Cross-site scripting in Veritas InfoScale VIOM 9.1.3 allows a low-privileged authenticated attacker to inject malicious scripts into the web application, which execute in the browser context of other users - including potentially administrators. The CVSS 3.1 score of 5.4 with Changed scope (S:C) indicates the injected payload can cross security boundaries and impact principals beyond the originating session. No public exploit code has been identified at time of analysis, and CISA SSVC assessment confirms no active exploitation.
Improper authentication on an undocumented administrative endpoint in ArcGIS Server 11.1 through 12.0 allows unauthenticated remote attackers to disrupt the web-based browsing interface by sending a crafted HTTP request. The vulnerability is classified as CWE-287 and carries a CVSS 5.3 medium score, reflecting network-reachable, zero-privilege exploitation offset by limited impact (integrity only, no confidentiality or availability loss). No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Path traversal exploitation in NVIDIA Triton Inference Server enables unauthenticated remote attackers to cause denial of service by submitting crafted requests containing malicious path components. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero authentication or user interaction is required, making this broadly reachable from the network with low attack complexity. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis; however, the no-prerequisite attack profile warrants patching per NVIDIA's advisory at nvidia.custhelp.com.
Resource exhaustion in ISC BIND 9's resolver state machine allows remote unauthenticated attackers to trigger an unbounded resend loop by sending crafted DNS queries that activate bad-server retry conditions, degrading resolver availability. Multiple active release branches are affected across standard and Subscription Edition builds spanning versions 9.18.36 through 9.21.21. No public exploit has been identified and the vulnerability is not listed in CISA KEV; however, the fully network-accessible, zero-authentication attack vector makes every exposed BIND 9 resolver a potential target.
Unauthenticated remote flooding of Progress Software MOVEit Automation exploits a missing resource throttling control (CWE-770), allowing an attacker to degrade service availability without any credentials or user interaction. Affected versions span the 2025.0.x branch (before 2025.0.11) and the 2025.1.x branch (before 2025.1.7). Progress Software has released patched versions; no public exploit code or CISA KEV listing has been identified at time of analysis, though MOVEit products remain high-value targets given their history as enterprise MFT infrastructure.
Unauthorized template creation in the Xpro Addons for Elementor WordPress plugin exposes sites to unauthenticated content injection via a missing capability check on the get_content_editor AJAX function. All plugin versions through 1.5.0 are affected, allowing any remote attacker without credentials to create and publish Xpro templates on targeted WordPress sites. No public exploit identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitability against default installations with no preconditions.
Sensitive information exposure in the Slider Revolution WordPress plugin (versions up to and including 7.0.9) allows unauthenticated remote attackers to bypass WordPress's native password-protection mechanism and retrieve the full content of protected posts, pages, and WooCommerce products via the vulnerable `get_stream_data()` function. The CVSS vector confirms no authentication, no user interaction, and no special conditions are required, making this trivially exploitable against any affected installation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Cross-origin data leakage in Google Chrome prior to 148.0.7778.179 exposes sensitive information to attackers who have already achieved renderer process compromise. The flaw stems from insufficient input validation (CWE-20) in Chrome's Input handling, enabling a crafted HTML page to exfiltrate data across origin boundaries. No active exploitation is confirmed - SSVC assigns exploitation status 'none' and the vulnerability is not listed in CISA KEV - but the confidentiality impact is rated High by CVSS, warranting prompt patching.
Missing authorization in Movable Type allows authenticated non-administrator users to trigger unintended update operations under certain conditions. Affecting Movable Type, Movable Type Advanced, and Movable Type Premium products by Six Apart Ltd., the flaw (CWE-862) permits a low-privileged user to bypass access controls and perform write operations that should be restricted to administrators. No public exploit or CISA KEV listing exists at time of analysis; the vendor released a fix in version 9.0.8 on 2026-05-20 per the Six Apart advisory.
Amplified resource exhaustion in ISC BIND 9 resolvers enables remote unauthenticated attackers to cause disproportionate resource consumption by directing a victim resolver to query a specially crafted authoritative DNS zone. All major BIND 9 resolver branches are affected, spanning versions 9.11.x through 9.21.x including BIND 9 Supported (S1) variants, representing a broad deployment footprint across enterprise and ISP resolver infrastructure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; ISC has released patched versions.
