Responsible Disclosure

CVEs.

Assigned vulnerabilities with official CVE identifiers, advisory references and direct links to the public record.

11 CVE identifiers 9 published CVE records 2 CVE publications pending
Assigned Entries

All CVE records

9 published · 2 CVE publications pending
CVE-2026-14231
2026
LifterLMS < 10.0.10 - Authenticated (Subscriber+) Sensitive Information Disclosure via 'select2_query_posts'

The plugin only verifies that a user is logged in when handling a select2 query request and does not perform the required capability check. Subscriber-level attackers can supply an internal post type and retrieve otherwise restricted titles, including coupon codes.

CVSS 4.3 Medium Sensitive Data Exposure CWE-200 Fixed in 10.0.10 Advisory published Jul 10, 2026 Verified by WPScan CVE publication pending
CVE-2026-49030
2026
pathe <= 2.0.3 - Path Traversal via Cross-Platform Backslash Normalization

On POSIX systems, pathe unconditionally converts backslashes to forward slashes before resolving a path. Inputs such as ..\..\..\etc\passwd can bypass validation that only blocks ../, then escape the intended base directory through join(), resolve() or normalize(), enabling arbitrary file read or write when the resolved path is used.

CVSS Pending Path Traversal CWE-22 Affects <= 2.0.3 Reported Apr 2026 CNA: MITRE CVE publication pending
CVE-2026-39244
2026
adm-zip < 0.5.18 - Denial of Service via Unbounded Memory Allocation

The package allocates memory from an untrusted ZIP uncompressed-size header without an upper bound. A crafted file of roughly 120 bytes can request nearly 4 GB before CRC validation, immediately crashing applications that read or extract it.

CVSS 7.5 High Denial of Service CWE-400 / CWE-789 Fixed in 0.5.18 Published Jul 10, 2026 CNA: MITRE
CVE-2026-39246
2026
decompress <= 4.2.1 - Arbitrary Symlink Creation and Information Disclosure

The package creates symlinks from archive entries without validating their targets. An attacker can place links to sensitive files outside the extraction directory and expose any data the application later reads or serves.

CVSS 7.5 High Symlink CWE-59 / CWE-61 Affects <= 4.2.1 Published Jul 9, 2026 CNA: MITRE
CVE-2026-39245
2026
decompress <= 4.2.1 - Path Containment Bypass and Arbitrary File Write

A flawed String.indexOf() containment check accepts sibling directories that share the extraction path prefix. Combined with symlink creation, a crafted archive can write files outside the intended output directory and bypass the fix for CVE-2020-12265.

CVSS 6.2 Medium Path Traversal CWE-22 Affects <= 4.2.1 Published Jul 9, 2026 CNA: MITRE
CVE-2026-39243
2026
decompress <= 4.2.1 - Arbitrary Hardlink Creation, File Disclosure and Corruption

The package passes an archive-controlled hardlink target directly to fs.link(). A crafted archive can expose a file on the same filesystem through the extraction directory, and changes made through that hardlink can corrupt the original file.

CVSS 5.5 Medium Hardlink CWE-59 Affects <= 4.2.1 Published Jul 9, 2026 CNA: MITRE
CVE-2026-11367
2026
PixMagix <= 1.7.2 - Authenticated (Author+) Path Traversal in 'layers[].id' Parameter

The plugin's move_image_on_server function concatenates an unsanitized layer ID into a filesystem path passed to PHP's copy(), allowing authenticated Author-level attackers to use traversal sequences to write attacker-controlled files to arbitrary locations on the server.

CVSS 6.5 Medium Path Traversal CWE-22 Affects <= 1.7.2 Published Jun 30, 2026 Verified by Wordfence
CVE-2026-39447
2026
Simply Schedule Appointments <= 1.6.10.6 - Cross Site Scripting (XSS)

The plugin fails to properly neutralize input during page generation, allowing attackers to inject JavaScript through a cross-site scripting vulnerability in affected WordPress installations.

CVSS 7.1 High XSS CWE-79 Fixed in 1.6.11.0 Published May 28, 2026 Verified by Patchstack
CVE-2026-42725
2026
Checkout Files Upload for WooCommerce <= 2.2.5 - Unauthenticated Insecure Direct Object References (IDOR)

The plugin fails to properly validate object ownership on file access, allowing unauthenticated attackers to bypass authorization and access files uploaded by other users during checkout.

CVSS 6.5 Medium IDOR CWE-639 Affects <= 2.2.5 Published May 12, 2026 Verified by Patchstack
CVE-2026-6379
2026
WP Photo Album Plus < 9.1.11.001 - Unauthenticated SQL Injection via 'wppa-supersearch' Parameter

The plugin does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.

CVSS 8.6 High SQLI CWE-89 Fixed in 9.1.11.001 Published Apr 27, 2026 Verified by WPScan
CVE-2026-6449
2026
Amelia < 2.3 - Unauthenticated Improper Authorization on Booking Status

A logical flaw in the booking authorization check skips token validation when the booking status is 'waiting', allowing unauthenticated attackers to approve arbitrary bookings via the admin-ajax endpoint.

CVSS 5.3 Medium AuthZ CWE-285 Fixed in 2.3 Published Apr 14, 2026 Verified by WPScan