Published on 08 Jan 2025
SingCERT's Security Bulletin summarises the list of vulnerabilities collated from the National Institute of Standards and Technology (NIST)'s National Vulnerability Database (NVD) in the past week.
The vulnerabilities are tabulated by severity, in accordance with their CVSSv3 base scores:
Severity | Base score range |
---|---|
Critical | vulnerabilities with a base score of 9.0 to 10.0 |
High | vulnerabilities with a base score of 7.0 to 8.9 |
Medium | vulnerabilities with a base score of 4.0 to 6.9 |
Low | vulnerabilities with a base score of 0.1 to 3.9 |
None | vulnerabilities with a base score of 0.0 |
For those vulnerabilities without assigned CVSS scores, please visit NVD for the updated CVSS vulnerability entries.
CVE Number | Description | Base Score | Reference |
---|---|---|---|
CVE-2024-43243 | Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGlow JobBoard Job listing allows Upload a Web Shell to a Web Server. This issue affects JobBoard Job listing: from n/a through 1.2.6. | 10 | https://nvd.nist.gov/vuln/detail/CVE-2024-43243 |
CVE-2024-56829 | Huang Yaoshi Pharmaceutical Management Software through 16.0 allows arbitrary file upload via a .asp filename in the fileName element of the UploadFile element in a SOAP request to /XSDService.asmx. | 10 | https://nvd.nist.gov/vuln/detail/CVE-2024-56829 |
CVE-2025-22133 | WeGIA is a web manager for charitable institutions. Prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as .phar, which can then be executed by the server. This vulnerability is fixed in 3.2.8. | 9.9 | https://nvd.nist.gov/vuln/detail/CVE-2025-22133 |
CVE-2024-12583 | The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. | 9.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-12583 |
CVE-2025-21624 | ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. Without proper checks, an attacker can upload a PHP script file instead of an image file, thus allowing a webshell or other malicious files to be stored and executed on the server. This attack vector exists in both the admin area and low-level user area. This vulnerability is fixed in 5.5.1 - 239. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2025-21624 |
CVE-2024-49649 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Abdul Hakeem Build App Online allows PHP Local File Inclusion. This issue affects Build App Online: from n/a through 1.0.23. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-49649 |
CVE-2024-49222 | Deserialization of Untrusted Data vulnerability in Amento Tech Pvt ltd WPGuppy allows Object Injection. This issue affects WPGuppy: from n/a through 1.1.0. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-49222 |
CVE-2024-8855 | The WordPress Auction Plugin WordPress plugin through 3.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing editors and above to perform SQL injection attacks | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-8855 |
CVE-2024-12470 | The School Management System – SakolaWP plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.8. This is due to the registration function not properly limiting what roles a user can register as. This makes it possible for unauthenticated attackers to register as an administrative user. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12470 |
CVE-2024-12264 | The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's identity prior to setting the users ID and auth cookies. This makes it possible for unauthenticated attackers to create new administrative user accounts. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12264 |
CVE-2024-12252 | The SEO LAT Auto Post plugin for WordPress is vulnerable to file overwrite due to a missing capability check on the remote_update AJAX action in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to overwrite the seo-beginner-auto-post.php file which can be leveraged to achieve remote code execution. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12252 |
CVE-2024-12402 | The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12402 |
CVE-2024-55529 | Z-BlogPHP 1.7.3 is vulnerable to arbitrary code execution via \\zb_users\\theme\\shell\\template. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55529 |
CVE-2024-46622 | An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38, 7.1.x before 7.1.11, 8.0.x before 8.0.18, and 8.1.x before 8.1.18 that allows arbitrary file creation, modification and deletion. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-46622 |
CVE-2025-21613 | go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2025-21613 |
CVE-2024-20148 | In wlan STA FW, there is a possible out of bounds write due to improper input validation. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00389045 / ALPS09136494; Issue ID: MSV-1796. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-20148 |
CVE-2025-22376 | In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2025-22376 |
CVE-2024-55507 | An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55507 |
CVE-2024-55078 | An arbitrary file upload vulnerability in the component /adminUser/updateImg of WukongCRM-11.0-JAVA v11.3.3 allows attackers to execute arbitrary code via uploading a crafted file. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55078 |
CVE-2024-9140 | Moxa’s cellular routers, secure routers, and network security appliances are affected by a critical vulnerability, CVE-2024-9140. This vulnerability allows OS command injection due to improperly restricted commands, potentially enabling attackers to execute arbitrary code. This poses a significant risk to the system’s security and functionality. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-9140 |
CVE-2024-53842 | In cc_SendCcImsInfoIndMsg of cc_MmConManagement.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53842 |
CVE-2024-56290 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows SQL Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.2. | 9.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56290 |
CVE-2024-56284 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SSL Wireless SSL Wireless SMS Notification allows SQL Injection. This issue affects SSL Wireless SMS Notification: from n/a through 3.5.0. | 9.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56284 |
CVE-2025-22275 | iTerm2 3.5.6 through 3.5.10 before 3.5.11 sometimes allows remote attackers to obtain sensitive information from terminal commands by reading the /tmp/framer.txt file. This can occur for certain it2ssh and SSH Integration configurations, during remote logins to hosts that have a common Python installation. | 9.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22275 |
CVE-2024-56278 | Improper Control of Generation of Code ('Code Injection') vulnerability in Smackcoders WP Ultimate Exporter allows PHP Remote File Inclusion. This issue affects WP Ultimate Exporter: from n/a through 2.9.1. | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56278 |
CVE-2024-54880 | SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to register accounts in bulk. | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-54880 |
CVE-2024-54879 | SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members indefinitely. | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-54879 |
CVE-2024-5594 | OpenVPN before 2.6.11 does not sanitize PUSH_REPLY messages properly, which attackers can use to inject unexpected arbitrary data into third-party executables or plug-ins. | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-5594 |
CVE-2024-56249 | Unrestricted Upload of File with Dangerous Type vulnerability in Webdeclic WPMasterToolKit allows Upload a Web Shell to a Web Server. This issue affects WPMasterToolKit: from n/a through 1.13.1. | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56249 |

CVE Number | Description | Base Score | Reference |
---|---|---|---|
CVE-2024-55555 | Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55555 |
CVE-2024-53345 | An authenticated arbitrary file upload vulnerability in Car Rental Management System v1.0 to v1.3 allows attackers to execute arbitrary code via uploading a crafted file. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53345 |
CVE-2024-56280 | Incorrect Privilege Assignment vulnerability in Amento Tech Pvt ltd WPGuppy allows Privilege Escalation. This issue affects WPGuppy: from n/a through 1.1.0. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-56280 |
CVE-2024-49644 | Incorrect Privilege Assignment vulnerability in AllAccessible Team Accessibility by AllAccessible allows Privilege Escalation. This issue affects Accessibility by AllAccessible: from n/a through 1.3.4. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-49644 |
CVE-2024-47398 | OpenHarmony v4.1.2 and prior versions allow a local attacker to render the device unable to boot up through an out-of-bounds write. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-47398 |
CVE-2024-12202 | The Croma Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'ironMusic_ajax' function in all versions up to, and including, 3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12202 |
CVE-2024-11725 | The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the updateWcWarrantySettings() function in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Please note this requires the woocommerce-warranty plugin to be installed in order to be exploited. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-11725 |
CVE-2024-12471 | The Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator plugin for WordPress is vulnerable to arbitrary files uploads due to a missing capability check and file type validation on the add_image_to_library AJAX action function in all versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files that make remote code execution possible. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12471 |
CVE-2024-12322 | The ThePerfectWedding.nl Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8. This is due to missing or incorrect nonce validation on the 'update_option' function. This makes it possible for unauthenticated attackers to update the 'tpwKey' option with stored cross-site scripting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12322 |
CVE-2024-55074 | The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a crafted HTML or SVG file, a different issue than CVE-2024-8370. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55074 |
CVE-2025-21611 | tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions regardless of their permissions. Notably, the WriteUsers right is unaffected so users may not use this bug to permanently elevate their account permissions. The fix is released in tgstation-server-v6.12.3. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2025-21611 |
CVE-2024-10957 | The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions from 1.23.8 to 1.24.11 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. An administrator must perform a search and replace action to trigger the exploit. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-10957 |
CVE-2024-10932 | The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-10932 |
CVE-2024-13129 | A vulnerability was found in Roxy-WI up to 8.1.3. It has been declared as critical. Affected by this vulnerability is the function action_service of the file app/modules/roxywi/roxy.py. The manipulation of the argument action/service leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 8.1.4 is able to address this issue. The identifier of the patch is 32313928eb9ce906887b8a30bf7b9a3d5c0de1be. It is recommended to upgrade the affected component. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-13129 |
CVE-2024-35365 | FFmpeg version n6.1.1 has a double-free vulnerability in the fftools/ffmpeg_mux_init.c component of FFmpeg, specifically within the new_stream_audio function. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-35365 |
CVE-2024-43767 | In prepare_to_draw_into_mask of SkBlurMaskFilterImpl.cpp, there is a possible heap overflow due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43767 |
CVE-2024-39623 | Cross-Site Request Forgery (CSRF) vulnerability in CridioStudio ListingPro allows Authentication Bypass. This issue affects ListingPro: from n/a through 2.9.4. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-39623 |
CVE-2023-47179 | Missing Authorization vulnerability in ByConsole WooODT Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooODT Lite: from n/a through 2.4.6. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2023-47179 |
CVE-2024-49249 | Path Traversal vulnerability in SMSA Express SMSA Shipping allows Path Traversal. This issue affects SMSA Shipping: from n/a through 2.3. | 8.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-49249 |
CVE-2024-12535 | The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited. | 8.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-12535 |
CVE-2025-21612 | TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2. | 8.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-21612 |
CVE-2025-22519 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in eDoc Intelligence LLC eDoc Easy Tables allows SQL Injection. This issue affects eDoc Easy Tables: from n/a through 1.29. | 8.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22519 |
CVE-2025-22348 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RTO GmbH DynamicTags allows Blind SQL Injection. This issue affects DynamicTags: from n/a through 1.4.0. | 8.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22348 |
CVE-2024-51715 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickWhale ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages allows Blind SQL Injection. This issue affects ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages: from n/a through 2.4.1. | 8.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-51715 |
CVE-2024-11626 | Improper Neutralization of Input During CMS Backend (administrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. | 8.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11626 |
CVE-2021-27285 | An issue was discovered in Inspur ClusterEngine v4.0 that allows attackers to gain escalated Local privileges and execute arbitrary commands via /opt/tsce4/torque6/bin/getJobsByShell. | 8.4 | https://nvd.nist.gov/vuln/detail/CVE-2021-27285 |
CVE-2024-45555 | Memory corruption can occur if an already verified IFS2 image is overwritten, bypassing boot verification. This allows unauthorized programs to be injected into security-sensitive images, enabling the booting of a tampered IFS2 system image. | 8.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-45555 |
CVE-2024-21464 | Memory corruption while processing IPA statistics, when there are no active clients registered. | 8.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-21464 |
CVE-2025-22132 | WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute arbitrary scripts in the context of a victim's browser. This can lead to information theft, session hijacking, and other forms of client-side exploitation. This vulnerability is fixed in 3.2.7. | 8.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22132 |
CVE-2024-40702 | IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation. | 8.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-40702 |
CVE-2025-22347 | Cross-Site Request Forgery (CSRF) vulnerability in BannerSky.com BSK Forms Blacklist allows Blind SQL Injection. This issue affects BSK Forms Blacklist: from n/a through 3.9. | 8.2 | https://nvd.nist.gov/vuln/detail/CVE-2025-22347 |
CVE-2025-22395 | Dell Update Package Framework, versions prior to 22.01.02, contain(s) a Local Privilege Escalation Vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary remote scripts on the server. Exploitation may lead to a denial of service by an attacker. | 8.2 | https://nvd.nist.gov/vuln/detail/CVE-2025-22395 |
CVE-2024-53800 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rezgo Rezgo allows PHP Local File Inclusion. This issue affects Rezgo: from n/a through 4.15. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-53800 |
CVE-2024-56291 | Deserialization of Untrusted Data vulnerability in plainware.com PlainInventory allows Object Injection. This issue affects PlainInventory: from n/a through 3.1.6. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56291 |
CVE-2024-56283 | Deserialization of Untrusted Data vulnerability in plainware.com Locatoraid Store Locator allows Object Injection. This issue affects Locatoraid Store Locator: from n/a through 3.9.50. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56283 |
CVE-2024-12313 | The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the 'woo_compare_list' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12313 |
CVE-2024-55076 | Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-55076 |
CVE-2024-20154 | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00720348; Issue ID: MSV-2392. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-20154 |
CVE-2024-20146 | In wlan STA driver, there is a possible out of bounds write due to improper input validation. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00389496 / ALPS09137491; Issue ID: MSV-1835. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-20146 |
CVE-2024-55410 | An issue in the 690b33e1-0462-4e84-9bea-c7552b45432a.sys component of Asus GPU Tweak II Program Driver v1.0.0.0 allows attackers to perform arbitrary read and write actions via supplying crafted IOCTL requests. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55410 |
CVE-2024-55407 | An issue in the DeviceIoControl function of ITE Tech. Inc ITE IO Access v1.0.0.0 allows attackers to perform arbitrary port read and write actions via supplying crafted IOCTL requests. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55407 |
CVE-2024-56766 | In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: fix double free in atmel_pmecc_create_user() The "user" pointer was converted from being allocated with kzalloc() to being allocated by devm_kzalloc(). Calling kfree(user) will lead to a double free. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-56766 |
CVE-2024-56765 | In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/vas: Add close() callback in vas_vm_ops struct The mapping VMA address is saved in VAS window struct when the paste address is mapped. This VMA address is used during migration to unmap the paste address if the window is active. The paste address mapping will be removed when the window is closed or with the munmap(). But the VMA address in the VAS window is not updated with munmap() which is causing invalid access during migration. The KASAN report shows: ---truncated--- | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-56765 |
CVE-2024-56764 | In the Linux kernel, the following vulnerability has been resolved: ublk: detach gendisk from ublk device if add_disk() fails Inside ublk_abort_requests(), gendisk is grabbed for aborting all inflight requests. And ublk_abort_requests() is called when exiting the uring context or handling timeout. If add_disk() fails, the gendisk may have been freed when calling ublk_abort_requests(), so use-after-free can be caused when getting disk's reference in ublk_abort_requests(). Fixes the bug by detaching gendisk from ublk device if add_disk() fails. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-56764 |
CVE-2024-56759 | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free when COWing tree block and tracing is enabled When COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-56759 |
CVE-2024-45553 | Memory corruption can occur when process-specific maps are added to the global list. If a map is removed from the global list while another thread is using it for a process-specific task, issues may arise. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45553 |
CVE-2024-45550 | Memory corruption occurs when invoking any IOCTL-calling application that executes all MCDM driver IOCTL calls. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45550 |
CVE-2024-45548 | Memory corruption while processing FIPS encryption or decryption validation functionality IOCTL call. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45548 |
CVE-2024-45547 | Memory corruption while processing IOCTL call invoked from user-space to verify non extension FIPS encryption and decryption functionality. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45547 |
CVE-2024-45546 | Memory corruption while processing FIPS encryption or decryption IOCTL call invoked from user-space. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45546 |
CVE-2024-45542 | Memory corruption when IOCTL call is invoked from user-space to write board data to WLAN driver. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45542 |
CVE-2024-45541 | Memory corruption when IOCTL call is invoked from user-space to read board data. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45541 |
CVE-2024-53841 | In startListeningForDeviceStateChanges, there is a possible Permission Bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53841 |
CVE-2024-53840 | There is a possible biometric bypass due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53840 |
CVE-2024-53838 | In Exynos_parsing_user_data_registered_itu_t_t35 of VendorVideoAPI.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53838 |
CVE-2024-53837 | In prepare_response of lwis_periodic_io.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53837 |
CVE-2024-53835 | There is a possible biometric bypass due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53835 |
CVE-2024-53833 | In prepare_response_locked of lwis_transaction.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53833 |
CVE-2024-47032 | In construct_transaction_from_cmd of lwis_ioctl.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-47032 |
CVE-2024-11624 | There is a possible way to add apps to bypass VPN due to an Undeclared Permission. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-11624 |
CVE-2024-43769 | In isPackageDeviceAdmin of PackageManagerService.java, there is a possible edge case which could prevent the uninstallation of CloudDpc due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43769 |
CVE-2024-43768 | In skia_alloc_func of SkDeflate.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43768 |
CVE-2024-43764 | In onPrimaryClipChanged of ClipboardListener.java, there is a possible way to partially bypass lock screen. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43764 |
CVE-2024-43762 | In multiple locations, there is a possible way to avoid unbinding of a service from the system due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43762 |
CVE-2024-43097 | In resizeToAtLeast of SkRegion.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43097 |
CVE-2024-43077 | In DevmemValidateFlags of devicemem_server.c, there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43077 |
CVE-2024-11625 | Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. | 7.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-11625 |
CVE-2025-22350 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WpIndeed Ultimate Learning Pro allows SQL Injection. This issue affects Ultimate Learning Pro: from n/a through 3.9. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22350 |
CVE-2025-22536 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hiren Patel WP Music Player allows SQL Injection. This issue affects WP Music Player: from n/a through 1.3. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22536 |
CVE-2025-22533 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WOOEXIM.COM WOOEXIM allows SQL Injection. This issue affects WOOEXIM: from n/a through 5.0.0. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22533 |
CVE-2025-22507 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Benjamin Santalucia (ben@woow-fr.com) WPMU Prefill Post allows SQL Injection. This issue affects WPMU Prefill Post: from n/a through 1.02. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22507 |
CVE-2025-22502 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mindvalley MindValley Super PageMash allows SQL Injection. This issue affects MindValley Super PageMash: from n/a through 1.1. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22502 |
CVE-2025-22352 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows Blind SQL Injection. This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through 1.4.8. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22352 |
CVE-2025-22351 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PenguinArts Contact Form 7 Database – CFDB7 allows SQL Injection. This issue affects Contact Form 7 Database – CFDB7: from n/a through 1.0.0. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22351 |
CVE-2025-22349 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Owen Cutajar & Hyder Jaffari WordPress Auction Plugin allows SQL Injection. This issue affects WordPress Auction Plugin: from n/a through 3.7. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22349 |
CVE-2024-56250 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GregRoss Just Writing Statistics allows SQL Injection. This issue affects Just Writing Statistics: from n/a through 4.7. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-56250 |
CVE-2024-56247 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AF themes WP Post Author allows SQL Injection. This issue affects WP Post Author: from n/a through 3.8.2. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-56247 |
CVE-2024-8361 | In SiWx91x devices, the SHA2/224 algorithm returns a hash of 256 bits instead of 224 bits. This incorrect hash length triggers a software assertion, which subsequently causes a Denial of Service (DoS). If a watchdog is implemented, the device will restart after the watchdog expires. If a watchdog is not implemented, the device can be recovered only after a hard reset. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-8361 |
CVE-2025-22592 | Missing Authorization vulnerability in Lenderd 1003 Mortgage Application allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects 1003 Mortgage Application: from n/a through 1.87. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22592 |