Prototype pollution in MongoDB Compass's CSV import parsing logic creates a '1-click' command execution path across versions 1.36.x through 1.49.5. A crafted CSV file can pollute JavaScript object prototypes during the import workflow, causing untrusted file paths to reach Electron's shell.openExternal() API and be executed by the operating system's default handler. No public exploit code has been identified and this CVE is absent from CISA KEV, but the passive user-interaction requirement - simply importing a CSV as part of routine database work - makes targeted social engineering a credible delivery vector in data-heavy environments.
MISP's CSP report endpoint in versions 2.5.0 through 2.5.37 accepts payloads up to 1 MB per report instead of the developer-intended 1 KB limit, due to a 1,024x magnitude error in the truncation guard (`1024 * 1024` instead of `1024`). On deployments where the endpoint is reachable by untrusted clients, unauthenticated remote parties (per CVSS PR:N) can abuse this discrepancy to flood application logs with oversized reports, contributing to disk exhaustion or log integrity degradation. No public exploit code exists and active exploitation has not been confirmed; the CVSS 4.0 score of 5.1 (Low-Medium) reflects the limited, availability-only impact.
Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `frm_query` POST parameter in `search.php`, which is echoed verbatim into an HTML input `VALUE` attribute. The CVSS 4.0 score of 5.1 (Medium) reflects a required active user interaction step (UI:A) that limits opportunistic exploitation - a victim must be induced to submit a crafted request. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch (v3.44.2) is available and should be applied immediately, as it simultaneously addresses 88 security vulnerabilities - including 68 additional XSS flaws across 22 files - indicating systemic insecurity in all prior versions.
Reflected XSS in Open ISES Tickets before 3.44.2 enables injection of arbitrary JavaScript via the unsanitized `the_ticket` GET parameter in do_unit_mail.php, which is written directly into a JavaScript variable assignment without output encoding. An attacker who can deliver a crafted URL to a user of the application can execute arbitrary JavaScript in that user's browser session, enabling session hijacking, credential theft, or UI redirection. No active exploitation is confirmed (not in CISA KEV), and no public POC is identified at time of analysis, though a patch commit and vendor release are publicly available, raising the exposure window.
Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the ticket_id GET parameter in routes_nm.php, which is unsanitized and written directly into an HTML hidden input field VALUE attribute. The CVSS 4.0 vector (PR:N) indicates no privileges are required, but the CVE description explicitly characterizes the attacker as authenticated - this discrepancy must be verified with the vendor before determining actual exploitation prerequisites. Active user interaction is required (UI:A), meaning exploitation depends on a victim clicking a crafted URL. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Reflected XSS in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript into a victim's browser session via the thelat and thelng GET parameters in street_view.php, where values are passed unsanitized directly into JavaScript variable assignments. The attack requires user interaction - a victim must visit a crafted URL - and the CVSS 4.0 score of 5.1 reflects limited scope impact (SC:L/SI:L). Notably, this CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and 5 hardcoded secrets, indicating severe systemic security debt in the codebase. No public exploit identified at time of analysis, and no CISA KEV listing.
Reflected XSS in Open ISES Tickets before version 3.44.2 enables JavaScript injection via the ticket_id GET parameter in add_facnote.php, which is written unsanitized into a hidden HTML input field's VALUE attribute. An attacker can craft a URL containing a JavaScript payload and trick a user into visiting it, causing script execution in the victim's browser session within the application's origin. No public exploit has been identified at time of analysis, and a vendor-released patch is confirmed at v3.44.2. Notably, this CVE is one of at least 69 XSS vulnerabilities addressed in the same release, indicating systemic input sanitization failures across the codebase.
Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a payload in the `frm_call` GET parameter of `opena.php`, which is reflected directly into page output without sanitization. The CVSS 4.0 vector scores this at 5.1 (Medium), with impact limited to the subsequent browser context (SC:L/SI:L) rather than the server itself. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV - however, the v3.44.2 release patched 88 total vulnerabilities including 19 SQL injection flaws, indicating systemic security debt warranting urgent upgrade regardless of this CVE's moderate score.
