CVE-2026-31844 - Authenticated SQL Injection in Koha displayby parameter of suggestion.pl
CVE ID :CVE-2026-31844
Published : March 11, 2026, 7:16 a.m. | 29 minutes ago
Description :An authenticated SQL Injection vulnerability (CWE-89) in the displayby parameter of /cgi-bin/koha/suggestion/suggestion.pl in Koha allows a low-privileged staff user to execute arbitrary SQL queries and retrieve sensitive database information.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-31844
Published : March 11, 2026, 7:16 a.m. | 29 minutes ago
Description :An authenticated SQL Injection vulnerability (CWE-89) in the displayby parameter of /cgi-bin/koha/suggestion/suggestion.pl in Koha allows a low-privileged staff user to execute arbitrary SQL queries and retrieve sensitive database information.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-3534 - Astra <= 4.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
CVE ID :CVE-2026-3534
Published : March 11, 2026, 7:16 a.m. | 29 minutes ago
Description :The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escaping in the `astra_get_responsive_background_obj()` function for four CSS-context sub-properties (`background-color`, `background-image`, `overlay-color`, `overlay-gradient`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-3534
Published : March 11, 2026, 7:16 a.m. | 29 minutes ago
Description :The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escaping in the `astra_get_responsive_background_obj()` function for four CSS-context sub-properties (`background-color`, `background-image`, `overlay-color`, `overlay-gradient`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-3824 - WellChoose|IFTOP - Open redirect
CVE ID :CVE-2026-3824
Published : March 11, 2026, 7:16 a.m. | 28 minutes ago
Description :IFTOP developed by WellChoose has an Open redirect vulnerability, allowing authenticated remote attackers to craft a URL that tricks users into visiting malicious website.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-3824
Published : March 11, 2026, 7:16 a.m. | 28 minutes ago
Description :IFTOP developed by WellChoose has an Open redirect vulnerability, allowing authenticated remote attackers to craft a URL that tricks users into visiting malicious website.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-3825 - WellChoose|IFTOP - Reflected Cross-site Scripting
CVE ID :CVE-2026-3825
Published : March 11, 2026, 7:16 a.m. | 28 minutes ago
Description :Update to verison IFTOP_P4_181 or later.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-3825
Published : March 11, 2026, 7:16 a.m. | 28 minutes ago
Description :Update to verison IFTOP_P4_181 or later.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-3826 - WellChoose|IFTOP - Local File Inclusion
CVE ID :CVE-2026-3826
Published : March 11, 2026, 7:17 a.m. | 28 minutes ago
Description :IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-3826
Published : March 11, 2026, 7:17 a.m. | 28 minutes ago
Description :IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-14024 - Video Station
CVE ID :CVE-2024-14024
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later
Severity: 0.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2024-14024
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later
Severity: 0.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-14025 - Video Station
CVE ID :CVE-2024-14025
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later
Severity: 0.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2024-14025
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later
Severity: 0.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-14026 - QTS, QuTS hero
CVE ID :CVE-2024-14026
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.3.3006 build 20250108 and later
Severity: 2.0 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2024-14026
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.3.3006 build 20250108 and later
Severity: 2.0 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1708 - Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter
CVE ID :CVE-2026-1708
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for its presence in the `$_REQUEST` superglobal. This makes it possible for unauthenticated attackers to append arbitrary SQL commands to queries and extract sensitive information from the database via the `append_where_sql` parameter in JSON payloads granted they have obtained a valid `public_token` that is inadvertently exposed during the booking flow.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-1708
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql` parameter from being passed through JSON request bodies, while only checking for its presence in the `$_REQUEST` superglobal. This makes it possible for unauthenticated attackers to append arbitrary SQL commands to queries and extract sensitive information from the database via the `append_where_sql` parameter in JSON payloads granted they have obtained a valid `public_token` that is inadvertently exposed during the booking flow.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2917 - Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter
CVE ID :CVE-2026-2917
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method only checking `current_user_can('edit_posts')` (a general capability) without performing object-level authorization such as `current_user_can('edit_post', $post_id)`, and the nonce being tied to the generic action name `ha_duplicate_thing` rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the `post_id` parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-2917
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method only checking `current_user_can('edit_posts')` (a general capability) without performing object-level authorization such as `current_user_can('edit_post', $post_id)`, and the nonce being tied to the generic action name `ha_duplicate_thing` rather than to a specific post ID. This makes it possible for authenticated attackers, with Contributor-level access and above, to clone any published post, page, or custom post type by obtaining a valid clone nonce from their own posts and changing the `post_id` parameter to target other users' content. The clone operation copies the full post content, all post metadata (including potentially sensitive widget configurations and API tokens), and taxonomies into a new draft owned by the attacker.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2918 - Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions
CVE ID :CVE-2026-2918
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` — failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-2918
