NPM: Axios: HTTP adapter streamed responses bypass maxContentLength
NPM: Axios: HTTP adapter streamed responses bypass maxContentLength vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
Response Tampering, Data Exfiltration, and Request Hijacking vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: Header Injection via Prototype Pollution
NPM: Axios: Header Injection via Prototype Pollution vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
NPM: Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
NPM: Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
NPM: Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
NPM: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver vulnerability discovered by ? in WordPress Npm axios versions = 1.0.0, 1.15.2...
NPM: Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
NPM: Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
WordPress Betheme theme <= 28.4 - Authenticated (Contributor+) Arbitrary File Deletion vulnerability
Authenticated (Contributor+) Arbitrary File Deletion vulnerability discovered by ? in WordPress Theme Betheme versions <= 28.4...
NPM: OpenClaw's Gateway Control UI bootstrap config required Gateway auth
NPM: OpenClaw's Gateway Control UI bootstrap config required Gateway auth vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.21...
NPM: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts
NPM: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.21...
NPM: OpenClaw's ACP child sessions inherit subagent security envelope constraints
NPM: OpenClaw's ACP child sessions inherit subagent security envelope constraints vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.21...
WordPress User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification vulnerability
Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification vulnerability discovered by Hunter Jensen skid in WordPress Plugin User Registration versions <= 5.1.4...
WordPress GenerateBlocks plugin <= 2.2.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure vulnerability
Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure vulnerability discovered by kai63001 in WordPress Plugin GenerateBlocks versions <= 2.2.0...
WordPress Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass vulnerability
Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass vulnerability discovered by Kittipat Jitphonchana in WordPress Plugin Forminator versions <= 1.52.0...
NPM: OpenClaw: Slack thread context could include messages from non-allowlisted senders
NPM: OpenClaw: Slack thread context could include messages from non-allowlisted senders vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.1...
WordPress WebinarIgnition plugin < 4.09.86 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Dahmani Toumi pegaSUS in WordPress Plugin WebinarIgnition versions < 4.09.86...
WordPress Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel plugin <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Carousel, Slider, Gallery by WP Carousel versions <= 2.7.10...
WordPress Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Caspian in WordPress Plugin Royal Elementor Addons versions <= 1.7.1056...
WordPress Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin <= 3.5.3 - Authenticated (Contributor+) Server-Side Request Forgery vulnerability
Authenticated (Contributor+) Server-Side Request Forgery vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Gutenverse versions <= 3.5.3...
WordPress EmailKit – Email Customizer for WooCommerce & WP plugin <= 1.6.5 - Authenticated (Author+) Arbitrary File Read vulnerability
Authenticated (Author+) Arbitrary File Read vulnerability discovered by Nguyen Cong Quang in WordPress Plugin EmailKit versions <= 1.6.5...
WordPress Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin <= 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Gutenverse versions <= 3.5.3...
WordPress Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website versions <= 2.1.0...
WordPress Publish 2 Ping.fm plugin <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Publish 2 Ping.fm versions <= 1.1...
WordPress addfreespace plugin <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin addfreespace versions <= 0.1.3...
WordPress DX Sources plugin <= 2.0.1 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin DX Sources versions <= 2.0.1...
WordPress WP-Clippy plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin WP-Clippy versions <= 1.0.0...
WordPress Simple Owl Shortcodes plugin <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by MAJidox in WordPress Plugin Simple Owl Shortcodes versions <= 2.1.1...
WordPress Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin <= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Post Expirator versions <= 4.10.0...
WordPress Loco Translate plugin <= 2.8.2 - Authenticated (Translator+) Path Traversal to Limited File Read vulnerability
Authenticated (Translator+) Path Traversal to Limited File Read vulnerability discovered by shark3y in WordPress Plugin Loco Translate versions <= 2.8.2...
WordPress Simple Membership plugin <= 4.7.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by hhhai in WordPress Plugin Simple Membership versions <= 4.7.2...
WordPress Event Tickets plugin <= 5.27.5 - Bypass Vulnerability vulnerability
Bypass Vulnerability vulnerability discovered by endy in WordPress Plugin Event Tickets versions <= 5.27.5...
WordPress Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin <= 4.11.70 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Fernando Mecozzi in WordPress Plugin Premium Addons for Elementor versions <= 4.11.70...
WordPress Total theme <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Theme Total versions <= 2.2.1...
WordPress Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification vulnerability
Missing Authorization to Unauthenticated Form Action Meta Modification vulnerability discovered by Nguyen C in WordPress Plugin Royal Elementor Addons versions <= 1.7.1056...
WordPress FundPress – WordPress Donation Plugin plugin <= 2.0.8 - Missing Authorization to Unauthenticated Arbitrary Donation Status Modification vulnerability
Missing Authorization to Unauthenticated Arbitrary Donation Status Modification vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin FundPress versions <= 2.0.8...
WordPress Booking for Appointments and Events Calendar – Amelia plugin <= 2.1.2 - Unauthenticated Authorization Bypass vulnerability
Unauthenticated Authorization Bypass vulnerability discovered by awhacken in WordPress Plugin Amelia versions <= 2.1.2...
WordPress WP Customer Area plugin <= 8.3.4 - Path Traversal vulnerability
Path Traversal vulnerability discovered by iamlooper in WordPress Plugin WP Customer Area versions <= 8.3.4...
WordPress Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Caspian in WordPress Plugin Jeg Elementor Kit versions <= 3.1.0...
WordPress Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin <= 6.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Essential Blocks for Gutenberg versions <= 6.0.4...
WordPress App Builder – Create Native Android & iOS Apps On The Flight plugin <= 5.6.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Avatar Modification vulnerability
Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Avatar Modification vulnerability discovered by Ren Voza in WordPress Plugin App Builder versions <= 5.6.0...
WordPress Simple Link Directory plugin <= 8.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Simple Link Directory versions <= 8.9.2...
WordPress MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites plugin <= 2.1.9 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated (Author+) Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin MaxiBlocks versions <= 2.1.9...
WordPress Advanced Classifieds & Directory Pro plugin <= 3.2.4 - Unauthenticated Reflected Cross-Site Scripting vulnerability
Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Advanced Classifieds & Directory Pro versions <= 3.2.4...
WordPress Advanced Scrollbar – Custom Scrollbar Styling and Behavior plugin <= 1.1.3 - Unauthenticated Reflected Cross-Site Scripting vulnerability
Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Advanced scrollbar versions <= 1.1.3...
WordPress AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization plugin <= 2.9.2 - Unauthenticated Reflected Cross-Site Scripting vulnerability
Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Add Expires Headers & Optimized Minify versions <= 2.9.2...
WordPress AI Bud – AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4o plugin <= 1.7.2 - Unauthenticated Reflected Cross-Site Scripting vulnerability
Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin AiBud WP versions <= 1.7.2...
WordPress AI Puffer – Chat. Create. Automate. (formerly AI Power) plugin <= 1.8.99 - Unauthenticated Reflected Cross-Site Scripting vulnerability
Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin GPT3 AI Content Writer versions <= 1.8.99...
WordPress AidWP – Donation & Payment Forms (Stripe Powered) plugin <= 3.2.6 - Unauthenticated Reflected Cross-Site Scripting vulnerability
Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin AidWP versions <= 3.2.6...
WordPress Announcement & Notification Banner – Bulletin plugin <= 3.12.1 - Unauthenticated Reflected Cross-Site Scripting vulnerability
Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WordPress Announcement & Notification Banner Plugin – Bulletin versions <= 3.12.1...