CVE-2025-21623 | ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 238, ClipBucket V5 allows unauthenticated attackers to change the template directory via a directory traversal, which results in a denial of service. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-21623 |
CVE-2025-21622 | ClipBucket V5 provides open source video hosting with PHP. During the user avatar upload workflow, a user can choose to upload and change their avatar at any time. During deletion, ClipBucket checks for the avatar_url as a filepath within the avatars subdirectory. If the URL path exists within the avatars directory, ClipBucket will delete it. There is no check for path traversal sequences in the provided user input (stored in the DB as avatar_url) therefore the final $file variable could be tainted with path traversal sequences. This leads to file deletion outside of the intended scope of the avatars folder. This vulnerability is fixed in 5.5.1 - 237. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-21622 |
CVE-2024-46603 | An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-46603 |
CVE-2024-46602 | An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. An XML External Entity (XXE) vulnerability may allow an attacker to cause a Denial of Service (DoS) via a crafted XML payload. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-46602 |
CVE-2024-46242 | An issue in the validate_email function in CTFd/utils/validators/__init__.py of CTFd 3.7.3 allows attackers to cause a Regular expression Denial of Service (ReDoS) via supplying a crafted string as e-mail address during registration. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-46242 |
CVE-2025-22364 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Service Shogun Ach Invoice App allows PHP Local File Inclusion. This issue affects Ach Invoice App: from n/a through 1.0.1. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22364 |
CVE-2024-56300 | Insertion of Sensitive Information Into Sent Data vulnerability in WPSpins Post/Page Copying Tool allows Retrieve Embedded Sensitive Data. This issue affects Post/Page Copying Tool: from n/a through 2.0.0. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56300 |
CVE-2024-56286 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Classic Addons Classic Addons – WPBakery Page Builder allows PHP Local File Inclusion. This issue affects Classic Addons – WPBakery Page Builder: from n/a through 3.0. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56286 |
CVE-2024-56282 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elicus WPMozo Addons Lite for Elementor allows PHP Local File Inclusion. This issue affects WPMozo Addons Lite for Elementor: from n/a through 1.1.0. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56282 |
CVE-2024-56281 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodeMShop 워드프레스 결제 심플페이 allows PHP Local File Inclusion. This issue affects 워드프레스 결제 심플페이: from n/a through 5.2.0. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56281 |
CVE-2024-12152 | The MIPL WC Multisite Sync plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.5 via the 'mipl_wc_sync_download_log' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-12152 |
CVE-2024-12849 | The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-12849 |
CVE-2024-12157 | The Popup – MailChimp, GetResponse and ActiveCampaign Intergrations plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'upc_delete_db_record' AJAX action in all versions up to, and including, 3.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-12157 |
CVE-2024-12416 | The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to SQL Injection via the 'woomotiv_seen_products_.*' cookie in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-12416 |
CVE-2025-21620 | Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-21620 |
CVE-2024-55553 | In FRRouting (FRR) before 10.3, it is possible for an attacker to trigger repeated RIB revalidation by sending approximately 500 RPKI updates, potentially leading to prolonged revalidation times and a Denial of Service (DoS) scenario. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-55553 |
CVE-2024-54767 | An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-54767 |
CVE-2024-48457 | An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the endpoint /cgi-bin/skk_set.cgi and binary /bin/scripts/start_wifi.sh. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-48457 |
CVE-2024-48456 | An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the parameter password at the change admin password page at the router web interface. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-48456 |
CVE-2024-55629 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, TCP streams with TCP urgent data (out of band data) can lead to Suricata analyzing data differently than the applications at the TCP endpoints, leading to possible evasions. Suricata 7.0.8 includes options to allow users to configure how to handle TCP urgent data. In IPS mode, you can use a rule such as drop tcp any any -> any any (sid:1; tcp.flags:U*;) to drop all the packets with urgent flag set. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-55629 |
CVE-2024-55628 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to very large DNS log records. While there are limits in place, they were too generous. The issue has been addressed in Suricata 7.0.8. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-55628 |
CVE-2025-21618 | NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-21618 |
CVE-2025-21614 | go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-21614 |
CVE-2024-55605 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large input buffer to the to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, or xor transform can lead to a stack overflow causing Suricata to crash. The issue has been addressed in Suricata 7.0.8. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-55605 |
CVE-2024-8474 | OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-8474 |
CVE-2024-45558 | Transient DOS can occur when the driver parses the per STA profile IE and tries to access the EXTN element ID without checking the IE length. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-45558 |
CVE-2024-43064 | Uncontrolled resource consumption when a driver, an application or a SMMU client tries to access the global registers through SMMU. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-43064 |
CVE-2024-20153 | In wlan STA, there is a possible way to trick a client to connect to an AP with spoofed SSID. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08990446 / ALPS09057442; Issue ID: MSV-1598. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-20153 |
CVE-2024-20150 | In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01412526; Issue ID: MSV-2018. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-20150 |
CVE-2024-20149 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01231341 / MOLY01263331 / MOLY01233835; Issue ID: MSV-2165. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-20149 |
CVE-2024-41766 | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause a denial of service using a complex regular expression. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-41766 |
CVE-2025-22390 | An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS due to insufficient enforcement of password complexity requirements. The application permits users to set passwords with a minimum length of 6 characters, lacking adequate complexity to resist modern attack techniques such as password spraying or offline password cracking. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22390 |
CVE-2025-22387 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue exists in requests for resources where the session token is submitted as a URL parameter. This exposes information about the authenticated session, which can be leveraged for session hijacking. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22387 |
CVE-2025-22384 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue concerning business logic exists in the Commerce B2B application, which allows storefront visitors to purchase discontinued products in specific scenarios where requests are altered before reaching the server. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22384 |
CVE-2024-48814 | SQL Injection vulnerability in Silverpeas 6.4.1 allows a remote attacker to obtain sensitive information via the ViewType parameter of the findbywhereclause function. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-48814 |
CVE-2024-53834 | In sms_DisplayHexDumpOfPrivacyBuffer of sms_Utilities.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-53834 |
CVE-2023-47693 | Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through 3.2.6. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-47693 |
CVE-2023-47648 | Missing Authorization vulnerability in spider-themes EazyDocs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EazyDocs: from n/a through 2.3.5. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-47648 |
CVE-2023-47224 | Missing Authorization vulnerability in WP Travel WP Travel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Travel: from n/a through 7.8.0. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-47224 |
CVE-2025-0233 | A vulnerability was found in Codezips Project Management System 1.0. It has been classified as critical. This affects an unknown part of the file /pages/forms/course.php. The manipulation of the argument course_name leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0233 |
CVE-2024-41767 | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-41767 |
CVE-2025-0210 | A vulnerability has been found in Campcodes School Faculty Scheduling System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=login. The manipulation of the argument username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0210 |
CVE-2025-0207 | A vulnerability, which was classified as critical, has been found in code-projects Online Shoe Store 1.0. Affected by this issue is some unknown functionality of the file /function/login.php. The manipulation of the argument password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0207 |
CVE-2025-22386 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22386 |
CVE-2024-11733 | The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-11733 |
CVE-2023-45104 | Missing Authorization vulnerability in WPDeveloper BetterLinks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BetterLinks: from n/a through 1.6.0. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45104 |
CVE-2024-54007 | Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge which could lead to authenticated remote command execution. Successful exploitation of these vulnerabilities results in the ability of an attacker to execute arbitrary commands as a privileged user on the underlying operating system. Exploitation requires administrative authentication credentials on the host system. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-54007 |
CVE-2024-54006 | Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge which could lead to authenticated remote command execution. Successful exploitation of these vulnerabilities results in the ability of an attacker to execute arbitrary commands as a privileged user on the underlying operating system. Exploitation requires administrative authentication credentials on the host system. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-54006 |
CVE-2024-48245 | Vehicle Management System 1.0 is vulnerable to SQL Injection. A guest user can exploit vulnerable POST parameters in various administrative actions, such as booking a vehicle or confirming a booking. The affected parameters include "Booking ID", "Action Name", and "Payment Confirmation ID", which are present in /newvehicle.php and /newdriver.php. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-48245 |
CVE-2024-11465 | The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5 via deserialization of untrusted input in the 'yikes_woo_products_tabs' post meta parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-11465 |
CVE-2023-6605 | A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2023-6605 |
CVE-2024-9138 | Moxa’s cellular routers, secure routers, and network security appliances are affected by a high-severity vulnerability, CVE-2024-9138. This vulnerability involves hard-coded credentials, enabling an authenticated user to escalate privileges and gain root-level access to the system, posing a significant security risk. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-9138 |
CVE-2024-13062 | An unintended entry point vulnerability has been identified in certain router models, which may allow for arbitrary command execution. Refer to the '01/02/2025 ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-13062 |
CVE-2024-12912 | An improper input insertion vulnerability in AiCloud on certain router models may lead to arbitrary command execution. Refer to the '01/02/2025 ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-12912 |
CVE-2025-22593 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Burria Laika Pedigree Tree allows Stored XSS. This issue affects Laika Pedigree Tree: from n/a through 1.4. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22593 |
CVE-2025-22590 | Cross-Site Request Forgery (CSRF) vulnerability in mmrs151 Prayer Times Anywhere allows Stored XSS. This issue affects Prayer Times Anywhere: from n/a through 2.0.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22590 |
CVE-2025-22589 | Cross-Site Request Forgery (CSRF) vulnerability in bozdoz Quote Tweet allows Stored XSS. This issue affects Quote Tweet: from n/a through 0.7. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22589 |
CVE-2025-22582 | Cross-Site Request Forgery (CSRF) vulnerability in Scott Nellé Uptime Robot allows Stored XSS. This issue affects Uptime Robot: from n/a through 0.1.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22582 |
CVE-2025-22571 | Cross-Site Request Forgery (CSRF) vulnerability in Instabot Instabot allows Cross Site Request Forgery. This issue affects Instabot: from n/a through 1.10. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22571 |
CVE-2025-22559 | Cross-Site Request Forgery (CSRF) vulnerability in Mario Mansour and Geoff Peters TubePress.NET allows Cross Site Request Forgery. This issue affects TubePress.NET: from n/a through 4.0.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22559 |
CVE-2025-22557 | Cross-Site Request Forgery (CSRF) vulnerability in WPMagic News Publisher Autopilot allows Cross Site Request Forgery. This issue affects News Publisher Autopilot: from n/a through 2.1.4. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22557 |
CVE-2025-22556 | Cross-Site Request Forgery (CSRF) vulnerability in Greg Whitehead Norse Rune Oracle Plugin allows Cross Site Request Forgery. This issue affects Norse Rune Oracle Plugin: from n/a through 1.4.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22556 |
CVE-2025-22555 | Cross-Site Request Forgery (CSRF) vulnerability in Noel Jarencio. Smoothness Slider Shortcode allows Cross Site Request Forgery. This issue affects Smoothness Slider Shortcode: from n/a through v1.2.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22555 |
CVE-2025-22552 | Cross-Site Request Forgery (CSRF) vulnerability in Jason Keeley, Bryan Nielsen Affiliate Disclosure Statement allows Cross Site Request Forgery. This issue affects Affiliate Disclosure Statement: from n/a through 0.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22552 |
CVE-2025-22548 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Koenen ldap_login_password_and_role_manager allows Stored XSS. This issue affects ldap_login_password_and_role_manager: from n/a through 1.0.12. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22548 |
CVE-2025-22547 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jay Krishnan G JK Html To Pdf allows Stored XSS. This issue affects JK Html To Pdf: from n/a through 1.0.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22547 |
CVE-2025-22538 | Cross-Site Request Forgery (CSRF) vulnerability in Ofek Nakar Virtual Bot allows Stored XSS. This issue affects Virtual Bot: from n/a through 1.0.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22538 |
CVE-2025-22522 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Roya Khosravi SingSong allows Stored XSS. This issue affects SingSong: from n/a through 1.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22522 |
CVE-2025-22520 | Cross-Site Request Forgery (CSRF) vulnerability in Tock Tock Widget allows Cross Site Request Forgery. This issue affects Tock Widget: from n/a through 1.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22520 |
CVE-2025-22338 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lich_wang WP-tagMaker allows Reflected XSS. This issue affects WP-tagMaker: from n/a through 0.2.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22338 |
CVE-2025-22335 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Md. Rajib Dewan Opencart Product in WP allows Reflected XSS. This issue affects Opencart Product in WP: from n/a through 1.0.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22335 |
CVE-2025-22294 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gravity Master Custom Field For WP Job Manager allows Reflected XSS. This issue affects Custom Field For WP Job Manager: from n/a through 1.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22294 |
CVE-2024-56056 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kmfoysal06 SimpleCharm allows Reflected XSS. This issue affects SimpleCharm: from n/a through 1.4.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56056 |
CVE-2025-22359 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PJFC SyncFields allows Reflected XSS. This issue affects SyncFields: from n/a through 2.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22359 |
CVE-2025-22358 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcon Simone Wp advertising management allows Reflected XSS. This issue affects Wp advertising management: from n/a through 1.0.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22358 |
CVE-2025-22357 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simple Plugins Target Notifications allows Reflected XSS. This issue affects Target Notifications: from n/a through 1.1.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22357 |
CVE-2025-22355 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kiKx Kikx Simple Post Author Filter allows Reflected XSS. This issue affects Kikx Simple Post Author Filter: from n/a through 1.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22355 |
CVE-2025-22353 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Balcom-Vetillo Design, Inc. BVD Easy Gallery Manager allows Reflected XSS. This issue affects BVD Easy Gallery Manager: from n/a through 1.0.6. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22353 |
CVE-2025-22343 | Cross-Site Request Forgery (CSRF) vulnerability in Dennis Koot wpSOL allows Stored XSS. This issue affects wpSOL: from n/a through 1.2.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22343 |
CVE-2025-22342 | Cross-Site Request Forgery (CSRF) vulnerability in Jens Törnell WP Simple Sitemap allows Stored XSS. This issue affects WP Simple Sitemap: from n/a through 0.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22342 |
CVE-2025-22336 | Cross-Site Request Forgery (CSRF) vulnerability in WordPress 智库 Wizhi Multi Filters by Wenprise allows Stored XSS. This issue affects Wizhi Multi Filters by Wenprise: from n/a through 1.8.6. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22336 |
CVE-2025-22328 | Cross-Site Request Forgery (CSRF) vulnerability in Elevio Elevio allows Stored XSS. This issue affects Elevio: from n/a through 4.4.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22328 |
CVE-2025-22326 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 5centsCDN 5centsCDN allows Reflected XSS. This issue affects 5centsCDN: from n/a through 24.8.16. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22326 |
CVE-2025-22325 | Cross-Site Request Forgery (CSRF) vulnerability in Nik Chankov Autocompleter allows Stored XSS. This issue affects Autocompleter: from n/a through 1.3.5.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22325 |
CVE-2025-22324 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andon Ivanov OZ Canonical allows Reflected XSS. This issue affects OZ Canonical: from n/a through 0.5. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22324 |
CVE-2025-22320 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProductDyno ProductDyno allows Reflected XSS. This issue affects ProductDyno: from n/a through 1.0.24. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22320 |
CVE-2024-56299 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pektsekye Notify Odoo allows Stored XSS. This issue affects Notify Odoo: from n/a through 1.0.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56299 |
CVE-2024-56296 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hometory Mang Board WP allows Reflected XSS. This issue affects Mang Board WP: from n/a through 1.8.4. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56296 |
CVE-2024-56289 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Groundhogg Inc. Groundhogg allows Reflected XSS. This issue affects Groundhogg: from n/a through 3.7.3.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56289 |
CVE-2024-51700 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 김 민준 (Minjun Kim) NAVER Analytics allows Stored XSS. This issue affects NAVER Analytics: from n/a through 0.9. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-51700 |
CVE-2024-49633 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Designinvento DirectoryPress allows Reflected XSS. This issue affects DirectoryPress: from n/a through 3.6.19. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-49633 |
CVE-2024-12633 | The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 5.6.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12633 |
CVE-2023-48758 | Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetEngine: from n/a through 3.2.4. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2023-48758 |
CVE-2024-56014 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Markyis Cool Olivia allows Reflected XSS. This issue affects Olivia: from n/a through 0.9.5. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56014 |
CVE-2024-56267 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fla-shop.com Interactive UK Map allows Stored XSS. This issue affects Interactive UK Map: from n/a through 3.4.8. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56267 |
CVE-2024-56026 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg Priday Simple Proxy allows Reflected XSS. This issue affects Simple Proxy: from n/a through 1.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56026 |
CVE-2024-56025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AdWorkMedia.com AdWork Media EZ Content Locker allows Reflected XSS. This issue affects AdWork Media EZ Content Locker: from n/a through 3.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56025 |
CVE-2024-56024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DuoGeek Custom Dashboard Widget allows Reflected XSS. This issue affects Custom Dashboard Widget: from n/a through 1.0.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56024 |
CVE-2024-56023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Perfect Solution WP eCommerce Quickpay allows Reflected XSS. This issue affects WP eCommerce Quickpay: from n/a through 1.1.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56023 |
CVE-2024-56022 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress Monsters Preloader by WordPress Monsters allows Reflected XSS. This issue affects Preloader by WordPress Monsters: from n/a through 1.2.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56022 |
CVE-2024-56018 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boston University (IS&T) BU Section Editing allows Reflected XSS. This issue affects BU Section Editing: from n/a through 0.9.9. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56018 |
CVE-2023-46632 | Missing Authorization vulnerability in David Cramer My Shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Shortcodes: from n/a through 2.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2023-46632 |
CVE-2024-56069 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Azzaroco WP SuperBackup allows Reflected XSS. This issue affects WP SuperBackup: from n/a through 2.3.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56069 |
CVE-2024-56060 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HTML Forms allows Reflected XSS. This issue affects HTML Forms: from n/a through 1.4.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56060 |
CVE-2024-56038 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SendSMS allows Reflected XSS. This issue affects SendSMS: from n/a through 1.2.9. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56038 |
CVE-2024-56037 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Md Maruf Adnan Sami User Referral allows Reflected XSS. This issue affects User Referral: from n/a through 8.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56037 |
CVE-2024-56036 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ondrej Donek odPhotogallery allows Reflected XSS. This issue affects odPhotogallery: from n/a through 0.5.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56036 |
CVE-2024-56035 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kurt Payne Upload Scanner allows Reflected XSS. This issue affects Upload Scanner: from n/a through 1.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56035 |
CVE-2024-56034 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Irshad Services updates for customers allows Reflected XSS. This issue affects Services updates for customers: from n/a through 1.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56034 |
