WordPress WEN Logo Slider plugin <= 3.4.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Nabil Irawan in WordPress Plugin WEN Logo Slider versions = 3.4.0...

WordPress Bus Ticket Booking with Seat Reservation plugin < 5.6.8 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Bus Ticket Booking with Seat Reservation versions 5.6.8...

WordPress Team Member plugin <= 8.5 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin Team Member versions = 8.5...

WordPress WPGraphQL plugin <= 2.5.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by Nabil Irawan in WordPress Plugin WPGraphQL versions = 2.5.3...

WordPress Happy Addons for Elementor plugin <= 3.20.8 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Shrikant Bhosale in WordPress Plugin Happy Addons for Elementor versions = 3.20.8...

WordPress YITH WooCommerce Wishlist plugin <= 4.12.0 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by PPzzAArr in WordPress Plugin YITH WooCommerce Wishlist versions = 4.12.0...

WordPress Royal Elementor Addons plugin < 1.7.1053 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Bao - BlueRock in WordPress Plugin Royal Elementor Addons versions 1.7.1053...

WordPress Royal Elementor Addons plugin < 1.7.1053 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Peter Thaleikis in WordPress Plugin Royal Elementor Addons versions 1.7.1053...

WordPress wpForo Forum plugin <= 3.0.4 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin wpForo Forum versions = 3.0.4...

NPM: vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution

NPM: vm2 NodeVM nesting: true bypasses require: false allowing sandbox escape and arbitrary OS command execution vulnerability discovered by ? in WordPress Npm vm2 versions = 3.11.0...

NPM: vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape

NPM: vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape vulnerability discovered by ? in WordPress Npm vm2 versions 3.10.5...

NPM: vm2's Transformer Fast-Path Bypass Exposes Internal State Variable

NPM: vm2's Transformer Fast-Path Bypass Exposes Internal State Variable vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...

NPM: vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak

NPM: vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...

NPM: vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary

NPM: vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...

NPM: vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion

NPM: vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...

NPM: vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)

NPM: vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection Process Crash DoS vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...

NPM: vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape

NPM: vm2 has a NodeVM builtin allowlist bypass via module builtin's Module.load that allows sandbox escape vulnerability discovered by ? in WordPress Npm vm2 versions 3.10.5...

NPM: vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape

NPM: vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape vulnerability discovered by ? in WordPress Npm vm2 versions = 3.9.6, = 3.10.5...

NPM: vm2 Access to Host Object Enables Sandbox Escape

NPM: vm2 Access to Host Object Enables Sandbox Escape vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...

NPM: vm2 has a Sandbox Escape Vulnerability

NPM: vm2 has a Sandbox Escape Vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...

NPM: Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

NPM: Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect vulnerability discovered by ? in WordPress Npm kiota-typescript versions 1.0.0-preview.100...

NPM: Vercel: Non-interactive mode includes CLI arguments in suggested command output

NPM: Vercel: Non-interactive mode includes CLI arguments in suggested command output vulnerability discovered by ? in WordPress Npm vercel versions = 50.16.0, = 52.0.0...

NPM: Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

NPM: Hono: bodyLimit can be bypassed for chunked / unknown-length requests vulnerability discovered by ? in WordPress Npm hono versions 4.12.16...

NPM: hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection

NPM: hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection vulnerability discovered by ? in WordPress Npm hono versions 4.12.16...

NPM: Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

NPM: Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules vulnerability discovered by ? in WordPress Npm nitro versions 3.0.260429-beta...

NPM: Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

NPM: Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules vulnerability discovered by ? in WordPress Npm nitropack versions 2.13.4...

NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`

NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in routeRules vulnerability discovered by ? in WordPress Npm nitro versions 3.0.260429-beta...

NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`

NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in routeRules vulnerability discovered by ? in WordPress Npm nitropack versions 2.13.4...

NPM: fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver

NPM: fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver vulnerability discovered by ? in WordPress Npm fast-jwt versions = 6.2.3...

NPM: basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering

NPM: basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering vulnerability discovered by ? in WordPress Npm basic-ftp versions = 5.3.0...

