46571 matches found
WordPress WP Activity Log plugin <= 5.6.3.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by daroo in WordPress Plugin WP Activity Log versions <= 5.6.3.1...
NPM: hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
NPM: hono: CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard vulnerability discovered by ? in WordPress Npm hono versions 4.12.25...
WordPress Falang multilanguage plugin <= 1.4.2 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by ParkHyunWoo in WordPress Plugin Falang multilanguage versions <= 1.4.2...
NPM: hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
NPM: hono: Path traversal in serve-static on Windows via encoded backslash %5C vulnerability discovered by ? in WordPress Npm hono versions 4.12.25...
NPM: hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
NPM: hono: AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice vulnerability discovered by ? in WordPress Npm hono versions 4.12.25...
NPM: Astro: Reflected XSS via unescaped slot name
NPM: Astro: Reflected XSS via unescaped slot name vulnerability discovered by ? in WordPress Npm astro versions 6.3.3...
NPM: Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
NPM: Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL vulnerability discovered by ? in WordPress Npm nuxt versions 3.21.7...
NPM: Nuxt dev server vite-node IPC socket is world-connectable on Linux
NPM: Nuxt dev server vite-node IPC socket is world-connectable on Linux vulnerability discovered by ? in WordPress Npm nuxt versions = 3.18.0, 3.21.7...
NPM: Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
NPM: Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher vulnerability discovered by ? in WordPress Npm nuxt versions = 3.11.0, 3.21.7...
NPM: Nuxt: URL-handling weaknesses in `navigateTo` and `reloadNuxtApp`: SSR open redirect, client-side script execution via the `open` option, and protocol-relative bypass in `reloadNuxtApp`
NPM: Nuxt: URL-handling weaknesses in navigateTo and reloadNuxtApp: SSR open redirect, client-side script execution via the open option, and protocol-relative bypass in reloadNuxtApp vulnerability discovered by ? in WordPress Npm nuxt versions 3.21.7...
WordPress Melhor Envio plugin <= 2.16.3 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by HieuPenguinnn in WordPress Plugin Melhor Envio versions <= 2.16.3...
WordPress SMS Alert Order Notifications plugin <= 3.9.3 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by Jakub Herman in WordPress Plugin SMS Alert Order Notifications versions <= 3.9.3...
WordPress SMS Alert Order Notifications plugin <= 3.9.4 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Peng Zhou in WordPress Plugin SMS Alert Order Notifications versions <= 3.9.4...
WordPress Fusion Builder plugin <= 3.15.4 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by daroo in WordPress Plugin Fusion Builder versions <= 3.15.4...
WordPress Clean Login plugin <= 1.15 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by Jakub Herman in WordPress Plugin Clean Login versions <= 1.15...
WordPress JetEngine plugin <= 3.8.10 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by VanTastic in WordPress Plugin JetEngine versions <= 3.8.10...
WordPress JetFormBuilder plugin <= 3.6.1 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Baikuya in WordPress Plugin JetFormBuilder versions <= 3.6.1...
WordPress JetEngine plugin <= 3.8.10 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by VanTastic in WordPress Plugin JetEngine versions <= 3.8.10...
WordPress JobSearch plugin <= 3.2.9 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin JobSearch versions <= 3.2.9...
WordPress Cornerstone plugin < 7.8.8 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Cornerstone versions < 7.8.8...
WordPress JetFormBuilder plugin <= 3.6.0.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by daroo in WordPress Plugin JetFormBuilder versions <= 3.6.0.1...
WordPress Popup box plugin <= 6.2.9 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Popup box versions <= 6.2.9...
WordPress WooCommerce Stripe Payment Gateway plugin <= 10.7.0 - Missing Authorization to Unauthenticated Order Status Manipulation vulnerability
Missing Authorization to Unauthenticated Order Status Manipulation vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WooCommerce Stripe Payment Gateway versions <= 10.7.0...
WordPress Secure Client Portal and Private File Sharing Plugin – User Private Files plugin <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by pham quang huy Zibanana in WordPress Plugin User Private Files versions <= 2.1.6...
WordPress WP Review Slider Pro plugin <= 12.6.8 - Authenticated (Subscriber+) SQL Injection vulnerability
Authenticated (Subscriber+) SQL Injection vulnerability discovered by h0xilo in WordPress Plugin WP Review Slider Pro versions <= 12.6.8...
