Vulnerabilities

  

CVE-2025-13922 | Tag, Category, and Taxonomy Manager Plugin up to 3.40.1 on WordPress AJAX Endpoint existing_terms_orderby sql injection

A vulnerability marked as critical has been reported in Tag, Category, and Taxonomy Manager Plugin up to 3.40.1 on WordPress.

  

CVE-2025-11263 | Link Whisper Free Plugin up to 0.8.8 on WordPress Type cross site scripting

A vulnerability described as problematic has been identified in Link Whisper Free Plugin up to 0.8.8 on WordPress. This issue

  

CVE-2025-64374 | Motors Plugin up to 5.6.82 on WordPress Plugin Installation mvl_theme_install_base authorization

A vulnerability classified as critical has been found in Motors Plugin up to 5.6.82 on WordPress. Impacted is the function

  

CVE-2025-12505 | weDocs Plugin up to 2.1.14 on WordPress Setting create_item_permissions_check authorization

A vulnerability classified as problematic was found in weDocs Plugin up to 2.1.14 on WordPress. The affected element is the

  

CVE-2025-66546 | Nextcloud Calendar up to 4.7.18/5.5.5/6.0.0 authorization

A vulnerability, which was classified as problematic, has been found in Nextcloud Calendar up to 4.7.18/5.5.5/6.0.0. The impacted element is

  

CVE-2025-64188 | Soledad Plugin up to 8.6.9 on WordPress penci_update_option authorization

A vulnerability, which was classified as problematic, was found in Soledad Plugin up to 8.6.9 on WordPress. This affects the

  

CVE-2025-13857 | Yet Another WebClap Plugin up to 0.2 on WordPress Shortcode text cross site scripting

A vulnerability has been found in Yet Another WebClap Plugin up to 0.2 on WordPress and classified as problematic. This

  

CVE-2025-14126 | TOZED ZLT M30S/ZLT M30S PRO 1.47/3.09.06 Web Interface hard-coded credentials

A vulnerability was found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06 and classified as critical. Affected is an

  

CVE-2025-14133 | Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so AP_get_wireless_clientlist_setClientsName clientsname_0 stack-based overflow

A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been classified as critical.

  

CVE-2025-14134 | Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so clientsname_0 stack-based overflow

A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been declared as critical.

  

CVE-2025-14135 | Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so AP_get_wired_clientlist_setClientsName clientsname_0 stack-based overflow

A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been rated as critical.

  

CVE-2025-14136 | Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so clientsname_0 stack-based overflow

A vulnerability categorized as critical has been discovered in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability

Ubuntu 22.04 LTS: Linux Kernel Critical Security Vulnerability USN-7889-5
  

Several security issues were fixed in the Linux kernel. (LinuxSecurity – Security Advisories)

Ubuntu 25.10: Linux GCP Kernel Critical Security Issues USN-7906-2
  

Several security issues were fixed in the Linux kernel. (LinuxSecurity – Security Advisories)

Ubuntu 22.04: Linux Kernel Azure Important Security Flaws USN-7910-2
  

Several security issues were fixed in the Linux kernel. (LinuxSecurity – Security Advisories)

Ubuntu 22.04: Important Linux Kernel Updates Addressing Security Flaws
  

Several security issues were fixed in the Linux kernel. (LinuxSecurity – Security Advisories)

  

CVE-2025-6966 | Canonical python-apt deb822 File TagSection.keys null pointer dereference

A vulnerability labeled as problematic has been found in Canonical python-apt. The impacted element is the function TagSection.keys of the

  

CVE-2025-13654 | zevv Duc up to 1.4.5 buffer_get stack-based overflow

A vulnerability marked as critical has been reported in zevv Duc up to 1.4.5. This affects the function buffer_get. Performing

  

CVE-2025-14105 | TOZED ZLT M30S/ZLT M30S PRO 1.47/3.09.06 Web Interface /reqproc/proc_post goformId denial of service

A vulnerability described as problematic has been identified in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. This impacts an

  