NPM: dssrf: every IPv6 category bypasses is_url_safe

NPM: dssrf: every IPv6 category bypasses isurlsafe vulnerability discovered by ? in WordPress Npm dssrf versions 1.3.0...

NPM: next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys

NPM: next-intl has prototype pollution with experimental.messages.precompile via attacker-controlled translation catalog keys vulnerability discovered by ? in WordPress Npm next-intl versions = 4.9.1...

NPM: mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`

NPM: mcp-data-vis vulnerable to denial of service via unsanitized select key lookup on Object.prototype with precompile: true vulnerability discovered by ? in WordPress Npm icu-minify versions = 4.9.1...

NPM: Auth.js SDK has Improper Permission Checking

NPM: Auth.js SDK has Improper Permission Checking vulnerability discovered by ? in WordPress Npm auth0-js versions = 8.11.0, = 9.32.0...

WordPress LatePoint – Calendar Booking Plugin for Appointments and Events plugin <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Ly Hoang in WordPress Plugin LatePoint versions = 5.5.0...

WordPress LatePoint – Calendar Booking Plugin for Appointments and Events plugin <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by Niv Kochan in WordPress Plugin LatePoint versions = 5.5.0...

WordPress LatePoint – Calendar Booking Plugin for Appointments and Events plugin <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by AmonRa in WordPress Plugin LatePoint versions = 5.5.0...

WordPress WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin <= 4.5.2 - Authenticated (Author+) Arbitrary File Deletion vulnerability

Authenticated Author+ Arbitrary File Deletion vulnerability discovered by Ly Hoang in WordPress Plugin WP-Optimize versions = 4.5.2...

NPM: Flowise: Bcrypt Password Hash Exposure

NPM: Flowise: Bcrypt Password Hash Exposure vulnerability discovered by ? in WordPress Npm flowise versions = 3.0.12...

WordPress All-in-One WP Migration Unlimited Extension plugin <= 2.83 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Backup Schedule Creation and Backup File Download vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Backup Schedule Creation and Backup File Download vulnerability discovered by Sélim Lanouar whattheslime in WordPress Plugin All-in-One WP Migration Unlimited Extension versions = 2.83...

WordPress Betheme theme <= 28.4 - Authenticated (Author+) Arbitrary File Upload to Remote Code Execution vulnerability

Authenticated Author+ Arbitrary File Upload to Remote Code Execution vulnerability discovered by Wordfence in WordPress Theme Betheme versions = 28.4...

WordPress Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure vulnerability

Missing Authorization to Authenticated Subscriber+ Sensitive Information Disclosure vulnerability discovered by anhcd05 - VNPT Cyber Immunity in WordPress Plugin Forminator versions = 1.51.1...

WordPress ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor plugin <= 3.8.2 - Missing Authorization to Unauthenticated Widget Content Overwrite vulnerability

Missing Authorization to Unauthenticated Widget Content Overwrite vulnerability discovered by Jack Pas Dark. - Black Lantern Security in WordPress Plugin ElementsKit Elementor addons Lite versions = 3.8.2...

WordPress Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by andrea bocchetti in WordPress Plugin Royal Elementor Addons versions = 1.7.1056...

WordPress Blog Settings plugin <= 1.0 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Julian Chibuike Nwadinobi Wackydawg - streamio in WordPress Plugin Blog Settings versions = 1.0...

WordPress Zingaya Click-to-Call plugin <= 1.0 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Julian Chibuike Nwadinobi Wackydawg - streamio in WordPress Plugin Zingaya Click-to-Call versions = 1.0...

WordPress NEX-Forms – Ultimate Forms Plugin for WordPress plugin <= 9.1.11 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Naoya Takahashi nakko in WordPress Plugin NEX-Forms versions = 9.1.11...

WordPress Quiz Maker by AYS plugin <= 6.7.1.29 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by CHOIGYEONGMIN in WordPress Plugin Quiz Maker versions = 6.7.1.29...

WordPress Brizy – Page Builder plugin <= 2.8.11 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by momopon1415 in WordPress Plugin Brizy versions = 2.8.11...

WordPress PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin <= 12.5.0.1 - Unauthenticated Blind Server-Side Request Forgery vulnerability

Unauthenticated Blind Server-Side Request Forgery vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin PixelYourSite PRO versions = 12.5.0.1...