Reflected XSS in Open ISES Tickets before 3.44.2 enables JavaScript injection via the ticket_id GET parameter in patient_JF.php, where the unsanitized value is written directly into a JavaScript variable assignment in the server response. The CVSS 4.0 vector (PR:N, UI:A) indicates no authentication is required from the attacker's side, though the CVE description contradicts this by specifying 'authenticated attackers' - this conflict should be verified with the vendor. Exploitation requires the victim to actively visit a crafted URL, limiting mass exploitation, but the broader v3.44.2 release context - which patches 88 total vulnerabilities including 19 SQL injection flaws - signals systemic input validation failures across the codebase. No public exploit code or CISA KEV listing has been identified at time of analysis.
Reflected XSS in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the unsanitized ticket_id GET parameter in add_note.php, with payload execution occurring in the browser of any authenticated user who visits a crafted URL. The CVSS 4.0 score of 5.1 (Medium) reflects the mandatory user interaction requirement and impact scope limited to the browser context, with no server-side confidentiality or integrity impact. No public exploit code or active exploitation has been identified at time of analysis; the vendor released v3.44.2 as a critical security update that addresses this issue alongside 87 additional vulnerabilities.
Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript via the ticket_id GET parameter in single.php, which is rendered unsanitized into an HTML attribute and executed in a victim's browser upon visiting a crafted URL. This vulnerability is one of 69 XSS issues patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and hardcoded credentials - signaling systemic input handling deficiencies across the application. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS 4.0 score of 5.1 and mandatory user interaction (UI:A) limit automated exploitation.
Reflected XSS in Open ISES Tickets before version 3.44.2 allows attackers to inject arbitrary JavaScript into a victim's browser session via the unsanitized 'id' GET parameter in single_unit.php. The injected value is written directly into an HTML attribute without escaping, enabling session hijacking, credential theft, or malicious redirects when a victim visits an attacker-crafted URL. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 security release - indicating systemic input validation failures across the application. No public exploit or CISA KEV listing has been identified at time of analysis.
Missing authorization in PDF for Elementor Forms + Drag And Drop Template Builder (WordPress plugin by ADD-ONS.ORG) allows an authenticated low-privilege user to exploit incorrectly configured access control security levels, resulting in unauthorized integrity modifications with changed scope. All plugin versions through 5.5.1 are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, placing this in a monitor-and-patch priority tier rather than emergency response.
Time-based blind SQL injection in the Read More & Accordion WordPress plugin (slug: expand-maker) through version 3.5.7 enables authenticated administrators to exfiltrate arbitrary database contents, including administrator password hashes, by manipulating the orderby GET parameter. The flaw exists in two data-retrieval functions in ReadMoreData.php, where user input bypasses effective sanitization and is concatenated unquoted into an ORDER BY SQL clause. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, though the high-confidentiality CVSS impact (C:H) reflects genuine data-exposure potential.
Open redirect vulnerability in ArcGIS Server 11.5 allows an attacker to craft a malicious login-workflow URL that, upon user authentication, silently redirects the victim's browser to an attacker-controlled external site. The flaw lies in insufficient input validation of the redirect parameter within the login redirection workflow, with impact explicitly limited to client-side browser navigation - no server-side compromise or cross-component data exposure is possible. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified at time of analysis, and EPSS data was not present in the available intelligence feed.
Heap out-of-bounds read in Unbound's DNSCrypt packet handling allows a remote unauthenticated attacker to potentially crash the resolver with a single malformed query, causing denial of service. Affected are all Unbound installations from version 1.6.2 through 1.25.0 that were compiled with the optional '--enable-dnscrypt' flag. The crash is probabilistic rather than guaranteed - whether the out-of-bounds read escalates to a heap overflow depends entirely on the memory allocator behavior and heap layout at runtime; absent a crash, Unbound's own packet validation will discard the offending query. No public exploit exists and no active exploitation has been identified at time of analysis.