CVE-2025-14106 | ZSPACE Q2C NAS up to 1.1.0210050 HTTP POST Request /v2/file/safe/close zfilev2_api.CloseSafe safe_dir command injection

A vulnerability classified as critical has been found in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe

  

CVE-2025-14107 | ZSPACE Q2C NAS up to 1.1.0210050 HTTP POST Request /v2/file/safe/status zfilev2_api.SafeStatus safe_dir command injection

A vulnerability classified as critical was found in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the

  

CVE-2025-14108 | ZSPACE Q2C NAS up to 1.1.0210050 HTTP POST Request /v2/file/safe/open zfilev2_api.OpenSafe safe_dir command injection

A vulnerability, which was classified as critical, has been found in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this

  

CVE-2025-14111 | Rarlab RAR App up to 7.11 Build 127 on Android com.rarlab.rar path traversal

A vulnerability, which was classified as critical, was found in Rarlab RAR App up to 7.11 Build 127 on Android.

  

CVE-2025-14116 | xerrors Yuxi-Know up to 0.4.0 /src/models/embed.py OtherEmbedding.aencode health_url server-side request forgery

A vulnerability has been found in xerrors Yuxi-Know up to 0.4.0 and classified as critical. This vulnerability affects the function

  

CVE-2025-64057 | Fanvil x210 V2 2.12.20 System Configuration path traversal

A vulnerability was found in Fanvil x210 V2 2.12.20 and classified as critical. This issue affects some unknown processing of

  

CVE-2025-14117 | fit2cloud Halo 2.21.10 cross-site request forgery

A vulnerability was found in fit2cloud Halo 2.21.10. It has been classified as problematic. Impacted is an unknown function. The

  

CVE-2025-65730 | GoAway up to 0.62.18 JWT Token hard-coded credentials

A vulnerability was found in GoAway up to 0.62.18. It has been declared as critical. The affected element is an

  

CVE-2025-64056 | Fanvil x210 V2 2.12.20 unrestricted upload

A vulnerability was found in Fanvil x210 V2 2.12.20. It has been rated as critical. The impacted element is an

  

CVE-2025-66270 | KDE Connect Protocol 8 authentication spoofing

A vulnerability identified as critical has been detected in KDE Connect Protocol 8. This vulnerability affects unknown code. The manipulation

  

CVE-2025-32899 | KDE Connect up to 1.32.x on Android Packet improper preservation of consistency between independent representations of shared state

A vulnerability labeled as problematic has been found in KDE Connect up to 1.32.x on Android. This issue affects some

  

CVE-2016-20023 | CKSource CKFinder prior 2.5.0.1 on ASP.NET path traversal

A vulnerability marked as problematic has been reported in CKSource CKFinder on ASP.NET. Impacted is an unknown function. This manipulation

  

CVE-2025-32901 | KDE Connect up to 1.32.x on Android Broadcast UDP improper validation of specified type of input

A vulnerability described as problematic has been identified in KDE Connect up to 1.32.x on Android. The affected element is

  

CVE-2025-61736 | Johnson Controls iSTAR eX improper validation of certificate expiration (icsa-25-338-04)

A vulnerability classified as problematic has been found in Johnson Controls iSTAR eX, iSTAR Edge, iSTAR Ultra LT, iSTAR Ultra

  

CVE-2025-26381 | Johnson Controls OpenBlue Mobile Web Application direct request (icsa-25-338-03)

A vulnerability classified as problematic was found in Johnson Controls OpenBlue Mobile Web Application. This affects an unknown function. Executing

  

CVE-2025-14085 | youlaitech youlai-mall 1.0.0/2.0.0 /app-api/v1/orders/ orderId improper control of dynamically-identified variables

A vulnerability, which was classified as critical, has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of

  

CVE-2025-14086 | youlaitech youlai-mall 1.0.0/2.0.0 openid access control

A vulnerability, which was classified as critical, was found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is an unknown function of the

  

CVE-2025-14088 | ketr JEPaaS up to 7.2.8 /je/load Authorization improper authorization