CVE-2024-56033 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 FAQs allows Reflected XSS. This issue affects FAQs: from n/a through 1.0.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56033 |
CVE-2024-56032 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Foliovision FV Descriptions allows Reflected XSS. This issue affects FV Descriptions: from n/a through 1.4. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56032 |
CVE-2024-56030 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10CentMail allows Reflected XSS. This issue affects 10CentMail: from n/a through 2.1.50. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56030 |
CVE-2024-56029 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dreamwinner Easy Language Switcher allows Reflected XSS. This issue affects Easy Language Switcher: from n/a through 1.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56029 |
CVE-2024-56028 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lemonade Coding Studio Lemonade Social Networks Autoposter Pinterest allows Reflected XSS. This issue affects Lemonade Social Networks Autoposter Pinterest: from n/a through 2.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56028 |
CVE-2024-56027 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BizSwoop a CPF Concepts, LLC Brand Leads CRM allows Reflected XSS. This issue affects Leads CRM: from n/a through 2.0.13. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56027 |
CVE-2024-12430 | An attacker who successfully exploited these vulnerabilities could enable command execution. A vulnerability exists in the AC500 V3 version mentioned. After successfully exploiting CVE-2024-12429 (directory traversal), a successfully authenticated attacker can inject arbitrary commands into a specifically crafted file, which will then be executed as the root user. All AC500 V3 products (PM5xxx) with firmware version earlier than 3.8.0 are affected by this vulnerability. | 7 | https://nvd.nist.gov/vuln/detail/CVE-2024-12430 |
CVE-2024-46981 | Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands. | 7 | https://nvd.nist.gov/vuln/detail/CVE-2024-46981 |
CVE-2024-11681 | A malicious or compromised MacPorts mirror can execute arbitrary commands as root on the machine of a client running port selfupdate against the mirror. | 6.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-11681 |
CVE-2024-11627 | : Insufficient Session Expiration vulnerability in Progress Sitefinity allows : Session Fixation.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. | 6.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-11627 |
CVE-2024-33061 | Information disclosure while processing IOCTL call made for releasing a trusted VM process release or opening a channel without initializing the process. | 6.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-33061 |
CVE-2024-56137 | MaxKB, which stands for Max Knowledge Base, is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Prior to version 1.9.0, a remote command execution vulnerability exists in the module of function library. The vulnerability allow privileged users to execute OS command in custom scripts. The vulnerability has been fixed in v1.9.0. | 6.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-56137 |
CVE-2024-33059 | Memory corruption while processing frame command IOCTL calls. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-33059 |
CVE-2024-33055 | Memory corruption while invoking IOCTL calls to unmap the DMA buffers. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-33055 |
CVE-2024-33041 | Memory corruption when input parameter validation for number of fences is missing for fence frame IOCTL calls. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-33041 |
CVE-2024-20151 | In Modem, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: MOLY01399339; Issue ID: MSV-1928. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-20151 |
CVE-2024-20140 | In power, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS09270402; Issue ID: MSV-2020. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-20140 |
CVE-2024-20105 | In m4u, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS09062027; Issue ID: MSV-1743. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-20105 |
CVE-2024-53836 | In wbrc_bt_dev_write of wb_regon_coordinator.c, there is a possible out of bounds write due to a buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-53836 |
CVE-2024-23366 | Information Disclosure while invoking the mailbox write API when message received from user is larger than mailbox size. | 6.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-23366 |
CVE-2024-20145 | In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09290940; Issue ID: MSV-2040. | 6.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-20145 |
CVE-2024-20144 | In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09167056; Issue ID: MSV-2041. | 6.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-20144 |
CVE-2024-20143 | In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09167056; Issue ID: MSV-2069. | 6.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-20143 |
CVE-2024-56264 | Unrestricted Upload of File with Dangerous Type vulnerability in Beee ACF City Selector allows Upload a Web Shell to a Web Server. This issue affects ACF City Selector: from n/a through 1.14.0. | 6.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-56264 |
CVE-2025-22500 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ali Ali Alpha Price Table For Elementor allows DOM-Based XSS. This issue affects Alpha Price Table For Elementor: from n/a through 1.0.8. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22500 |
CVE-2025-22365 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric McNiece EMC2 Alert Boxes allows Stored XSS. This issue affects EMC2 Alert Boxes: from n/a through 1.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22365 |
CVE-2025-22354 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Code Themes Digi Store allows DOM-Based XSS. This issue affects Digi Store: from n/a through 1.1.4. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22354 |
CVE-2025-22334 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FilaThemes Education LMS allows Stored XSS. This issue affects Education LMS: from n/a through 0.0.7. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22334 |
CVE-2025-22296 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Hash Elements. This issue affects Hash Elements: from n/a through 1.4.9. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22296 |
CVE-2025-22585 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Ultimate Image Hover Effects allows DOM-Based XSS. This issue affects Ultimate Image Hover Effects: from n/a through 1.1.2. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22585 |
CVE-2025-22584 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pluginspoint Timeline Pro allows DOM-Based XSS. This issue affects Timeline Pro: from n/a through 1.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22584 |
CVE-2025-22581 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bytephp Arcade Ready allows Stored XSS. This issue affects Arcade Ready: from n/a through 1.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22581 |
CVE-2025-22580 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Biltorvet A/S Biltorvet Dealer Tools allows Stored XSS. This issue affects Biltorvet Dealer Tools: from n/a through 1.0.22. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22580 |
CVE-2025-22577 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Damion Armentrout Able Player allows DOM-Based XSS. This issue affects Able Player: from n/a through 1.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22577 |
CVE-2025-22574 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Motacek ICS Button allows Stored XSS. This issue affects ICS Button: from n/a through 0.6. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22574 |
CVE-2025-22573 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in copist Icons Enricher allows Stored XSS. This issue affects Icons Enricher: from n/a through 1.0.8. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22573 |
CVE-2025-22572 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brianmiyaji Legacy ePlayer allows Stored XSS. This issue affects Legacy ePlayer: from n/a through 0.9.9. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22572 |
CVE-2025-22558 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcus C. J. Hartmann mcjh button shortcode allows Stored XSS. This issue affects mcjh button shortcode: from n/a through 1.6.4. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22558 |
CVE-2025-22554 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric Franklin Video Embed Optimizer allows Stored XSS. This issue affects Video Embed Optimizer: from n/a through 1.0.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22554 |
CVE-2025-22551 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Julien Crego Boot-Modal allows Stored XSS. This issue affects Boot-Modal: from n/a through 1.9.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22551 |
CVE-2025-22550 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AddFunc AddFunc Mobile Detect allows Stored XSS. This issue affects AddFunc Mobile Detect: from n/a through 3.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22550 |
CVE-2025-22549 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pablo Cornehl WP Github allows Stored XSS. This issue affects WP Github: from n/a through 1.3.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22549 |
CVE-2025-22546 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in One Plus Solution jQuery TwentyTwenty allows Stored XSS. This issue affects jQuery TwentyTwenty: from n/a through 1.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22546 |
CVE-2025-22545 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sw-galati.ro iframe to embed allows Stored XSS. This issue affects iframe to embed: from n/a through 1.2. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22545 |
CVE-2025-22544 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mind Doodle Mind Doodle Visual Sitemaps & Tasks allows Stored XSS. This issue affects Mind Doodle Visual Sitemaps & Tasks: from n/a through 1.6. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22544 |
CVE-2025-22532 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nagy Sandor Simple Photo Sphere allows Stored XSS. This issue affects Simple Photo Sphere: from n/a through 0.0.10. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22532 |
CVE-2025-22531 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M Bilal M Urdu Formatter – Shamil allows Stored XSS. This issue affects Urdu Formatter – Shamil: from n/a through 0.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22531 |
CVE-2025-22530 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SIOT 아임포트 결제버튼 생성 플러그인 (Iamport Payment Button Generator Plugin) allows Stored XSS. This issue affects 아임포트 결제버튼 생성 플러그인: from n/a through 1.1.19. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22530 |
CVE-2025-22529 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WORDPRESTEEM WE Blocks allows Stored XSS. This issue affects WE Blocks: from n/a through 1.3.5. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22529 |
CVE-2025-22528 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Huurkalender Huurkalender WP allows Stored XSS. This issue affects Huurkalender WP: from n/a through 1.5.6. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22528 |
CVE-2025-22525 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bharatkambariya Donation Block For PayPal allows Stored XSS. This issue affects Donation Block For PayPal: from n/a through 2.2.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22525 |
CVE-2025-22524 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in instaform.ir فرم ساز فرم افزار (Form Afzar Form Builder) allows Stored XSS. This issue affects فرم ساز فرم افزار: from n/a through 2.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22524 |
CVE-2025-22518 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KentoThemes Justified Image Gallery allows Stored XSS. This issue affects Justified Image Gallery: from n/a through 1.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22518 |
CVE-2025-22517 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ben Huson List Pages at Depth allows Stored XSS. This issue affects List Pages at Depth: from n/a through 1.5. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22517 |
CVE-2025-22516 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Patel Metadata SEO allows Stored XSS. This issue affects Metadata SEO: from n/a through 2.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22516 |
CVE-2025-22515 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simon Chuang Show Google Analytics widget allows Stored XSS. This issue affects Show Google Analytics widget: from n/a through 1.5.4. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22515 |
CVE-2025-22511 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ella van Durpe Slides & Presentations allows Stored XSS. This issue affects Slides & Presentations: from n/a through 0.0.39. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22511 |
CVE-2024-28778 | IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 is vulnerable to exposure of Artifactory API keys. This vulnerability allows users to publish code to private packages or repositories under the name of the organization. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-28778 |
CVE-2025-22362 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Powerfusion WPAchievements Free allows Stored XSS. This issue affects WPAchievements Free: from n/a through 1.2.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22362 |
CVE-2025-22339 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aThemeArt Store Commerce allows DOM-Based XSS. This issue affects Store Commerce: from n/a through 1.2.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22339 |
CVE-2025-22333 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Piotnet Piotnet Addons For Elementor allows Stored XSS. This issue affects Piotnet Addons For Elementor: from n/a through 2.4.31. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22333 |
CVE-2025-22327 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Olaf Lederer EO4WP allows Stored XSS. This issue affects EO4WP: from n/a through 1.0.7. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22327 |
CVE-2025-22323 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jewel Theme Image Hover Effects for Elementor allows Stored XSS. This issue affects Image Hover Effects for Elementor: from n/a through 1.0.2.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22323 |
CVE-2025-22321 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TheInnovs ElementsCSS Addons for Elementor allows Stored XSS. This issue affects ElementsCSS Addons for Elementor: from n/a through 1.0.8.7. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22321 |
CVE-2025-22315 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Typing Text allows Stored XSS. This issue affects Typing Text: from n/a through 1.2.7. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22315 |
CVE-2025-22312 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Thim Elementor Kit allows DOM-Based XSS. This issue affects Thim Elementor Kit: from n/a through 1.2.8. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22312 |
CVE-2025-22310 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TemplatesNext TemplatesNext ToolKit allows Stored XSS. This issue affects TemplatesNext ToolKit: from n/a through 3.2.9. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22310 |
CVE-2025-22309 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve D SpeakOut! Email Petitions allows DOM-Based XSS. This issue affects SpeakOut! Email Petitions: from n/a through 4.4.2. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22309 |
CVE-2025-22308 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in inc2734 Smart Custom Fields allows Stored XSS. This issue affects Smart Custom Fields: from n/a through 5.0.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22308 |
CVE-2025-22305 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP OnlineSupport, Essential Plugin Hero Banner Ultimate allows PHP Local File Inclusion. This issue affects Hero Banner Ultimate: from n/a through 1.4.2. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22305 |
CVE-2025-22293 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gutentor Gutentor allows DOM-Based XSS. This issue affects Gutentor: from n/a through 3.4.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22293 |
CVE-2025-22261 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixelite WP FullCalendar allows Stored XSS. This issue affects WP FullCalendar: from n/a through 1.5. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22261 |
CVE-2024-56287 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in biztechc WP jQuery DataTable allows Stored XSS. This issue affects WP jQuery DataTable: from n/a through 4.0.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56287 |
CVE-2024-56285 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBits WPBITS Addons For Elementor Page Builder allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through 1.5.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56285 |
CVE-2024-56274 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets allows Stored XSS. This issue affects Astra Widgets: from n/a through 1.2.15. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56274 |
CVE-2024-12332 | The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in all versions up to, and including, 2.2.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Student/Parent-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-12332 |
CVE-2024-11496 | The Infility Global plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the infility_global_ajax function in all versions up to, and including, 2.9.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options and potentially break the site. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-11496 |
CVE-2024-12419 | The The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. This functionality is also vulnerable to Reflected Cross-Site Scripting. Version 1.7.0 patched the Reflected XSS issue, however, the arbitrary shortcode execution issue remains. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-12419 |
CVE-2024-54764 | An access control issue in the component /login/hostinfo2.cgi of ipTIME A2004 v12.17.0 allows attackers to obtain sensitive information without authentication. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-54764 |
CVE-2024-54763 | An access control issue in the component /login/hostinfo.cgi of ipTIME A2004 v12.17.0 allows attackers to obtain sensitive information without authentication. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-54763 |
CVE-2024-53935 | The com.callos14.callscreen.colorphone (aka iCall OS17 - Color Phone Flash) application through 4.3 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.callos14.callscreen.colorphone.DialerActivity component. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-53935 |
CVE-2024-12311 | The Email Subscribers by Icegram Express WordPress plugin before 5.7.44 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-12311 |
CVE-2024-41768 | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause an unhandled SSL exception which could leave the connection in an unexpected or insecure state. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-41768 |
CVE-2024-41765 | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-41765 |
CVE-2024-12195 | The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to SQL Injection via the 'project_id' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint in all versions up to, and including, 2.6.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, who have been granted access to a project, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-12195 |
CVE-2023-45633 | Missing Authorization vulnerability in IDX IMPress Listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IMPress Listings: from n/a through 2.6.2. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-45633 |
CVE-2023-40327 | Missing Authorization vulnerability in Putler / Storeapps Putler Connector for WooCommerce. This issue affects Putler Connector for WooCommerce: from n/a through 2.12.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-40327 |
CVE-2022-45830 | Missing Authorization vulnerability in Analytify. This issue affects Analytify: from n/a through 4.2.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2022-45830 |
CVE-2024-56268 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Hait Post Grid Elementor Addon allows Stored XSS. This issue affects Post Grid Elementor Addon: from n/a through 2.0.18. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56268 |
CVE-2024-56257 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolPlugins Coins MarketCap allows DOM-Based XSS. This issue affects Coins MarketCap: from n/a through 5.5.8. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56257 |
CVE-2024-56302 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ConvertCalculator ConvertCalculator for WordPress allows Stored XSS. This issue affects ConvertCalculator for WordPress: from n/a through 1.1.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56302 |
CVE-2024-56263 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GS Plugins GS Shots for Dribbble allows DOM-Based XSS. This issue affects GS Shots for Dribbble: from n/a through 1.2.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56263 |
CVE-2024-56262 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GS Plugins GS Coaches allows Stored XSS. This issue affects GS Coaches: from n/a through 1.1.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56262 |
CVE-2024-56261 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GS Plugins Project Showcase allows Stored XSS. This issue affects Project Showcase: from n/a through 1.1.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56261 |
CVE-2024-56260 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StorePlugin ShopElement allows Stored XSS. This issue affects ShopElement: from n/a through 2.0.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56260 |
CVE-2024-56259 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AyeCode - WP Business Directory Plugins GeoDirectory allows Stored XSS. This issue affects GeoDirectory: from n/a through 2.3.84. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56259 |
CVE-2024-56258 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBlockArt Magazine Blocks allows Stored XSS. This issue affects Magazine Blocks: from n/a through 1.3.20. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56258 |
CVE-2024-56254 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in moveaddons Move Addons for Elementor allows Stored XSS. This issue affects Move Addons for Elementor: from n/a through 1.3.6. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56254 |
CVE-2024-56252 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeLooks Enter Addons allows Stored XSS. This issue affects Enter Addons: from n/a through 2.1.9. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56252 |
CVE-2024-56246 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH Nexter Blocks allows DOM-Based XSS. This issue affects Nexter Blocks: from n/a through 4.0.4. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56246 |
CVE-2024-56245 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leap13 Premium Blocks – Gutenberg Blocks for WordPress allows Stored XSS. This issue affects Premium Blocks – Gutenberg Blocks for WordPress: from n/a through 2.1.42. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56245 |
CVE-2024-56242 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tyche Softwares Arconix Shortcodes allows Stored XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.14. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56242 |
CVE-2024-56241 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPKoi WPKoi Templates for Elementor allows Stored XSS. This issue affects WPKoi Templates for Elementor: from n/a through 3.1.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56241 |
CVE-2024-56240 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pronamic Pronamic Google Maps allows Stored XSS. This issue affects Pronamic Google Maps: from n/a through 2.3.2. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56240 |
CVE-2024-56239 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Themify Audio Dock allows Stored XSS. This issue affects Themify Audio Dock: from n/a through 2.0.4. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56239 |
CVE-2024-38790 | Cross-Site Request Forgery (CSRF) vulnerability in Smartsupp Smartsupp – live chat, chatbots, AI and lead generation allows Cross Site Request Forgery. This issue affects Smartsupp – live chat, chatbots, AI and lead generation: from n/a through 3.6. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-38790 |
CVE-2023-47689 | Missing Authorization vulnerability in Toast Plugins Animator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Animator: from n/a through 3.0.10. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-47689 |
CVE-2023-47180 | Missing Authorization vulnerability in XLPlugins Finale Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Finale Lite: from n/a through 2.16.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-47180 |
CVE-2023-46644 | Missing Authorization vulnerability in WP CTA PRO WordPress CTA allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress CTA: from n/a through 1.5.8. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-46644 |
CVE-2023-46631 | Missing Authorization vulnerability in RevenueHunt Product Recommendation Quiz for eCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Recommendation Quiz for eCommerce: from n/a through 2.1.2. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-46631 |
