Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for …

The The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via 'account_holder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an action that does not properly validate a value before running …

The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the import_shortcodes() function. This makes it possible for authenticat…

The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode at…

The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers…

The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl…

PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOK…

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket end…