45686 matches found
WordPress Five Star Restaurant Reservations plugin <= 2.7.14 - Payment Bypass vulnerability
Payment Bypass vulnerability discovered by Evan in WordPress Plugin Five Star Restaurant Reservations versions <= 2.7.14...
NPM: SillyTavern has a SSRF vulnerability in the CORS proxy middleware
NPM: SillyTavern has a SSRF vulnerability in the CORS proxy middleware discovered by ? in WordPress Npm sillytavern versions = 1.17.0...
NPM: SillyTavern has a reflected XSS vulnerability in the CORS proxy middleware
NPM: SillyTavern has a reflected XSS vulnerability in the CORS proxy middleware discovered by ? in WordPress Npm sillytavern versions = 1.17.0...
NPM: SillyTavern has a Path Traversal issue
NPM: SillyTavern has a Path Traversal issue vulnerability discovered by ? in WordPress Npm sillytavern versions = 1.17.0...
NPM: SillyTavern has Authentication Bypass via SSO Header Injection
NPM: SillyTavern has Authentication Bypass via SSO Header Injection vulnerability discovered by ? in WordPress Npm sillytavern versions = 1.17.0...
NPM: SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover
NPM: SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover vulnerability discovered by ? in WordPress Npm sillytavern versions = 1.17.0...
WordPress EventPrime plugin <= 4.3.2.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Evan in WordPress Plugin EventPrime versions <= 4.3.2.0...
WordPress Tutor LMS – eLearning and online course solution plugin <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion vulnerability
Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion vulnerability discovered by molten bit in WordPress Plugin Tutor LMS versions <= 3.9.9...
WordPress ilGhera Support System for WooCommerce plugin <= 1.3.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability
Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Woocommerce Support System versions <= 1.3.0...
WordPress Hustle plugin <= 7.8.10.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Bao - BlueRock in WordPress Plugin Hustle versions <= 7.8.10.1...
NPM: OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
NPM: OpenClaude Sandbox Bypass via Model-Controlled dangerouslyDisableSandbox Input vulnerability discovered by ? in WordPress Npm openclaude versions 0.5.1...
WordPress Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Cost of Goods for WooCommerce versions <= 4.1.0...
WordPress Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin <= 1.8.10.4 - Authenticated (Custom+) SQL Injection vulnerability
Authenticated (Custom+) SQL Injection vulnerability discovered by Abi Wiranata in WordPress Plugin Charitable versions <= 1.8.10.4...
WordPress Broadstreet plugin <= 1.53.1 - Missing Authorization to Authenticated (Subscriber+) Advertiser Creation vulnerability
Missing Authorization to Authenticated (Subscriber+) Advertiser Creation vulnerability discovered by greenhats - Student in WordPress Plugin Broadstreet Ads versions <= 1.53.1...
WordPress Broadstreet plugin <= 1.53.1 - Authenticated (Subscriber+) Information Disclosure vulnerability
Authenticated (Subscriber+) Information Disclosure vulnerability discovered by greenhats - Student in WordPress Plugin Broadstreet Ads versions <= 1.53.1...
WordPress Broadstreet plugin <= 1.53.1 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by greenhats - Student in WordPress Plugin Broadstreet Ads versions <= 1.53.1...
WordPress Blog2Social: Social Media Auto Post & Scheduler plugin <= 8.9.0 - Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records vulnerability
Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records vulnerability discovered by awhacken in WordPress Plugin Blog2Social versions <= 8.9.0...
WordPress Cost Calculator Builder plugin <= 4.0.1 - Unauthenticated Price Manipulation and Insecure Direct Object Reference vulnerability
Unauthenticated Price Manipulation and Insecure Direct Object Reference vulnerability discovered by andrea bocchetti in WordPress Plugin Cost Calculator Builder versions <= 4.0.1...
WordPress AWP Classifieds plugin <= 4.4.5 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by she11f in WordPress Plugin AWP Classifieds versions <= 4.4.5...
NPM: sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
NPM: sealed-env: TOTP secret embedded in unseal token payload enterprise mode vulnerability discovered by ? in WordPress Npm sealed-env versions 0.1.0-alpha.4...
WordPress Checkout Files Upload for WooCommerce plugin <= 2.2.5 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by devploit in WordPress Plugin Checkout Files Upload for WooCommerce versions <= 2.2.5...
NPM: protobuf.js: Code injection in pbjs static output from crafted schema names
NPM: protobuf.js: Code injection in pbjs static output from crafted schema names vulnerability discovered by ? in WordPress Npm protobufjs-cli versions = 1.2.0...
NPM: protobuf.js: Denial of service from crafted field names in generated code
NPM: protobuf.js: Denial of service from crafted field names in generated code vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...
NPM: protobuf.js: Code injection through bytes field defaults in generated toObject code
NPM: protobuf.js: Code injection through bytes field defaults in generated toObject code vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...