CVE-2023-46610 | Missing Authorization vulnerability in quillforms.com Quill Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quill Forms: from n/a through 3.3.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-46610 |
CVE-2023-46609 | Missing Authorization vulnerability in FeedFocal FeedFocal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FeedFocal: from n/a through 1.2.2. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-46609 |
CVE-2023-46195 | Missing Authorization vulnerability in CoSchedule Headline Analyzer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Headline Analyzer: from n/a through 1.3.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-46195 |
CVE-2023-45275 | Missing Authorization vulnerability in Kali Forms Contact Form builder with drag & drop - Kali Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form builder with drag & drop - Kali Forms: from n/a through 2.3.28. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-45275 |
CVE-2024-56019 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gavin Rehkemper Inline Footnotes allows Stored XSS. This issue affects Inline Footnotes: from n/a through 2.3.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56019 |
CVE-2024-56021 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ibnuyahya Category Post Shortcode allows Stored XSS. This issue affects Category Post Shortcode: from n/a through 2.4. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56021 |
CVE-2024-56020 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mario Di Pasquale SvegliaT Buttons allows Stored XSS. This issue affects SvegliaT Buttons: from n/a through 1.3.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56020 |
CVE-2025-22621 | In versions 1.0.67 and lower of the Splunk App for SOAR, the Splunk documentation for that app recommended adding the `admin_all_objects` capability to the `splunk_app_soar` role. This addition could lead to improper access control for a low-privileged user that does not hold the “admin” Splunk roles. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2025-22621 |
CVE-2024-11826 | The Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'quillforms-popup' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11826 |
CVE-2024-56294 | Missing Authorization vulnerability in POSIMYTH Nexter Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexter Blocks: from n/a through 4.0.7. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-56294 |
CVE-2024-56279 | Server-Side Request Forgery (SSRF) vulnerability in Tips and Tricks HQ Compact WP Audio Player allows Server Side Request Forgery. This issue affects Compact WP Audio Player: from n/a through 1.9.14. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-56279 |
CVE-2024-12699 | The Service Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12699 |
CVE-2024-12516 | The Coupon Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Coupon Code' parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12516 |
CVE-2024-9502 | The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Tooltip module in all versions up to, and including, 2.0.6.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-9502 |
CVE-2024-12624 | The Sina Extension for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sina Image Differ widget in all versions up to, and including, 3.5.91 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12624 |
CVE-2024-12499 | The WP jQuery DataTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_jdt' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12499 |
CVE-2024-12495 | The Bootstrap Blocks for WP Editor v2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gtb-bootstrap/column' block in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12495 |
CVE-2024-12437 | The Marketplace Items plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'envato' shortcode in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12437 |
CVE-2024-11764 | The Solar Wizard Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'solar_wizard' shortcode in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11764 |
CVE-2024-9702 | The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialrocket-floating' shortcode in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-9702 |
CVE-2024-12464 | The Chatroll Live Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'chatroll' shortcode in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12464 |
CVE-2024-12440 | The Candifly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'candifly' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12440 |
CVE-2024-12439 | The Marketplace Items plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'marketplace' shortcode in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12439 |
CVE-2024-12073 | The Meteor Slides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slide_url_value' parameter in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12073 |
CVE-2024-11887 | The Geo Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'geotargetlygeocontent' shortcode in all versions up to, and including, 6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11887 |
CVE-2024-11756 | The SweepWidget Contests, Giveaways, Photo Contests, Competitions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sweepwidget' shortcode in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11756 |
CVE-2024-11749 | The App Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appizy' shortcode in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11749 |
CVE-2024-12462 | The YOGO Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'yogo-calendar' shortcode in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12462 |
CVE-2024-12457 | The Chat Support for Viber – Chat Bubble and Chat Button for Gutenberg, Elementor and Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vchat' shortcode in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12457 |
CVE-2024-12453 | The Uptodown APK Download Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'utd-widget' shortcode in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12453 |
CVE-2024-12445 | The RightMessage WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rm_area' shortcode in all versions up to, and including, 0.9.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12445 |
CVE-2024-11445 | The Image Magnify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'image_magnify' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11445 |
CVE-2024-11383 | The CC Canadian Mortgage Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cc-mortgage-canada' shortcode in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11383 |
CVE-2024-11382 | The Common Ninja: Fully Customizable & Perfectly Responsive Free Widgets for WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'commonninja' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11382 |
CVE-2024-11338 | The PIXNET Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gtm' and 'venue' parameters in all versions up to, and including, 2.9.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11338 |
CVE-2024-11337 | The Horoscope And Tarot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'divine_horoscope' shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11337 |
CVE-2024-12592 | The Sellsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'testSellsy' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12592 |
CVE-2024-12590 | The WP Youtube Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12590 |
CVE-2024-12528 | The WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsurveypoll_results' shortcode in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12528 |
CVE-2024-11934 | The Formaloo Form Maker & Customer Analytics for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘address’ parameter in all versions up to, and including, 2.1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11934 |
CVE-2024-11899 | The Slider Pro Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sliderpro' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11899 |
CVE-2024-11777 | The Sell Media plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sell_media_search_form_gutenberg' shortcode in all versions up to, and including, 2.5.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11777 |
CVE-2024-31914 | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-31914 |
CVE-2024-12475 | The WP Multi Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12475 |
CVE-2024-11930 | The Taskbuilder – WordPress Project & Task Management plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppm_tasks shortcode in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11930 |
CVE-2025-0300 | A vulnerability classified as critical was found in code-projects Online Book Shop 1.0. Affected by this vulnerability is an unknown functionality of the file /subcat.php. The manipulation of the argument cat leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0300 |
CVE-2025-0299 | A vulnerability classified as critical has been found in code-projects Online Book Shop 1.0. Affected is an unknown function of the file /search_result.php. The manipulation of the argument s leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0299 |
CVE-2025-0298 | A vulnerability was found in code-projects Online Book Shop 1.0. It has been rated as critical. This issue affects some unknown processing of the file /process_login.php. The manipulation of the argument usernm leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0298 |
CVE-2025-0297 | A vulnerability was found in code-projects Online Book Shop 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /detail.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0297 |
CVE-2025-0296 | A vulnerability was found in code-projects Online Book Shop 1.0. It has been classified as critical. This affects an unknown part of the file /booklist.php. The manipulation of the argument subcatid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0296 |
CVE-2024-7696 | Seth Fogie, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for an authenticated malicious client to tamper with audit log creation in AXIS Camera Station, or perform a Denial-of-Service attack on the AXIS Camera Station server using maliciously crafted audit log entries. Axis has released a patched version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-7696 |
CVE-2024-13145 | A vulnerability classified as critical was found in zhenfeng13 My-Blog 1.0. Affected by this vulnerability is the function upload of the file src/main/java/com/site/blog/my/core/controller/admin/uploadController.java. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13145 |
CVE-2024-13144 | A vulnerability classified as critical has been found in zhenfeng13 My-Blog 1.0. Affected is the function uploadFileByEditomd of the file src/main/java/com/site/blog/my/core/controller/admin/BlogController.java. The manipulation of the argument editormd-image-file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13144 |
CVE-2025-0232 | A vulnerability was found in Codezips Blood Bank Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /successadmin.php. The manipulation of the argument psw leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0232 |
CVE-2025-0231 | A vulnerability has been found in Codezips Gym Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /dashboard/admin/submit_payments.php. The manipulation of the argument m_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0231 |
CVE-2025-0230 | A vulnerability, which was classified as critical, was found in code-projects Responsive Hotel Site 1.0. Affected is an unknown function of the file /admin/print.php. The manipulation of the argument pid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0230 |
CVE-2025-0229 | A vulnerability, which was classified as critical, has been found in code-projects Travel Management System 1.0. This issue affects some unknown processing of the file /enquiry.php. The manipulation of the argument pid/t1/t2/t3/t4/t5/t6/t7 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0229 |
CVE-2024-13139 | A vulnerability was found in wangl1989 mysiteforme 1.0. It has been rated as critical. This issue affects the function doContent of the file src/main/java/com/mysiteform/admin/controller/system/FileController. The manipulation of the argument content leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13139 |
CVE-2024-13136 | A vulnerability was found in wangl1989 mysiteforme 1.0 and classified as critical. Affected by this issue is the function rememberMeManager of the file src/main/java/com/mysiteforme/admin/config/ShiroConfig.java. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13136 |
CVE-2024-13134 | A vulnerability, which was classified as critical, was found in ZeroWdd studentmanager 1.0. Affected is the function addTeacher/editTeacher of the file src/main/Java/com/wdd/studentmanager/controller/TeacherController.java. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13134 |
CVE-2024-13133 | A vulnerability, which was classified as critical, has been found in ZeroWdd studentmanager 1.0. This issue affects the function addStudent/editStudent of the file src/main/Java/com/wdd/studentmanager/controller/StudentController.java. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13133 |
CVE-2025-0213 | A vulnerability was found in Campcodes Project Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /forms/update_forms.php?action=change_pic2&id=4. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0213 |
CVE-2025-0212 | A vulnerability was found in Campcodes Student Grading System 1.0. It has been classified as critical. This affects an unknown part of the file /view_students.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0212 |
CVE-2025-0211 | A vulnerability was found in Campcodes School Faculty Scheduling System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/index.php. The manipulation of the argument page leads to file inclusion. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0211 |
CVE-2025-0208 | A vulnerability, which was classified as critical, was found in code-projects Online Shoe Store 1.0. This affects an unknown part of the file /summary.php. The manipulation of the argument tid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0208 |
CVE-2025-0205 | A vulnerability classified as critical has been found in code-projects Online Shoe Store 1.0. Affected is an unknown function of the file /details2.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0205 |
CVE-2025-0204 | A vulnerability was found in code-projects Online Shoe Store 1.0. It has been rated as critical. This issue affects some unknown processing of the file /details.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0204 |
CVE-2025-0203 | A vulnerability was found in code-projects Student Management System 1.0. It has been declared as critical. This vulnerability affects the function showSubject1 of the file /config/DbFunction.php. The manipulation of the argument sid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0203 |
CVE-2025-0201 | A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /user/update_account.php. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0201 |
CVE-2025-0200 | A vulnerability has been found in code-projects Point of Sales and Inventory Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /user/search_num.php. The manipulation of the argument search leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0200 |
CVE-2025-0199 | A vulnerability, which was classified as critical, was found in code-projects Point of Sales and Inventory Management System 1.0. Affected is an unknown function of the file /user/minus_cart.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0199 |
CVE-2025-0198 | A vulnerability, which was classified as critical, has been found in code-projects Point of Sales and Inventory Management System 1.0. This issue affects some unknown processing of the file /user/search_result.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0198 |
CVE-2025-0197 | A vulnerability classified as critical was found in code-projects Point of Sales and Inventory Management System 1.0. This vulnerability affects unknown code of the file /user/search.php. The manipulation of the argument name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0197 |
CVE-2025-0196 | A vulnerability classified as critical has been found in code-projects Point of Sales and Inventory Management System 1.0. This affects an unknown part of the file /user/plist.php. The manipulation of the argument cat leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0196 |
CVE-2025-0195 | A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /user/del_product.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0195 |
CVE-2025-0176 | A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /user/add_cart.php. The manipulation of the argument id/qty leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0176 |
CVE-2025-0174 | A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been classified as critical. This affects an unknown part of the file /user/search_result2.php of the component Parameter Handler. The manipulation of the argument search leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0174 |
CVE-2025-0173 | A vulnerability was found in SourceCodester Online Eyewear Shop 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /orders/view_order.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0173 |
CVE-2025-0172 | A vulnerability has been found in code-projects Chat System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/deleteroom.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0172 |
CVE-2025-0171 | A vulnerability, which was classified as critical, was found in code-projects Chat System 1.0. Affected is an unknown function of the file /admin/deleteuser.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0171 |
CVE-2024-56266 | Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 5.8. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56266 |
CVE-2024-13093 | A vulnerability, which was classified as critical, has been found in code-projects Job Recruitment 1.0. This issue affects some unknown processing of the file /_parse/_call_main_search_ajax.php of the component Seeker Profile Handler. The manipulation of the argument s1 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13093 |
CVE-2024-13092 | A vulnerability classified as critical was found in code-projects Job Recruitment 1.0. This vulnerability affects unknown code of the file /_parse/_call_job/search_ajax.php of the component Job Post Handler. The manipulation of the argument n leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13092 |
CVE-2025-0168 | A vulnerability classified as critical has been found in code-projects Job Recruitment 1.0. This affects an unknown part of the file /_parse/_feedback_system.php. The manipulation of the argument person leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0168 |
CVE-2024-36613 | FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library allowing for an integer overflow, potentially resulting in a denial-of-service (DoS) condition or other undefined behavior. | 6.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-36613 |
CVE-2024-40747 | Various module chromes didn't properly process inputs, leading to XSS vectors. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-40747 |
CVE-2024-12738 | The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several user meta parameters in all versions up to, and including, 3.12.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks a link to show user meta. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12738 |
CVE-2024-12077 | The Booking Calendar and Booking Calendar Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the ‘calendar_id’ parameter in all versions up to, and including, 3.2.19 and 11.2.19 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12077 |
CVE-2024-9354 | The Estatik Mortgage Calculator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'color' parameter in all versions up to, and including, 2.0.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-9354 |
CVE-2024-12438 | The WooCommerce Digital Content Delivery (incl. DRM) – FlickRocket plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'start_date' and 'end_date' parameters in all versions up to, and including, 4.74 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12438 |
CVE-2024-12384 | The Binary MLM Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12384 |
CVE-2024-12383 | The Binary MLM Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'bmw_display_pv_set_page' function and insufficient input sanitization and output escaping of the 'product_points' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12383 |
CVE-2024-12261 | The SmartEmailing.cz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'se-lists-updated' parameter in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12261 |
CVE-2024-11369 | The Store credit / Gift cards for woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'coupon', 'start_date', and 'end_date' parameters in all versions up to, and including, 1.0.49.46 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11369 |
CVE-2024-9208 | The Enable Accessibility plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.4.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-9208 |
CVE-2024-12435 | The Compare Products for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘s_feature’ parameter in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12435 |
CVE-2024-12324 | The Unilevel MLM Plan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12324 |
CVE-2024-12291 | The ViewMedica 9 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.15. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12291 |
CVE-2024-12290 | The Infility Global plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘set_type’ parameter in all versions up to, and including, 2.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12290 |
CVE-2024-12288 | The Simple add pages or posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12288 |
CVE-2024-12256 | The Simple Video Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'analytics_video' parameter in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12256 |
CVE-2024-12214 | The WooCommerce HSS Extension for Streaming Video plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘videolink’ parameter in all versions up to, and including, 3.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12214 |
CVE-2024-12153 | The GDY Modular Content plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.9.91. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12153 |
CVE-2024-12126 | The SEO Keywords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘google_error’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12126 |
CVE-2024-12124 | The Role Includer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘user_id’ parameter in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12124 |
CVE-2024-12049 | The Woo Ukrposhta plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order', 'post', and 'idd' parameters in all versions up to, and including, 1.17.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12049 |
CVE-2024-11810 | The PayGreen Payment Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message_id' parameter in all versions up to, and including, 1.0.26 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11810 |
CVE-2024-11690 | The Financial Stocks & Crypto Market Data Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'e' parameter in all versions up to, and including, 1.10.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11690 |
CVE-2024-11434 | The WP – Bulk SMS – by SMS.to plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11434 |
CVE-2024-11378 | The Bizapp for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'error' parameter in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11378 |
CVE-2024-11377 | The Automate Hub Free by Sperse.IO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11377 |
CVE-2024-11375 | The WC1C plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.23.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11375 |
CVE-2024-11363 | The Same but Different – Related Posts by Taxonomy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11363 |
CVE-2024-12557 | The Transporters.io plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.84. This is due to missing nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12557 |
CVE-2024-12540 | The LDD Directory Lite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12540 |
CVE-2024-12098 | The ARS Affiliate Page Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'utm_keyword' parameter in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12098 |
CVE-2024-35498 | A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-35498 |
CVE-2024-46073 | A reflected Cross-Site Scripting (XSS) vulnerability exists in the login page of IceHRM v32.4.0.OS. The vulnerability is due to improper sanitization of the "next" parameter, which is included in the application's response without adequate escaping. An attacker can exploit this flaw by tricking a user into visiting a specially crafted URL, causing the execution of arbitrary JavaScript code in the context of the victim's browser. The issue occurs even though the application has sanitization mechanisms in place. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-46073 |
CVE-2024-51112 | Open Redirect vulnerability in Pnetlab 5.3.11 allows an attacker to manipulate URLs to redirect users to arbitrary external websites via a crafted script. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-51112 |
CVE-2024-43063 | Information disclosure while invoking the mailbox read API. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-43063 |
CVE-2024-33067 | Information disclosure while invoking callback function of sound model driver from ADSP for every valid opcode received from sound model driver. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-33067 |