Heap use-after-free in Unbound's RPZ (Response Policy Zone) subsystem crashes the DNS resolver under a specific race condition affecting multi-threaded deployments. Versions 1.14.0 through 1.25.0 are affected when an RPZ zone with 'rpz-nsip' or 'rpz-nsdname' triggers is served via XFR (zone transfer) and a simultaneous read occurs in another thread. The crash is remotely triggerable by timing a DNS query against an in-progress XFR, but requires multiple co-occurring non-default conditions; no public exploit exists and no active exploitation has been confirmed.
Silent file download in RoboForm Password Manager for Android (Siber Systems, Inc.) can be triggered by a co-installed malicious application delivering a crafted Android Intent containing an attacker-controlled URL. RoboForm fails to validate the URL destination, request user confirmation, or surface any notification before fetching and writing remote content to the device. Reported by JPCERT (JVNVU93461473) with no CISA KEV listing and no public exploit identified at time of analysis, placing this in a moderate-low real-world risk category despite the sensitive nature of the affected product - a password manager.
Stored Cross-Site Scripting in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows authenticated administrators to persist malicious scripts in the plugin's settings that execute in any user's browser upon visiting the settings page. The flaw exists because the plugin applies sanitize_text_field() to the anomify_api_key input - a function that strips HTML tags but does not encode double-quote characters - then echoes the stored value directly into an HTML attribute context (value="...") without the appropriate esc_attr() call. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE; the CVSS score of 4.4 reflects the high privilege bar and high complexity required to exploit.
Stored Cross-Site Scripting in the General Options WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers holding Administrator-level privileges to persist malicious JavaScript in the Contact Number settings field, which executes in the browser of any administrator who subsequently visits the plugin's settings page. The flaw is rooted in the misapplication of sanitize_text_field() for output escaping - a function that strips HTML tags but does not encode double-quote characters, enabling attribute context breakout when the stored value is echoed inside a double-quoted HTML attribute. WordPress's wp_magic_quotes backslash-prefixing mechanism provides no protection here because HTML parsers treat the backslash as a literal character rather than an escape sequence. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Mesalvo Meona's Client Launcher and Server components fail to verify data authenticity (CWE-345), enabling a locally authenticated low-privileged user to send email messages to arbitrary recipients. Both the Client Launcher Component through version 19.06.2020 15:11:49 and the Server Component through version 2025.04 5+323020 are affected per NVD CPE data. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog, but the integrity and information disclosure impact could enable internal email abuse or phishing pivots from a compromised endpoint.
Unauthenticated resource exhaustion in Progress Software MOVEit Automation enables a low-privileged remote attacker to degrade availability by triggering excessive resource allocation without server-side throttling controls. Affecting all MOVEit Automation releases prior to 2025.0.11 and the 2025.1.x branch prior to 2025.1.7, successful exploitation results in limited availability impact (A:L per CVSS) against the targeted instance. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis; the vendor has released patched versions.
ServiceWorker policy enforcement failure in Google Chrome prior to version 148.0.7778.179 enables unauthenticated remote attackers to leak cross-origin data by luring a victim to a crafted HTML page. The vulnerability stems from Chrome's ServiceWorker layer failing to adequately enforce isolation boundaries (CWE-693), allowing a malicious origin to read data it should not have access to under the same-origin policy. No public exploit identified at time of analysis, and the CVSS score of 4.3 reflects limited confidentiality impact; however, the zero-privilege, network-accessible attack vector means any Chrome user browsing a malicious page could be affected.
Panic-triggered denial of service in Nimiq's core-rs-albatross (versions prior to 1.4.0) allows a network-level attacker to crash the node's RPC task by injecting a signed PeerContact with an empty addresses list into the libp2p peer discovery layer. The crash is deferred: the malicious contact is accepted and stored silently, but any subsequent call to get_address_book - from an RPC client or web client - triggers an unconditional Rust panic via .expect() on an empty iterator. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low attack complexity and network-accessible vector make casual exploitation plausible against any exposed node operator workflow.
