Security Bulletin 8 Jan 2025

Published on 08 Jan 2025

SingCERT's Security Bulletin summarises the list of vulnerabilities collated from the National Institute of Standards and Technology (NIST)'s National Vulnerability Database (NVD) in the past week.

The vulnerabilities are tabled based on severity, in accordance with their CVSSv3 base scores:

Critical: vulnerabilities with a base score of 9.0 to 10.0
High: vulnerabilities with a base score of 7.0 to 8.9
Medium: vulnerabilities with a base score of 4.0 to 6.9
Low: vulnerabilities with a base score of 0.1 to 3.9
None: vulnerabilities with a base score of 0.0

For those vulnerabilities without assigned CVSS scores, please visit NVD for the updated CVSS vulnerability entries.

CRITICAL VULNERABILITIES

CVE Number | Description | Base Score | Reference
CVE-2024-43243 | Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGlow JobBoard Job listing allows Upload a Web Shell to a Web Server. This issue affects JobBoard Job listing: from n/a through 1.2.6. | 10 | https://nvd.nist.gov/vuln/detail/CVE-2024-43243
CVE-2024-56829 | Huang Yaoshi Pharmaceutical Management Software through 16.0 allows arbitrary file upload via a .asp filename in the fileName element of the UploadFile element in a SOAP request to /XSDService.asmx. | 10 | https://nvd.nist.gov/vuln/detail/CVE-2024-56829
CVE-2025-22133 | WeGIA is a web manager for charitable institutions. Prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as .phar, which can then be executed by the server. This vulnerability is fixed in 3.2.8. | 9.9 | https://nvd.nist.gov/vuln/detail/CVE-2025-22133
CVE-2024-12583 | The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. | 9.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-12583
CVE-2025-21624 | ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. Without proper checks, an attacker can upload a PHP script file instead of an image file, thus allowing a webshell or other malicious files to be stored and executed on the server. This attack vector exists in both the admin area and low-level user area. This vulnerability is fixed in 5.5.1 - 239. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2025-21624
CVE-2024-49649 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Abdul Hakeem Build App Online allows PHP Local File Inclusion. This issue affects Build App Online: from n/a through 1.0.23. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-49649
CVE-2024-49222 | Deserialization of Untrusted Data vulnerability in Amento Tech Pvt ltd WPGuppy allows Object Injection. This issue affects WPGuppy: from n/a through 1.1.0. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-49222
CVE-2024-8855 | The WordPress Auction Plugin WordPress plugin through 3.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing editors and above to perform SQL injection attacks. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-8855
CVE-2024-12470 | The School Management System – SakolaWP plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.8. This is due to the registration function not properly limiting what roles a user can register as. This makes it possible for unauthenticated attackers to register as an administrative user. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12470
CVE-2024-12264 | The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's identity prior to setting the user's ID and auth cookies. This makes it possible for unauthenticated attackers to create new administrative user accounts. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12264
CVE-2024-12252 | The SEO LAT Auto Post plugin for WordPress is vulnerable to file overwrite due to a missing capability check on the remote_update AJAX action in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to overwrite the seo-beginner-auto-post.php file which can be leveraged to achieve remote code execution. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12252
CVE-2024-12402 | The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators, and leverage that to gain access to their account. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12402
CVE-2024-55529 | Z-BlogPHP 1.7.3 is vulnerable to arbitrary code execution via \zb_users\theme\shell\template. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55529
CVE-2024-46622 | An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38, 7.1.x before 7.1.11, 8.0.x before 8.0.18, and 8.1.x before 8.1.18 that allows arbitrary file creation, modification and deletion. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-46622
CVE-2025-21613 | go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2025-21613
CVE-2024-20148 | In wlan STA FW, there is a possible out of bounds write due to improper input validation. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00389045 / ALPS09136494; Issue ID: MSV-1796. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-20148
CVE-2025-22376 | In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2025-22376
CVE-2024-55507 | An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55507
CVE-2024-55078 | An arbitrary file upload vulnerability in the component /adminUser/updateImg of WukongCRM-11.0-JAVA v11.3.3 allows attackers to execute arbitrary code via uploading a crafted file. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55078
CVE-2024-9140 | Moxa’s cellular routers, secure routers, and network security appliances are affected by a critical vulnerability, CVE-2024-9140. This vulnerability allows OS command injection due to improperly restricted commands, potentially enabling attackers to execute arbitrary code. This poses a significant risk to the system’s security and functionality. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-9140
CVE-2024-53842 | In cc_SendCcImsInfoIndMsg of cc_MmConManagement.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53842
CVE-2024-56290 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows SQL Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.2. | 9.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56290
CVE-2024-56284 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SSL Wireless SSL Wireless SMS Notification allows SQL Injection. This issue affects SSL Wireless SMS Notification: from n/a through 3.5.0. | 9.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56284
CVE-2025-22275 | iTerm2 3.5.6 through 3.5.10 before 3.5.11 sometimes allows remote attackers to obtain sensitive information from terminal commands by reading the /tmp/framer.txt file. This can occur for certain it2ssh and SSH Integration configurations, during remote logins to hosts that have a common Python installation. | 9.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22275
CVE-2024-56278 | Improper Control of Generation of Code ('Code Injection') vulnerability in Smackcoders WP Ultimate Exporter allows PHP Remote File Inclusion. This issue affects WP Ultimate Exporter: from n/a through 2.9.1. | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56278
CVE-2024-54880 | SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to register accounts in bulk. | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-54880
CVE-2024-54879 | SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members indefinitely. | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-54879
CVE-2024-5594 | OpenVPN before 2.6.11 does not sanitize PUSH_REPLY messages properly, which attackers can use to inject unexpected arbitrary data into third-party executables or plug-ins. | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-5594
CVE-2024-56249 | Unrestricted Upload of File with Dangerous Type vulnerability in Webdeclic WPMasterToolKit allows Upload a Web Shell to a Web Server. This issue affects WPMasterToolKit: from n/a through 1.13.1. | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56249