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` instead of `current_user_can('edit_post', $template_id)` — failing to perform object-level authorization. Additionally, the `ha_get_current_condition` AJAX action lacks a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify the display conditions of any published `ha_library` template. Because the `cond_to_html()` renderer outputs condition values into HTML attributes without proper escaping (using string concatenation instead of `esc_attr()`), an attacker can inject event handler attributes (e.g., `onmouseover`) that execute JavaScript when an administrator views the Template Conditions panel, resulting in Stored Cross-Site Scripting.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-3903 - Modular Connector <= 2.5.1 - Cross-Site Request Forgery via postConfirmOauth
CVE ID :CVE-2026-3903
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth() function. This makes it possible for unauthenticated attackers to disconnect the plugin's OAuth/SSO connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-3903
Published : March 11, 2026, 8:16 a.m. | 1 hour, 32 minutes ago
Description :The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth() function. This makes it possible for unauthenticated attackers to disconnect the plugin's OAuth/SSO connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1454 - Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting
CVE ID :CVE-2026-1454
Published : March 11, 2026, 9:16 a.m. | 31 minutes ago
Description :The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfb_lead_sanitize() function which omits certain field types from its sanitization whitelist, combined with an overly permissive wp_kses() filter at output time that allows onclick attributes on anchor tags. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the lead entries in the WordPress dashboard.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-1454
Published : March 11, 2026, 9:16 a.m. | 31 minutes ago
Description :The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfb_lead_sanitize() function which omits certain field types from its sanitization whitelist, combined with an overly permissive wp_kses() filter at output time that allows onclick attributes on anchor tags. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the lead entries in the WordPress dashboard.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1993 - ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update
CVE ID :CVE-2026-1993
Published : March 11, 2026, 9:25 a.m. | 22 minutes ago
Description :The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-1993
Published : March 11, 2026, 9:25 a.m. | 22 minutes ago
Description :The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1992 - ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation
CVE ID :CVE-2026-1992
Published : March 11, 2026, 9:25 a.m. | 22 minutes ago
Description :The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-1992
Published : March 11, 2026, 9:25 a.m. | 22 minutes ago
Description :The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-3492 - Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title
CVE ID :CVE-2026-3492
Published : March 11, 2026, 9:25 a.m. | 22 minutes ago
Description :The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (`sanitize_text_field()` preserves single quotes), and missing output escaping when the form title is rendered in the Form Switcher dropdown (`title` attribute constructed without `esc_attr()`, and JavaScript `saferHtml` utility only escapes `&`, `<`, `>` but not quotes). This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary JavaScript that executes when an Administrator searches in the Form Switcher dropdown in the Form Editor.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-3492
Published : March 11, 2026, 9:25 a.m. | 22 minutes ago
Description :The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (`sanitize_text_field()` preserves single quotes), and missing output escaping when the form title is rendered in the Form Switcher dropdown (`title` attribute constructed without `esc_attr()`, and JavaScript `saferHtml` utility only escapes `&`, `<`, `>` but not quotes). This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary JavaScript that executes when an Administrator searches in the Form Switcher dropdown in the Form Editor.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-3906 - WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API
CVE ID :CVE-2026-3906
Published : March 11, 2026, 9:25 a.m. | 22 minutes ago
Description :WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-3906
Published : March 11, 2026, 9:25 a.m. | 22 minutes ago
Description :WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-3231 - Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field
CVE ID :CVE-2026-3231
Published : March 11, 2026, 9:25 a.m. | 22 minutes ago
Description :The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php` first escaping values with `esc_html()` then immediately reversing the escaping with `html_entity_decode()` for radio and checkboxgroup field types, combined with a permissive `wp_kses()` allowlist in `get_allowed_html()` that explicitly permits the `` element with the `onchange` event handler attribute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via the Store API checkout endpoint that execute when an administrator views the order details page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-3231
Published : March 11, 2026, 9:25 a.m. | 22 minutes ago
Description :The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php` first escaping values with `esc_html()` then immediately reversing the escaping with `html_entity_decode()` for radio and checkboxgroup field types, combined with a permissive `wp_kses()` allowlist in `get_allowed_html()` that explicitly permits the `` element with the `onchange` event handler attribute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via the Store API checkout endpoint that execute when an administrator views the order details page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1965 - bad reuse of HTTP Negotiate connection
CVE ID :CVE-2026-1965
Published : March 11, 2026, 11:15 a.m. | 2 hours, 33 minutes ago
Description :libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-1965
Published : March 11, 2026, 11:15 a.m. | 2 hours, 33 minutes ago
Description :libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-3783 - token leak with redirect and netrc
CVE ID :CVE-2026-3783
Published : March 11, 2026, 11:16 a.m. | 2 hours, 33 minutes ago
Description :When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-3783
Published : March 11, 2026, 11:16 a.m. | 2 hours, 33 minutes ago
Description :When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-3784 - wrong proxy connection reuse with credentials
CVE ID :CVE-2026-3784
Published : March 11, 2026, 11:16 a.m. | 2 hours, 32 minutes ago
Description :curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-3784
Published : March 11, 2026, 11:16 a.m. | 2 hours, 32 minutes ago
Description :curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...