NPM: DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects
NPM: DOMPurify: IN_PLACE mode trusts attacker-controlled nodeName on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects vulnerability discovered by ? in WordPress Npm dompurify versions = 3.4.6...
NPM: DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
NPM: DOMPurify: Hook mutation of data.allowedTags / data.allowedAttributes permanently pollutes DEFAULT_ALLOWED_TAGS / DEFAULT_ALLOWED_ATTR vulnerability discovered by ? in WordPress Npm dompurify versions 3.4.7...
NPM: DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
NPM: DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound instanceof checks vulnerability discovered by ? in WordPress Npm dompurify versions = 3.4.5...
NPM: DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
NPM: DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM vulnerability discovered by ? in WordPress Npm dompurify versions = 3.4.5...
NPM: Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection
NPM: Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection vulnerability discovered by ? in WordPress Npm nodemailer versions = 8.0.8...
NPM: Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization
NPM: Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization vulnerability discovered by ? in WordPress Npm nodemailer versions = 8.0.8...
NPM: Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception
NPM: Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception vulnerability discovered by ? in WordPress Npm nodemailer versions = 8.0.7...
NPM: protobufjs: Denial of service through unbounded Any expansion during JSON conversion
NPM: protobufjs: Denial of service through unbounded Any expansion during JSON conversion vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.6.0...
NPM: protobufjs : Schema-derived names can shadow runtime-significant properties
NPM: protobufjs : Schema-derived names can shadow runtime-significant properties vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.6.2...
NPM: protobufjs : Schema-derived names can shadow runtime-significant properties
NPM: protobufjs : Schema-derived names can shadow runtime-significant properties vulnerability discovered by ? in WordPress Npm protobufjs-cli versions = 1.3.2...
NPM: form-data: CRLF injection in form-data via unescaped multipart field names and filenames
NPM: form-data: CRLF injection in form-data via unescaped multipart field names and filenames vulnerability discovered by ? in WordPress Npm form-data versions 2.5.6...
NPM: node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
NPM: node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling) vulnerability discovered by ? in WordPress Npm tar versions = 7.5.15...
NPM: launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
NPM: launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows vulnerability discovered by ? in WordPress Npm vite-plus versions = 0.1.23...
NPM: launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
NPM: launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows vulnerability discovered by ? in WordPress Npm launch-editor versions = 2.14.0...
NPM: launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
NPM: launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows vulnerability discovered by ? in WordPress Npm vite versions = 6.4.2...
NPM: vite: `server.fs.deny` bypass on Windows alternate paths
NPM: vite: server.fs.deny bypass on Windows alternate paths vulnerability discovered by ? in WordPress Npm vite versions = 6.4.2...
NPM: vite: `server.fs.deny` bypass on Windows alternate paths
NPM: vite: server.fs.deny bypass on Windows alternate paths vulnerability discovered by ? in WordPress Npm vite-plus versions = 0.1.23...
WordPress RTMKit plugin <= 2.0.7 - Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access vulnerability
Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access vulnerability discovered by wesley wcraft in WordPress Plugin RTMKit versions <= 2.0.7...
NPM: JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
NPM: JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases vulnerability discovered by ? in WordPress Npm js-yaml versions = 4.1.1...
NPM: tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template
NPM: tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template vulnerability discovered by ? in WordPress Npm tmp versions = 0.2.6, 0.2.7...
NPM: ws: Memory exhaustion DoS from tiny fragments and data chunks
NPM: ws: Memory exhaustion DoS from tiny fragments and data chunks vulnerability discovered by ? in WordPress Npm ws versions = 1.1.0, 5.2.5...
WordPress Static Block plugin <= 2.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure vulnerability
Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure vulnerability discovered by dyingman in WordPress Plugin Static Block versions <= 2.2...
WordPress Abandoned Contact Form 7 plugin <= 2.5 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by g0wthr in WordPress Plugin Abandoned Contact Form 7 versions <= 2.5...
