Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable.
Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.
Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.
Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions.
Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions.
Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.
Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions.
Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions.
Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions.
Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions.
Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions.
Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions.
Customer Privilege Escalation in Dokan <= 5.0.2 versions.
Unauthenticated SQL Injection in GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 versions.
Unauthenticated Broken Access Control in Welcart e-Commerce <= 2.11.28 versions.
Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions.
Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions.
Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions.
Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions.
Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.