45686 matches found
WordPress WP Travel plugin <= 11.4.0 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Nhut Quang in WordPress Plugin WP Travel versions <= 11.4.0...
WordPress WP Data Access plugin <= 5.5.70 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Mukhlis Amien in WordPress Plugin WP Data Access versions <= 5.5.70...
WordPress AI Product Search for WooCommerce – Motive Commerce Search plugin <= 1.38.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Benedictus Jovan aillesim/eneri in WordPress Plugin AI Product Search for WooCommerce Motive Commerce Search versions <= 1.38.2...
NPM: Hono has CSS Declaration Injection via Style Object Values in JSX SSR
NPM: Hono has CSS Declaration Injection via Style Object Values in JSX SSR vulnerability discovered by ? in WordPress Npm hono versions 4.12.18...
NPM: Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
NPM: Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() vulnerability discovered by ? in WordPress Npm hono versions 4.12.18...
NPM: Velocity.js has a Prototype Pollution vulnerability through #set path assignment
NPM: Velocity.js has a Prototype Pollution vulnerability through #set path assignment discovered by ? in WordPress Npm velocityjs versions = 2.1.5...
NPM: Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
NPM: Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage vulnerability discovered by ? in WordPress Npm hono versions 4.12.18...
WordPress Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin <= 3.3.6 - Unauthenticated Information Disclosure vulnerability
Unauthenticated Information Disclosure vulnerability discovered by Ronnachai Chaipha rxnr - Reconix Co., Ltd. in WordPress Plugin Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity versions <= 3.3.6...
NPM: eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields
NPM: eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields vulnerability discovered by ? in WordPress Npm eventsource-encoder versions = 1.0.1...
NPM: Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability
NPM: Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability discovered by ? in WordPress Npm cline versions = 2.13.0...
NPM: fast-uri vulnerable to host confusion via percent-encoded authority delimiters
NPM: fast-uri vulnerable to host confusion via percent-encoded authority delimiters vulnerability discovered by ? in WordPress Npm fast-uri versions = 3.1.1...
NPM: open-webui Vulnerable to Stored XSS via Model Description
NPM: open-webui Vulnerable to Stored XSS via Model Description vulnerability discovered by ? in WordPress Npm open-webui versions = 0.8.12...
NPM: Electerm users can run dangerous code through link or command line
NPM: Electerm users can run dangerous code through link or command line vulnerability discovered by ? in WordPress Npm electerm versions = 3.0.6, 3.8.8...
NPM: Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor
NPM: Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor discovered by ? in WordPress Npm electerm versions = 3.7.8...
NPM: Electerm's full process.env exposed to renderer via window.pre.env
NPM: Electerm's full process.env exposed to renderer via window.pre.env vulnerability discovered by ? in WordPress Npm electerm versions = 3.8.15...
NPM: Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click
NPM: Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click vulnerability discovered by ? in WordPress Npm electerm versions = 3.8.15...
NPM: Electerm runWidget has a path traversal that leads to arbitrary code execution
NPM: Electerm runWidget has a path traversal that leads to arbitrary code execution vulnerability discovered by ? in WordPress Npm electerm versions 3.7.16...
NPM: fast-uri vulnerable to path traversal via percent-encoded dot segments
NPM: fast-uri vulnerable to path traversal via percent-encoded dot segments vulnerability discovered by ? in WordPress Npm fast-uri versions = 3.1.0...
NPM: n8n-mcp affected by path traversal, redirect-following SSRF, and telemetry payload exposure
NPM: n8n-mcp affected by path traversal, redirect-following SSRF, and telemetry payload exposure vulnerability discovered by ? in WordPress Npm n8n-mcp versions 2.50.1...
NPM: n8n-mcp webhook and API client paths has an authenticated SSRF
NPM: n8n-mcp webhook and API client paths has an authenticated SSRF vulnerability discovered by ? in WordPress Npm n8n-mcp versions = 2.18.7, 2.50.2...
NPM: fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes
NPM: fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes vulnerability discovered by ? in WordPress Npm fast-xml-builder versions = 1.1.6...
NPM: fast-xml-builder Comment Value regex can be bypassed
NPM: fast-xml-builder Comment Value regex can be bypassed vulnerability discovered by ? in WordPress Npm fast-xml-builder versions 1.1.5...
NPM: vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`
NPM: vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL` vulnerability discovered by ? in WordPress Npm vm2 versions 3.11.2...
NPM: vm2 has Sandbox Breakout Through Null Proto Exception
NPM: vm2 has Sandbox Breakout Through Null Proto Exception vulnerability discovered by ? in WordPress Npm vm2 versions 3.11.2...