Sensitive credential exposure in the All in One SEO WordPress plugin (versions up to and including 4.9.7) allows authenticated contributors to harvest API tokens, OAuth credentials, and license keys directly from rendered page source. The plugin passes unmasked internal configuration data to the browser via WordPress's wp_localize_script() mechanism in post editor contexts, making sensitive values accessible to any user with contributor-level access or above. No public exploit code or active exploitation has been identified at time of analysis, but exposed credentials carry secondary risk - compromised API/OAuth tokens could enable account takeover or abuse of connected third-party services.
Authorization bypass in the TypeSquare Webfonts for ConoHa WordPress plugin (all versions through 2.0.4) allows authenticated attackers with subscriber-level access to arbitrarily modify site-wide font configuration by submitting a POST request to any wp-admin page. The plugin fails to verify that the requesting user has permission to alter settings such as typesquare_auth (fontThemeUseType), show_post_form, and typesquare_fonttheme (CWE-862). Compounding the issue, when fontThemeUseType values 1 or 3 are targeted, nonce verification is also absent, making those specific code branches additionally exploitable via cross-site request forgery against higher-privileged users. No public exploit has been identified at time of analysis, and no confirmed patched version has been released.
Same-origin policy bypass in Google Chrome's Service Worker subsystem (all versions prior to 148.0.7778.179) allows remote unauthenticated attackers to read cross-origin data by luring a victim to a crafted HTML page. The flaw originates from insufficient policy enforcement (CWE-693) within the Service Worker layer, enabling unauthorized access to confidential data across origins. No public exploit code has been identified and no active exploitation is confirmed; Google has shipped a fix in stable channel version 148.0.7778.179.
Out-of-bounds memory read in the GPU component of Google Chrome on macOS exposes process memory to remote attackers via a crafted HTML page. Affected versions are all Chrome releases prior to 148.0.7778.179 on Mac; Windows and Linux are not identified as affected. No public exploit or active exploitation has been identified at time of analysis, and SSVC confirms exploitation status as none with non-automatable attack delivery.
Cross-Site Request Forgery in the Child Height Predictor by Ostheimer WordPress plugin (all versions through 1.3) allows unauthenticated remote attackers to modify plugin settings by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of nonce verification in the options() function - neither wp_nonce_field() in the form template nor check_admin_referer()/wp_verify_nonce() in the handler - meaning any forged POST request from an admin session will be accepted and persisted to the database. No public exploit has been identified at time of analysis, and CVSS scores this as medium severity (4.3), which aligns with the limited integrity impact (settings modification only, no confidentiality or availability loss).
Cross-Site Request Forgery in the Bottom Bar WordPress plugin (all versions up to and including 0.1.7) allows unauthenticated attackers to modify plugin configuration by tricking a logged-in administrator into visiting a malicious page. All three administrative settings forms - main settings, sharing services, and restore defaults - lack both wp_nonce_field() output and server-side check_admin_referer() validation in bottom-bar-admin.php, meaning any POST to those endpoints is processed without request authenticity checks. No public exploit has been identified at time of analysis, no patched version has been confirmed, and the vulnerability is not listed in CISA KEV.
Insecure Direct Object Reference in NextGEN Gallery WordPress plugin through version 4.2.0 allows authenticated attackers with Subscriber-level privileges and the 'NextGEN Manage gallery' capability to delete gallery images belonging to other users, including their physical files from disk. The DELETE /imagely/v1/images/{id} REST endpoint validates only the 'NextGEN Manage gallery' capability, entirely omitting gallery ownership checks and the 'NextGEN Manage others gallery' permission - making cross-user image destruction possible at low privilege. No public exploit code identified at time of analysis and no CISA KEV listing; however, when deleteImg is enabled (default), exploitation results in irreversible file-level data loss beyond what the CVSS 4.3 integrity score alone conveys.
Stored Cross-Site Scripting via CSRF in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows unauthenticated remote attackers to inject persistent JavaScript into the WordPress admin panel by tricking a logged-in administrator into visiting an attacker-controlled page. The attack chains two flaws: a missing nonce check on the settings handler (no check_admin_referer()) that permits any cross-origin POST to modify plugin settings, and a double-quote escape bypass where the API key value is stored after sanitize_text_field() sanitization but rendered into an HTML attribute via bare echo without esc_attr(), allowing the payload to survive both sanitization and storage. No public exploit has been identified at time of analysis, and the CVE is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the Amazon Scraper WordPress plugin (submone, all versions through 1.1) allows unauthenticated remote attackers to modify plugin settings and inject persistent malicious scripts by tricking an authenticated site administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation across multiple functions in amazon-admin.php (identified at lines 13, 26, 45, and 49). No public exploit has been identified at time of analysis, and the plugin has not been added to the CISA KEV catalog, but the Wordfence-reported disclosure includes direct source code references making exploitation straightforward for a motivated attacker.