WordPress Stripe Payment Gateway for WooCommerce plugin <= 5.0.7 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by Jakub Herman in WordPress Plugin Stripe Payment Gateway for WooCommerce versions <= 5.0.7...
NPM: protobuf.js: Prototype injection in generated message constructors
NPM: protobuf.js: Prototype injection in generated message constructors vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...
NPM: protobuf.js: Code generation gadget after prototype pollution
NPM: protobuf.js: Code generation gadget after prototype pollution vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...
NPM: protobuf.js: Process-wide denial of service through unsafe option paths
NPM: protobuf.js: Process-wide denial of service through unsafe option paths vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...
NPM: protobuf.js: Denial of service through unbounded protobuf recursion
NPM: protobuf.js: Denial of service through unbounded protobuf recursion vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...
NPM: protobufjs has overlong UTF-8 decoding
NPM: protobufjs has overlong UTF-8 decoding vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...
NPM: protobuf.js is Vulnerable to OS Command Injection in the CLI
NPM: protobuf.js is Vulnerable to OS Command Injection in the CLI vulnerability discovered by ? in WordPress Npm protobufjs-cli versions = 1.2.0...
WordPress Smart Manager plugin <= 8.85.0 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Smart Manager versions <= 8.85.0...
WordPress MyCryptoCheckout plugin <= 2.161 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin MyCryptoCheckout versions <= 2.161...
WordPress LifePress plugin <= 2.2.2 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin LifePress versions <= 2.2.2...
WordPress WP Google Maps Integration plugin <= 1.2 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Julian Chibuike Nwadinobi Wackydawg - streamio in WordPress Plugin WP Google Maps Integration versions <= 1.2...
WordPress AzonPost plugin <= 1.3 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Julian Chibuike Nwadinobi Wackydawg - streamio in WordPress Plugin AzonPost versions <= 1.3...
WordPress Pricing Tables for WP plugin <= 1.1.0 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Julian Chibuike Nwadinobi Wackydawg - streamio in WordPress Plugin Pricing Tables for WP versions <= 1.1.0...
WordPress Eight Day Week Print Workflow plugin <= 1.2.6 - Authenticated (Subscriber+) SQL Injection vulnerability
Authenticated (Subscriber+) SQL Injection vulnerability discovered by Loganatha Vishnubalaji in WordPress Plugin Eight Day Week Print Workflow versions <= 1.2.6...
WordPress AIWU plugin <= 1.4.21 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin AIWU versions <= 1.4.21...
WordPress Custom CSS JS PHP plugin <= 2.0.7 - Unauthenticated SQL Injection to RCE vulnerability
Unauthenticated SQL Injection to RCE vulnerability discovered by John Umoru in WordPress Plugin Custom css-js-php versions <= 2.0.7...
WordPress ProfileGrid – User Profiles, Groups and Communities plugin <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Group Settings Modification vulnerability
Missing Authorization to Authenticated (Subscriber+) Group Settings Modification vulnerability discovered by Chawabhon Netisingha JNX03 in WordPress Plugin ProfileGrid versions <= 5.9.8.4...
WordPress Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin <= 6.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin FluentForm versions <= 6.2.1...
WordPress RTMKit plugin <= 2.0.2 - Authenticated (Author+) Missing Authorization to Widget Configuration Modification vulnerability
Authenticated (Author+) Missing Authorization to Widget Configuration Modification vulnerability discovered by momopon1415 in WordPress Plugin RTMKit versions <= 2.0.2...
WordPress Hostinger Reach – AI-Powered Email Marketing for WordPress plugin <= 1.3.8 - Missing Authorization to Authenticated (Subscriber+) Integration API Key Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Integration API Key Update vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Hostinger Reach AI-Powered Email Marketing for WordPress versions <= 1.3.8...
WordPress WPC Badge Management for WooCommerce plugin <= 3.1.6 - Authenticated (Shop Manager+) Stored Cross-Site Scripting vulnerability
Authenticated (Shop Manager+) Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin WPC Badge Management for WooCommerce versions <= 3.1.6...
WordPress Continually plugin <= 4.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin Continually versions <= 4.3.1...
WordPress FastBots plugin <= 1.0.12 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin FastBots versions <= 1.0.12...
WordPress Motors – Car Dealership & Classified Listings Plugin plugin <= 1.4.103 - Missing Authorization to Authenticated (Subscriber+) Payment Bypass vulnerability
Missing Authorization to Authenticated (Subscriber+) Payment Bypass vulnerability discovered by shrikant bhosale in WordPress Plugin Motors versions <= 1.4.103...
NPM: Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`
NPM: Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in JSONPathBuilder.key / .at vulnerability discovered by ? in WordPress Npm kysely versions = 0.26.0, 0.28.17...
NPM: Mermaid: Improper sanitization of configuration leads to CSS injection
NPM: Mermaid: Improper sanitization of configuration leads to CSS injection vulnerability discovered by ? in WordPress Npm mermaid versions = 10.9.5...