A vulnerability has been found in ketr JEPaaS up to 7.2.8 and classified as critical. Affected by this vulnerability is

  

CVE-2025-14089 | Himool ERP up to 2.2 AdminActionViewSet update_account improper authorization

A vulnerability was found in Himool ERP up to 2.2 and classified as critical. Affected by this issue is the

  

CVE-2025-14090 | AMTT Hotel Broadband Operation System 1.0 cardmake_down.php ID sql injection

A vulnerability was found in AMTT Hotel Broadband Operation System 1.0. It has been classified as critical. This affects an

  

CVE-2025-14091 | TrippWasTaken PHP-Guitar-Shop up to 6ce0868889617c1975982aae6df8e49555d0d555 Product Details Page /product.php ID sql injection

A vulnerability was found in TrippWasTaken PHP-Guitar-Shop up to 6ce0868889617c1975982aae6df8e49555d0d555. It has been declared as critical. This vulnerability affects unknown

  

CVE-2025-14092 | Edimax BR-6478AC V3 1.0.15 formDebugDiagnosticRun sub_416898 host os command injection

A vulnerability was found in Edimax BR-6478AC V3 1.0.15. It has been rated as critical. This issue affects the function

  

CVE-2025-14093 | Edimax BR-6478AC V3 1.0.15 formTracerouteDiagnosticRun sub_416990 host os command injection

A vulnerability categorized as critical has been discovered in Edimax BR-6478AC V3 1.0.15. Impacted is the function sub_416990 of the

  

CVE-2025-14094 | Edimax BR-6478AC V3 1.0.15 /boafrm/formSysCmd sub_44CCE4 sysCmd os command injection

A vulnerability identified as critical has been detected in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4

Fedora 42: libcoap Security Update 2025-6a43695048 for Denial of Service
  

Update to security release 4.3.5a. (LinuxSecurity – Security Advisories)

Fedora 42: timg Memory-Safety Fixes Update FEDORA-2025-f0df882417
  

Rebuilt with latest patched stb_image: memory-safety fixes. (LinuxSecurity – Security Advisories)

Fedora 42: fcgi 2.4.7 Fix CVE-2025-23016 Important Advisory
  

2.4.7 release, fixes CVE-2025-23016. (LinuxSecurity – Security Advisories)

Fedora 42: alexvsbus Memory Safety Update 2025-9831accfe9
  

Rebuilt against patched stb_image. Initial build for F42. (LinuxSecurity – Security Advisories)

Fedora 42: CuraEngine 5.4.0 Memory Safety Fix FEDORA-2025-fc872e9426
  

Rebuilt with latest patched stb_image: memory-safety fixes. (LinuxSecurity – Security Advisories)

Fedora 42: xpdf Update 2025-e72c726192 Critical Buffer Overflow Issues
  

Update to 4.06. Lots of bugfixes, but notably, security fixes for the following CVEs: CVE-2024-2971 CVE-2024-3247 CVE-2024-3248 (LinuxSecurity – Security Advisories)

  

CVE-2025-32898 | KDE Connect verification-code Protocol entropy

A vulnerability was found in KDE Connect verification-code Protocol. It has been declared as problematic. Affected by this vulnerability is

  

CVE-2025-27389 | ColorOS up to 15 Installation authentication spoofing

A vulnerability was found in ColorOS up to 15. It has been rated as critical. Affected by this issue is

  

CVE-2025-32900 | KDE Connect information-exchange Protocol prior 2025-04-18 less trusted source

A vulnerability categorized as problematic has been discovered in KDE Connect information-exchange Protocol. This affects an unknown part. Executing manipulation

Fedora 43: timg Important Memory-Safety Update FEDORA-2025-d2b7d94014
  

Rebuilt with latest patched stb_image: memory-safety fixes. (LinuxSecurity – Security Advisories)

Fedora 43: fcgi Critical Update CVE-2025-23016 – Remote Access Threat
  

2.4.7 release, fixes CVE-2025-23016. (LinuxSecurity – Security Advisories)