Cross-Site Request Forgery in the JaviBola Custom Theme Test WordPress plugin (all versions through 2.0.5) enables unauthenticated remote attackers to silently replace the site's active theme by forging a request that modifies the `jbct_theme` option. Exploitation requires social-engineering a logged-in site administrator into clicking a crafted link - the CVSS UI:R requirement reflects this dependency. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Cross-Site Request Forgery in the Games Catalog WordPress plugin (versions ≤ 1.2.0) enables unauthenticated attackers to delete arbitrary game catalog entries and their associated WordPress posts by tricking a logged-in site administrator into clicking a crafted link. The vulnerable gc_crud() function in admin-crud.php processes the action=delete parameter via a GET request with no wp_verify_nonce() or check_admin_referer() call, bypassing WordPress's standard CSRF defenses entirely. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface is fully visible in the public WordPress plugin Trac repository, making it trivially constructible.
Settings-reset CSRF in the Remove Yellow BGBOX WordPress plugin (all versions up to and including 1.0) allows unauthenticated remote attackers to overwrite the plugin's stored configuration by tricking a logged-in site administrator into loading a forged request. The vulnerability stems from absent nonce validation on the rybb_api_settings page, confirmed by Wordfence with direct source code references to admin/rybb_api_settings.php and includes/functions.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the limited integrity impact keeps real-world priority low.
Cross-Site Request Forgery in the Bigfishgames Syndicate WordPress plugin (all versions through 1.2) enables unauthenticated remote attackers to reset and overwrite plugin settings by forging admin-panel requests. The vulnerability resides in the bigfishgames_syndicate_submenu() function, which lacks proper WordPress nonce validation, meaning any crafted HTTP request bearing a valid admin session will be accepted as legitimate. Exploitation requires tricking an authenticated site administrator into triggering the forged request; no public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Cross-origin read access to Algernon's SSE auto-refresh event server (versions ≤ 1.17.6) allows any web page visited by a developer to silently subscribe to the live file-change stream via a browser-native EventSource. The root cause is a hardcoded wildcard `Access-Control-Allow-Origin: *` response header in the dedicated SSE port activated by the `-a` flag, with no origin inspection or allow-list logic present in the vendored recwatch handler. No public exploit identified at time of analysis per KEV absence, though a complete working proof-of-concept - including exploit HTML and curl verification transcript - is published in GHSA-hw27-4v2q-5qff.
Algernon's auto-refresh SSE event server unintentionally exposes developer file-change streams to unauthenticated LAN peers on Linux and macOS due to a platform-dependent bind address default that was never intended to reach adjacent hosts. On non-Windows platforms, the SSE listener resolves to 0.0.0.0:5553 (all interfaces), while Windows correctly binds to 127.0.0.1:5553 - a silent asymmetry introduced in engine/flags.go that leaves developers on the most common Algernon platforms exposed whenever they work on shared networks. A publicly available proof-of-concept demonstrates that any host on the same subnet can enumerate project filenames and edit timing with a single unauthenticated curl command, with no developer interaction required; no public exploit identified at time of analysis rises to confirmed active exploitation (not in CISA KEV).
Missing Authorization in the Image Photo Gallery Final Tiles Grid WordPress plugin (by WP Chill) allows low-privileged authenticated attackers to exploit incorrectly configured access control, resulting in unauthorized read access to restricted data. All plugin versions through 3.6.11 are affected per NVD and Patchstack. No public exploit identified at time of analysis, and the limited confidentiality impact (C:L) and authentication requirement (PR:L) constrain real-world blast radius, though the vulnerability remains a valid risk for multi-tenant or shared-access WordPress deployments.