OTHER VULNERABILITIES

CVE Number | Description | Base Score | Reference
CVE-2024-55555 | Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55555
CVE-2024-53345 | An authenticated arbitrary file upload vulnerability in Car Rental Management System v1.0 to v1.3 allows attackers to execute arbitrary code via uploading a crafted file. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53345
CVE-2024-56280 | Incorrect Privilege Assignment vulnerability in Amento Tech Pvt ltd WPGuppy allows Privilege Escalation. This issue affects WPGuppy: from n/a through 1.1.0. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-56280
CVE-2024-49644 | Incorrect Privilege Assignment vulnerability in AllAccessible Team Accessibility by AllAccessible allows Privilege Escalation. This issue affects Accessibility by AllAccessible: from n/a through 1.3.4. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-49644
CVE-2024-47398 | OpenHarmony v4.1.2 and prior versions allow a local attacker to cause the device to be unable to boot up through an out-of-bounds write. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-47398
CVE-2024-12202 | The Croma Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'ironMusic_ajax' function in all versions up to, and including, 3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12202
CVE-2024-11725 | The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the updateWcWarrantySettings() function in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Please note this requires the woocommerce-warranty plugin to be installed in order to be exploited. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-11725
CVE-2024-12471 | The Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and file type validation on the add_image_to_library AJAX action function in all versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files that make remote code execution possible. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12471
CVE-2024-12322 | The ThePerfectWedding.nl Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8. This is due to missing or incorrect nonce validation on the 'update_option' function. This makes it possible for unauthenticated attackers to update the 'tpwKey' option with stored cross-site scripting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-12322
CVE-2024-55074 | The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a crafted HTML or SVG file, a different issue than CVE-2024-8370. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55074
CVE-2025-21611 | tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions regardless of their permissions. Notably, the WriteUsers right is unaffected so users may not use this bug to permanently elevate their account permissions. The fix is released in tgstation-server-v6.12.3. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2025-21611
CVE-2024-10957 | The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions from 1.23.8 to 1.24.11 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. An administrator must perform a search and replace action to trigger the exploit. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-10957
CVE-2024-10932 | The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-10932
CVE-2024-13129 | A vulnerability was found in Roxy-WI up to 8.1.3. It has been declared as critical. Affected by this vulnerability is the function action_service of the file app/modules/roxywi/roxy.py. The manipulation of the argument action/service leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 8.1.4 is able to address this issue. The identifier of the patch is 32313928eb9ce906887b8a30bf7b9a3d5c0de1be. It is recommended to upgrade the affected component. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-13129
CVE-2024-35365 | FFmpeg version n6.1.1 has a double-free vulnerability in the fftools/ffmpeg_mux_init.c component of FFmpeg, specifically within the new_stream_audio function. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-35365
CVE-2024-43767 | In prepare_to_draw_into_mask of SkBlurMaskFilterImpl.cpp, there is a possible heap overflow due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43767
CVE-2024-39623 | Cross-Site Request Forgery (CSRF) vulnerability in CridioStudio ListingPro allows Authentication Bypass. This issue affects ListingPro: from n/a through 2.9.4. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-39623
CVE-2023-47179 | Missing Authorization vulnerability in ByConsole WooODT Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooODT Lite: from n/a through 2.4.6. | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2023-47179
CVE-2024-49249 | Path Traversal vulnerability in SMSA Express SMSA Shipping allows Path Traversal. This issue affects SMSA Shipping: from n/a through 2.3. | 8.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-49249
CVE-2024-12535 | The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited. | 8.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-12535
CVE-2025-21612 | TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2. | 8.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-21612
CVE-2025-22519 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in eDoc Intelligence LLC eDoc Easy Tables allows SQL Injection. This issue affects eDoc Easy Tables: from n/a through 1.29. | 8.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22519
CVE-2025-22348 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RTO GmbH DynamicTags allows Blind SQL Injection. This issue affects DynamicTags: from n/a through 1.4.0. | 8.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22348
CVE-2024-51715 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickWhale ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages allows Blind SQL Injection. This issue affects ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages: from n/a through 2.4.1. | 8.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-51715
CVE-2024-11626 | Improper Neutralization of Input During CMS Backend (administrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. | 8.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11626
CVE-2021-27285 | An issue was discovered in Inspur ClusterEngine v4.0 that allows attackers to gain escalated local privileges and execute arbitrary commands via /opt/tsce4/torque6/bin/getJobsByShell. | 8.4 | https://nvd.nist.gov/vuln/detail/CVE-2021-27285
CVE-2024-45555 | Memory corruption can occur if an already verified IFS2 image is overwritten, bypassing boot verification. This allows unauthorized programs to be injected into security-sensitive images, enabling the booting of a tampered IFS2 system image. | 8.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-45555
CVE-2024-21464 | Memory corruption while processing IPA statistics, when there are no active clients registered. | 8.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-21464
CVE-2025-22132 | WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute arbitrary scripts in the context of a victim's browser. This can lead to information theft, session hijacking, and other forms of client-side exploitation. This vulnerability is fixed in 3.2.7. | 8.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22132
CVE-2024-40702 | IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation. | 8.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-40702
CVE-2025-22347 | Cross-Site Request Forgery (CSRF) vulnerability in BannerSky.com BSK Forms Blacklist allows Blind SQL Injection. This issue affects BSK Forms Blacklist: from n/a through 3.9. | 8.2 | https://nvd.nist.gov/vuln/detail/CVE-2025-22347
CVE-2025-22395 | Dell Update Package Framework, versions prior to 22.01.02, contain(s) a Local Privilege Escalation Vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary remote scripts on the server. Exploitation may lead to a denial of service by an attacker. | 8.2 | https://nvd.nist.gov/vuln/detail/CVE-2025-22395
CVE-2024-53800 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rezgo Rezgo allows PHP Local File Inclusion. This issue affects Rezgo: from n/a through 4.15. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-53800
CVE-2024-56291 | Deserialization of Untrusted Data vulnerability in plainware.com PlainInventory allows Object Injection. This issue affects PlainInventory: from n/a through 3.1.6. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56291
CVE-2024-56283 | Deserialization of Untrusted Data vulnerability in plainware.com Locatoraid Store Locator allows Object Injection. This issue affects Locatoraid Store Locator: from n/a through 3.9.50. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56283
CVE-2024-12313 | The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the 'woo_compare_list' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12313
CVE-2024-55076 | Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-55076
CVE-2024-20154 | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00720348; Issue ID: MSV-2392. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-20154
CVE-2024-20146 | In wlan STA driver, there is a possible out of bounds write due to improper input validation. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00389496 / ALPS09137491; Issue ID: MSV-1835. | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-20146
CVE-2024-55410 | An issue in the 690b33e1-0462-4e84-9bea-c7552b45432a.sys component of Asus GPU Tweak II Program Driver v1.0.0.0 allows attackers to perform arbitrary read and write actions via supplying crafted IOCTL requests. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55410
CVE-2024-55407 | An issue in the DeviceIoControl function of ITE Tech. Inc ITE IO Access v1.0.0.0 allows attackers to perform arbitrary port read and write actions via supplying crafted IOCTL requests. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-55407
CVE-2024-56766 | In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: fix double free in atmel_pmecc_create_user()

The "user" pointer was converted from being allocated with kzalloc() to
being allocated by devm_kzalloc(). Calling kfree(user) will lead to a
double free. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-56766
CVE-2024-56765 | In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/vas: Add close() callback in vas_vm_ops struct

The mapping VMA address is saved in VAS window struct when the
paste address is mapped. This VMA address is used during migration
to unmap the paste address if the window is active. The paste
address mapping will be removed when the window is closed or with
the munmap(). But the VMA address in the VAS window is not updated
with munmap() which is causing invalid access during migration.

The KASAN report shows:
[16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8
[16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928

[16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2
[16386.255128] Tainted: [B]=BAD_PAGE
[16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries
[16386.255181] Call Trace:
[16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable)
[16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764
[16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8
[16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0
[16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8
[16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc
[16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4
...

[16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s:
[16386.256149] kasan_save_stack+0x34/0x68
[16386.256163] kasan_save_track+0x34/0x80
[16386.256175] kasan_save_alloc_info+0x58/0x74
[16386.256196] __kasan_slab_alloc+0xb8/0xdc
[16386.256209] kmem_cache_alloc_noprof+0x200/0x3d0
[16386.256225] vm_area_alloc+0x44/0x150
[16386.256245] mmap_region+0x214/0x10c4
[16386.256265] do_mmap+0x5fc/0x750
[16386.256277] vm_mmap_pgoff+0x14c/0x24c
[16386.256292] ksys_mmap_pgoff+0x20c/0x348
[16386.256303] sys_mmap+0xd0/0x160
...

[16386.256350] Freed by task 0 on cpu 31 at 16386.204848s:
[16386.256363] kasan_save_stack+0x34/0x68
[16386.256374] kasan_save_track+0x34/0x80
[16386.256384] kasan_save_free_info+0x64/0x10c
[16386.256396] __kasan_slab_free+0x120/0x204
[16386.256415] kmem_cache_free+0x128/0x450
[16386.256428] vm_area_free_rcu_cb+0xa8/0xd8
[16386.256441] rcu_do_batch+0x2c8/0xcf0
[16386.256458] rcu_core+0x378/0x3c4
[16386.256473] handle_softirqs+0x20c/0x60c
[16386.256495] do_softirq_own_stack+0x6c/0x88
[16386.256509] do_softirq_own_stack+0x58/0x88
[16386.256521] __irq_exit_rcu+0x1a4/0x20c
[16386.256533] irq_exit+0x20/0x38
[16386.256544] interrupt_async_exit_prepare.constprop.0+0x18/0x2c
...