CVE-2024-12302 | The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its Campaign settings, which could allow authors and above to perform Stored Cross-Site Scripting attacks | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12302 |
CVE-2024-11849 | The Pods WordPress plugin before 3.2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11849 |
CVE-2024-11356 | The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11356 |
CVE-2024-12279 | The WP Social AutoConnect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12279 |
CVE-2024-12221 | The Turnkey bbPress by WeaverTheme plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘_wpnonce’ parameter in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12221 |
CVE-2024-12701 | The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12701 |
CVE-2024-12047 | The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘custom_server’ parameter in all versions up to, and including, 6.30.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12047 |
CVE-2024-11974 | The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'smc_settings_tab', 'unattachfixit-action', and 'woofixit-action' parameters in all versions up to, and including, 3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11974 |
CVE-2024-11846 | The does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11846 |
CVE-2025-22579 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly WP Header Notification allows Stored XSS. This issue affects WP Header Notification: from n/a through 1.2.7. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2025-22579 |
CVE-2025-22578 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AazzTech WP Cookie allows Stored XSS. This issue affects WP Cookie: from n/a through 1.0.0. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2025-22578 |
CVE-2024-52366 | IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-52366 |
CVE-2025-22316 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBits WPBITS Addons For Elementor Page Builder allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through 1.5.1. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2025-22316 |
CVE-2024-56298 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 5 Star Plugins Pretty Simple Popup Builder allows Stored XSS. This issue affects Pretty Simple Popup Builder: from n/a through 1.0.9. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-56298 |
CVE-2024-56297 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dn88 Highlight allows Stored XSS. This issue affects Highlight: from n/a through 2.0.2. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-56297 |
CVE-2024-56293 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nasirahmed Advanced Form Integration allows Stored XSS. This issue affects Advanced Form Integration: from n/a through 1.95.0. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-56293 |
CVE-2024-56292 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop, oplugins Email Reminders allows Stored XSS. This issue affects Email Reminders: from n/a through 2.0.5. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-56292 |
CVE-2024-56288 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fahad Mahmood WP Docs allows Stored XSS. This issue affects WP Docs: from n/a through 2.2.1. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-56288 |
CVE-2024-55627 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a specially crafted TCP stream can lead to a very large buffer overflow while being zero-filled during initialization with memset due to an unsigned integer underflow. The issue has been addressed in Suricata 7.0.8. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-55627 |
CVE-2024-41763 | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-41763 |
CVE-2025-22385 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested storefront accounts can be created on behalf of visitors. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2025-22385 |
CVE-2024-8447 | A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-8447 |
CVE-2024-56237 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Contest Gallery Contest Gallery allows Stored XSS. This issue affects Contest Gallery: from n/a through 24.0.3. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-56237 |
CVE-2024-11357 | The goodlayers-core WordPress plugin before 2.0.10 does not sanitise and escape some of its settings, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-11357 |
CVE-2025-22388 | An issue was discovered in Optimizely EPiServer.CMS.Core before 12.22.0. A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the CMS, allowing malicious actors to inject and execute arbitrary JavaScript code, potentially compromising user data, escalating privileges, or executing unauthorized actions. The issue exists in multiple areas, including content editing, link management, and file uploads. | 5.7 | https://nvd.nist.gov/vuln/detail/CVE-2025-22388 |
CVE-2024-13111 | A vulnerability classified as critical was found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected by this vulnerability is an unknown functionality of the file src/main/java/com/yf/exam/modules/sys/user/controller/SysUserControl of the component JWT Token Handler. The manipulation leads to improper authentication. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | 5.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-13111 |
CVE-2025-0218 | When batch jobs are executed by pgAgent, a script is created in a temporary directory and then executed. In versions of pgAgent prior to 4.2.3, an insufficiently seeded random number generator is used when generating the directory name, leading to the possibility for a local attacker to pre-create the directory and thus prevent pgAgent from executing jobs, disrupting scheduled tasks. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-0218 |
CVE-2024-45070 | In OpenHarmony v4.1.2 and prior versions, a local attacker can cause an information leak through an out-of-bounds read. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-45070 |
CVE-2025-21615 | AAT (Another Activity Tracker) is a GPS-tracking application for tracking sportive activities, with emphasis on cycling. Versions lower than v1.26 of AAT are vulnerable to data exfiltration from malicious apps installed on the same device. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-21615 |
CVE-2024-56769 | In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg Syzbot reports [1] an uninitialized value issue found by KMSAN in dib3000_read_reg(). Local u8 rb[2] is used in i2c_transfer() as a read buffer; in case that call fails, the buffer may end up with some undefined values. Since no elaborate error handling is expected in dib3000_write_reg(), simply zero out rb buffer to mitigate the problem. [1] Syzkaller report dvb-usb: bulk message failed: -22 (6/0) ===================================================== BUG: KMSAN: uninit-value in dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758 dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758 dibusb_dib3000mb_frontend_attach+0x155/0x2f0 drivers/media/usb/dvb-usb/dibusb-mb.c:31 dvb_usb_adapter_frontend_init+0xed/0x9a0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:90 [inline] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:186 [inline] dvb_usb_device_init+0x25a8/0x3760 drivers/media/usb/dvb-usb/dvb-usb-init.c:310 dibusb_probe+0x46/0x250 drivers/media/usb/dvb-usb/dibusb-mb.c:110 ... Local variable rb created at: dib3000_read_reg+0x86/0x4e0 drivers/media/dvb-frontends/dib3000mb.c:54 dib3000mb_attach+0x123/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758 ... | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56769 |
CVE-2024-56768 | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP On x86-64 calling bpf_get_smp_processor_id() in a kernel with CONFIG_SMP disabled can trigger the following bug, as pcpu_hot is unavailable: [ 8.471774] BUG: unable to handle page fault for address: 00000000936a290c [ 8.471849] #PF: supervisor read access in kernel mode [ 8.471881] #PF: error_code(0x0000) - not-present page Fix by inlining a return 0 in the !CONFIG_SMP case. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56768 |
CVE-2024-56767 | In the Linux kernel, the following vulnerability has been resolved: dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset The at_xdmac_memset_create_desc may return NULL, which will lead to a null pointer dereference. For example, the len input is error, or the atchan->free_descs_list is empty and memory is exhausted. Therefore, add check to avoid this. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56767 |
CVE-2024-56763 | In the Linux kernel, the following vulnerability has been resolved: tracing: Prevent bad count for tracing_cpumask_write If a large count is provided, it will trigger a warning in bitmap_parse_user. Also check zero for it. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56763 |
CVE-2024-56761 | In the Linux kernel, the following vulnerability has been resolved: x86/fred: Clear WFE in missing-ENDBRANCH #CPs An indirect branch instruction sets the CPU indirect branch tracker (IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted across the instruction boundary. When the decoder finds an inappropriate instruction while WFE is set ENDBR, the CPU raises a #CP fault. For the "kernel IBT no ENDBR" selftest where #CPs are deliberately triggered, the WFE state of the interrupted context needs to be cleared to let execution continue. Otherwise when the CPU resumes from the instruction that just caused the previous #CP, another missing-ENDBRANCH #CP is raised and the CPU enters a dead loop. This is not a problem with IDT because it doesn't preserve WFE and IRET doesn't set WFE. But FRED provides space on the entry stack (in an expanded CS area) to save and restore the WFE state, thus the WFE state is no longer clobbered, so software must clear it. Clear WFE to avoid dead looping in ibt_clear_fred_wfe() and the !ibt_fatal code path when execution is allowed to continue. Clobbering WFE in any other circumstance is a security-relevant bug. [ dhansen: changelog rewording ] | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56761 |
CVE-2024-56760 | In the Linux kernel, the following vulnerability has been resolved: PCI/MSI: Handle lack of irqdomain gracefully Alexandre observed a warning emitted from pci_msi_setup_msi_irqs() on a RISCV platform which does not provide PCI/MSI support: WARNING: CPU: 1 PID: 1 at drivers/pci/msi/msi.h:121 pci_msi_setup_msi_irqs+0x2c/0x32 __pci_enable_msix_range+0x30c/0x596 pci_msi_setup_msi_irqs+0x2c/0x32 pci_alloc_irq_vectors_affinity+0xb8/0xe2 RISCV uses hierarchical interrupt domains and correctly does not implement the legacy fallback. The warning triggers from the legacy fallback stub. That warning is bogus as the PCI/MSI layer knows whether a PCI/MSI parent domain is associated with the device or not. There is a check for MSI-X, which has a legacy assumption. But that legacy fallback assumption is only valid when legacy support is enabled, but otherwise the check should simply return -ENOTSUPP. Loongarch tripped over the same problem and blindly enabled legacy support without implementing the legacy fallbacks. There are weak implementations which return an error, so the problem was papered over. Correct pci_msi_domain_supports() to evaluate the legacy mode and add the missing supported check into the MSI enable path to complete it. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56760 |
CVE-2024-56758 | In the Linux kernel, the following vulnerability has been resolved: btrfs: check folio mapping after unlock in relocate_one_folio() When we call btrfs_read_folio() to bring a folio uptodate, we unlock the folio. The result of that is that a different thread can modify the mapping (like remove it with invalidate) before we call folio_lock(). This results in an invalid page and we need to try again. In particular, if we are relocating concurrently with aborting a transaction, this can result in a crash like the following: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 76 PID: 1411631 Comm: kworker/u322:5 Workqueue: events_unbound btrfs_reclaim_bgs_work RIP: 0010:set_page_extent_mapped+0x20/0xb0 RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246 RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880 RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0 R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000 R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die+0x78/0xc0 ? page_fault_oops+0x2a8/0x3a0 ? __switch_to+0x133/0x530 ? wq_worker_running+0xa/0x40 ? exc_page_fault+0x63/0x130 ? asm_exc_page_fault+0x22/0x30 ? set_page_extent_mapped+0x20/0xb0 relocate_file_extent_cluster+0x1a7/0x940 relocate_data_extent+0xaf/0x120 relocate_block_group+0x20f/0x480 btrfs_relocate_block_group+0x152/0x320 btrfs_relocate_chunk+0x3d/0x120 btrfs_reclaim_bgs_work+0x2ae/0x4e0 process_scheduled_works+0x184/0x370 worker_thread+0xc6/0x3e0 ? blk_add_timer+0xb0/0xb0 kthread+0xae/0xe0 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork+0x2f/0x40 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork_asm+0x11/0x20 </TASK> This occurs because cleanup_one_transaction() calls destroy_delalloc_inodes() which calls invalidate_inode_pages2() which takes the folio_lock before setting mapping to NULL. We fail to check this, and subsequently call set_extent_mapping(), which assumes that mapping != NULL (in fact it asserts that in debug mode). Note that the "fixes" patch here is not the one that introduced the race (the very first iteration of this code from 2009) but a more recent change that made this particular crash happen in practice. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56758 |
CVE-2024-56757 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: add intf release flow when usb disconnect MediaTek claims a special usb intr interface for ISO data transmission. The interface needs to be released before unregistering the hci device when usb disconnects. Removing a BT usb dongle without properly releasing the interface may cause a kernel panic while unregistering the hci device. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56757 |
CVE-2024-31913 | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-31913 |
CVE-2024-45559 | Transient DOS can occur when GVM sends a specific message type to the Vdev-FastRPC backend. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-45559 |
CVE-2025-0223 | A vulnerability was found in IObit Protected Folder up to 13.6.0.5. It has been classified as problematic. Affected is the function 0x8001E000/0x8001E00C/0x8001E004/0x8001E010 in the library IURegistryFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-0223 |
CVE-2025-0222 | A vulnerability was found in IObit Protected Folder up to 13.6.0.5 and classified as problematic. This issue affects the function 0x8001E000/0x8001E004 in the library IUProcessFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-0222 |
CVE-2025-0221 | A vulnerability has been found in IOBit Protected Folder up to 1.3.0 and classified as problematic. This vulnerability affects the function 0x22200c in the library pffilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-0221 |
CVE-2025-0202 | A vulnerability was found in TCS BaNCS 10. It has been classified as problematic. This affects an unknown part of the file /REPORTS/REPORTS_SHOW_FILE.jsp. The manipulation of the argument FilePath leads to file inclusion. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-0202 |
CVE-2024-53839 | In GetCellInfoList() of protocolnetadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User Interaction is not needed for exploitation. | 5.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-53839 |
CVE-2024-44450 | Multiple functions are vulnerable to Authorization Bypass in AIMS eCrew. The issue was fixed in version JUN23 #190. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-44450 |
CVE-2025-22543 | Missing Authorization vulnerability in Beautiful Templates ST Gallery WP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ST Gallery WP: from n/a through 1.0.8. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2025-22543 |
CVE-2025-22541 | Missing Authorization vulnerability in Etruel Developments LLC WP Delete Post Copies allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Delete Post Copies: from n/a through 5.5. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2025-22541 |
CVE-2025-22534 | Missing Authorization vulnerability in Ella van Durpe Slides & Presentations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slides & Presentations: from n/a through 0.0.39. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2025-22534 |
CVE-2024-52891 | IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow an authenticated user to inject malicious information or obtain information from log files due to improper log neutralization. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-52891 |
CVE-2025-22301 | Cross-Site Request Forgery (CSRF) vulnerability in Stormhill Media MyBookTable Bookstore allows Cross Site Request Forgery. This issue affects MyBookTable Bookstore: from n/a through 3.5.3. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2025-22301 |
CVE-2025-22300 | Cross-Site Request Forgery (CSRF) vulnerability in PixelYourSite PixelYourSite – Your smart PIXEL (TAG) Manager allows Cross Site Request Forgery. This issue affects PixelYourSite – Your smart PIXEL (TAG) Manager: from n/a through 10.0.1.2. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2025-22300 |
CVE-2024-12170 | The ViewMedica 9 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.15. This is due to missing or incorrect nonce validation on the 'Viewmedica-Admin' page. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12170 |
CVE-2024-12541 | The Chative Live chat and Chatbot plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the add_chative_widget_action() function. This makes it possible for unauthenticated attackers to change the channel ID or organization ID via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This could lead to redirecting the live chat widget to an attacker-controlled channel. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12541 |
CVE-2025-21616 | Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2025-21616 |
CVE-2024-46209 | A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the password parameter. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-46209 |
CVE-2024-12545 | The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.1. This is due to missing nonce validation on the reset_installation() function. This makes it possible for unauthenticated attackers to reset the plugin’s installation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12545 |
CVE-2024-55896 | IBM PowerHA SystemMirror for i 7.4 and 7.5 contains improper restrictions when rendering content via iFrames. This vulnerability could allow an attacker to gain improper access and perform unauthorized actions on the system. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-55896 |
CVE-2023-23672 | Missing Authorization vulnerability in Liquid Web / StellarWP GiveWP. This issue affects GiveWP: from n/a through 2.25.1. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-23672 |
CVE-2022-45811 | Missing Authorization vulnerability in WeyHan Ng Post Teaser. This issue affects Post Teaser: from n/a through 4.1.5. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2022-45811 |
CVE-2023-45272 | Missing Authorization vulnerability in 10Web 10Web Map Builder for Google Maps allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 10Web Map Builder for Google Maps: from n/a through 1.0.73. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-45272 |
CVE-2023-32240 | Missing Authorization vulnerability in Xtemos WoodMart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WoodMart: from n/a through 7.2.1. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-32240 |
CVE-2024-37925 | Cross-Site Request Forgery (CSRF) vulnerability in BUDDYBOSS LLC BuddyBoss Theme allows Cross Site Request Forgery. This issue affects BuddyBoss Theme: from n/a through 2.4.61. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-37925 |
CVE-2024-37438 | Cross-Site Request Forgery (CSRF) vulnerability in Uncanny Owl Uncanny Toolkit Pro for LearnDash allows Cross Site Request Forgery. This issue affects Uncanny Toolkit Pro for LearnDash: from n/a before 4.1.4.1. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-37438 |
CVE-2024-56253 | Missing Authorization vulnerability in supsystic.com Data Tables Generator by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Data Tables Generator by Supsystic: from n/a through 1.10.36. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-56253 |
CVE-2024-56244 | Missing Authorization vulnerability in WP Royal Ashe Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ashe Extra: from n/a through 1.2.92. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-56244 |
CVE-2024-38789 | Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi Telegram Bot & Channel allows Cross Site Request Forgery. This issue affects Telegram Bot & Channel: from n/a through 3.8.2. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-38789 |
CVE-2024-38729 | Cross-Site Request Forgery (CSRF) vulnerability in MBE Worldwide S.p.A. MBE eShip allows Cross Site Request Forgery. This issue affects MBE eShip: from n/a through 2.1.2. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-38729 |
CVE-2024-37469 | Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Blocksy allows Cross Site Request Forgery. This issue affects Blocksy: from n/a through 2.0.22. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-37469 |
CVE-2023-47661 | Missing Authorization vulnerability in Dragfy Dragfy Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dragfy Addons for Elementor: from n/a through 1.0.2. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-47661 |
CVE-2023-47225 | Missing Authorization vulnerability in KaizenCoders Short URL allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Short URL: from n/a through 1.6.8. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-47225 |
CVE-2023-47187 | Missing Authorization vulnerability in Labib Ahmed Animated Rotating Words allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Animated Rotating Words: from n/a through 5.4. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-47187 |
CVE-2023-46633 | Missing Authorization vulnerability in TCBarrett Glossary allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Glossary: from n/a through 3.1.2. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-46633 |
CVE-2023-46616 | Missing Authorization vulnerability in NSquared Draw Attention allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Draw Attention: from n/a through 2.0.15. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-46616 |
CVE-2023-46607 | Missing Authorization vulnerability in WP iCal Availability WP iCal Availability allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP iCal Availability: from n/a through 1.0.3. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-46607 |
CVE-2023-46079 | Missing Authorization vulnerability in WP Royal Ashe Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ashe Extra: from n/a through 1.2.9. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-46079 |
CVE-2023-45828 | Missing Authorization vulnerability in RumbleTalk Ltd RumbleTalk Live Group Chat allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RumbleTalk Live Group Chat: from n/a through 6.2.5. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-45828 |
CVE-2023-45636 | Missing Authorization vulnerability in WebToffee WordPress Backup & Migration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Backup & Migration: from n/a through 1.4.1. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-45636 |
CVE-2023-45045 | Missing Authorization vulnerability in Kishor Khambu WP Custom Widget area allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Custom Widget area: from n/a through 1.2.5. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2023-45045 |
CVE-2024-56830 | The Net::EasyTCP package 0.15 through 0.26 for Perl uses Perl's builtin rand() if no strong randomization module is present. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-56830 |
CVE-2002-20002 | The Net::EasyTCP package before 0.15 for Perl always uses Perl's builtin rand(), which is not a strong random number generator, for cryptographic keys. | 5.4 | https://nvd.nist.gov/vuln/detail/CVE-2002-20002 |
CVE-2025-22363 | Missing Authorization vulnerability in ORION Allada T-shirt Designer for Woocommerce. This issue affects Allada T-shirt Designer for Woocommerce: from n/a through 1.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22363 |
CVE-2025-22306 | Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Link Whisper Link Whisper Free. This issue affects Link Whisper Free: from n/a through 0.7.7. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22306 |
CVE-2024-56270 | Missing Authorization vulnerability in SecureSubmit WP SecureSubmit. This issue affects WP SecureSubmit: from n/a through 1.5.16. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56270 |
CVE-2025-22560 | Missing Authorization vulnerability in Saoshyant.1994 Saoshyant Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Saoshyant Page Builder: from n/a through 3.8. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22560 |
CVE-2024-45640 | IBM Security ReaQta 3.12 returns sensitive information in an HTTP response that could be used in further attacks against the system. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-45640 |
CVE-2024-52893 | IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-52893 |
CVE-2024-52367 | IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could disclose sensitive system information to an unauthorized actor that could be used in further attacks against the system. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-52367 |