Fedora 43: jennylux Initial Release Memory Stability Patch 2025-5c2d9f3c672
  

Rebuilt against patched stb_image. Initial build for F43. (LinuxSecurity – Security Advisories)

Fedora 41: fcgi 2.4.7 Critical CVE-2025-23016 DoS Security Advisory
  

2.4.7 release, fixes CVE-2025-23016. (LinuxSecurity – Security Advisories)

Fedora 41: python-kdcproxy DoS TCP Buffer Overflow CVE-2025-59089
  

New upstream version (1.1.0). Use DNS discovery for declared realms only (CVE-2025-59088). Fix DoS vulnerability based on unbounded TCP buffering

Fedora 43: libcoap Major Security Flaw Identified 2025-b412c87h5z
  

Update to security release 4.3.5a. (LinuxSecurity – Security Advisories)

  

CVE-2025-62223 | Microsoft Edge up to 142.0.3595.53 on iOS clickjacking

A vulnerability was found in Microsoft Edge on iOS. It has been classified as problematic. Affected is an unknown function.

  

CVE-2025-9127 | Pure Storage PX Enterprise up to 3.3.1.2 escape output

A vulnerability marked as problematic has been reported in Pure Storage PX Enterprise up to 3.3.1.2. This issue affects some

  

CVE-2025-1910 | WatchGuard Mobile VPN with SSL Client up to 12.11.2 on Windows command injection (wgsa-2025-00008)

A vulnerability described as critical has been identified in WatchGuard Mobile VPN with SSL Client up to 12.11.2 on Windows.

  

CVE-2025-66576 | Remotecontrolio Remote Keyboard Desktop 1.0.1 rundll32.exe os command injection (Exploit 52299 / EDB-52299)

A vulnerability classified as critical has been found in Remotecontrolio Remote Keyboard Desktop 1.0.1. The affected element is an unknown

  

CVE-2025-29269 | Allnet ALL-RUT22GW 3.3.8 Parameter popen.cgi command os command injection

A vulnerability classified as critical was found in Allnet ALL-RUT22GW 3.3.8. The impacted element is an unknown function of the

  

CVE-2025-13488 | Sonatype Nexus Repository up to 3.86.2 Security Header cross site scripting

A vulnerability, which was classified as problematic, has been found in Sonatype Nexus Repository up to 3.86.2. This affects an

  

CVE-2025-59788 | Nextcloud up to 30.0.16/31.0.9/32.0.0 PDF viewer viewer.html routine (GHSA-24wp-p865-7j4r)

A vulnerability, which was classified as critical, was found in Nextcloud up to 30.0.16/31.0.9/32.0.0. This impacts an unknown function of

  

CVE-2023-53734 | mayurik dawa-pharma 1.0-2022 sql injection (Exploit 51818 / EDB-51818)

A vulnerability has been found in mayurik dawa-pharma 1.0-2022 and classified as critical. Affected is an unknown function. The manipulation

  

CVE-2023-53735 | WEBIGniter 28.7.23 cross site scripting (Exploit 51900 / EDB-51900)

A vulnerability was found in WEBIGniter 28.7.23 and classified as problematic. Affected by this vulnerability is an unknown functionality. The

  

CVE-2025-13936 | WatchGuard Fireware OS up to 12.5.13/12.11.4/2025.1.2 Tigerpaw Technology Integration cross site scripting (wgsa-2025-00021)

A vulnerability was found in WatchGuard Fireware OS up to 12.5.13/12.11.4/2025.1.2. It has been classified as problematic. Affected by this

  

CVE-2025-13937 | WatchGuard Fireware OS up to 12.5.13/12.11.4/2025.1.2 cross site scripting (wgsa-2025-00022)

A vulnerability was found in WatchGuard Fireware OS up to 12.5.13/12.11.4/2025.1.2. It has been declared as problematic. This affects an

  

