46547 matches found
NPM: devbridge-autocomplete has XSS in its default formatters: formatGroup and formatResult fail to escape HTML in untrusted inputs
NPM: devbridge-autocomplete has XSS in its default formatters: formatGroup and formatResult fail to escape HTML in untrusted inputs vulnerability discovered by ? in WordPress Npm devbridge-autocomplete versions = 2.0.0...
NPM: scimPatch vulnerable to prototype pollution via unfiltered keys in patch
NPM: scimPatch vulnerable to prototype pollution via unfiltered keys in patch vulnerability discovered by ? in WordPress Npm scim-patch versions = 0.9.0...
WordPress Transbank Webpay plugin < 1.14.0 - Unauthenticated Stored XSS vulnerability
Unauthenticated Stored XSS vulnerability discovered by Mateo Contenla & Matías Schiappacasse in WordPress Plugin Transbank Webpay REST versions < 1.14.0...
WordPress CF7 Auto Responder Addon plugin < 2.5 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin CF7 Auto Responder Addon versions < 2.5...
WordPress LBG Zoominoutslider plugin <= 5.4.4 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin LBG Zoominoutslider versions <= 5.4.4...
WordPress Vitepos plugin < 3.4.2 - Outlet Manager+ Privilege Escalation vulnerability
Outlet Manager+ Privilege Escalation vulnerability discovered by RealKingEngine ISAL FRAMEWORK in WordPress Plugin Vitepos versions < 3.4.2...
WordPress Simple File List plugin <= 6.3.7 - Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action vulnerability
Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action vulnerability discovered by WordFence in WordPress Plugin Simple File List versions <= 6.3.7...
WordPress Simple File List plugin <= 6.3.7 - Unauthenticated Arbitrary File Deletion via Path Traversal in 'eeSubFolder' Parameter vulnerability
Unauthenticated Arbitrary File Deletion via Path Traversal in 'eeSubFolder' Parameter vulnerability discovered by WordFence in WordPress Plugin Simple File List versions <= 6.3.7...
WordPress Database for Contact Form 7, WPforms, Elementor forms plugin <= 1.5.1 - Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value vulnerability
Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value vulnerability discovered by daroo in WordPress Plugin Contact Form Entries versions <= 1.5.1...
WordPress Branda - White Label & Branding, Free Login Page Customizer plugin <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover vulnerability
WordPress Branda - White Label & Branding, Free Login Page Customizer plugin <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover vulnerability discovered by thevietronin - GalaxyOne in WordPress Plugin Branda versions <= 3.4.29...
WordPress Motors Car Dealership & Classified Listings plugin < 1.4.110 - Unauthenticated Post-Meta Write via stm_ajax_add_a_car_media vulnerability
Unauthenticated Post-Meta Write via stm_ajax_add_a_car_media vulnerability discovered by Mustafa Ahmed in WordPress Plugin Motors versions < 1.4.110...
WordPress Pie Register plugin < 3.8.4.10 - Unauthenticated Email Verification Bypass via Predictable Token vulnerability
Unauthenticated Email Verification Bypass via Predictable Token vulnerability discovered by Haitam Lazaar in WordPress Plugin Pie Register versions < 3.8.4.10...
WordPress Simple File List plugin <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute vulnerability
Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute vulnerability discovered by WordFence in WordPress Plugin Simple File List versions <= 6.3.7...
WordPress User Registration plugin <= 5.2.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by nobody09 in WordPress Plugin User Registration versions <= 5.2.2...
NPM: appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
NPM: appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI) vulnerability discovered by ? in WordPress Npm appium-mcp versions = 1.85.9...
NPM: parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change
NPM: parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change vulnerability discovered by ? in WordPress Npm parse-server versions = 8.6.82...
NPM: SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read`
NPM: SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read` vulnerability discovered by ? in WordPress Npm mcp-searxng versions 1.7.1...
NPM: SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read`
NPM: SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read` vulnerability discovered by ? in WordPress Npm mcp-searxng versions 1.7.1...
NPM: Network-AI: EnvironmentManager.restore() backup ID path traversal copies arbitrary directories into environment data
NPM: Network-AI: EnvironmentManager.restore() backup ID path traversal copies arbitrary directories into environment data vulnerability discovered by ? in WordPress Npm network-ai versions = 5.12.1...
NPM: Network-AI: EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backups
NPM: Network-AI: EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backups vulnerability discovered by ? in WordPress Npm network-ai versions = 5.12.1...
NPM: Network-AI: ApprovalInbox HTTP server has no authentication — anyone can approve pending agent actions
NPM: Network-AI: ApprovalInbox HTTP server has no authentication — anyone can approve pending agent actions vulnerability discovered by ? in WordPress Npm network-ai versions = 5.0.0, = 5.12.1...
NPM: Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory
NPM: Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory vulnerability discovered by ? in WordPress Npm network-ai versions = 5.12.1...