[16386.256717] Last potentially related work creation:
[16386.256729] kasan_save_stack+0x34/0x68
[16386.256741] __kasan_record_aux_stack+0xcc/0x12c
[16386.256753] __call_rcu_common.constprop.0+0x94/0xd04
[16386.256766] vm_area_free+0x28/0x3c
[16386.256778] remove_vma+0xf4/0x114
[16386.256797] do_vmi_align_munmap.constprop.0+0x684/0x870
[16386.256811] __vm_munmap+0xe0/0x1f8
[16386.256821] sys_munmap+0x54/0x6c
[16386.256830] system_call_exception+0x1a0/0x4a0
[16386.256841] system_call_vectored_common+0x15c/0x2ec

[16386.256868] The buggy address belongs to the object at c00000014a819670
which belongs to the cache vm_area_struct of size 168
[16386.256887] The buggy address is located 0 bytes inside of
freed 168-byte region [c00000014a819670, c00000014a819718)

[16386.256915] The buggy address belongs to the physical page:
[16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81
[16386.256950] memcg:c0000000ba430001
[16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff)
[16386.256975] page_type: 0xfdffffff(slab)
[16386
---truncated--- | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-56765
CVE-2024-56764 | In the Linux kernel, the following vulnerability has been resolved:

ublk: detach gendisk from ublk device if add_disk() fails

Inside ublk_abort_requests(), gendisk is grabbed for aborting all
inflight requests. And ublk_abort_requests() is called when exiting
the uring context or handling timeout.

If add_disk() fails, the gendisk may have been freed when calling
ublk_abort_requests(), so use-after-free can be caused when getting
disk's reference in ublk_abort_requests().

Fixes the bug by detaching gendisk from ublk device if add_disk() fails. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-56764
CVE-2024-56759 | In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free when COWing tree block and tracing is enabled

When COWing a tree block, at btrfs_cow_block(), and we have the
tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled
(CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent
buffer while inside the tracepoint code. This is because in some paths
that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding
the last reference on the extent buffer @buf so btrfs_force_cow_block()
drops the last reference on the @buf extent buffer when it calls
free_extent_buffer_stale(buf), which schedules the release of the extent
buffer with RCU. This means that if we are on a kernel with preemption,
the current task may be preempted before calling trace_btrfs_cow_block()
and the extent buffer already released by the time trace_btrfs_cow_block()
is called, resulting in a use-after-free.

Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to
btrfs_force_cow_block() before the COWed extent buffer is freed.
This also has a side effect of invoking the tracepoint in the tree defrag
code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is
called there, but this is fine and it was actually missing there.
7.8https://nvd.nist.gov/vuln/detail/CVE-2024-56759
CVE-2024-45553 | Memory corruption can occur when process-specific maps are added to the global list. If a map is removed from the global list while another thread is using it for a process-specific task, issues may arise. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45553
CVE-2024-45550 | Memory corruption occurs when invoking any IOCTL-calling application that executes all MCDM driver IOCTL calls. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45550
CVE-2024-45548 | Memory corruption while processing FIPS encryption or decryption validation functionality IOCTL call. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45548
CVE-2024-45547 | Memory corruption while processing IOCTL call invoked from user-space to verify non-extension FIPS encryption and decryption functionality. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45547
CVE-2024-45546 | Memory corruption while processing FIPS encryption or decryption IOCTL call invoked from user-space. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45546
CVE-2024-45542 | Memory corruption when IOCTL call is invoked from user-space to write board data to WLAN driver. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45542
CVE-2024-45541 | Memory corruption when IOCTL call is invoked from user-space to read board data. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-45541
CVE-2024-53841 | In startListeningForDeviceStateChanges, there is a possible Permission Bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53841
CVE-2024-53840 | There is a possible biometric bypass due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53840
CVE-2024-53838 | In Exynos_parsing_user_data_registered_itu_t_t35 of VendorVideoAPI.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53838
CVE-2024-53837 | In prepare_response of lwis_periodic_io.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53837
CVE-2024-53835 | There is a possible biometric bypass due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53835
CVE-2024-53833 | In prepare_response_locked of lwis_transaction.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-53833
CVE-2024-47032 | In construct_transaction_from_cmd of lwis_ioctl.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-47032
CVE-2024-11624 | There is a possible way to add apps to bypass VPN due to an undeclared permission. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-11624
CVE-2024-43769 | In isPackageDeviceAdmin of PackageManagerService.java, there is a possible edge case which could prevent the uninstallation of CloudDpc due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43769
CVE-2024-43768 | In skia_alloc_func of SkDeflate.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43768
CVE-2024-43764 | In onPrimaryClipChanged of ClipboardListener.java, there is a possible way to partially bypass the lock screen. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43764
CVE-2024-43762 | In multiple locations, there is a possible way to avoid unbinding of a service from the system due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43762
CVE-2024-43097 | In resizeToAtLeast of SkRegion.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43097
CVE-2024-43077 | In DevmemValidateFlags of devicemem_server.c, there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-43077
CVE-2024-11625 | Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. | 7.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-11625
CVE-2025-22350 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WpIndeed Ultimate Learning Pro allows SQL Injection. This issue affects Ultimate Learning Pro: from n/a through 3.9. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22350
CVE-2025-22536 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hiren Patel WP Music Player allows SQL Injection. This issue affects WP Music Player: from n/a through 1.3. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22536
CVE-2025-22533 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WOOEXIM.COM WOOEXIM allows SQL Injection. This issue affects WOOEXIM: from n/a through 5.0.0. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22533
CVE-2025-22507 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Benjamin Santalucia (ben@woow-fr.com) WPMU Prefill Post allows SQL Injection. This issue affects WPMU Prefill Post: from n/a through 1.02. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22507
CVE-2025-22502 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mindvalley MindValley Super PageMash allows SQL Injection. This issue affects MindValley Super PageMash: from n/a through 1.1. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22502
CVE-2025-22352 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows Blind SQL Injection. This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through 1.4.8. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22352
CVE-2025-22351 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PenguinArts Contact Form 7 Database – CFDB7 allows SQL Injection. This issue affects Contact Form 7 Database – CFDB7: from n/a through 1.0.0. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22351
CVE-2025-22349 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Owen Cutajar & Hyder Jaffari WordPress Auction Plugin allows SQL Injection. This issue affects WordPress Auction Plugin: from n/a through 3.7. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22349
CVE-2024-56250 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GregRoss Just Writing Statistics allows SQL Injection. This issue affects Just Writing Statistics: from n/a through 4.7. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-56250
CVE-2024-56247 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AF themes WP Post Author allows SQL Injection. This issue affects WP Post Author: from n/a through 3.8.2. | 7.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-56247
CVE-2024-8361 | In SiWx91x devices, the SHA2/224 algorithm returns a hash of 256 bits instead of 224 bits. This incorrect hash length triggers a software assertion, which subsequently causes a Denial of Service (DoS). If a watchdog is implemented, the device will restart after the watchdog expires. If a watchdog is not implemented, the device can be recovered only after a hard reset. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-8361
CVE-2025-22592 | Missing Authorization vulnerability in Lenderd 1003 Mortgage Application allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects 1003 Mortgage Application: from n/a through 1.87. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22592
CVE-2025-21623 | ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 238, ClipBucket V5 allows unauthenticated attackers to change the template directory via a directory traversal, which results in a denial of service. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-21623
CVE-2025-21622 | ClipBucket V5 provides open source video hosting with PHP. During the user avatar upload workflow, a user can choose to upload and change their avatar at any time. During deletion, ClipBucket checks for the avatar_url as a filepath within the avatars subdirectory. If the URL path exists within the avatars directory, ClipBucket will delete it. There is no check for path traversal sequences in the provided user input (stored in the DB as avatar_url), therefore the final $file variable could be tainted with path traversal sequences. This leads to file deletion outside of the intended scope of the avatars folder. This vulnerability is fixed in 5.5.1 - 237. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-21622
CVE-2024-46603 | An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-46603
CVE-2024-46602 | An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. An XML External Entity (XXE) vulnerability may allow an attacker to cause a Denial of Service (DoS) via a crafted XML payload. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-46602
CVE-2024-46242 | An issue in the validate_email function in CTFd/utils/validators/__init__.py of CTFd 3.7.3 allows attackers to cause a Regular expression Denial of Service (ReDoS) via supplying a crafted string as e-mail address during registration. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-46242
CVE-2025-22364 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Service Shogun Ach Invoice App allows PHP Local File Inclusion. This issue affects Ach Invoice App: from n/a through 1.0.1. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22364
CVE-2024-56300 | Insertion of Sensitive Information Into Sent Data vulnerability in WPSpins Post/Page Copying Tool allows Retrieve Embedded Sensitive Data. This issue affects Post/Page Copying Tool: from n/a through 2.0.0. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56300
CVE-2024-56286 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Classic Addons Classic Addons – WPBakery Page Builder allows PHP Local File Inclusion. This issue affects Classic Addons – WPBakery Page Builder: from n/a through 3.0. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56286
CVE-2024-56282 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elicus WPMozo Addons Lite for Elementor allows PHP Local File Inclusion. This issue affects WPMozo Addons Lite for Elementor: from n/a through 1.1.0. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56282
CVE-2024-56281 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodeMShop 워드프레스 결제 심플페이 allows PHP Local File Inclusion. This issue affects 워드프레스 결제 심플페이: from n/a through 5.2.0. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56281
CVE-2024-12152 | The MIPL WC Multisite Sync plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.5 via the 'mipl_wc_sync_download_log' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-12152
CVE-2024-12849 | The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-12849
CVE-2024-12157 | The Popup – MailChimp, GetResponse and ActiveCampaign Intergrations plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'upc_delete_db_record' AJAX action in all versions up to, and including, 3.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-12157
CVE-2024-12416 | The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to SQL Injection via the 'woomotiv_seen_products_.*' cookie in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-12416
CVE-2025-21620 | Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-21620
CVE-2024-55553 | In FRRouting (FRR) before 10.3, it is possible for an attacker to trigger repeated RIB revalidation by sending approximately 500 RPKI updates, potentially leading to prolonged revalidation times and a Denial of Service (DoS) scenario. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-55553
CVE-2024-54767 | An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-54767
CVE-2024-48457 | An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the endpoint /cgi-bin/skk_set.cgi and binary /bin/scripts/start_wifi.sh. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-48457
CVE-2024-48456 | An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the parameter password at the change admin password page at the router web interface. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-48456
CVE-2024-55629 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, TCP streams with TCP urgent data (out of band data) can lead to Suricata analyzing data differently than the applications at the TCP endpoints, leading to possible evasions. Suricata 7.0.8 includes options to allow users to configure how to handle TCP urgent data. In IPS mode, you can use a rule such as drop tcp any any -> any any (sid:1; tcp.flags:U*;) to drop all the packets with the urgent flag set. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-55629
CVE-2024-55628 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to very large DNS log records. While there are limits in place, they were too generous. The issue has been addressed in Suricata 7.0.8. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-55628
CVE-2025-21618 | NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-21618
CVE-2025-21614 | go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-21614
CVE-2024-55605 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large input buffer to the to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, or xor transform can lead to a stack overflow causing Suricata to crash. The issue has been addressed in Suricata 7.0.8. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-55605
CVE-2024-8474 | OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key, which is logged in the application log and which an unauthorized actor can use to decrypt the VPN traffic. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-8474
CVE-2024-45558 | Transient DOS can occur when the driver parses the per STA profile IE and tries to access the EXTN element ID without checking the IE length. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-45558