CVE-2025-13938 | WatchGuard Fireware OS up to 12.5.13/12.11.4/2025.1.2 Autotask Technology Integration cross site scripting (wgsa-2025-00023)

A vulnerability was found in WatchGuard Fireware OS up to 12.5.13/12.11.4/2025.1.2. It has been rated as problematic. This vulnerability affects

  

CVE-2025-13939 | WatchGuard Fireware OS up to 11.12.4+541730/12.5.13/12.11.4/2025.1.2 Gateway Wireless Controller cross site scripting (wgsa-2025-00024)

A vulnerability categorized as problematic has been discovered in WatchGuard Fireware OS up to 11.12.4+541730/12.5.13/12.11.4/2025.1.2. This issue affects some unknown

  

CVE-2025-13373 | Advantech iView up to 5.7.05.7057/5.8.0 sql injection

A vulnerability identified as critical has been detected in Advantech iView up to 5.7.05.7057/5.8.0. Impacted is an unknown function. The

  

CVE-2025-66561 | Syslifters SysReptor 2024.40/2025.83 cross site scripting (GHSA-64vw-v5c4-mgvm)

A vulnerability labeled as problematic has been found in Syslifters SysReptor 2024.40/2025.83. The affected element is an unknown function. The

  

CVE-2025-53704 | MAXHUB Pivot Client Application up to 1.36.1 password recovery

A vulnerability marked as problematic has been reported in MAXHUB Pivot Client Application up to 1.36.1. The impacted element is

  

CVE-2025-6946 | WatchGuard Fireware OS up to 12.11.2 cross site scripting (wgsa-2025-00011)

A vulnerability described as problematic has been identified in WatchGuard Fireware OS up to 12.11.2. This affects an unknown function.

  

CVE-2025-63499 | Alinto Sogo 5.12.3 theme cross site scripting

A vulnerability classified as problematic has been found in Alinto Sogo 5.12.3. This impacts an unknown function. Performing manipulation of

  

CVE-2025-12195 | WatchGuard Fireware OS up to 11.12.4+541730/12.5.13/12.11.4/2025.1.2 IPSec out-of-bounds write (wgsa-2025-00019)

A vulnerability classified as critical was found in WatchGuard Fireware OS up to 11.12.4+541730/12.5.13/12.11.4/2025.1.2. Affected is an unknown function of

  

CVE-2025-12153 | Featured Image via URL Plugin up to 0.1 on WordPress unrestricted upload

A vulnerability, which was classified as critical, has been found in Featured Image via URL Plugin up to 0.1 on

  

CVE-2025-13622 | Jabbernotification Plugin up to 0.99-RC2 on WordPress admin.php PATH_INFO cross site scripting

A vulnerability, which was classified as problematic, was found in Jabbernotification Plugin up to 0.99-RC2 on WordPress. Affected by this

  

CVE-2025-12181 | ContentStudio Plugin up to 1.3.7 on WordPress cstu_update_post unrestricted upload

A vulnerability has been found in ContentStudio Plugin up to 1.3.7 on WordPress and classified as critical. This affects the

  

CVE-2025-12851 | My Auctions Allegro Plugin up to 3.6.32 on WordPress controller file inclusion

A vulnerability was found in My Auctions Allegro Plugin up to 3.6.32 on WordPress and classified as critical. This vulnerability

  

CVE-2025-13515 | Nouri.sh Newsletter Plugin up to 1.0.1.3 on WordPress $_SERVER['PHP_SELF'] cross site scripting

A vulnerability was found in Nouri.sh Newsletter Plugin up to 1.0.1.3 on WordPress. It has been declared as problematic. Impacted

  

CVE-2025-12370 | Takeads Plugin up to 1.0.13 on WordPress Setting authorization

A vulnerability was found in Takeads Plugin up to 1.0.13 on WordPress. It has been rated as problematic. The affected

  

CVE-2025-13623 | Twitscription Plugin up to 0.1.1 on WordPress admin.php PATH_INFO cross site scripting

A vulnerability categorized as problematic has been discovered in Twitscription Plugin up to 0.1.1 on WordPress. The impacted element is

