Exploit for CVE-2025-13342
CVE-2025-13342 Frontend Admin by DynamiApps = 3.28.20 - Un...
CVE-2025-11372
CVE-2025-11372 affects the LearnPress – WordPress LMS Plugin (WordPress) up to and including version 4.2.9.3. The root cause is missing capability checks on Admin Tools REST endpoints, with permission_callback set to __return_true, enabling unauthenticated attackers to perform destructive databas...
EUVD-2024-50564
Malicious code in bioql PyPI...
CVE-2024-12059
The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.1 via the elioptionvalue shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract...
acf-to-rest-api plugin insecure direct object reference (IDOR) via permalink manipulation
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass...
GHSA-R345-X8HR-2R9P acf-to-rest-api plugin insecure direct object reference (IDOR) via permalink manipulation
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass...
Design/Logic Flaw
The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin...
WordPress plugin Controlled Admin Access access control error vulnerability
WordPress Plugin is an open source application plugin for WordPress. A security vulnerability exists in multiple WordPress plugins that allows an attacker to use this endpoint to add arbitrary data to predefined options in the wp_options table. The following products and versions are affected: The...
WordPress acf-to-rest-api Information Disclosure Vulnerability
WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. An information disclosure vulnerability exists in WordPress acf-to-rest-api, which can be exploited by an...
ACF to REST API < 3.3.0 - Unauthenticated Arbitrary wp_options Disclosure
The plugin does not properly check for authorisation and allows options to be retrieved from the wp-json/acf/v3/options/ endpoint. This could allow an unauthenticated attacker to retrieve arbitrary values from the wp_options table, such as a list of active plugins. List all active plugins of the blo...
CVE-2020-13700
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass...
Cross site request forgery (csrf)
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass...
Easy WP SMTP <= 1.3.9 - Unauthenticated Arbitrary wp_options Import
The changelog for easy-wp-smtp detailed that they "fixed potential vulnerability in import\export settings." in 1.3.9.1 of the plugin SVN changeset 2052058. This was released on 17th March 2019. It appears that an unauthenticated user can import arbitrary wp_options by providing a PHP serialized...
WordPress Plugin Premium SEO Pack 1.9.1.3 - wp_options Overwrite
Vendor Homepage: http://aa-team.com/ Software Link: http://codecanyon.net/item/premium-seo-pack-wordpress-plugin/6109437?srank=2 Version: 1.9.1.3 Tested on: Debian 8, PHP 5.6.17-3 Type: Authenticated customer, subscriber wp_options overwrite Time line: Found 05-Jun-2016, Vendor notified 05-Jun-201...
WordPress Social Stream Plugin 1.5.15 - "wp_options" Overwrite
This plugin is prone to a "wp_options" file overwrite vulnerability. Solution: Upgrade the plugin...