CVE-2024-12711 | The RSVP and Event Management plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX functions like bulk_delete_attendees() and bulk_delete_questions() in all versions up to, and including, 2.7.13. This makes it possible for unauthenticated attackers to delete questions and attendees and for authenticated users to update question menu orders. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12711 |
CVE-2024-12316 | The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_popup_action() function in all versions up to, and including, 4.8.5. This makes it possible for unauthenticated attackers to export popup templates. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12316 |
CVE-2025-22303 | Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster allows Retrieve Embedded Sensitive Data. This issue affects WP Mailster: from n/a through 1.8.17.0. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22303 |
CVE-2025-22302 | Missing Authorization vulnerability in WP Wand WP Wand allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Wand: from n/a through 1.2.5. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22302 |
CVE-2024-51651 | Missing Authorization vulnerability in CubeWP CubeWP Forms – All-in-One Form Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CubeWP Forms – All-in-One Form Builder: from n/a through 1.1.5. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-51651 |
CVE-2024-10866 | The Export Import Menus plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the dsp_export_import_menus() function in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to export menu data and settings. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-10866 |
CVE-2024-11282 | The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.10 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-11282 |
CVE-2024-9697 | The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tweet_settings_save() and tweet_settings_update() functions in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-9697 |
CVE-2024-11606 | The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-11606 |
CVE-2024-12176 | The WordLift – AI powered SEO – Schema plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'wl_config_plugin' AJAX action in all versions up to, and including, 3.54.0. This makes it possible for unauthenticated attackers to update the plugin's settings. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12176 |
CVE-2024-12159 | The Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.1 due to the print_php_information.php being publicly accessible. This makes it possible for unauthenticated attackers to extract sensitive configuration data that can be leveraged in another attack. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12159 |
CVE-2024-12158 | The Popup – MailChimp, GetResponse and ActiveCampaign Intergrations plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'upc_delete_db_data' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for unauthenticated attackers to delete the DB data for the plugin. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12158 |
CVE-2024-11290 | The Member Access plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-11290 |
CVE-2024-12559 | The ClickDesigns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clickdesigns_add_api' and the 'clickdesigns_remove_api' functions in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to modify or remove the plugin's API key. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12559 |
CVE-2024-12022 | The WP Menu Image plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wmi_delete_img_menu' function in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to delete images from menus. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12022 |
CVE-2024-55408 | An issue in the AsusSAIO.sys component of ASUS System Analysis IO v1.0.0 allows attackers to perform arbitrary read and write actions via supplying crafted IOCTL requests. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-55408 |
CVE-2023-6604 | A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-6604 |
CVE-2025-0224 | A vulnerability was found in Provision-ISR SH-4050A-2, SH-4100A-2L(MM), SH-8100A-2L(MM), SH-16200A-2(1U), SH-16200A-5(1U) and NVR5-8200PX up to 20241220. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /server.js. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0224 |
CVE-2024-13131 | A vulnerability classified as problematic has been found in Dahua IPC-HFW1200S, IPC-HFW2300R-Z, IPC-HFW5220E-Z and IPC-HDW1200S up to 20241222. This affects an unknown part of the file /web_caps/webCapsConfig of the component Web Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13131 |
CVE-2025-0206 | A vulnerability classified as critical was found in code-projects Online Shoe Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/index.php. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0206 |
CVE-2024-56332 | Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.). Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56332 |
CVE-2025-21610 | Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.12 are vulnerable to cross-site scripting when pasting malicious code in the link field. An attacker could trick the user to copy&paste a malicious `javascript\:` URL as a link that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. Users should upgrade to Trix editor version 2.1.12 or later to receive a patch. In addition to upgrading, affected users can disallow browsers that don't support a Content Security Policy (CSP) as a workaround for this and other cross-site scripting vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-21610 |
CVE-2022-47601 | Missing Authorization vulnerability in JoomUnited WP Table Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Table Manager: from n/a through 3.5.2. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2022-47601 |
CVE-2023-48739 | Missing Authorization vulnerability in Porto Theme Porto Theme - Functionality allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Porto Theme - Functionality: from n/a before 2.12.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-48739 |
CVE-2024-13109 | A vulnerability was found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. It has been rated as critical. This issue affects some unknown processing of the file /doc.html. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13109 |
CVE-2024-13108 | A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. It has been declared as critical. This vulnerability affects unknown code of the file /goform/form2NetSniper.cgi. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13108 |
CVE-2024-56238 | Missing Authorization vulnerability in QunatumCloud Floating Action Buttons allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Floating Action Buttons: from n/a through 0.9.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56238 |
CVE-2024-13107 | A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. It has been classified as critical. This affects an unknown part of the file /goform/form2LocalAclEditcfg.cgi of the component ACL Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13107 |
CVE-2024-13106 | A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this issue is some unknown functionality of the file /goform/form2IPQoSTcAdd of the component IP QoS Handler. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13106 |
CVE-2023-47515 | Missing Authorization vulnerability in Seers Seers allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Seers: from n/a through 8.1.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47515 |
CVE-2023-47241 | Missing Authorization vulnerability in CoCart Headless, LLC CoCart – Headless ecommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CoCart – Headless ecommerce: from n/a through 3.11.2. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47241 |
CVE-2023-47188 | Missing Authorization vulnerability in PressTigers Simple Job Board allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Job Board: from n/a through 2.10.5. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47188 |
CVE-2023-47183 | Missing Authorization vulnerability in GiveWP GiveWP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GiveWP: from n/a through 2.33.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47183 |
CVE-2023-46639 | Missing Authorization vulnerability in FeedbackWP kk Star Ratings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects kk Star Ratings: from n/a through 5.4.5. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46639 |
CVE-2023-46637 | Missing Authorization vulnerability in Saurav Sharma Generate Dummy Posts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Generate Dummy Posts: from n/a through 1.0.0. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46637 |
CVE-2023-46635 | Missing Authorization vulnerability in YITH YITH WooCommerce Product Add-Ons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.2.0. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46635 |
CVE-2023-46611 | Authentication Bypass by Primary Weakness vulnerability in yourownprogrammer YOP Poll allows Authentication Bypass. This issue affects YOP Poll: from n/a through 6.5.28. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46611 |
CVE-2023-46608 | Missing Authorization vulnerability in WPDO DoLogin Security allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DoLogin Security: from n/a through 3.7.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46608 |
CVE-2023-46606 | Missing Authorization vulnerability in AtomChat AtomChat allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AtomChat: from n/a through 1.1.4. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46606 |
CVE-2023-46605 | Missing Authorization vulnerability in Ruslan Suhar Convertful – Your Ultimate On-Site Conversion Tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Convertful – Your Ultimate On-Site Conversion Tool: from n/a through 2.5. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46605 |
CVE-2023-46309 | Missing Authorization vulnerability in gVectors Team wpDiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through 7.6.10. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46309 |
CVE-2023-46206 | Missing Authorization vulnerability in websoudan MW WP Form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MW WP Form: from n/a through 4.4.5. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46206 |
CVE-2023-46083 | Missing Authorization vulnerability in Kali Forms Contact Form builder with drag & drop - Kali Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form builder with drag & drop - Kali Forms: from n/a through 2.3.27. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46083 |
CVE-2023-46082 | Missing Authorization vulnerability in Cyberlord92 Broken Link Checker \| Finder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broken Link Checker \| Finder: from n/a through 2.4.2. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46082 |
CVE-2023-46073 | Missing Authorization vulnerability in nofearinc DX Delete Attached Media allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DX Delete Attached Media: from n/a through 2.0.5.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46073 |
CVE-2023-45766 | Missing Authorization vulnerability in Poll Maker Team Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll Maker: from n/a through 4.7.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45766 |
CVE-2023-45649 | Missing Authorization vulnerability in CodePeople Appointment Hour Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appointment Hour Booking: from n/a through 1.4.23. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45649 |
CVE-2023-45061 | Missing Authorization vulnerability in AWSM Innovations WP Job Openings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Openings: from n/a through 3.4.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45061 |
CVE-2023-44258 | Missing Authorization vulnerability in Schema App Schema App Structured Data allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Schema App Structured Data: from n/a through 1.23.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-44258 |
CVE-2024-13105 | A vulnerability has been found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/form2Dhcpd.cgi of the component DHCPD Setting Handler. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13105 |
CVE-2024-13104 | A vulnerability, which was classified as critical, was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. Affected is an unknown function of the file /goform/form2AdvanceSetup.cgi of the component WiFi Settings Handler. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13104 |
CVE-2024-13103 | A vulnerability, which was classified as critical, has been found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. This issue affects some unknown processing of the file /goform/form2AddVrtsrv.cgi of the component Virtual Service Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13103 |
CVE-2024-13102 | A vulnerability classified as critical was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. This vulnerability affects unknown code of the file /goform/DDNS of the component DDNS Service. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13102 |
CVE-2024-56199 | phpMyFAQ is an open source FAQ web application. Starting no later than version 3.2.10 and prior to version 4.0.2, an attacker can inject malicious HTML content into the FAQ editor at `http[:]//localhost/admin/index[.]php?action=editentry`, resulting in a complete disruption of the FAQ page's user interface. By injecting malformed HTML elements styled to cover the entire screen, an attacker can render the page unusable. This injection manipulates the page structure by introducing overlapping buttons, images, and iframes, breaking the intended layout and functionality. Exploiting this issue can lead to Denial of Service for legitimate users, damage to the user experience, and potential abuse in phishing or defacement attacks. Version 4.0.2 contains a patch for the vulnerability. | 5.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-56199 |
CVE-2024-47475 | Dell PowerScale OneFS 8.2.2.x through 9.8.0.x contains an incorrect permission assignment for critical resource vulnerability. A locally authenticated attacker could potentially exploit this vulnerability, leading to denial of service. | 5 | https://nvd.nist.gov/vuln/detail/CVE-2024-47475 |
CVE-2024-45100 | IBM Security ReaQta 3.12 could allow a privileged user to cause a denial of service by sending multiple administration requests due to improper allocation of resources. | 4.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-45100 |
CVE-2024-11437 | The Timeline Designer plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 4.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-11437 |
CVE-2024-56248 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Webdeclic WPMasterToolKit allows Path Traversal. This issue affects WPMasterToolKit: from n/a through 1.13.1. | 4.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-56248 |
CVE-2024-9638 | The Category Posts Widget WordPress plugin before 4.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-9638 |
CVE-2024-8857 | The WordPress Auction Plugin WordPress plugin through 3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Stored Cross-Site Scripting attacks. | 4.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-8857 |
CVE-2024-11184 | The wp-enable-svg WordPress plugin through 0.7 does not sanitize SVG files when uploaded, allowing for authors and above to upload SVGs containing malicious scripts. | 4.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-11184 |
CVE-2025-0294 | A vulnerability has been found in SourceCodester Home Clean Services Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /public_html/admin/process.php. The manipulation of the argument type/length/business leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 4.7 | https://nvd.nist.gov/vuln/detail/CVE-2025-0294 |
CVE-2023-6601 | A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions. | 4.7 | https://nvd.nist.gov/vuln/detail/CVE-2023-6601 |
CVE-2024-13138 | A vulnerability was found in wangl1989 mysiteforme 1.0. It has been declared as critical. This vulnerability affects the function upload of the file src/main/java/com/mysiteform/admin/service/ipl/LocalUploadServiceImpl. The manipulation of the argument test leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 4.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-13138 |
CVE-2024-48197 | Cross Site Scripting vulnerability in Audiocodes MP-202b v.4.4.3 allows a remote attacker to escalate privileges via the login page of the web interface. | 4.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-48197 |
CVE-2024-12595 | The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | 4.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-12595 |
CVE-2025-22383 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity input validation issue exists in the Commerce B2B application, affecting the Contact Us functionality. This allows visitors to send e-mail messages that could contain unfiltered HTML markup in specific scenarios. | 4.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22383 |
CVE-2024-54030 | In OpenHarmony v4.1.2 and prior versions, a use after free allows a local attacker to cause DoS. | 4.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-54030 |
CVE-2024-12207 | The Toggles Shortcode and Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 1.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 4.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12207 |
CVE-2024-51741 | Redis is an open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2. | 4.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-51741 |
CVE-2024-20152 | In wlan STA driver, there is a possible reachable assertion due to improper exception handling. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00389047 / ALPS09136505; Issue ID: MSV-1798. | 4.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-20152 |
CVE-2025-22319 | Missing Authorization vulnerability in DearHive Social Media Share Buttons \| MashShare. This issue affects Social Media Share Buttons \| MashShare: from n/a through 4.0.47. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22319 |
CVE-2024-56272 | Missing Authorization vulnerability in ThemeSupport Hide Category by User Role for WooCommerce. This issue affects Hide Category by User Role for WooCommerce: from n/a through 2.1.1. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56272 |
CVE-2024-12429 | An attacker who successfully exploited these vulnerabilities could grant read access to files. A vulnerability exists in the AC500 V3 version mentioned. A successfully authenticated attacker can use this vulnerability to read system wide files and configuration. All AC500 V3 products (PM5xxx) with firmware version earlier than 3.8.0 are affected by this vulnerability. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12429 |
CVE-2025-22591 | Missing Authorization vulnerability in Lenderd 1003 Mortgage Application allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 1003 Mortgage Application: from n/a through 1.87. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22591 |
CVE-2025-22563 | Cross-Site Request Forgery (CSRF) vulnerability in Faaiq Pretty Url allows Cross Site Request Forgery. This issue affects Pretty Url: from n/a through 1.5.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22563 |
CVE-2025-22562 | Cross-Site Request Forgery (CSRF) vulnerability in Jason Funk Title Experiments Free allows Cross Site Request Forgery. This issue affects Title Experiments Free: from n/a through 9.0.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22562 |
CVE-2025-22512 | Missing Authorization vulnerability in Sprout Apps Help Scout allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Help Scout: from n/a through 6.5.1. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22512 |
CVE-2025-22503 | Cross-Site Request Forgery (CSRF) vulnerability in Digital Zoom Studio Admin debug wordpress – enable debug allows Cross Site Request Forgery. This issue affects Admin debug wordpress – enable debug: from n/a through 1.0.13. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22503 |
CVE-2024-52813 | matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to notify that a user's cryptographic identity has changed from a verified to an unverified one, which could cause client applications relying on the SDK to overlook such changes. matrix-sdk-crypto 0.8.0 adds a new VerificationLevel::VerificationViolation enum variant which indicates that a previously verified identity has been changed. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-52813 |
CVE-2024-25037 | IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-25037 |
CVE-2022-22363 | IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2022-22363 |
CVE-2024-12131 | The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.5 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit resumes for other applicants when applying for jobs. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12131 |
CVE-2024-12532 | The BWD Elementor Addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.18 in widgets/bwdeb-content-switcher.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12532 |
CVE-2024-12033 | The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the sync_libraries() function in all versions up to, and including, 4.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to sync libraries. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12033 |
CVE-2025-22304 | Missing Authorization vulnerability in osamaesh WP Visitor Statistics (Real Time Traffic) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through 7.3. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22304 |
CVE-2025-22299 | Missing Authorization vulnerability in spacecodes AI for SEO allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI for SEO: from n/a through 1.2.9. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22299 |
CVE-2025-22298 | Missing Authorization vulnerability in Hive Support Hive Support – WordPress Help Desk allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hive Support – WordPress Help Desk: from n/a through 1.1.6. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22298 |
CVE-2025-22297 | Cross-Site Request Forgery (CSRF) vulnerability in AIpost AI WP Writer allows Cross Site Request Forgery. This issue affects AI WP Writer: from n/a through 3.8.4.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22297 |
CVE-2024-56276 | Missing Authorization vulnerability in WPForms Contact Form by WPForms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form by WPForms: from n/a through 1.9.2.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56276 |
CVE-2024-56273 | Missing Authorization vulnerability in WPvivid Backup & Migration WPvivid Backup and Migration allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WPvivid Backup and Migration: from n/a through 0.9.106. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56273 |
CVE-2024-56271 | Missing Authorization vulnerability in SecureSubmit WP SecureSubmit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP SecureSubmit: from n/a through 1.5.16. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56271 |
CVE-2024-49294 | Cross-Site Request Forgery (CSRF) vulnerability in MagePeople Team Bus Ticket Booking with Seat Reservation allows Cross Site Request Forgery. This issue affects Bus Ticket Booking with Seat Reservation: from n/a through 5.4.3. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-49294 |
CVE-2024-12719 | The WordPress File Upload plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wfu_ajax_action_read_subfolders' function in all versions up to, and including, 4.24.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform limited path traversal to view directories and subdirectories in WordPress. Files cannot be viewed. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12719 |
CVE-2024-12781 | The Aurum - WordPress & WooCommerce Shopping Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'lab_1cl_demo_install_package_content' function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite content with imported demo content. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12781 |
CVE-2024-10536 | The FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_block_shortcode_export() function in all versions up to, and including, 6.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export shortcodes. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-10536 |
CVE-2024-12327 | The LazyLoad Background Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pblzbg_save_settings() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12327 |
CVE-2024-12208 | The Backup and Restore WordPress – Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.50. This is due to missing or incorrect nonce validation on the ajax_queue_manual_backup() function. This makes it possible for unauthenticated attackers to trigger backups via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12208 |
CVE-2024-12140 | The Elementor Addons AI Addons – 70 Widgets, Premium Templates, Ultimate Elements plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.1 via the render function due to insufficient restrictions on which templates can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft templates that they should not have access to. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12140 |
CVE-2024-12538 | The Duplicate Post, Page and Any Custom Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.3 via the 'dpp_duplicate_as_draft' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract potentially sensitive data from draft, scheduled (future), private, and password protected posts. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12538 |
CVE-2024-55075 | Grocy through 4.3.0 allows remote attackers to obtain sensitive information via direct requests to pages that are not shown in the UI, such as calendar and recipes. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-55075 |