NPM: Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning
NPM: Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning vulnerability discovered by ? in WordPress Npm network-ai versions = 5.12.1...
NPM: TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
NPM: TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover vulnerability discovered by ? in WordPress Npm tinacms versions 3.9.3...
NPM: flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key
NPM: flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key vulnerability discovered by ? in WordPress Npm flat-to-nested versions = 1.1.1...
NPM: Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure)
NPM: Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure) vulnerability discovered by ? in WordPress Npm kozou versions = 1.8.0...
NPM: parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist
NPM: parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist vulnerability discovered by ? in WordPress Npm parse-server versions = 8.6.80...
NPM: parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
NPM: parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL vulnerability discovered by ? in WordPress Npm parse-server versions 8.6.80...
NPM: parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
NPM: parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied vulnerability discovered by ? in WordPress Npm parse-server versions = 9.8.0, 9.9.1-alpha.5...
NPM: parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
NPM: parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist vulnerability discovered by ? in WordPress Npm parse-server versions = 8.6.78...
NPM: parse-server: Server option routeAllowList is bypassable through batch sub-requests
NPM: parse-server: Server option routeAllowList is bypassable through batch sub-requests vulnerability discovered by ? in WordPress Npm parse-server versions = 9.8.0, 9.9.1-alpha.3...
NPM: TypeORM: SQL Injection in UpdateQueryBuilder/SoftDeleteQueryBuilder orderBy (MySQL/MariaDB)
NPM: TypeORM: SQL Injection in UpdateQueryBuilder/SoftDeleteQueryBuilder orderBy (MySQL/MariaDB) vulnerability discovered by ? in WordPress Npm typeorm versions = 0.1.12, = 0.3.28...
NPM: Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync
NPM: Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync vulnerability discovered by ? in WordPress Npm agentic-flow versions = 2.0.13...
NPM: parse-server: Denial of service via exponential-time processing of deeply nested query operators
NPM: parse-server: Denial of service via exponential-time processing of deeply nested query operators vulnerability discovered by ? in WordPress Npm parse-server versions 8.6.82...
NPM: undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
NPM: undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching vulnerability discovered by ? in WordPress Npm undici versions 6.27.0...
NPM: undici WebSocket client vulnerable to denial of service via fragment count bypass
NPM: undici WebSocket client vulnerable to denial of service via fragment count bypass vulnerability discovered by ? in WordPress Npm undici versions 6.27.0...
NPM: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
NPM: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding vulnerability discovered by ? in WordPress Npm undici versions 6.27.0...
NPM: undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
NPM: undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse vulnerability discovered by ? in WordPress Npm undici versions = 7.23.0, 7.28.0...
NPM: undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
NPM: undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse vulnerability discovered by ? in WordPress Npm undici versions 6.27.0...
NPM: Network-AI: Improper Neutralization of Special Elements used in an OS Command
NPM: Network-AI: Improper Neutralization of Special Elements used in an OS Command vulnerability discovered by ? in WordPress Npm network-ai versions 5.9.1...
NPM: Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests
NPM: Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests vulnerability discovered by ? in WordPress Npm network-ai versions = 5.7.1...
WordPress WP Hotel Booking plugin < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers vulnerability
Subscriber+ Missing Authorization in Multiple AJAX Handlers vulnerability discovered by Sanjorn Keeratirungsan in WordPress Plugin WP Hotel Booking versions < 2.3.1...
WordPress WP Go Maps plugin <= 10.1.01 - Unauthenticated Arbitrary Record Creation vulnerability
Unauthenticated Arbitrary Record Creation vulnerability discovered by Thanh Điềm in WordPress Plugin WP Go Maps versions <= 10.1.01...
WordPress UPI QR Code Payment Gateway for WooCommerce plugin <= 1.6.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by ParkHyunWoo in WordPress Plugin UPI QR Code Payment Gateway for WooCommerce versions <= 1.6.2...
WordPress Paymob for WooCommerce plugin <= 4.1.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Sajjad Haqi in WordPress Plugin Paymob for WooCommerce versions <= 4.1.3...
WordPress Master Slider plugin <= 3.11.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Master Slider versions <= 3.11.2...
WordPress License Manager for WooCommerce plugin <= 3.0.15 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by dodoh4t in WordPress Plugin License Manager for WooCommerce versions <= 3.0.15...
WordPress WP Activity Log plugin <= 5.6.3.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by daroo in WordPress Plugin WP Activity Log versions <= 5.6.3.1...
WordPress CheckView Automated Testing plugin <= 2.1.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by sequenceX0 in WordPress Plugin CheckView Automated Testing versions <= 2.1.0...
WordPress MapPress Maps for WordPress plugin <= 2.97.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by l3m3s in WordPress Plugin MapPress Maps for WordPress versions <= 2.97.3...