PT-2026-37350
The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'slicewp...
WordPress plugin Affiliate Program Suite — SliceWP Affiliates cross-site scripting vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension that can ...
CVE-2026-39362
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled opt-in, authenticated users can supply remote_image URLs that are fetched server-side via requests.get with only Django's URLValidator check. There is no validation against...
CVE-2026-39362
CVE-2026-39362 affects InvenTree (Open Source Inventory Management System). Before versions 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled, authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django’s URLValidator check. There i...
CVE-2026-35479 InvenTree Plugin Installation - Insufficient Permissions
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions such as...
EUVD-2026-20588
InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the actual renderer in part/helpers.py was not updated and still uses the non-sandboxed...
PT-2026-31433
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...
WordPress CM Custom Reports plugin <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Labels vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Labels vulnerability discovered by san6051 - PWC in WordPress Plugin CM Custom WordPress Reports and Analytics versions <= 1.2.7...
CVE-2026-32487
Missing Authorization vulnerability in raratheme Lawyer Landing Page lawyer-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Landing Page: from n/a through = 1.2.7...
CVE-2026-24535
Missing Authorization vulnerability in webdevstudios Automatic Featured Images from Videos automatic-featured-images-from-videos allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Automatic Featured Images from Videos: from n/a through = 1.2.7...
WordPress plugin Miion has a security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...
WordPress Miion theme <= 1.2.7 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Miion versions <= 1.2.7...
CVE-2025-62998
Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot ai-co-pilot-for-wp allows Retrieve Embedded Sensitive Data. This issue affects WP AI CoPilot: from n/a through = 1.2.7...
CVE-2024-10532
The Bard Extra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bardxtraimportxml function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to...
WordPress Fish House theme <= 1.2.7 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Tran Nguyen Bao Khanh in WordPress Theme Fish House versions <= 1.2.7...
Student-Homework-Management-System security vulnerability
Student-Homework-Management-System is a student homework management system developed by the individual developer itning using SSM+Shiro. A security vulnerability exists in Student-Homework-Management-System 1.2.7 and earlier versions, caused by cross-site request forgery...
CVE-2025-31612
Deserialization of Untrusted Data vulnerability in Sabuj Kundu CBX Poll cbxpoll allows Object Injection. This issue affects CBX Poll: from n/a through = 2.0.4...
PT-2025-14213 · Themeglow · Themeglow Jobboard Job Listing
Name of the Vulnerable Software and Affected Versions: themeglow JobBoard Job Listing versions 1.2.7 and earlier. Description: The issue is a Missing Authorization vulnerability, which allows exploitation of incorrectly configured access control security levels. Recommendations: For...
WordPress plugin CBX Poll code issue vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application plugin. A code issue vulnerability...