CVE-2024-43064 | Uncontrolled resource consumption when a driver, an application or an SMMU client tries to access the global registers through SMMU. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-43064
CVE-2024-20153 | In wlan STA, there is a possible way to trick a client to connect to an AP with spoofed SSID. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08990446 / ALPS09057442; Issue ID: MSV-1598. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-20153
CVE-2024-20150 | In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01412526; Issue ID: MSV-2018. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-20150
CVE-2024-20149 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01231341 / MOLY01263331 / MOLY01233835; Issue ID: MSV-2165. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-20149
CVE-2024-41766 | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause a denial of service using a complex regular expression. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-41766
CVE-2025-22390 | An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS due to insufficient enforcement of password complexity requirements. The application permits users to set passwords with a minimum length of 6 characters, lacking adequate complexity to resist modern attack techniques such as password spraying or offline password cracking. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22390
CVE-2025-22387 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue exists in requests for resources where the session token is submitted as a URL parameter. This exposes information about the authenticated session, which can be leveraged for session hijacking. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22387
CVE-2025-22384 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue concerning business logic exists in the Commerce B2B application, which allows storefront visitors to purchase discontinued products in specific scenarios where requests are altered before reaching the server. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22384
CVE-2024-48814 | SQL Injection vulnerability in Silverpeas 6.4.1 allows a remote attacker to obtain sensitive information via the ViewType parameter of the findbywhereclause function. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-48814
CVE-2024-53834 | In sms_DisplayHexDumpOfPrivacyBuffer of sms_Utilities.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-53834
CVE-2023-47693 | Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through 3.2.6. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-47693
CVE-2023-47648 | Missing Authorization vulnerability in spider-themes EazyDocs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EazyDocs: from n/a through 2.3.5. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-47648
CVE-2023-47224 | Missing Authorization vulnerability in WP Travel WP Travel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Travel: from n/a through 7.8.0. | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2023-47224
CVE-2025-0233 | A vulnerability was found in Codezips Project Management System 1.0. It has been classified as critical. This affects an unknown part of the file /pages/forms/course.php. The manipulation of the argument course_name leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0233
CVE-2024-41767 | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-41767
CVE-2025-0210 | A vulnerability has been found in Campcodes School Faculty Scheduling System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=login. The manipulation of the argument username leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0210
CVE-2025-0207 | A vulnerability, which was classified as critical, has been found in code-projects Online Shoe Store 1.0. Affected by this issue is some unknown functionality of the file /function/login.php. The manipulation of the argument password leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0207
CVE-2025-22386 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22386
CVE-2024-11733 | The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-11733
CVE-2023-45104 | Missing Authorization vulnerability in WPDeveloper BetterLinks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BetterLinks: from n/a through 1.6.0. | 7.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45104
CVE-2024-54007 | Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge which could lead to authenticated remote command execution. Successful exploitation of these vulnerabilities results in the ability of an attacker to execute arbitrary commands as a privileged user on the underlying operating system. Exploitation requires administrative authentication credentials on the host system. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-54007
CVE-2024-54006 | Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge which could lead to authenticated remote command execution. Successful exploitation of these vulnerabilities results in the ability of an attacker to execute arbitrary commands as a privileged user on the underlying operating system. Exploitation requires administrative authentication credentials on the host system. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-54006
CVE-2024-48245 | Vehicle Management System 1.0 is vulnerable to SQL Injection. A guest user can exploit vulnerable POST parameters in various administrative actions, such as booking a vehicle or confirming a booking. The affected parameters include "Booking ID", "Action Name", and "Payment Confirmation ID", which are present in /newvehicle.php and /newdriver.php. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-48245
CVE-2024-11465 | The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5 via deserialization of untrusted input in the 'yikes_woo_products_tabs' post meta parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-11465
CVE-2023-6605 | A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2023-6605
CVE-2024-9138 | Moxa's cellular routers, secure routers, and network security appliances are affected by a high-severity vulnerability, CVE-2024-9138. This vulnerability involves hard-coded credentials, enabling an authenticated user to escalate privileges and gain root-level access to the system, posing a significant security risk. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-9138
CVE-2024-13062 | An unintended entry point vulnerability has been identified in certain router models, which may allow for arbitrary command execution. Refer to the '01/02/2025 ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-13062
CVE-2024-12912 | An improper input insertion vulnerability in AiCloud on certain router models may lead to arbitrary command execution. Refer to the '01/02/2025 ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information. | 7.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-12912
CVE-2025-22593 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Burria Laika Pedigree Tree allows Stored XSS. This issue affects Laika Pedigree Tree: from n/a through 1.4. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22593
CVE-2025-22590 | Cross-Site Request Forgery (CSRF) vulnerability in mmrs151 Prayer Times Anywhere allows Stored XSS. This issue affects Prayer Times Anywhere: from n/a through 2.0.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22590
CVE-2025-22589 | Cross-Site Request Forgery (CSRF) vulnerability in bozdoz Quote Tweet allows Stored XSS. This issue affects Quote Tweet: from n/a through 0.7. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22589
CVE-2025-22582 | Cross-Site Request Forgery (CSRF) vulnerability in Scott Nellé Uptime Robot allows Stored XSS. This issue affects Uptime Robot: from n/a through 0.1.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22582
CVE-2025-22571 | Cross-Site Request Forgery (CSRF) vulnerability in Instabot Instabot allows Cross Site Request Forgery. This issue affects Instabot: from n/a through 1.10. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22571
CVE-2025-22559 | Cross-Site Request Forgery (CSRF) vulnerability in Mario Mansour and Geoff Peters TubePress.NET allows Cross Site Request Forgery. This issue affects TubePress.NET: from n/a through 4.0.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22559
CVE-2025-22557 | Cross-Site Request Forgery (CSRF) vulnerability in WPMagic News Publisher Autopilot allows Cross Site Request Forgery. This issue affects News Publisher Autopilot: from n/a through 2.1.4. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22557
CVE-2025-22556 | Cross-Site Request Forgery (CSRF) vulnerability in Greg Whitehead Norse Rune Oracle Plugin allows Cross Site Request Forgery. This issue affects Norse Rune Oracle Plugin: from n/a through 1.4.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22556
CVE-2025-22555 | Cross-Site Request Forgery (CSRF) vulnerability in Noel Jarencio Smoothness Slider Shortcode allows Cross Site Request Forgery. This issue affects Smoothness Slider Shortcode: from n/a through v1.2.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22555
CVE-2025-22552 | Cross-Site Request Forgery (CSRF) vulnerability in Jason Keeley, Bryan Nielsen Affiliate Disclosure Statement allows Cross Site Request Forgery. This issue affects Affiliate Disclosure Statement: from n/a through 0.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22552
CVE-2025-22548 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Koenen ldap_login_password_and_role_manager allows Stored XSS. This issue affects ldap_login_password_and_role_manager: from n/a through 1.0.12. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22548
CVE-2025-22547 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jay Krishnan G JK Html To Pdf allows Stored XSS. This issue affects JK Html To Pdf: from n/a through 1.0.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22547
CVE-2025-22538 | Cross-Site Request Forgery (CSRF) vulnerability in Ofek Nakar Virtual Bot allows Stored XSS. This issue affects Virtual Bot: from n/a through 1.0.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22538
CVE-2025-22522 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Roya Khosravi SingSong allows Stored XSS. This issue affects SingSong: from n/a through 1.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22522
CVE-2025-22520 | Cross-Site Request Forgery (CSRF) vulnerability in Tock Tock Widget allows Cross Site Request Forgery. This issue affects Tock Widget: from n/a through 1.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22520
CVE-2025-22338 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lich_wang WP-tagMaker allows Reflected XSS. This issue affects WP-tagMaker: from n/a through 0.2.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22338
CVE-2025-22335 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Md. Rajib Dewan Opencart Product in WP allows Reflected XSS. This issue affects Opencart Product in WP: from n/a through 1.0.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22335
CVE-2025-22294 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gravity Master Custom Field For WP Job Manager allows Reflected XSS. This issue affects Custom Field For WP Job Manager: from n/a through 1.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22294
CVE-2024-56056 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kmfoysal06 SimpleCharm allows Reflected XSS. This issue affects SimpleCharm: from n/a through 1.4.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56056
CVE-2025-22359 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PJFC SyncFields allows Reflected XSS. This issue affects SyncFields: from n/a through 2.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22359
CVE-2025-22358 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcon Simone Wp advertising management allows Reflected XSS. This issue affects Wp advertising management: from n/a through 1.0.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22358
CVE-2025-22357 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simple Plugins Target Notifications allows Reflected XSS. This issue affects Target Notifications: from n/a through 1.1.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22357
CVE-2025-22355 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kiKx Kikx Simple Post Author Filter allows Reflected XSS. This issue affects Kikx Simple Post Author Filter: from n/a through 1.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22355
CVE-2025-22353 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Balcom-Vetillo Design, Inc. BVD Easy Gallery Manager allows Reflected XSS. This issue affects BVD Easy Gallery Manager: from n/a through 1.0.6. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22353
CVE-2025-22343 | Cross-Site Request Forgery (CSRF) vulnerability in Dennis Koot wpSOL allows Stored XSS. This issue affects wpSOL: from n/a through 1.2.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22343
CVE-2025-22342 | Cross-Site Request Forgery (CSRF) vulnerability in Jens Törnell WP Simple Sitemap allows Stored XSS. This issue affects WP Simple Sitemap: from n/a through 0.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22342