CVE-2025-0227 | A vulnerability, which was classified as problematic, was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). This affects an unknown part of the file /Logs/Annals/downLoad.html. The manipulation of the argument path leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0227 |
CVE-2025-0226 | A vulnerability, which was classified as problematic, has been found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this issue is the function download of the file /collect/PortV4/downLoad.html. The manipulation of the argument path leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0226 |
CVE-2025-0225 | A vulnerability classified as problematic was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this vulnerability is an unknown functionality of the file /setting/ClassFy/exampleDownload.html. The manipulation of the argument name leads to path traversal: '/../filedir'. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0225 |
CVE-2024-13130 | A vulnerability was found in Dahua IPC-HFW1200S, IPC-HFW2300R-Z, IPC-HFW5220E-Z and IPC-HDW1200S up to 20241222. It has been rated as problematic. Affected by this issue is some unknown functionality of the file ../mtd/Config/Sha1Account1 of the component Web Interface. The manipulation leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13130 |
CVE-2024-55897 | IBM PowerHA SystemMirror for i 7.4 and 7.5 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-55897 |
CVE-2024-12237 | The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.15 via the rjg_get_youtube_info_justified_gallery_callback function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to retrieve limited information from internal services. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12237 |
CVE-2024-5591 | IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-5591 |
CVE-2024-12132 | The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create jobs for companies that are unaffiliated with the attacker. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12132 |
CVE-2023-47807 | Missing Authorization vulnerability in 10Web 10WebAnalytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 10WebAnalytics: from n/a through 1.2.12. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47807 |
CVE-2023-47778 | Missing Authorization vulnerability in LuckyWP LuckyWP Scripts Control allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LuckyWP Scripts Control: from n/a through 1.2.1. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47778 |
CVE-2023-39994 | Missing Authorization vulnerability in Repute InfoSystems ARMember Premium allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ARMember Premium: from n/a through 5.9.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-39994 |
CVE-2022-43476 | Missing Authorization vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe to Category: from n/a through 2.7.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2022-43476 |
CVE-2022-41995 | Missing Authorization vulnerability in Galleryape Gallery Images Ape allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gallery Images Ape: from n/a through 2.2.8. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2022-41995 |
CVE-2024-38732 | Cross-Site Request Forgery (CSRF) vulnerability in VolThemes Patricia Blog allows Cross Site Request Forgery. This issue affects Patricia Blog: from n/a through 1.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-38732 |
CVE-2024-38731 | Cross-Site Request Forgery (CSRF) vulnerability in Marsian i-amaze allows Cross Site Request Forgery. This issue affects i-amaze: from n/a through 1.3.7. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-38731 |
CVE-2024-37931 | Cross-Site Request Forgery (CSRF) vulnerability in Creativthemes Point allows Cross Site Request Forgery. This issue affects Point: from n/a through 1.1. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37931 |
CVE-2024-37452 | Cross-Site Request Forgery (CSRF) vulnerability in MyThemeShop Schema Lite allows Cross Site Request Forgery. This issue affects Schema Lite: from n/a through 1.2.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37452 |
CVE-2024-37241 | Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager - Resume Manager allows Cross Site Request Forgery. This issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37241 |
CVE-2024-37237 | Cross-Site Request Forgery (CSRF) vulnerability in FS-code FS Poster allows Cross Site Request Forgery. This issue affects FS Poster: from n/a through 6.5.8. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37237 |
CVE-2024-13110 | A vulnerability classified as problematic has been found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected is an unknown function of the file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java, of the component Exam Answer Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13110 |
CVE-2024-38778 | Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search. This issue affects WP Fast Total Search: from n/a through 1.69.234. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-38778 |
CVE-2024-38764 | Cross-Site Request Forgery (CSRF) vulnerability in Marsian allows Cross Site Request Forgery. This issue affects i-transform: from n/a through 3.0.9. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-38764 |
CVE-2024-56255 | Missing Authorization vulnerability in AyeCode AyeCode Connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AyeCode Connect: from n/a through 1.3.8. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56255 |
CVE-2024-56251 | Cross-Site Request Forgery (CSRF) vulnerability in Event Espresso Event Espresso 4 Decaf allows Cross Site Request Forgery. This issue affects Event Espresso 4 Decaf: from n/a through 5.0.28.decaf. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56251 |
CVE-2024-56243 | Missing Authorization vulnerability in JS Morisset WPSSO Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPSSO Core: from n/a through 18.18.1. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56243 |
CVE-2024-56236 | Missing Authorization vulnerability in Jakob Bouchard Hestia Nginx Cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hestia Nginx Cache: from n/a through 2.4.0. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56236 |
CVE-2024-43927 | Cross-Site Request Forgery (CSRF) vulnerability in Till Krüss Email Address Encoder allows Cross Site Request Forgery. This issue affects Email Address Encoder: from n/a through 1.0.23. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-43927 |
CVE-2024-38766 | Cross-Site Request Forgery (CSRF) vulnerability in Matomo Matomo Analytics allows Cross Site Request Forgery. This issue affects Matomo Analytics: from n/a through 5.1.1. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-38766 |
CVE-2024-38765 | Cross-Site Request Forgery (CSRF) vulnerability in Freelancelot Oceanic allows Cross Site Request Forgery. This issue affects Oceanic: from n/a through 1.0.48. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-38765 |
CVE-2024-38763 | Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Verse allows Cross Site Request Forgery. This issue affects Popularis Verse: from n/a through 1.1.1. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-38763 |
CVE-2024-38762 | Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar Event Tickets allows Cross Site Request Forgery. This issue affects Event Tickets: from n/a through 5.11.0.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-38762 |
CVE-2024-38754 | Cross-Site Request Forgery (CSRF) vulnerability in Tagbox Taggbox allows Cross Site Request Forgery. This issue affects Taggbox: from n/a through 3.3. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-38754 |
CVE-2024-38753 | Cross-Site Request Forgery (CSRF) vulnerability in Labib Ahmed Animated Rotating Words allows Cross Site Request Forgery. This issue affects Animated Rotating Words: from n/a through 5.6. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-38753 |
CVE-2024-38751 | Cross-Site Request Forgery (CSRF) vulnerability in Magazine3 Google Adsense & Banner Ads by AdsforWP allows Cross Site Request Forgery. This issue affects Google Adsense & Banner Ads by AdsforWP: from n/a through 1.9.28. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-38751 |
CVE-2024-38691 | Cross-Site Request Forgery (CSRF) vulnerability in Metorik Metorik – Reports & Email Automation for WooCommerce allows Cross Site Request Forgery. This issue affects Metorik – Reports & Email Automation for WooCommerce: from n/a through 1.7.1. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-38691 |
CVE-2024-37937 | Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Rara Business allows Cross Site Request Forgery. This issue affects Rara Business: from n/a through 1.2.5. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37937 |
CVE-2024-37543 | Cross-Site Request Forgery (CSRF) vulnerability in Nitesh Singh Ultimate Auction allows Cross Site Request Forgery. This issue affects Ultimate Auction: from n/a through 4.2.5. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37543 |
CVE-2024-37540 | Cross-Site Request Forgery (CSRF) vulnerability in Leaky Paywall Leaky Paywall allows Cross Site Request Forgery. This issue affects Leaky Paywall: from n/a through 4.21.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37540 |
CVE-2024-37518 | Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar The Events Calendar allows Cross Site Request Forgery. This issue affects The Events Calendar: from n/a through 6.5.1.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37518 |
CVE-2024-37511 | Cross-Site Request Forgery (CSRF) vulnerability in SWTE Swift Performance Lite allows Cross Site Request Forgery. This issue affects Swift Performance Lite: from n/a through 2.3.6.20. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37511 |
CVE-2024-37508 | Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Construction Landing Page allows Cross Site Request Forgery. This issue affects Construction Landing Page: from n/a through 1.3.5. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37508 |
CVE-2024-37503 | Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Lawyer Landing Page allows Cross Site Request Forgery. This issue affects Lawyer Landing Page: from n/a through 1.2.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37503 |
CVE-2024-37493 | Cross-Site Request Forgery (CSRF) vulnerability in SKT Themes Posterity allows Cross Site Request Forgery. This issue affects Posterity: from n/a through 3.3. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37493 |
CVE-2024-37491 | Cross-Site Request Forgery (CSRF) vulnerability in Apollo13Themes Rife Free allows Cross Site Request Forgery. This issue affects Rife Free: from n/a through 2.4.18. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37491 |
CVE-2024-37490 | Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Bard allows Cross Site Request Forgery. This issue affects Bard: from n/a through 2.210. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37490 |
CVE-2024-37478 | Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Ashe allows Cross Site Request Forgery. This issue affects Ashe: from n/a through 2.233. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37478 |
CVE-2024-37473 | Cross-Site Request Forgery (CSRF) vulnerability in BlazeThemes Trendy News allows Cross Site Request Forgery. This issue affects Trendy News: from n/a through 1.0.15. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37473 |
CVE-2024-37467 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeIsle Hestia allows Cross Site Request Forgery. This issue affects Hestia: from n/a through 3.1.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37467 |
CVE-2024-37458 | Cross-Site Request Forgery (CSRF) vulnerability in ExtendThemes Highlight allows Cross Site Request Forgery. This issue affects Highlight: from n/a through 1.0.29. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37458 |
CVE-2024-37451 | Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Travel Agency allows Cross Site Request Forgery. This issue affects Travel Agency: from n/a through 1.4.9. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37451 |
CVE-2024-37450 | Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Benevolent allows Cross Site Request Forgery. This issue affects Benevolent: from n/a through 1.3.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37450 |
CVE-2024-37448 | Cross-Site Request Forgery (CSRF) vulnerability in FameThemes OnePress allows Cross Site Request Forgery. This issue affects OnePress: from n/a through 2.3.6. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37448 |
CVE-2024-37441 | Cross-Site Request Forgery (CSRF) vulnerability in DesertThemes NewsMash allows Cross Site Request Forgery. This issue affects NewsMash: from n/a through 1.0.34. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37441 |
CVE-2024-37435 | Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Perfect Portfolio allows Cross Site Request Forgery. This issue affects Perfect Portfolio: from n/a through 1.2.0. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37435 |
CVE-2024-37431 | Cross-Site Request Forgery (CSRF) vulnerability in Horea Radu Mesmerize allows Cross Site Request Forgery. This issue affects Mesmerize: from n/a through 1.6.120. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37431 |
CVE-2024-37426 | Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Elegant Pink allows Cross Site Request Forgery. This issue affects Elegant Pink: from n/a through 1.3.0. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37426 |
CVE-2024-37421 | Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme JobScout allows Cross Site Request Forgery. This issue affects JobScout: from n/a through 1.1.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37421 |
CVE-2024-37417 | Cross-Site Request Forgery (CSRF) vulnerability in Coachify Coachify allows Cross Site Request Forgery. This issue affects Coachify: from n/a through 1.0.7. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37417 |
CVE-2024-37413 | Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Preschool and Kindergarten allows Cross Site Request Forgery. This issue affects Preschool and Kindergarten: from n/a through 1.2.1. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37413 |
CVE-2024-37412 | Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Blossom Shop allows Cross Site Request Forgery. This issue affects Blossom Shop: from n/a through 1.1.7. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37412 |
CVE-2024-37274 | Cross-Site Request Forgery (CSRF) vulnerability in Freshlight Lab WP Mobile Menu allows Cross Site Request Forgery. This issue affects WP Mobile Menu: from n/a through 2.8.4.3. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37274 |
CVE-2024-37272 | Cross-Site Request Forgery (CSRF) vulnerability in WP Travel Engine Travel Monster allows Cross Site Request Forgery. This issue affects Travel Monster: from n/a through 1.1.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37272 |
CVE-2024-37243 | Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Vandana Lite allows Cross Site Request Forgery. This issue affects Vandana Lite: from n/a through 1.1.9. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37243 |
CVE-2024-37242 | Cross-Site Request Forgery (CSRF) vulnerability in Automattic Newspack Newsletters allows Cross Site Request Forgery. This issue affects Newspack Newsletters: from n/a through 2.13.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37242 |
CVE-2024-37240 | Cross-Site Request Forgery (CSRF) vulnerability in Faboba Falang multilanguage allows Cross Site Request Forgery. This issue affects Falang multilanguage: from n/a through 1.3.51. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37240 |
CVE-2024-37238 | Cross-Site Request Forgery (CSRF) vulnerability in Greg Winiarski WPAdverts – Classifieds Plugin allows Cross Site Request Forgery. This issue affects WPAdverts – Classifieds Plugin: from n/a through 2.1.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37238 |
CVE-2024-37236 | Cross-Site Request Forgery (CSRF) vulnerability in Tim Whitlock Loco Translate allows Cross Site Request Forgery. This issue affects Loco Translate: from n/a through 2.6.9. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37236 |
CVE-2024-37235 | Cross-Site Request Forgery (CSRF) vulnerability in Groundhogg Inc. Groundhogg allows Cross Site Request Forgery. This issue affects Groundhogg: from n/a through 3.4.2.3. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37235 |
CVE-2024-37104 | Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Chic Lite allows Cross Site Request Forgery. This issue affects Chic Lite: from n/a through 1.1.3. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37104 |
CVE-2024-37103 | Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Education Zone allows Cross Site Request Forgery.This issue affects Education Zone: from n/a through 1.3.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37103 |
CVE-2024-37102 | Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Vilva allows Cross Site Request Forgery.This issue affects Vilva: from n/a through 1.2.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37102 |
CVE-2024-37093 | Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes MasterStudy LMS allows Cross Site Request Forgery.This issue affects MasterStudy LMS: from n/a through 3.2.1. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-37093 |
CVE-2023-47692 | Missing Authorization vulnerability in Flothemes Flo Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flo Forms: from n/a through 1.0.41. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47692 |
CVE-2023-47647 | Missing Authorization vulnerability in LearningTimes BadgeOS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BadgeOS: from n/a through 3.7.1.6. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47647 |
CVE-2023-47557 | Missing Authorization vulnerability in wp-buy Visitors Traffic Real Time Statistics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Visitors Traffic Real Time Statistics: from n/a through 7.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47557 |
CVE-2023-47523 | Missing Authorization vulnerability in Ecreate Infotech Auto Tag Creator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Auto Tag Creator: from n/a through 1.0.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47523 |
CVE-2023-46628 | Missing Authorization vulnerability in RedLettuce Plugins WP Word Count allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Word Count: from n/a through 3.2.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46628 |
CVE-2023-46612 | Missing Authorization vulnerability in codedrafty Mediabay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mediabay: from n/a through 1.6. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46612 |
CVE-2023-46203 | Missing Authorization vulnerability in JustCoded / Alex Prokopenko Just Custom Fields allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Just Custom Fields: from n/a through 3.3.2. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46203 |
CVE-2023-46196 | Missing Authorization vulnerability in Repuso Social proof testimonials and reviews by Repuso allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Social proof testimonials and reviews by Repuso: from n/a through 4.97. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46196 |
CVE-2023-46188 | Missing Authorization vulnerability in Jose Mortellaro Freesoul Deactivate Plugins – Plugin manager and cleanup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Freesoul Deactivate Plugins – Plugin manager and cleanup: from n/a through 2.1.3. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46188 |
CVE-2023-46080 | Missing Authorization vulnerability in Farhan Noor ApplyOnline – Application Form Builder and Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ApplyOnline – Application Form Builder and Manager: from n/a through 2.5.3. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46080 |
CVE-2023-45765 | Missing Authorization vulnerability in weDevs WP ERP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP ERP: from n/a through 1.12.6. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45765 |
CVE-2023-45760 | Missing Authorization vulnerability in gVectors Team wpDiscuz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpDiscuz: from n/a through 7.6.3. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45760 |
CVE-2023-45631 | Missing Authorization vulnerability in wpdevart Responsive Image Gallery, Gallery Album allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45631 |
CVE-2023-45271 | Missing Authorization vulnerability in WowStore Team ProductX – Gutenberg WooCommerce Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ProductX – Gutenberg WooCommerce Blocks: from n/a through 2.7.8. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45271 |
CVE-2023-45110 | Missing Authorization vulnerability in BoldThemes Bold Timeline Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bold Timeline Lite: from n/a through 1.1.9. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45110 |
CVE-2023-45101 | Missing Authorization vulnerability in CusRev Customer Reviews for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Customer Reviews for WooCommerce: from n/a through 5.36.0. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45101 |
CVE-2023-45002 | Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through 3.6.8. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45002 |
CVE-2023-44988 | Missing Authorization vulnerability in Martin Gibson WP Custom Admin Interface allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Custom Admin Interface: from n/a through 7.32. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-44988 |
CVE-2025-22214 | Landray EIS 2001 through 2006 allows Message/fi_message_receiver.aspx?replyid= SQL injection. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22214 |
CVE-2024-41780 | IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a physical user to obtain sensitive information due to not masking passwords during entry. | 4.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-41780 |
CVE-2024-56275 | Server-Side Request Forgery (SSRF) vulnerability in Envato Envato Elements allows Server Side Request Forgery. This issue affects Envato Elements: from n/a through 2.0.14. | 4.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56275 |
CVE-2024-51111 | Cross-Site Scripting (XSS) vulnerability in Pnetlab 5.3.11 allows an attacker to inject malicious scripts into a web page, which are executed in the context of the victim's browser. | 4.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-51111 |
CVE-2025-0214 | A vulnerability was found in TMD Custom Header Menu 4.0.0.1 on OpenCart. It has been rated as problematic. This issue affects some unknown processing of the file /admin/index.php. The manipulation of the argument headermenu_id leads to sql injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | 4.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-0214 |
CVE-2024-12970 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TUBITAK BILGEM Pardus OS My Computer allows OS Command Injection. This issue affects Pardus OS My Computer: before 0.7.2. | 3.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-12970 |
CVE-2024-56321 | GoCD is a continuous delivery server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has the ability to configure and schedule pipeline tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup scripts. However, in restricted environments where host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available. | 3.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-56321 |
CVE-2021-20455 | IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. | 3.7 | https://nvd.nist.gov/vuln/detail/CVE-2021-20455 |
CVE-2025-0301 | A vulnerability, which was classified as problematic, has been found in code-projects Online Book Shop 1.0. Affected by this issue is some unknown functionality of the file /subcat.php. The manipulation of the argument catnm leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 3.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-0301 |
CVE-2025-0295 | A vulnerability was found in code-projects Online Book Shop 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /booklist.php?subcatid=1. The manipulation of the argument subcatnm leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 3.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-0295 |
CVE-2024-13141 | A vulnerability classified as problematic was found in osuuu LightPicture up to 1.2.2. This vulnerability affects unknown code of the file /api/upload of the component SVG File Upload Handler. The manipulation of the argument file leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 3.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-13141 |
CVE-2024-13140 | A vulnerability classified as problematic has been found in Emlog Pro up to 2.4.3. Affected is an unknown function of the file /admin/article.php?action=upload_cover of the component Cover Upload Handler. The manipulation of the argument image leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 3.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-13140 |
CVE-2024-13135 | A vulnerability has been found in Emlog Pro 2.4.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/twitter.php of the component Subpage Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 3.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-13135 |
CVE-2024-13132 | A vulnerability classified as problematic was found in Emlog Pro up to 2.4.3. This vulnerability affects unknown code of the file /admin/article.php of the component Subpage Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 3.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-13132 |
CVE-2025-0175 | A vulnerability was found in code-projects Online Shop 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /view.php. The manipulation of the argument name/details leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 3.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-0175 |