  

CVE-2025-12354 | Live CSS Preview Plugin up to 2.0.0 on WordPress AJAX Endpoint wp_ajax_frontend_save authorization

A vulnerability identified as problematic has been detected in Live CSS Preview Plugin up to 2.0.0 on WordPress. This affects

  

CVE-2025-12133 | EPROLO Dropshipping Plugin up to 2.3.1 on WordPress AJAX Endpoint wp_ajax_eprolo_delete_tracking authorization

A vulnerability labeled as problematic has been found in EPROLO Dropshipping Plugin up to 2.3.1 on WordPress. This impacts the

  

CVE-2025-12093 | Voidek Employee Portal Plugin up to 1.0.6 on WordPress authorization

A vulnerability marked as critical has been reported in Voidek Employee Portal Plugin up to 1.0.6 on WordPress. Affected is

  

CVE-2025-12355 | Payaza Plugin up to 0.3.8 on WordPress AJAX Endpoint wp_ajax_nopriv_update_order_status authorization

A vulnerability described as problematic has been identified in Payaza Plugin up to 0.3.8 on WordPress. Affected by this vulnerability

  

CVE-2025-12850 | My Auctions Allegro Plugin up to 3.6.32 on WordPress auction_id sql injection

A vulnerability classified as critical has been found in My Auctions Allegro Plugin up to 3.6.32 on WordPress. Affected by

  

CVE-2025-13625 | WP-SOS-Donate Donation Sidebar Plugin up to 0.9.2 on WordPress $_SERVER['PHP_SELF'] cross site scripting

A vulnerability classified as problematic was found in WP-SOS-Donate Donation Sidebar Plugin up to 0.9.2 on WordPress. This affects an

  

CVE-2025-12154 | Auto Thumbnailer Plugin up to 1.0 on WordPress uploadThumb unrestricted upload

A vulnerability, which was classified as critical, has been found in Auto Thumbnailer Plugin up to 1.0 on WordPress. This

  

CVE-2025-12876 | Projectopia Plugin up to 5.1.19 on WordPress pto_delete_file authorization

A vulnerability, which was classified as critical, was found in Projectopia Plugin up to 5.1.19 on WordPress. This issue affects

  

CVE-2025-12130 | WC Vendors Plugin up to 2.6.4 on WordPress delete cross-site request forgery

A vulnerability has been found in WC Vendors Plugin up to 2.6.4 on WordPress and classified as problematic. Impacted is

  

CVE-2025-13860 | Easy Jump Links Menus Plugin up to 1.0.0 on WordPress Shortcode h_tags cross site scripting

A vulnerability was found in Easy Jump Links Menus Plugin up to 1.0.0 on WordPress and classified as problematic. The

  

CVE-2025-13620 | WP Social Login and Register Social Counter Plugin REST Endpoint wslu/v1/check_cache/ authorization

A vulnerability was found in WP Social Login and Register Social Counter Plugin up to 3.1.3 on WordPress. It has

  

CVE-2025-13144 | ContentStudio Plugin up to 1.3.7 on WordPress Setting add_cstu_settings cross-site request forgery

A vulnerability was found in ContentStudio Plugin up to 1.3.7 on WordPress. It has been declared as problematic. This affects

  

CVE-2025-12124 | FitVids Plugin up to 4.0.1 on WordPress Setting cross site scripting

A vulnerability was found in FitVids Plugin up to 4.0.1 on WordPress. It has been rated as problematic. This impacts

  

CVE-2025-12186 | Weekly Planner Plugin up to 1.0 on WordPress Setting cross site scripting

A vulnerability categorized as problematic has been discovered in Weekly Planner Plugin up to 1.0 on WordPress. Affected is an

  

CVE-2025-12373 | Torod Plugin up to 1.9 on WordPress Setting save_settings cross-site request forgery

A vulnerability identified as problematic has been detected in Torod Plugin up to 1.9 on WordPress. Affected by this vulnerability