CVE-2025-22336 | Cross-Site Request Forgery (CSRF) vulnerability in WordPress 智库 Wizhi Multi Filters by Wenprise allows Stored XSS. This issue affects Wizhi Multi Filters by Wenprise: from n/a through 1.8.6. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22336
CVE-2025-22328 | Cross-Site Request Forgery (CSRF) vulnerability in Elevio Elevio allows Stored XSS. This issue affects Elevio: from n/a through 4.4.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22328
CVE-2025-22326 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 5centsCDN 5centsCDN allows Reflected XSS. This issue affects 5centsCDN: from n/a through 24.8.16. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22326
CVE-2025-22325 | Cross-Site Request Forgery (CSRF) vulnerability in Nik Chankov Autocompleter allows Stored XSS. This issue affects Autocompleter: from n/a through 1.3.5.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22325
CVE-2025-22324 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andon Ivanov OZ Canonical allows Reflected XSS. This issue affects OZ Canonical: from n/a through 0.5. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22324
CVE-2025-22320 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProductDyno ProductDyno allows Reflected XSS. This issue affects ProductDyno: from n/a through 1.0.24. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2025-22320
CVE-2024-56299 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pektsekye Notify Odoo allows Stored XSS. This issue affects Notify Odoo: from n/a through 1.0.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56299
CVE-2024-56296 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hometory Mang Board WP allows Reflected XSS. This issue affects Mang Board WP: from n/a through 1.8.4. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56296
CVE-2024-56289 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Groundhogg Inc. Groundhogg allows Reflected XSS. This issue affects Groundhogg: from n/a through 3.7.3.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56289
CVE-2024-51700 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 김 민준 (Minjun Kim) NAVER Analytics allows Stored XSS. This issue affects NAVER Analytics: from n/a through 0.9. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-51700
CVE-2024-49633 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Designinvento DirectoryPress allows Reflected XSS. This issue affects DirectoryPress: from n/a through 3.6.19. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-49633
CVE-2024-12633 | The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 5.6.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12633
CVE-2023-48758 | Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetEngine: from n/a through 3.2.4. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2023-48758
CVE-2024-56014 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Markyis Cool Olivia allows Reflected XSS. This issue affects Olivia: from n/a through 0.9.5. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56014
CVE-2024-56267 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fla-shop.com Interactive UK Map allows Stored XSS. This issue affects Interactive UK Map: from n/a through 3.4.8. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56267
CVE-2024-56026 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg Priday Simple Proxy allows Reflected XSS. This issue affects Simple Proxy: from n/a through 1.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56026
CVE-2024-56025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AdWorkMedia.com AdWork Media EZ Content Locker allows Reflected XSS. This issue affects AdWork Media EZ Content Locker: from n/a through 3.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56025
CVE-2024-56024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DuoGeek Custom Dashboard Widget allows Reflected XSS. This issue affects Custom Dashboard Widget: from n/a through 1.0.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56024
CVE-2024-56023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Perfect Solution WP eCommerce Quickpay allows Reflected XSS. This issue affects WP eCommerce Quickpay: from n/a through 1.1.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56023
CVE-2024-56022 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress Monsters Preloader by WordPress Monsters allows Reflected XSS. This issue affects Preloader by WordPress Monsters: from n/a through 1.2.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56022
CVE-2024-56018 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boston University (IS&T) BU Section Editing allows Reflected XSS. This issue affects BU Section Editing: from n/a through 0.9.9. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56018
CVE-2023-46632 | Missing Authorization vulnerability in David Cramer My Shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Shortcodes: from n/a through 2.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2023-46632
CVE-2024-56069 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Azzaroco WP SuperBackup allows Reflected XSS. This issue affects WP SuperBackup: from n/a through 2.3.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56069
CVE-2024-56060 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HTML Forms allows Reflected XSS. This issue affects HTML Forms: from n/a through 1.4.1. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56060
CVE-2024-56038 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SendSMS allows Reflected XSS. This issue affects SendSMS: from n/a through 1.2.9. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56038
CVE-2024-56037 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Md Maruf Adnan Sami User Referral allows Reflected XSS. This issue affects User Referral: from n/a through 8.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56037
CVE-2024-56036 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ondrej Donek odPhotogallery allows Reflected XSS. This issue affects odPhotogallery: from n/a through 0.5.3. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56036
CVE-2024-56035 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kurt Payne Upload Scanner allows Reflected XSS. This issue affects Upload Scanner: from n/a through 1.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56035
CVE-2024-56034 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Irshad Services updates for customers allows Reflected XSS. This issue affects Services updates for customers: from n/a through 1.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56034
CVE-2024-56033 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 FAQs allows Reflected XSS. This issue affects FAQs: from n/a through 1.0.2. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56033
CVE-2024-56032 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Foliovision FV Descriptions allows Reflected XSS. This issue affects FV Descriptions: from n/a through 1.4. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56032
CVE-2024-56030 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10CentMail allows Reflected XSS. This issue affects 10CentMail: from n/a through 2.1.50. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56030
CVE-2024-56029 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dreamwinner Easy Language Switcher allows Reflected XSS. This issue affects Easy Language Switcher: from n/a through 1.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56029
CVE-2024-56028 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lemonade Coding Studio Lemonade Social Networks Autoposter Pinterest allows Reflected XSS. This issue affects Lemonade Social Networks Autoposter Pinterest: from n/a through 2.0. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56028
CVE-2024-56027 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BizSwoop a CPF Concepts, LLC Brand Leads CRM allows Reflected XSS. This issue affects Leads CRM: from n/a through 2.0.13. | 7.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-56027
CVE-2024-12430 | An attacker who successfully exploited these vulnerabilities could enable command execution. A vulnerability exists in the AC500 V3 version mentioned. After successfully exploiting CVE-2024-12429 (directory traversal), a successfully authenticated attacker can inject arbitrary commands into a specifically crafted file, which will then be executed by the root user. All AC500 V3 products (PM5xxx) with firmware version earlier than 3.8.0 are affected by this vulnerability. | 7 | https://nvd.nist.gov/vuln/detail/CVE-2024-12430
CVE-2024-46981 | Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands. | 7 | https://nvd.nist.gov/vuln/detail/CVE-2024-46981
MEDIUM VULNERABILITIES
CVE Number | Description | Base Score | Reference
CVE-2024-11681 | A malicious or compromised MacPorts mirror can execute arbitrary commands as root on the machine of a client running port selfupdate against the mirror. | 6.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-11681
CVE-2024-11627 | Insufficient Session Expiration vulnerability in Progress Sitefinity allows Session Fixation. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. | 6.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-11627
CVE-2024-33061 | Information disclosure while processing IOCTL call made for releasing a trusted VM process release or opening a channel without initializing the process. | 6.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-33061
CVE-2024-56137 | MaxKB, which stands for Max Knowledge Base, is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Prior to version 1.9.0, a remote command execution vulnerability exists in the function library module. The vulnerability allows privileged users to execute OS commands in custom scripts. The vulnerability has been fixed in v1.9.0. | 6.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-56137
CVE-2024-33059 | Memory corruption while processing frame command IOCTL calls. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-33059
CVE-2024-33055 | Memory corruption while invoking IOCTL calls to unmap the DMA buffers. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-33055
CVE-2024-33041 | Memory corruption when input parameter validation for the number of fences is missing for fence frame IOCTL calls. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-33041
CVE-2024-20151 | In Modem, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: MOLY01399339; Issue ID: MSV-1928. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-20151
CVE-2024-20140 | In power, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS09270402; Issue ID: MSV-2020. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-20140
CVE-2024-20105 | In m4u, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS09062027; Issue ID: MSV-1743. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-20105
CVE-2024-53836 | In wbrc_bt_dev_write of wb_regon_coordinator.c, there is a possible out of bounds write due to a buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | 6.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-53836
CVE-2024-23366 | Information Disclosure while invoking the mailbox write API when message received from user is larger than mailbox size. | 6.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-23366
CVE-2024-20145 | In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09290940; Issue ID: MSV-2040. | 6.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-20145
CVE-2024-20144 | In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09167056; Issue ID: MSV-2041. | 6.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-20144
CVE-2024-20143 | In V6 DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09167056; Issue ID: MSV-2069. | 6.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-20143
CVE-2024-56264 | Unrestricted Upload of File with Dangerous Type vulnerability in Beee ACF City Selector allows Upload a Web Shell to a Web Server. This issue affects ACF City Selector: from n/a through 1.14.0. | 6.6 | https://nvd.nist.gov/vuln/detail/CVE-2024-56264
CVE-2025-22500 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ali Ali Alpha Price Table For Elementor allows DOM-Based XSS. This issue affects Alpha Price Table For Elementor: from n/a through 1.0.8. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22500
CVE-2025-22365 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric McNiece EMC2 Alert Boxes allows Stored XSS. This issue affects EMC2 Alert Boxes: from n/a through 1.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22365
CVE-2025-22354 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Code Themes Digi Store allows DOM-Based XSS. This issue affects Digi Store: from n/a through 1.1.4. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22354
CVE-2025-22334 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FilaThemes Education LMS allows Stored XSS. This issue affects Education LMS: from n/a through 0.0.7. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22334
CVE-2025-22296 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Hash Elements. This issue affects Hash Elements: from n/a through 1.4.9. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22296
