Vulnerability-Lookup: most recent entries from GitHub (GHSA)
Feed URL: https://vulnerability.circl.lu/rss/recent/github/10
Generated 2025-04-25T11:11:04.773446+00:00 by Vulnerability-Lookup (info@circl.lu) with python-feedgen. Contains only the 10 most recent entries.

ghsa-4vcr-xh7r-34v9 | 2025-04-25T11:11:04.779460+00:00
https://vulnerability.circl.lu/vuln/ghsa-4vcr-xh7r-34v9
The Add Google +1 (Plus one) social share Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the google-plus-one-share-button page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

ghsa-mghj-58qq-48h7 | 2025-04-25T11:11:04.779445+00:00
https://vulnerability.circl.lu/vuln/ghsa-mghj-58qq-48h7
The Custom Admin-Bar Favorites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'menuObject' parameter in all versions up to, and including, 0.1, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

ghsa-mrfc-r624-5cgr | 2025-04-25T11:11:04.779430+00:00
https://vulnerability.circl.lu/vuln/ghsa-mrfc-r624-5cgr
The Vikinger theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.30. This is due to insufficient user_meta restrictions in the 'vikinger_user_meta_update_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator-level.
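The two WordPress defects that recur in the entries above (a settings handler that accepts a forged request because the nonce is never validated, and a request parameter or stored option echoed back without escaping) share a small number of root causes. The following is an added illustration, not the code of any plugin named in this feed: the vulnerable shape of a settings page next to the hardened one. The plugin prefix `example_`, the option name `example_share_text`, the nonce action name and the function names are hypothetical; `menuObject` is only borrowed as a parameter name from the reflected-XSS entry.

```php
<?php
// Added illustration of the CSRF (missing nonce validation) and XSS (missing
// output escaping) patterns described in the feed. Not any plugin's real code;
// the example_ prefix, option name and nonce action are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// Any POST carrying example_share_text is honoured, whoever sent it and from
// wherever it was submitted. If an administrator loads an attacker page whose
// form auto-submits here, the attacker's value is stored and later rendered,
// so the CSRF becomes stored XSS against every admin who views the page.
function example_vuln_save_settings() {
    if ( isset( $_POST['example_share_text'] ) ) {
        update_option( 'example_share_text', $_POST['example_share_text'] );
    }
}

function example_vuln_render_settings_page() {
    example_vuln_save_settings();
    $text = get_option( 'example_share_text', '' );
    $menu = isset( $_GET['menuObject'] ) ? $_GET['menuObject'] : '';
    // Both a stored option and a raw request parameter are echoed unescaped.
    echo '<input type="text" name="example_share_text" value="' . $text . '">';
    echo '<p>Editing menu: ' . $menu . '</p>';
}

// --- Hardened pattern -----------------------------------------------------
function example_safe_save_settings() {
    if ( ! isset( $_POST['example_save'] ) ) {
        return;
    }
    // 1. Authorization: only users who may manage options can save them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry the nonce WordPress issued to this
    //    user for this action. A cross-site forged request cannot read it.
    //    check_admin_referer() terminates the request on failure.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    // 3. Sanitize on input.
    $text = isset( $_POST['example_share_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_share_text'] ) )
        : '';
    update_option( 'example_share_text', $text );
}

function example_safe_render_settings_page() {
    example_safe_save_settings();
    $text = get_option( 'example_share_text', '' );
    $menu = isset( $_GET['menuObject'] ) ? sanitize_text_field( wp_unslash( $_GET['menuObject'] ) ) : '';
    echo '<form method="post">';
    // Emits the hidden field that check_admin_referer() later verifies.
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    // 4. Escape on output with the escaper for the context (attribute vs. text).
    echo '<input type="text" name="example_share_text" value="' . esc_attr( $text ) . '">';
    echo '<p>Editing menu: ' . esc_html( $menu ) . '</p>';
    echo '<button name="example_save" value="1">Save</button></form>';
}
```

Two points worth checking when reviewing a plugin against these advisories: the nonce check and the capability check are independent (a nonce stops forged cross-site requests but does nothing about a logged-in low-privilege user, and a capability check does nothing about an administrator being tricked), so a handler that writes options needs both; and sanitizing on input does not remove the need to escape on output, since an option may have been written by another code path.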
ghsa-2vhv-mf9g-gm93 | 2025-04-25T11:11:04.779416+00:00
https://vulnerability.circl.lu/vuln/ghsa-2vhv-mf9g-gm93
Missing Authorization vulnerability in AlphaEfficiencyTeam Custom Login and Registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Login and Registration: from n/a through 1.0.0.

ghsa-3gqj-8wmx-4j7x | 2025-04-25T11:11:04.779402+00:00
https://vulnerability.circl.lu/vuln/ghsa-3gqj-8wmx-4j7x
The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation, due to a missing capability check on the ux_cb_tools_import_item_ajax AJAX action in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to set the default role for registration to administrator and enable user registration, allowing attackers to gain administrative access to a vulnerable site.

ghsa-8p8h-vpmc-q8xq | 2025-04-25T11:11:04.779387+00:00
https://vulnerability.circl.lu/vuln/ghsa-8p8h-vpmc-q8xq
Quantum StorNext Web GUI API before 7.2.4 grants access to internal StorNext configuration and allows unauthorized modification of some software configuration parameters via undocumented user credentials. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage.

ghsa-c4p7-3xph-5f74 | 2025-04-25T11:11:04.779372+00:00
https://vulnerability.circl.lu/vuln/ghsa-c4p7-3xph-5f74
The 1 Decembrie 1918 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.dec.2012. This is due to missing or incorrect nonce validation on the 1-decembrie-1918/1-decembrie-1918.php page.
This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

ghsa-fhwh-5w3x-c8g5 | 2025-04-25T11:11:04.779356+00:00
https://vulnerability.circl.lu/vuln/ghsa-fhwh-5w3x-c8g5
The Ajax Comment Form CST plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the 'acform_cst_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

ghsa-p2h6-wjr5-7mx4 | 2025-04-25T11:11:04.779336+00:00
https://vulnerability.circl.lu/vuln/ghsa-p2h6-wjr5-7mx4
Quantum StorNext Web GUI API before 7.2.4 allows potential arbitrary Remote Code Execution (RCE) via upload of a file. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage.

ghsa-v22r-2c57-5frw | 2025-04-25T11:11:04.779286+00:00
https://vulnerability.circl.lu/vuln/ghsa-v22r-2c57-5frw
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MyThemeShop WP Quiz allows Stored XSS. This issue affects WP Quiz: from n/a through 2.0.10.
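The BM Content Builder entry (missing capability check on an AJAX action, arbitrary options written, default registration role switched to administrator) and the Vikinger entry (insufficient user_meta restrictions, Subscriber escalates to Administrator) describe the same class of authorization defect in WordPress AJAX handlers: the `wp_ajax_*` hook runs for every authenticated user, and the handler neither checks who is calling nor restricts which keys may be written. The following is an added illustration of that pattern and its fix, not the code of either project; the action names, the `example_` prefix and the option and meta allowlists are hypothetical.

```php
<?php
// Added illustration of the AJAX authorization defects described in the feed
// (missing capability check; arbitrary option / user_meta keys written).
// Not BM Content Builder's or Vikinger's code; names are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* hooks fire for any logged-in user, Subscriber included.
add_action( 'wp_ajax_example_import_item', 'example_vuln_import_item' );
function example_vuln_import_item() {
    $data = json_decode( wp_unslash( $_POST['item'] ?? '' ), true );
    foreach ( (array) ( $data['options'] ?? array() ) as $name => $value ) {
        // A Subscriber can submit {"default_role":"administrator",
        // "users_can_register":1}, then register a fresh administrator account.
        update_option( $name, $value );
    }
    wp_send_json_success();
}

add_action( 'wp_ajax_example_user_meta_update', 'example_vuln_user_meta_update' );
function example_vuln_user_meta_update() {
    $user_id = get_current_user_id();
    foreach ( (array) ( $_POST['meta'] ?? array() ) as $key => $value ) {
        // $key may be the capabilities meta ({$wpdb->prefix}capabilities,
        // wp_capabilities by default), the serialized role array, so the
        // caller writes themself the administrator role.
        update_user_meta( $user_id, $key, $value );
    }
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_example_import_item_safe', 'example_safe_import_item' );
function example_safe_import_item() {
    // 1. CSRF and 2. authorization are separate checks: a valid nonce proves
    //    the request came from this site's UI, not that the user may do this.
    check_ajax_referer( 'example_import_item', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Only options this plugin owns may be written; anything else is dropped.
    $allowed = array( 'example_cb_layout', 'example_cb_palette' );
    $data    = json_decode( wp_unslash( $_POST['item'] ?? '' ), true );
    foreach ( (array) ( $data['options'] ?? array() ) as $name => $value ) {
        if ( in_array( $name, $allowed, true ) ) {
            update_option( $name, sanitize_text_field( $value ) );
        }
    }
    wp_send_json_success();
}

add_action( 'wp_ajax_example_user_meta_update_safe', 'example_safe_user_meta_update' );
function example_safe_user_meta_update() {
    check_ajax_referer( 'example_user_meta_update', 'nonce' );
    $user_id = get_current_user_id();
    // Allowlist of profile fields a user may edit about themself. Role and
    // capability storage is never in it, and is_protected_meta() rejects the
    // core-protected keys as a second line of defence.
    $allowed = array( 'example_bio', 'example_cover_image' );
    foreach ( (array) ( $_POST['meta'] ?? array() ) as $key => $value ) {
        if ( ! in_array( $key, $allowed, true ) || is_protected_meta( $key, 'user' ) ) {
            continue;
        }
        update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $value ) ) );
    }
    wp_send_json_success();
}
```

A quick audit for this class in a plugin or theme tree: list every `add_action( 'wp_ajax_` registration, then confirm that each handler calls `check_ajax_referer()` and a `current_user_can()` check appropriate to what it writes, and that any `update_option()` or `update_user_meta()` whose key comes from the request is constrained by an allowlist rather than a denylist. Handlers registered on `wp_ajax_nopriv_*` deserve the same scrutiny, since they run for unauthenticated callers.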