WordPress Video Conferencing with Zoom plugin <= 4.6.7 - Missing Authorization to Unauthenticated Zoom SDK Credential Exposure vulnerability
Missing Authorization to Unauthenticated Zoom SDK Credential Exposure vulnerability discovered by aetta in WordPress Plugin Video Conferencing with Zoom versions <= 4.6.7...
WordPress Pods plugin <= 3.3.8 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Bonds in WordPress Plugin Pods versions <= 3.3.8...
WordPress Media Library Assistant plugin <= 3.35 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Bonds in WordPress Plugin Media Library Assistant versions <= 3.35...
WordPress JetEngine plugin <= 3.8.10.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by VanTastic in WordPress Plugin JetEngine versions <= 3.8.10.1...
WordPress Envira Photo Gallery plugin <= 1.12.5 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Tiago Ventura (@perses) in WordPress Plugin Envira Photo Gallery versions <= 1.12.5...
WordPress GetGenie plugin <= 4.4.1 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by hhhai in WordPress Plugin GetGenie versions <= 4.4.1...
WordPress GEO my WordPress plugin <= 4.5.5 - SQL Injection vulnerability
SQL Injection vulnerability discovered by alvarodh5 in WordPress Plugin GEO my WordPress versions <= 4.5.5...
WordPress SEO Plugin by Squirrly SEO plugin <= 12.4.16 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin SEO Plugin by Squirrly SEO versions <= 12.4.16...
WordPress WooCommerce POS plugin <= 1.8.14 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin WooCommerce POS versions <= 1.8.14...
WordPress Attendance Manager plugin <= 0.6.2 - SQL Injection vulnerability
SQL Injection vulnerability discovered by daroo in WordPress Plugin Attendance Manager versions <= 0.6.2...
WordPress Elite Elementor Addons and Widgets plugin <= 1.2.2 - Other vulnerability Type vulnerability
Other vulnerability Type vulnerability discovered by mcdruid in WordPress Plugin Elite Elementor Addons and Widgets versions <= 1.2.2...
WordPress WP Event Solution plugin <= 4.1.12 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by l3m3s in WordPress Plugin WP Event Solution versions <= 4.1.12...
WordPress Arabesque theme <= 1.6 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Arabesque versions <= 1.6...
WordPress ShiftUp theme <= 1.2.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme ShiftUp versions <= 1.2.1...
WordPress Avada theme <= 3.15.3 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by daroo in WordPress Theme Avada versions <= 3.15.3...
WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by daroo in WordPress Plugin Fusion Builder versions <= 3.15.4...
WordPress WorkScout-Core plugin <= 1.7.11 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin WorkScout-Core versions <= 1.7.11...
WordPress Potisen theme <= 1.2.7 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) in WordPress Theme Potisen versions <= 1.2.7...
WordPress WebOn theme <= 1.4 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme WebOn versions <= 1.4...
WordPress SigmaForms Pro – AI Generated Forms plugin <= 1.4.5 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin SigmaForms Pro – AI Generated Forms versions <= 1.4.5...
WordPress WooCommerce PDF Invoice Builder plugin <= 2.0.8 - Remote Code Execution (RCE) vulnerability
Remote Code Execution (RCE) vulnerability discovered by she11f in WordPress Plugin WooCommerce PDF Invoice Builder versions <= 2.0.8...
WordPress Online Scheduling and Appointment Booking System – Bookly plugin <= 27.2 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Naoya Takahashi (nakko) in WordPress Plugin Bookly versions <= 27.2...
WordPress GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin <= 2.31 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites versions <= 2.31...
WordPress Customer Support Ticket System & Helpdesk plugin <= 6.0.4 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by she11f in WordPress Plugin WP Ticket Customer Service Software & Support Ticket System versions <= 6.0.4...
NPM: Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
NPM: Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization vulnerability discovered by ? in WordPress Npm fabric versions 7.4.0...
WordPress Hash Elements plugin <= 1.5.4 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by theviper17 in WordPress Plugin Hash Elements versions <= 1.5.4...
NPM: Withdrawn Advisory: esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY
NPM: Withdrawn Advisory: esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY vulnerability discovered by ? in WordPress Npm esbuild versions = 0.17.0, 0.28.1...