CVE-2025-22585 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Ultimate Image Hover Effects allows DOM-Based XSS. This issue affects Ultimate Image Hover Effects: from n/a through 1.1.2. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22585
CVE-2025-22584 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pluginspoint Timeline Pro allows DOM-Based XSS. This issue affects Timeline Pro: from n/a through 1.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22584
CVE-2025-22581 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bytephp Arcade Ready allows Stored XSS. This issue affects Arcade Ready: from n/a through 1.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22581
CVE-2025-22580 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Biltorvet A/S Biltorvet Dealer Tools allows Stored XSS. This issue affects Biltorvet Dealer Tools: from n/a through 1.0.22. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22580
CVE-2025-22577 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Damion Armentrout Able Player allows DOM-Based XSS. This issue affects Able Player: from n/a through 1.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22577
CVE-2025-22574 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Motacek ICS Button allows Stored XSS. This issue affects ICS Button: from n/a through 0.6. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22574
CVE-2025-22573 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in copist Icons Enricher allows Stored XSS. This issue affects Icons Enricher: from n/a through 1.0.8. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22573
CVE-2025-22572 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brianmiyaji Legacy ePlayer allows Stored XSS. This issue affects Legacy ePlayer: from n/a through 0.9.9. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22572
CVE-2025-22558 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcus C. J. Hartmann mcjh button shortcode allows Stored XSS. This issue affects mcjh button shortcode: from n/a through 1.6.4. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22558
CVE-2025-22554 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric Franklin Video Embed Optimizer allows Stored XSS. This issue affects Video Embed Optimizer: from n/a through 1.0.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22554
CVE-2025-22551 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Julien Crego Boot-Modal allows Stored XSS. This issue affects Boot-Modal: from n/a through 1.9.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22551
CVE-2025-22550 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AddFunc AddFunc Mobile Detect allows Stored XSS. This issue affects AddFunc Mobile Detect: from n/a through 3.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22550
CVE-2025-22549 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pablo Cornehl WP Github allows Stored XSS. This issue affects WP Github: from n/a through 1.3.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22549
CVE-2025-22546 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in One Plus Solution jQuery TwentyTwenty allows Stored XSS. This issue affects jQuery TwentyTwenty: from n/a through 1.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22546
CVE-2025-22545 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sw-galati.ro iframe to embed allows Stored XSS. This issue affects iframe to embed: from n/a through 1.2. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22545
CVE-2025-22544 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mind Doodle Mind Doodle Visual Sitemaps & Tasks allows Stored XSS. This issue affects Mind Doodle Visual Sitemaps & Tasks: from n/a through 1.6. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22544
CVE-2025-22532 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nagy Sandor Simple Photo Sphere allows Stored XSS. This issue affects Simple Photo Sphere: from n/a through 0.0.10. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22532
CVE-2025-22531 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M Bilal M Urdu Formatter – Shamil allows Stored XSS. This issue affects Urdu Formatter – Shamil: from n/a through 0.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22531
CVE-2025-22530 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SIOT 아임포트 결제버튼 생성 플러그인 allows Stored XSS. This issue affects 아임포트 결제버튼 생성 플러그인: from n/a through 1.1.19. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22530
CVE-2025-22529 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WORDPRESTEEM WE Blocks allows Stored XSS. This issue affects WE Blocks: from n/a through 1.3.5. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22529
CVE-2025-22528 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Huurkalender Huurkalender WP allows Stored XSS. This issue affects Huurkalender WP: from n/a through 1.5.6. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22528
CVE-2025-22525 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bharatkambariya Donation Block For PayPal allows Stored XSS. This issue affects Donation Block For PayPal: from n/a through 2.2.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22525
CVE-2025-22524 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in instaform.ir فرم ساز فرم افزار allows Stored XSS. This issue affects فرم ساز فرم افزار: from n/a through 2.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22524
CVE-2025-22518 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KentoThemes Justified Image Gallery allows Stored XSS. This issue affects Justified Image Gallery: from n/a through 1.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22518
CVE-2025-22517 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ben Huson List Pages at Depth allows Stored XSS. This issue affects List Pages at Depth: from n/a through 1.5. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22517
CVE-2025-22516 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Patel Metadata SEO allows Stored XSS. This issue affects Metadata SEO: from n/a through 2.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22516
CVE-2025-22515 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simon Chuang Show Google Analytics widget allows Stored XSS. This issue affects Show Google Analytics widget: from n/a through 1.5.4. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22515
CVE-2025-22511 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ella van Durpe Slides & Presentations allows Stored XSS. This issue affects Slides & Presentations: from n/a through 0.0.39. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22511
CVE-2024-28778 | IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 is vulnerable to exposure of Artifactory API keys. This vulnerability allows users to publish code to private packages or repositories under the name of the organization. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-28778
CVE-2025-22362 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Powerfusion WPAchievements Free allows Stored XSS. This issue affects WPAchievements Free: from n/a through 1.2.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22362
CVE-2025-22339 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aThemeArt Store Commerce allows DOM-Based XSS. This issue affects Store Commerce: from n/a through 1.2.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22339
CVE-2025-22333 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Piotnet Piotnet Addons For Elementor allows Stored XSS. This issue affects Piotnet Addons For Elementor: from n/a through 2.4.31. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22333
CVE-2025-22327 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Olaf Lederer EO4WP allows Stored XSS. This issue affects EO4WP: from n/a through 1.0.7. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22327
CVE-2025-22323 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jewel Theme Image Hover Effects for Elementor allows Stored XSS. This issue affects Image Hover Effects for Elementor: from n/a through 1.0.2.3. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22323
CVE-2025-22321 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TheInnovs ElementsCSS Addons for Elementor allows Stored XSS. This issue affects ElementsCSS Addons for Elementor: from n/a through 1.0.8.7. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22321
CVE-2025-22315 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Typing Text allows Stored XSS. This issue affects Typing Text: from n/a through 1.2.7. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22315
CVE-2025-22312 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Thim Elementor Kit allows DOM-Based XSS. This issue affects Thim Elementor Kit: from n/a through 1.2.8. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22312
CVE-2025-22310 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TemplatesNext TemplatesNext ToolKit allows Stored XSS. This issue affects TemplatesNext ToolKit: from n/a through 3.2.9. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22310
CVE-2025-22309 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve D SpeakOut! Email Petitions allows DOM-Based XSS. This issue affects SpeakOut! Email Petitions: from n/a through 4.4.2. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22309
CVE-2025-22308 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in inc2734 Smart Custom Fields allows Stored XSS. This issue affects Smart Custom Fields: from n/a through 5.0.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22308
CVE-2025-22305 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP OnlineSupport, Essential Plugin Hero Banner Ultimate allows PHP Local File Inclusion. This issue affects Hero Banner Ultimate: from n/a through 1.4.2. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22305
CVE-2025-22293 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gutentor Gutentor allows DOM-Based XSS. This issue affects Gutentor: from n/a through 3.4.0. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22293
CVE-2025-22261 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixelite WP FullCalendar allows Stored XSS. This issue affects WP FullCalendar: from n/a through 1.5. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2025-22261
CVE-2024-56287 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in biztechc WP jQuery DataTable allows Stored XSS. This issue affects WP jQuery DataTable: from n/a through 4.0.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56287
CVE-2024-56285 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBits WPBITS Addons For Elementor Page Builder allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through 1.5.1. | 6.5 | https://nvd.nist.gov/vuln/detail/CVE-2024-56285
CVE-2024-56274Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets allows Stored XSS.This issue affects Astra Widgets: from n/a through 1.2.15.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56274
CVE-2024-12332The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in all versions up to, and including, 2.2.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Student/Parent-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-12332
CVE-2024-11496The Infility Global plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the infility_global_ajax function in all versions up to, and including, 2.9.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options and potentially break the site.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-11496
CVE-2024-12419The The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. This functionality is also vulnerable to Reflected Cross-Site Scripting. Version 1.7.0 patched the Reflected XSS issue, however, the arbitrary shortcode execution issue remains.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-12419
CVE-2024-54764An access control issue in the component /login/hostinfo2.cgi of ipTIME A2004 v12.17.0 allows attackers to obtain sensitive information without authentication.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54764
CVE-2024-54763An access control issue in the component /login/hostinfo.cgi of ipTIME A2004 v12.17.0 allows attackers to obtain sensitive information without authentication.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54763
CVE-2024-53935The com.callos14.callscreen.colorphone (aka iCall OS17 - Color Phone Flash) application through 4.3 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.callos14.callscreen.colorphone.DialerActivity component.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-53935
CVE-2024-12311The Email Subscribers by Icegram Express WordPress plugin before 5.7.44 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks6.5https://nvd.nist.gov/vuln/detail/CVE-2024-12311
CVE-2024-41768IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause an unhandled SSL exception which could leave the connection in an unexpected or insecure state.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-41768
CVE-2024-41765IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-41765
CVE-2024-12195The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to SQL Injection via the 'project_id' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint in all versions up to, and including, 2.6.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, who have been granted access to a project, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-12195