CVE-2024-55626 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large BPF filter file provided to Suricata at startup can lead to a buffer overflow at Suricata startup. The issue has been addressed in Suricata 7.0.8. | 3.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-55626 |
CVE-2024-10527 | The Spacer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the motech_spacer_callback() function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view limited setting information. | 3.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-10527 |
CVE-2024-51472 | IBM UrbanCode Deploy (UCD) 7.2 through 7.2.3.13, 7.3 through 7.3.2.8, and IBM DevOps Deploy 8.0 through 8.0.1.3 are vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure. | 3.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-51472 |
CVE-2024-10562 | The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-10562 |
CVE-2024-10102 | The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.22 does not sanitise and escape some of its Gallery settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks. | 2.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-10102 |
CVE-2024-48455 | An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the mode_name, wl_link parameters of the skk_get.cgi component. | 2.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-48455 |
CVE-2024-13143 | A vulnerability was found in ZeroWdd studentmanager 1.0. It has been rated as problematic. This issue affects the function submitAddPermission of the file src/main/java/com/zero/system/controller/PermissionController.java. The manipulation of the argument url leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-13143 |
CVE-2024-13142 | A vulnerability was found in ZeroWdd studentmanager 1.0. It has been declared as problematic. This vulnerability affects the function submitAddRole of the file src/main/java/com/zero/system/controller/RoleController.java. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. | 2.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-13142 |
CVE-2025-0228 | A vulnerability has been found in code-projects Local Storage Todo App 1.0 and classified as problematic. This vulnerability affects unknown code of the file /js-todo-app/index.html. The manipulation of the argument Add leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2.4 | https://nvd.nist.gov/vuln/detail/CVE-2025-0228 |
CVE-2025-0220 | A vulnerability, which was classified as problematic, was found in Trimble SPS851 488.01. This affects an unknown part of the component Ethernet Configuration Menu. The manipulation of the argument Hostname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2.4 | https://nvd.nist.gov/vuln/detail/CVE-2025-0220 |
CVE-2024-13137 | A vulnerability was found in wangl1989 mysiteforme 1.0. It has been classified as problematic. This affects the function RestResponse of the file src/main/java/com/mysiteforme/admin/controller/system/SiteController. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-13137 |
CVE-2025-0219 | A vulnerability, which was classified as problematic, has been found in Trimble SPS851 488.01. Affected by this issue is some unknown functionality of the component Receiver Status Identity Tab. The manipulation of the argument System Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2.4 | https://nvd.nist.gov/vuln/detail/CVE-2025-0219 |
CVE-2024-55218 | IceWarp Server 10.2.1 is vulnerable to Cross Site Scripting (XSS) via the meta parameter. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-55218 |
CVE-2024-54819 | I, Librarian before and including 5.11.1 is vulnerable to Server-Side Request Forgery (SSRF) due to improper input validation in classes/security/validation.php. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-54819 |
CVE-2024-53522 | Bangkok Medical Software HOSxP XE v4.64.11.3 was discovered to contain a hardcoded IDEA Key-IV pair in the HOSxPXE4.exe and HOS-WIN32.INI components. This allows attackers to access sensitive information. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-53522 |
CVE-2024-35532 | An XML External Entity (XXE) injection vulnerability in Intersec Geosafe-ea 2022.12, 2022.13, and 2022.14 allows attackers to perform arbitrary file reading under the privileges of the running process, make SSRF requests, or cause a Denial of Service (DoS) via unspecified vectors. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-35532 |
CVE-2022-45186 | An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database. | – | https://nvd.nist.gov/vuln/detail/CVE-2022-45186 |
CVE-2022-45185 | An issue was discovered in SuiteCRM 7.12.7. Authenticated users can use CRM functions to upload malicious files. Then, deserialization can be used to achieve code execution. | – | https://nvd.nist.gov/vuln/detail/CVE-2022-45185 |
CVE-2022-41573 | An issue was discovered in Ovidentia 8.3. The file upload feature does not prevent the uploading of executable files. A user can upload a .png file containing PHP code and then rename it to have the .php extension. It will then be accessible at an images/common/ URI for remote code execution. | – | https://nvd.nist.gov/vuln/detail/CVE-2022-41573 |
CVE-2022-41572 | An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Privilege escalation can be accomplished on the server because nmap can be run as root. The attacker achieves total control over the server. | – | https://nvd.nist.gov/vuln/detail/CVE-2022-41572 |
CVE-2024-40427 | Stack Buffer Overflow in PX4-Autopilot v1.14.3, which allows attackers to execute commands to exploit this vulnerability and cause the program to refuse to execute. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-40427 |
CVE-2024-55414 | A vulnerability exists in driver SmSerl64.sys in Motorola SM56 Modem WDM Driver v6.12.23.0, which allows low-privileged users to map physical memory via specially crafted IOCTL requests. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-55414 |
CVE-2024-55413 | A vulnerability exists in driver snxppamd.sys in SUNIX Parallel Driver x64 - 10.1.0.0, which allows low-privileged users to read and write arbitrary I/O ports via specially crafted IOCTL requests. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-55413 |
CVE-2024-55412 | A vulnerability exists in driver snxpsamd.sys in SUNIX Serial Driver x64 - 10.1.0.0, which allows low-privileged users to read and write arbitrary I/O ports via specially crafted IOCTL requests. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-55412 |
CVE-2024-55411 | An issue in the snxpcamd.sys component of SUNIX Multi I/O Card v10.1.0.0 allows attackers to perform arbitrary read and write actions via supplying crafted IOCTL requests. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-55411 |
CVE-2024-50660 | File Upload Bypass was found in AdPortal 3.0.39, which allows a remote attacker to execute arbitrary code via the file upload functionality. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-50660 |
CVE-2024-50659 | Cross Site Scripting vulnerability in iPublish Media Solutions AdPortal 3.0.39 allows a remote attacker to escalate privileges via the shippingAsBilling parameter in updateuserinfo.html. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-50659 |
CVE-2024-50658 | Server-Side Template Injection (SSTI) was found in AdPortal 3.0.39, which allows a remote attacker to execute arbitrary code via the shippingAsBilling and firstname parameters in the updateuserinfo.html file. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-50658 |
CVE-2024-40749 | Improper Access Controls allows access to protected views. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-40749 |
CVE-2024-40748 | Lack of output escaping in the id attribute of menu lists. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-40748 |
CVE-2025-0247 | Memory safety bugs present in Firefox 133 and Thunderbird 133. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-0247 |
CVE-2025-0246 | When using an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* *Note: This issue is a different issue from CVE-2025-0244.* This vulnerability affects Firefox < 134. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-0246 |
CVE-2025-0245 | Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been bypassed. This vulnerability affects Firefox < 134. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-0245 |
CVE-2025-0244 | When redirecting to an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 134. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-0244 |
CVE-2025-0243 | Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-0243 |
CVE-2025-0242 | Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, and Firefox ESR < 115.19. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-0242 |
CVE-2025-0241 | When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-0241 |
CVE-2025-0240 | Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-0240 |
CVE-2025-0239 | When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-0239 |
CVE-2025-0238 | Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, and Firefox ESR < 115.19. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-0238 |
CVE-2025-0237 | The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-0237 |
CVE-2024-55556 | A vulnerability in Crater Invoice allows an unauthenticated attacker with knowledge of the APP_KEY to achieve remote command execution on the server by manipulating the laravel_session cookie, exploiting arbitrary deserialization through the encrypted session data. The exploitation vector of this vulnerability relies on an attacker obtaining Laravel's secret APP_KEY, which would allow them to decrypt and manipulate session cookies (laravel_session) containing serialized data. By altering this data and re-encrypting it with the APP_KEY, the attacker could trigger arbitrary deserialization on the server, potentially leading to remote command execution (RCE). The vulnerability is primarily exploited by accessing an exposed cookie and manipulating it using the secret key to gain malicious access to the server. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-55556 |
CVE-2024-55008 | JATOS 3.9.4 contains a denial-of-service (DoS) vulnerability in the authentication system, where an attacker can prevent legitimate users from accessing their accounts by repeatedly sending multiple failed login attempts. Specifically, by submitting 3 incorrect login attempts every minute, the attacker can trigger the account lockout mechanism on the account level, effectively locking the user out indefinitely. Since the lockout is applied to the user account and not based on the IP address, any attacker can trigger the lockout on any user account, regardless of their privileges. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-55008 |
CVE-2024-46601 | Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 was discovered to contain a buffer overflow. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-46601 |
CVE-2024-12426 | Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links. This issue affects LibreOffice: from 24.8 before < 24.8.4. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-12426 |
CVE-2024-12425 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The Document Foundation LibreOffice allows Absolute Path Traversal. An attacker can write to arbitrary locations, albeit suffixed with ".ttf", by supplying a file in a format that supports embedded font files. This issue affects LibreOffice: from 24.8 before < 24.8.4. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-12425 |
CVE-2024-53936 | The com.asianmobile.callcolor (aka Color Phone Call Screen App) application through 24 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.asianmobile.callcolor.ui.component.call.CallActivity component. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-53936 |
CVE-2024-53934 | The com.windymob.callscreen.ringtone.callcolor.colorphone (aka Color Phone Call Screen Themes) application through 1.1.2 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.frovis.androidbase.call.DialerActivity component. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-53934 |
CVE-2024-53933 | The com.callerscreen.colorphone.themes.callflash (aka Color Call Theme & Call Screen) application through 1.0.7 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.android.call.color.app.activities.DialerActivity component. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-53933 |
CVE-2024-53932 | The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity component. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-53932 |
CVE-2024-53931 | The com.glitter.caller.screen (aka iCaller, Caller Theme & Dialer) application through 1.1 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.glitter.caller.screen.DialerActivity component. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-53931 |
CVE-2025-21617 | Guzzle OAuth Subscriber signs Guzzle requests using OAuth 1.0. Prior to 0.8.1, nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source. This can leave servers vulnerable to replay attacks when TLS is not used. This vulnerability is fixed in 0.8.1. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-21617 |
CVE-2024-56828 | File Upload vulnerability in ChestnutCMS through 1.5.0. Based on the code analysis, it was determined that the /api/member/avatar API endpoint receives a base64 string as input. This string is then passed to the memberService.uploadAvatarByBase64 method for processing. Within the service, the base64-encoded image is parsed. For example, given a string like: data:image/html;base64,PGh0bWw+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPjwvaHRtbD4= the content after the comma is extracted and decoded using Base64.getDecoder().decode(). The substring from the 11th character up to the first occurrence of a semicolon (;) is assigned to the suffix variable (representing the file extension). The decoded content is then written to a file. However, the file extension is not validated, and since this functionality is exposed to the frontend, it poses significant security risks. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56828 |
CVE-2024-56762 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56762 |
CVE-2025-21604 | LangChain4j-AIDeepin is a Retrieval enhancement generation (RAG) project. Prior to 3.5.0, LangChain4j-AIDeepin uses MD5 to hash files, which may cause file upload conflicts. This issue is fixed in 3.5.0. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-21604 |
CVE-2025-22389 | An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious file types, including .docm and .html. When accessed by application users, these files can be used to execute malicious actions or compromise users' systems. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-22389 |
CVE-2024-56412 | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56412 |
CVE-2024-56411 | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56411 |
CVE-2024-56410 | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56410 |
CVE-2025-21609 | SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19. | – | https://nvd.nist.gov/vuln/detail/CVE-2025-21609 |
CVE-2024-56514 | Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL, to retrieve the custom resource definitions (CRDs) needed by Karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a Karmada initialization could write arbitrary files in arbitrary paths of the filesystem. From Karmada version 1.12.0, when processing custom CRD files, CRD archive verification is utilized to enhance file system robustness. A workaround is available. Someone who needs to set the flag `--crd` to customize the CRD files required for Karmada initialization when using `karmadactl init` to set up Karmada can manually inspect the CRD files to check whether they contain sequences such as `../` that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, one must upgrade one's karmada-operator to one of the fixed versions. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56514 |
CVE-2024-56513 | Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56513 |
CVE-2024-56409 | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56409 |
CVE-2024-56366 | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56366 |
CVE-2024-56365 | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56365 |
CVE-2024-56408 | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56408 |
CVE-2024-56324 | GoCD is a continuous delivery server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse the ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56324 |
CVE-2024-56322 | GoCD is a continuous delivery server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server, which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56322 |
CVE-2024-56320 | GoCD is a continuous delivery server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. It is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediately upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to a more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56320 |
CVE-2024-11717 | Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means that during the token expiration time an on-path attacker might reuse such a token to change a user's password and take over the account. Moreover, the tokens also include the base64-encoded user email. This issue impacts releases up to 3.7.4 and was addressed by pull request 2679 https://github.com/CTFd/CTFd/pull/2679 included in the 3.7.5 release. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-11717 |
CVE-2024-11716 | While assignment of a user to a team (bracket) in CTFd should be possible only once, at registration, a flaw in the logic implementation allows an authenticated user to reset its bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 https://github.com/CTFd/CTFd/pull/2636 included in the 3.7.5 release. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-11716 |
CVE-2024-9950 | A vulnerability in Forescout SecureConnector v11.3.07.0109 on Windows allows an unauthenticated user to modify compliance scripts due to an insecure temporary directory. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-9950 |
CVE-2024-56414 | Web installer integrity check used weak hash algorithm. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56414 |
CVE-2024-56413 | Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-56413 |
CVE-2024-55543 | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-55543 |
CVE-2024-55542 | Local privilege escalation due to excessive permissions assigned to Tray Monitor service. The following products are affected: Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39169, Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 35895. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-55542 |
CVE-2024-55541 | Stored cross-site scripting (XSS) vulnerability due to missing origin validation in postMessage. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39169. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-55541 |
CVE-2024-55540 | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-55540 |
CVE-2024-12907 | Kentico CMS in version 7 is vulnerable to Reflected XSS attacks through manipulation of a specific GET request parameter sent to the /CMSMessages/AccessDenied.aspx endpoint. Notably, support for this version of Kentico ended in 2016. Version 8 was tested as well and does not contain this vulnerability. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-12907 |
CVE-2024-55538 | Sensitive information disclosure due to missing authentication. The following products are affected: Acronis True Image (macOS) before build 41725, Acronis True Image (Windows) before build 41736. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-55538 |
CVE-2024-49385 | Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis True Image (Windows) before build 41736. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-49385 |
CVE-2022-49035 | In the Linux kernel, the following vulnerability has been resolved: media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE. I expect that the hardware will have limited this to 16, but just in case it hasn't, check for this corner case. | – | https://nvd.nist.gov/vuln/detail/CVE-2022-49035 |
CVE-2024-23438 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23438 |
CVE-2024-23437 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23437 |
CVE-2024-23436 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23436 |
CVE-2024-23435 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23435 |
CVE-2024-23434 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23434 |
CVE-2024-23433 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23433 |
CVE-2024-23432 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23432 |
CVE-2024-23431 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23431 |
CVE-2024-23430 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23430 |
CVE-2024-23429 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23429 |
CVE-2024-23428 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23428 |
CVE-2024-23427 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23427 |
CVE-2024-23426 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23426 |
CVE-2024-23425 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23425 |
CVE-2024-23424 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23424 |
CVE-2024-23423 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23423 |
CVE-2024-23422 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23422 |
CVE-2024-23421 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23421 |
CVE-2024-23420 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23420 |
CVE-2024-23419 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23419 |
CVE-2024-23418 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23418 |
CVE-2024-23417 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23417 |
CVE-2024-23416 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23416 |
CVE-2024-23415 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23415 |
CVE-2024-23414 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23414 |
CVE-2024-23413 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23413 |
CVE-2024-23412 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23412 |
CVE-2024-23411 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23411 |
CVE-2024-23410 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23410 |
CVE-2024-23409 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23409 |
CVE-2024-23408 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23408 |
CVE-2024-23407 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23407 |
CVE-2024-23406 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23406 |
CVE-2024-23405 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23405 |
CVE-2024-23404 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23404 |
CVE-2024-23403 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23403 |
CVE-2024-23402 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23402 |
CVE-2024-23401 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23401 |
CVE-2024-23400 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23400 |
CVE-2024-23399 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23399 |
CVE-2024-23398 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23398 |
CVE-2024-23397 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23397 |
CVE-2024-23396 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23396 |
CVE-2024-23395 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23395 |
CVE-2024-23394 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23394 |
CVE-2024-23393 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23393 |
CVE-2024-23392 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23392 |
CVE-2024-23391 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23391 |
CVE-2024-23390 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23390 |
CVE-2024-23389 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-23389 |
CVE-2024-21721 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21721 |
CVE-2024-21720 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21720 |
CVE-2024-21719 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21719 |
CVE-2024-21718 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21718 |
CVE-2024-21717 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21717 |
CVE-2024-21716 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21716 |
CVE-2024-21715 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21715 |
CVE-2024-21714 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21714 |
CVE-2024-21713 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21713 |
CVE-2024-21712 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21712 |
CVE-2024-21711 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21711 |
CVE-2024-21710 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21710 |
CVE-2024-21709 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21709 |
CVE-2024-21708 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21708 |
CVE-2024-21705 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21705 |
CVE-2024-21704 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21704 |
CVE-2024-21702 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21702 |
CVE-2024-21701 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21701 |
CVE-2024-21696 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21696 |
CVE-2024-21695 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21695 |
CVE-2024-21694 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21694 |
CVE-2024-21693 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21693 |
CVE-2024-21692 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21692 |
CVE-2024-21691 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21691 |
CVE-2024-21688 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21688 |
CVE-2024-21679 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21679 |
CVE-2024-21675 | Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. | – | https://nvd.nist.gov/vuln/detail/CVE-2024-21675 |