NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment

NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

NPM: FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment

NPM: FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

WordPress Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin <= 6.5.13 - Authenticated (Author+) Limited Privilege Escalation vulnerability

Authenticated Author+ Limited Privilege Escalation vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Essential Addons for Elementor versions = 6.5.13...

WordPress ManageWP Worker plugin <= 4.9.31 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by timomangcut in WordPress Plugin ManageWP Worker versions = 4.9.31...

WordPress MapGeo – Interactive Geo Maps plugin <= 1.6.27 - Interactive Geo Maps <= 1.6.27 - Reflected Cross-Site Scripting vulnerability

Interactive Geo Maps plugin = 1.6.27 - Interactive Geo Maps = 1.6.27 - Reflected Cross-Site Scripting vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Interactive Geo Maps versions = 1.6.27...

WordPress Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin <= 5.0.6 - Authenticated (Subscriber+) Time-Based Blind SQL Injection vulnerability

Authenticated Subscriber+ Time-Based Blind SQL Injection vulnerability discovered by Louis Deschanel JeanJeanLeHaxor - Patrowl in WordPress Plugin Taskbuilder versions = 5.0.6...

WordPress InfusedWoo Pro plugin <= 5.1.2 - Unauthenticated Arbitrary File Read vulnerability

Unauthenticated Arbitrary File Read vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin InfusedWoo Pro versions = 5.1.2...

WordPress InfusedWoo Pro plugin <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion vulnerability

Unauthenticated Missing Authorization to Arbitrary Post Deletion vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin InfusedWoo Pro versions = 5.1.2...

WordPress InfusedWoo Pro plugin <= 5.1.2 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation vulnerability

Authenticated Subscriber+ Missing Authorization to Privilege Escalation vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin InfusedWoo Pro versions = 5.1.2...

WordPress InfusedWoo Pro plugin <= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation vulnerability

Unauthenticated Missing Authorization to Privilege Escalation vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin InfusedWoo Pro versions = 5.1.2...

WordPress Motors – Car Dealership & Classified Listings Plugin plugin <= 1.4.107 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability

Authenticated Subscriber+ Arbitrary File Deletion vulnerability discovered by Leonid Semenenko lsemenenko in WordPress Plugin Motors versions = 1.4.107...

WordPress Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin <= 6.2.0 - Authenticated (Subscriber+) Authorization Bypass vulnerability

Authenticated Subscriber+ Authorization Bypass vulnerability discovered by Sander Horsman - Conda Security in WordPress Plugin FluentForm versions = 6.2.0...

WordPress Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass vulnerability

Authenticated Subscriber+ Authorization Bypass vulnerability discovered by Sander Horsman - Conda Security in WordPress Plugin FluentForm versions = 6.1.21...

WordPress Career Section plugin <= 1.7 - Unauthenticated Arbitrary File Upload vulnerability

Unauthenticated Arbitrary File Upload vulnerability discovered by Paolo Tresso - Wordfence in WordPress Plugin Career Section versions = 1.7...

WordPress Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin 3.4.0-3.4.1.1 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover vulnerability

Privacy-Friendly WordPress Analytics Google Analytics Alternative plugin 3.4.0-3.4.1.1 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover vulnerability discovered by ? in WordPress Plugin Burst Statistics versions 3.4.0-3.4.1.1...

WordPress Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin <= 3.3.6 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Peng Zhou in WordPress Plugin Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity versions = 3.3.6...

WordPress WP Directory Kit plugin <= 1.5.1 - SQL Injection vulnerability

SQL Injection vulnerability discovered by daroo in WordPress Plugin WP Directory Kit versions = 1.5.1...

WordPress The7 — Website and eCommerce Builder for WordPress theme <= 14.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by João Pedro Soares de Alcântara - Kinorth in WordPress Theme The7 versions = 14.3.2...

WordPress FOX – Currency Switcher Professional for WooCommerce plugin <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Configuration Deletion vulnerability

Missing Authorization to Authenticated Contributor+ Configuration Deletion vulnerability discovered by Ren Voza in WordPress Plugin FOX versions = 1.4.5...

WordPress Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin <= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Romain Deperne ang3L in WordPress Plugin Royal Elementor Addons versions = 1.7.1058...

WordPress User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin <= 5.1.5 - Unauthenticated Missing Authorization to Admin Approval Bypass vulnerability

Unauthenticated Missing Authorization to Admin Approval Bypass vulnerability discovered by Anthony Cihan Hann1bl3L3ct3r - Obviam in WordPress Plugin User Registration versions = 5.1.5...

WordPress MW WP Form plugin <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure vulnerability

Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure vulnerability discovered by Kirasec in WordPress Plugin MW WP Form versions = 5.1.2...

WordPress CC Child Pages plugin <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin CC Child Pages versions = 2.1.1...

WordPress Bold Page Builder plugin <= 5.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Bold Page Builder versions = 5.6.8...

WordPress GeoDirectory plugin <= 2.8.157 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Evan in WordPress Plugin GeoDirectory versions = 2.8.157...

WordPress Meta Field Block – Display custom fields in the Block Editor without coding plugin <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Meta Field Block versions = 1.5.2...

WordPress Media Sync plugin <= 1.4.9 - Authenticated (Author+) Path Traversal vulnerability

Authenticated Author+ Path Traversal vulnerability discovered by Drew Webber mcdruid in WordPress Plugin Media Sync versions = 1.4.9...

