Tag: wordpress
All the articles with the tag "wordpress".
- [CVE-2025-11368] LearnPress REST Endpoint Leaks Quiz Answers and Other Confidential Course Content
  A missing capability check in a LearnPress REST route lets anyone harvest curriculum HTML, quiz questions and their correct answers without logging in.
- [CVE-2025-12197] The Events Calendar WordPress Plugin Blind SQL Injection Exposes Site Databases
  Unauthenticated SQL injection in a widely installed WordPress events plugin lets attackers exfiltrate data through crafted search requests. Updating to version 6.15.10 closes the hole.
- [CVE-2025-11372] Unauthenticated REST call in LearnPress lets anyone reshape your WordPress database
  All LearnPress versions up to 4.2.9.3 register an admin-only REST endpoint with a permissive permission callback. Any Internet user can drop or create indexes on arbitrary database tables, including wp_options, and grind a site to a halt.
- [CVE-2025-9083] Unauthenticated PHP Object Injection in Ninja Forms Hands WordPress Attackers the Keys
  A flaw in the Repeatable Fieldset component lets anyone send a crafted form submission that Ninja Forms unserializes. If a gadget chain exists on the site, the attacker can pivot to remote code execution without logging in.