WordPress WP Review Slider Pro plugin <= 12.6.8 - Authenticated (Subscriber+) SQL Injection vulnerability
Authenticated (Subscriber+) SQL Injection vulnerability discovered by h0xilo in WordPress Plugin WP Review Slider Pro versions <= 12.6.8...
WordPress WP Review Slider Pro plugin <= 12.6.8 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability
Authenticated (Subscriber+) Arbitrary File Deletion vulnerability discovered by h0xilo in WordPress Plugin WP Review Slider Pro versions <= 12.6.8...
WordPress Premmerce Dev Tools plugin <= 2.0 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution vulnerability
Missing Authorization to Authenticated (Subscriber+) Remote Code Execution vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Premmerce Dev Tools versions <= 2.0...
WordPress Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin <= 2.0.13 - Authenticated (Administrator+) PHP Object Injection vulnerability
Authenticated (Administrator+) PHP Object Injection vulnerability discovered by Duc Long in WordPress Plugin Counter Box versions <= 2.0.13...
NPM: Remotion: arbitrary file write vulnerability
NPM: Remotion: arbitrary file write vulnerability discovered by ? in WordPress Npm remotion versions 4.0.410...
NPM: Remotion: remote code execution (RCE) vulnerability
NPM: Remotion: remote code execution RCE vulnerability discovered by ? in WordPress Npm remotion versions 4.0.410...
NPM: Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json`
NPM: Nuxt: Dev server discloses project absolute path and persistent workspace UUID via /.well-known/appspecific/com.chrome.devtools.json vulnerability discovered by ? in WordPress Npm nuxt versions = 4.0.0-alpha.1, 4.4.7...
NPM: aws-cdk-lib: OS Command Injection in NodejsFunction Bundling
NPM: aws-cdk-lib: OS Command Injection in NodejsFunction Bundling vulnerability discovered by ? in WordPress Npm aws-cdk-lib versions 2.246.0...
NPM: markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
NPM: markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations vulnerability discovered by ? in WordPress Npm markdown-it versions = 14.1.1...
NPM: Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow
NPM: Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow vulnerability discovered by ? in WordPress Npm electron versions = 42.3.1, 42.3.3...
NPM: UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
NPM: UAParser.js: Unbounded Sec-CH-UA-Model parsing can trigger ReDoS in withClientHints vulnerability discovered by ? in WordPress Npm ua-parser-js versions = 2.0.1, 2.0.10...
NPM: protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names
NPM: protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names vulnerability discovered by ? in WordPress Npm protobufjs-cli versions = 1.3.1...
NPM: protobufjs: Memory amplification from preserved unknown fields in binary decode
NPM: protobufjs: Memory amplification from preserved unknown fields in binary decode vulnerability discovered by ? in WordPress Npm protobufjs versions = 8.2.0, = 8.4.2...
NPM: DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output
NPM: DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output vulnerability discovered by ? in WordPress Npm dompurify versions 3.4.9...
NPM: React Router: Potential CSRF via PUT/PATCH/DELETE document requests
NPM: React Router: Potential CSRF via PUT/PATCH/DELETE document requests vulnerability discovered by ? in WordPress Npm react-router versions = 7.12.0, 7.15.1...
NPM: Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
NPM: Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE vulnerability discovered by ? in WordPress Npm vite-plus versions = 0.1.23...
NPM: DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside <template> content when using DOM output modes
NPM: DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside <template> content when using DOM output modes vulnerability discovered by ? in WordPress Npm dompurify versions = 3.0.0, = 3.4.7...
NPM: DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
NPM: DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content vulnerability discovered by ? in WordPress Npm dompurify versions = 3.4.6...
NPM: DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects
NPM: DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects vulnerability discovered by ? in WordPress Npm dompurify versions = 3.4.6...
NPM: DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
NPM: DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR` vulnerability discovered by ? in WordPress Npm dompurify versions 3.4.7...
NPM: DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
NPM: DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks vulnerability discovered by ? in WordPress Npm dompurify versions = 3.4.5...
NPM: DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
NPM: DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM vulnerability discovered by ? in WordPress Npm dompurify versions = 3.4.5...
NPM: Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection
NPM: Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection vulnerability discovered by ? in WordPress Npm nodemailer versions = 8.0.8...
NPM: Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization
NPM: Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization vulnerability discovered by ? in WordPress Npm nodemailer versions = 8.0.8...
NPM: Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception
NPM: Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception vulnerability discovered by ? in WordPress Npm nodemailer versions = 8.0.7...