NPM: vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
NPM: vm2 has sandbox breakout via `neutralizeArraySpeciesBatch` vulnerability discovered by ? in WordPress Npm vm2 versions = 3.11.1...
WordPress LatePoint – Calendar Booking Plugin for Appointments and Events plugin <= 5.5.0 - Unauthenticated Account Takeover vulnerability
Unauthenticated Account Takeover vulnerability discovered by Michael Iden Mickhat - Hack The Box in WordPress Plugin LatePoint versions <= 5.5.0...
WordPress Simple Cloudflare Turnstile plugin <= 1.38.0 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by David Marín in WordPress Plugin Simple Cloudflare Turnstile versions <= 1.38.0...
WordPress Avante theme < 3.0.5 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Avante versions < 3.0.5...
WordPress Auto Affiliate Links plugin <= 6.8.8 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by DJumanto in WordPress Plugin Auto Affiliate Links versions <= 6.8.8...
WordPress User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection vulnerability
Authenticated (Subscriber+) PHP Object Injection vulnerability discovered by d.v4ns3c in WordPress Plugin WP User Frontend versions <= 4.3.1...
NPM: short-video-maker has a path traversal vulnerability
NPM: short-video-maker has a path traversal vulnerability discovered by ? in WordPress Npm short-video-maker versions = 1.3.4...
NPM: mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening
NPM: mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening vulnerability discovered by ? in WordPress Npm mcp-ssh-tool versions = 2.1.0...
WordPress NMR Strava activities plugin <= 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin NMR Strava activities versions <= 1.0.14...
NPM: nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
NPM: nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect) vulnerability discovered by ? in WordPress Npm nuxt-og-image versions = 6.2.5, 6.4.9...
WordPress Sky Addons – Elementor Addons with Widgets & Templates plugin <= 3.3.2 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated (Author+) Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Sky Addons for Elementor versions <= 3.3.2...
WordPress E2Pdf – Export Pdf Tool for WordPress plugin <= 1.32.17 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin e2pdf versions <= 1.32.17...
NPM: query-parser-string is vulnerable to Prototype Pollution
NPM: query-parser-string is vulnerable to Prototype Pollution vulnerability discovered by ? in WordPress Npm query-string-parser versions 1.0.0...
NPM: parse-ini is vulnerable to Prototype Pollution in index.js()
NPM: parse-ini is vulnerable to Prototype Pollution in index.js() vulnerability discovered by ? in WordPress Npm parse-ini versions 1.0.6...
NPM: youtube-regex vulnerable to Regex Denial of Service
NPM: youtube-regex vulnerable to Regex Denial of Service vulnerability discovered by ? in WordPress Npm youtube-regex versions = 1.0.5...
NPM: Compromised version of intercom-client published to npm
NPM: Compromised version of intercom-client published to npm vulnerability discovered by ? in WordPress Npm intercom-client versions 7.0.4...
NPM: Cinny vulnerable to access token disclosure via invalidated emoji pack avatar URL in service worker
NPM: Cinny vulnerable to access token disclosure via invalidated emoji pack avatar URL in service worker vulnerability discovered by ? in WordPress Npm cinny versions 4.10.3...
NPM: node-ts-ocr is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js
NPM: node-ts-ocr is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js vulnerability discovered by ? in WordPress Npm node-ts-ocr versions 1.0.15...
WordPress bunny.net plugin <= 2.3.6 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by NumeX in WordPress Plugin bunny.net versions <= 2.3.6...
WordPress eMagicOne Store Manager plugin <= 1.3.2 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Ossacip Thanh in WordPress Plugin eMagicOne Store Manager versions <= 1.3.2...
WordPress Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export vulnerability
Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export vulnerability discovered by anhcd05 - VNPT Cyber Immunity in WordPress Plugin Forminator versions <= 1.53.0...
WordPress BEAR plugin <= 1.1.5 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by benzdeus in WordPress Plugin BEAR versions <= 1.1.5...
WordPress Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin <= 1.6.10.6 - Unauthenticated Arbitrary Appointment View, Modification and Deletion vulnerability
Unauthenticated Arbitrary Appointment View, Modification and Deletion vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Simply Schedule Appointments versions <= 1.6.10.6...
WordPress BetterDocs Pro plugin <= 3.7.0 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by h0xilo in WordPress Plugin BetterDocs Pro versions <= 3.7.0...
WordPress Slider Revolution plugin 7.0.0-7.0.10 - 7.0.10 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability
WordPress Slider Revolution plugin 7.0.0-7.0.10 - 7.0.10 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by h0xilo in WordPress Plugin Slider Revolution versions 7.0.0-7.0.10...
WordPress PDF Poster plugin <= 2.4.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by benzdeus in WordPress Plugin PDF Poster versions <= 2.4.1...