1/meta/. Authenticated users with Contributor+ can query arbitrary user/post meta and key data via get_user_meta_rest, exposing PII such as name...

4.3CVSS5.3AI score0.00342EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2025/11/26 5:39 p.m.3 views

CVE-2025-13084 Opto 22 groov View Exposure of Sensitive Information Through Metadata

The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators...

7.6CVSS6.4AI score0.00236EPSS
Exploits0References3
Rows per page
Query Builder