Threat Intelligence Database

This entry is a Reddit post linking to a Medium article where the author shares an idea about intelligent network scanners for routers. It is a discussion request rather than a report of a security vulnerability or threat.

The RegistrationMagic WordPress plugin up to version 6.0.8.6 contains an authentication bypass vulnerability due to insufficient verification of data authenticity in its PayPal IPN callback handler. This flaw allows unauthenticated attackers to forge IPN requests that manipulate payment log entries, enabling them to authenticate as any WordPress user, including administrators.

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker WordPress plugin up to version 11.1.4 contains an authorization bypass vulnerability. Authenticated users with contributor-level access or higher can create, modify, and delete quiz output templates without proper authorization checks. This includes the ability to store unsanitized HTML content such as arbitrary script tags, potentially leading to content injection issues.

The Frisbii Pay plugin for WordPress contains a missing authorization vulnerability in its 'upload_csv' and 'process_batch' functions. This flaw affects all versions up to and including 1.8.9 and allows authenticated users with Subscriber-level access or higher to upload arbitrary CSV files. Exploiting this vulnerability enables overwriting of WooCommerce payment tokens, postmeta, and order meta data, potentially impacting data integrity.

The Page Builder by SiteOrigin WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in the panels_data parameter affecting all versions up to and including 2.34.3. Authenticated users with Contributor-level access or higher can inject malicious scripts into pages, which execute when other users view those pages. This occurs due to insufficient input sanitization and output escaping, combined with the storage of panels_data as post meta outside WordPress's usual filtering mechanisms. The vulnerability has a medium severity rating with a CVSS score of 6.4.

The Spexo WordPress theme by templatescoderthemes contains a vulnerability due to missing authorization checks in the activate_plugin function. This flaw affects all versions up to and including 2.0.11 and allows authenticated users with Subscriber-level access or higher to activate certain plugins without proper permissions. The vulnerability has a medium severity rating with a CVSS score of 4.3.

The WP Full Stripe Free plugin for WordPress (Stripe Payment Forms by WP Full Pay) contains a missing authorization vulnerability in versions up to and including 8.4.3. The vulnerability exists in the wpfs_update_failed_payment_status AJAX action, which lacks capability checks, nonce verification, and logged-in user verification. This allows unauthenticated attackers who have a valid Stripe Payment Intent ID to manipulate payment records, marking successful payments as failed and overwriting failure details.

The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions up to and including 3.8.0. This vulnerability arises from insufficient input sanitization and output escaping in admin settings. It allows authenticated users with editor-level permissions or higher to inject malicious scripts that execute when other users access the affected pages. The issue specifically impacts multi-site installations and sites where the unfiltered_html capability is disabled.

Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress contains an authorization bypass vulnerability (CVE-2026-11987) affecting all versions up to 5.0.4. Authenticated users with subscriber-level access or higher can exploit a missing validation on the 'id' parameter to access other vendors' products, including unpublished drafts and pending listings. This exposure includes sensitive product details such as names, prices, SKUs, and descriptions. The issue arises because permission checks verify only generic vendor capabilities rather than confirming product ownership or author identity.

A stored cross-site scripting (XSS) vulnerability exists in the Dokan AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress. The issue arises from insufficient input sanitization and output escaping of the Product SKU field in all versions up to and including 5.0.4. Authenticated users with custom-level access or higher can inject malicious scripts that execute when any user, including unauthenticated visitors, views the affected pages. The vulnerability is triggered via the store search widget, which inserts unescaped AJAX response HTML into the DOM using jQuery's .html() method.