WordPress LatePoint – Calendar Booking Plugin for Appointments and Events plugin <= 5.3.2 - Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery vulnerability discovered by Tulgaaaa - Empasoft Institute of Technology in WordPress Plugin LatePoint versions = 5.3.2...

WordPress WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin <= 7.8.5.10 - One Click SSL & Force HTTPS <= 7.8.5.10 - Missing Authorization to Authenticated (Subscriber+) SSL Setup Tampering vulnerability

One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin = 7.8.5.10 - One Click SSL & Force HTTPS = 7.8.5.10 - Missing Authorization to Authenticated Subscriber+ SSL Setup Tampering vulnerability discovered by Kitch - KitchGlobal in WordPress Plugin WP Encryption – One...

NPM: claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh

NPM: claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh vulnerability discovered by ? in WordPress Npm claude-code-cache-fix versions = 3.5.0, 3.5.2...

NPM: LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

NPM: LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning vulnerability discovered by ? in WordPress Npm langsmith versions 0.6.0...

NPM: Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name

NPM: Systeminformation vulnerable to Linux command injection in networkInterfaces via unsanitized NetworkManager connection profile name vulnerability discovered by ? in WordPress Npm systeminformation versions = 4.17.0, = 5.31.5...

WordPress LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin <= 4.3.5 - Authenticated (Subscriber+) Payment Bypass to Free Course Enrollment vulnerability

Authenticated Subscriber+ Payment Bypass to Free Course Enrollment vulnerability discovered by winrace in WordPress Plugin LearnPress versions = 4.3.5...

WordPress Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More plugin <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability

Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Envira Photo Gallery versions = 1.12.4...

WordPress Unlimited Elements For Elementor plugin <= 2.0.7 - Authenticated (Contributor+) SQL Injection vulnerability

Authenticated Contributor+ SQL Injection vulnerability discovered by Nguyen Truong Roll in WordPress Plugin Unlimited Elements For Elementor Free Widgets, Addons, Templates versions = 2.0.7...

WordPress Redirection for Contact Form 7 plugin <= 3.2.8 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by JongHwan Shin in WordPress Plugin Redirection for Contact Form 7 versions = 3.2.8...

WordPress WPBakery Page Builder plugin <= 8.7.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Ethan Consulting in WordPress Plugin WPBakery Page Builder versions = 8.7.2...

WordPress Advanced Custom Fields: Extended plugin <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Kishan Vyas in WordPress Plugin ACF Extended versions = 0.9.2.3...

WordPress MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin <= 10.1.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset vulnerability

Missing Authorization to Authenticated Subscriber+ Sensitive Information Exposure And Plugin Integration Reset vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Google Analytics by Monster Insights versions = 10.1.2...

WordPress Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin <= 2.5.4 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by gidget smith in WordPress Plugin Custom Twitter Feeds Tweets Widget versions = 2.5.4...

WordPress ProfileGrid – User Profiles, Groups and Communities plugin <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Group Joining vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Group Joining vulnerability discovered by Jonah Burgess CryptoCat in WordPress Plugin ProfileGrid versions = 5.9.8.4...

WordPress Avada (Fusion) Builder plugin <= 3.15.1 - Unauthenticated SQL Injection vulnerability

Unauthenticated SQL Injection vulnerability discovered by Rafie Muhammad - Awesome Motive, Inc. in WordPress Plugin Fusion Builder versions = 3.15.1...

WordPress Avada (Fusion) Builder plugin <= 3.15.2 - Authenticated (Subscriber+) Arbitrary File Read vulnerability

Authenticated Subscriber+ Arbitrary File Read vulnerability discovered by Rafie Muhammad - Awesome Motive, Inc. in WordPress Plugin Fusion Builder versions = 3.15.2...

WordPress Court Reservation – Manage Your Court Bookings Online plugin <= 1.10.11 - Unauthenticated SQL Injection vulnerability

Unauthenticated SQL Injection vulnerability discovered by MD. TAREQ AHAMED JONY itztrq - Knight Squad in WordPress Plugin Court Reservation versions = 1.10.11...

WordPress coreActivity: Activity Logging for WordPress plugin <= 3.0 - Unauthenticated PHP Object Injection vulnerability

Unauthenticated PHP Object Injection vulnerability discovered by ? in WordPress Plugin coreActivity: Activity Logging plugin for WordPress versions = 3.0...

WordPress ProfileGrid – User Profiles, Groups and Communities plugin <= 5.9.8.4 - Authenticated (Subscriber+) SQL Injection vulnerability

Authenticated Subscriber+ SQL Injection vulnerability discovered by Jonah Burgess CryptoCat in WordPress Plugin ProfileGrid versions = 5.9.8.4...

NPM: OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover

NPM: OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover vulnerability discovered by ? in WordPress Npm openlearnx versions 2.0.4...

NPM: Astro: Server island encrypted parameters vulnerable to cross-component replay

NPM: Astro: Server island encrypted parameters vulnerable to cross-component replay vulnerability discovered by ? in WordPress Npm astro versions 6.1.10...

WordPress My Calendar – Accessible Event Manager plugin <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication vulnerability

Authenticated Custom+ Missing Authorization to Unauthorized Event Publication vulnerability discovered by type5afe in WordPress Plugin My Calendar versions = 3.7.9...

WordPress The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin <= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by daroo in WordPress Plugin The Plus Addons for Elementor Page Builder Lite versions = 6.4.11...