Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries...
Sales Representative SQL Injection in Groundhogg <= 4.5 versions.
Unauthenticated Insecure Direct Object References (IDOR) in GravityView <= 3.0.0 versions.
Unauthenticated Sensitive Data Exposure in Bopo โ WooCommerce Product Bundle Builder <= 1.1.6 versions.
Contributor SQL Injection in Recipe Maker For Your Food Blog from Zip Recipes <= 8.2.7 versions.
Contributor SQL Injection in Contest Gallery <= 30.0.0 versions.
Subscriber Broken Access Control in WPComplete <= 2.9.5.5 versions.
Unauthenticated Broken Access Control in Booking and Rental Manager <= 2.7.1 versions.
Unauthenticated Cross Site Request Forgery (CSRF) in Paid Memberships Pro - Add Member From Admin <= 0.7.2 versions.
Administrator Arbitrary File Upload in TemplateSpare <= 4.2.0 versions.
Unauthenticated Cross Site Request Forgery (CSRF) in Gmail SMTP <= 1.2.3.19 versions.
Author Cross Site Scripting (XSS) in Hester Core <= 1.1.8 versions.
Unauthenticated Cross Site Request Forgery (CSRF) in Child Theme Wizard <= 1.4 versions.
Affiliate Broken Access Control in Affiliates Manager <= 2.9.49 versions.
Contributor SQL Injection in WP Job Portal <= 2.5.2 versions.
Unauthenticated Insecure Direct Object References (IDOR) in JS Help Desk <= 3.1.0 versions.
Contributor Cross Site Scripting (XSS) in Ghost Kit <= 3.6.0 versions.
Contributor Cross Site Scripting (XSS) in Magazine Blocks <= 1.8.3 versions.
Subscriber Broken Access Control in Shoppable Images Lite <= 1.3 versions.
Contributor Broken Access Control in Nelio Content <= 4.3.4 versions.