CVE-2023-45633Missing Authorization vulnerability in IDX IMPress Listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IMPress Listings: from n/a through 2.6.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-45633
CVE-2023-40327Missing Authorization vulnerability in Putler / Storeapps Putler Connector for WooCommerce.This issue affects Putler Connector for WooCommerce: from n/a through 2.12.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-40327
CVE-2022-45830Missing Authorization vulnerability in Analytify.This issue affects Analytify: from n/a through 4.2.3.6.5https://nvd.nist.gov/vuln/detail/CVE-2022-45830
CVE-2024-56268Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Hait Post Grid Elementor Addon allows Stored XSS.This issue affects Post Grid Elementor Addon: from n/a through 2.0.18.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56268
CVE-2024-56257Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolPlugins Coins MarketCap allows DOM-Based XSS.This issue affects Coins MarketCap: from n/a through 5.5.8.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56257
CVE-2024-56302Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ConvertCalculator ConvertCalculator for WordPress allows Stored XSS.This issue affects ConvertCalculator for WordPress: from n/a through 1.1.1.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56302
CVE-2024-56263Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GS Plugins GS Shots for Dribbble allows DOM-Based XSS.This issue affects GS Shots for Dribbble: from n/a through 1.2.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56263
CVE-2024-56262Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GS Plugins GS Coaches allows Stored XSS.This issue affects GS Coaches: from n/a through 1.1.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56262
CVE-2024-56261Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GS Plugins Project Showcase allows Stored XSS.This issue affects Project Showcase: from n/a through 1.1.1.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56261
CVE-2024-56260Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StorePlugin ShopElement allows Stored XSS.This issue affects ShopElement: from n/a through 2.0.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56260
CVE-2024-56259Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AyeCode - WP Business Directory Plugins GeoDirectory allows Stored XSS.This issue affects GeoDirectory: from n/a through 2.3.84.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56259
CVE-2024-56258Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBlockArt Magazine Blocks allows Stored XSS.This issue affects Magazine Blocks: from n/a through 1.3.20.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56258
CVE-2024-56254Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in moveaddons Move Addons for Elementor allows Stored XSS.This issue affects Move Addons for Elementor: from n/a through 1.3.6.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56254
CVE-2024-56252Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeLooks Enter Addons allows Stored XSS.This issue affects Enter Addons: from n/a through 2.1.9.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56252
CVE-2024-56246Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH Nexter Blocks allows DOM-Based XSS.This issue affects Nexter Blocks: from n/a through 4.0.4.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56246
CVE-2024-56245Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leap13 Premium Blocks – Gutenberg Blocks for WordPress allows Stored XSS.This issue affects Premium Blocks – Gutenberg Blocks for WordPress: from n/a through 2.1.42.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56245
CVE-2024-56242Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tyche Softwares Arconix Shortcodes allows Stored XSS.This issue affects Arconix Shortcodes: from n/a through 2.1.14.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56242
CVE-2024-56241Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPKoi WPKoi Templates for Elementor allows Stored XSS.This issue affects WPKoi Templates for Elementor: from n/a through 3.1.3.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56241
CVE-2024-56240Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pronamic Pronamic Google Maps allows Stored XSS.This issue affects Pronamic Google Maps: from n/a through 2.3.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56240
CVE-2024-56239Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Themify Audio Dock allows Stored XSS.This issue affects Themify Audio Dock: from n/a through 2.0.4.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56239
CVE-2024-38790Cross-Site Request Forgery (CSRF) vulnerability in Smartsupp Smartsupp – live chat, chatbots, AI and lead generation allows Cross Site Request Forgery.This issue affects Smartsupp – live chat, chatbots, AI and lead generation: from n/a through 3.6.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-38790
CVE-2023-47689Missing Authorization vulnerability in Toast Plugins Animator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Animator: from n/a through 3.0.10.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-47689
CVE-2023-47180Missing Authorization vulnerability in XLPlugins Finale Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Finale Lite: from n/a through 2.16.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-47180
CVE-2023-46644Missing Authorization vulnerability in WP CTA PRO WordPress CTA allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a through 1.5.8.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-46644
CVE-2023-46631Missing Authorization vulnerability in RevenueHunt Product Recommendation Quiz for eCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Recommendation Quiz for eCommerce: from n/a through 2.1.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-46631
CVE-2023-46610Missing Authorization vulnerability in quillforms.com Quill Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quill Forms: from n/a through 3.3.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-46610
CVE-2023-46609Missing Authorization vulnerability in FeedFocal FeedFocal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FeedFocal: from n/a through 1.2.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-46609
CVE-2023-46195Missing Authorization vulnerability in CoSchedule Headline Analyzer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Headline Analyzer: from n/a through 1.3.1.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-46195
CVE-2023-45275Missing Authorization vulnerability in Kali Forms Contact Form builder with drag & drop - Kali Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form builder with drag & drop - Kali Forms: from n/a through 2.3.28.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-45275
CVE-2024-56019Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gavin Rehkemper Inline Footnotes allows Stored XSS.This issue affects Inline Footnotes: from n/a through 2.3.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56019
CVE-2024-56021Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ibnuyahya Category Post Shortcode allows Stored XSS.This issue affects Category Post Shortcode: from n/a through 2.4.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56021
CVE-2024-56020Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mario Di Pasquale SvegliaT Buttons allows Stored XSS.This issue affects SvegliaT Buttons: from n/a through 1.3.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56020
CVE-2025-22621In versions 1.0.67 and lower of the Splunk App for SOAR, the Splunk documentation for that app recommended adding the `admin_all_objects` capability to the `splunk_app_soar` role. This addition could lead to improper access control for a low-privileged user that does not hold the “admin“ Splunk roles.6.4https://nvd.nist.gov/vuln/detail/CVE-2025-22621
CVE-2024-11826The Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'quillforms-popup' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11826
CVE-2024-56294Missing Authorization vulnerability in POSIMYTH Nexter Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nexter Blocks: from n/a through 4.0.7.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-56294
CVE-2024-56279Server-Side Request Forgery (SSRF) vulnerability in Tips and Tricks HQ Compact WP Audio Player allows Server Side Request Forgery.This issue affects Compact WP Audio Player: from n/a through 1.9.14.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-56279
CVE-2024-12699The Service Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12699
CVE-2024-12516The Coupon Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Coupon Code' parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12516
CVE-2024-9502The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Tooltip module in all versions up to, and including, 2.0.6.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-9502
CVE-2024-12624The Sina Extension for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sina Image Differ widget in all versions up to, and including, 3.5.91 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12624
CVE-2024-12499The WP jQuery DataTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_jdt' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12499
CVE-2024-12495The Bootstrap Blocks for WP Editor v2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gtb-bootstrap/column' block in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12495
CVE-2024-12437The Marketplace Items plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'envato' shortcode in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12437
CVE-2024-11764The Solar Wizard Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'solar_wizard' shortcode in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11764
CVE-2024-9702The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialrocket-floating' shortcode in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-9702
CVE-2024-12464The Chatroll Live Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'chatroll' shortcode in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12464
CVE-2024-12440The Candifly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'candifly' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12440
CVE-2024-12439The Marketplace Items plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'marketplace' shortcode in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12439
CVE-2024-12073The Meteor Slides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slide_url_value' parameter in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12073
CVE-2024-11887The Geo Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'geotargetlygeocontent' shortcode in all versions up to, and including, 6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11887
CVE-2024-11756The SweepWidget Contests, Giveaways, Photo Contests, Competitions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sweepwidget' shortcode in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11756
CVE-2024-11749The App Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appizy' shortcode in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11749
CVE-2024-12462The YOGO Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'yogo-calendar' shortcode in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12462
CVE-2024-12457The Chat Support for Viber – Chat Bubble and Chat Button for Gutenberg, Elementor and Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vchat' shortcode in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12457
CVE-2024-12453The Uptodown APK Download Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'utd-widget' shortcode in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12453
CVE-2024-12445The RightMessage WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rm_area' shortcode in all versions up to, and including, 0.9.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12445
CVE-2024-11445The Image Magnify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'image_magnify' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11445
CVE-2024-11383The CC Canadian Mortgage Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cc-mortgage-canada' shortcode in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11383
CVE-2024-11382The Common Ninja: Fully Customizable & Perfectly Responsive Free Widgets for WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'commonninja' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11382
CVE-2024-11338The PIXNET Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gtm' and 'venue' parameters in all versions up to, and including, 2.9.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11338
CVE-2024-11337The Horoscope And Tarot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'divine_horoscope' shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11337
CVE-2024-12592The Sellsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'testSellsy' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12592
CVE-2024-12590 | The WP Youtube Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12590
CVE-2024-12528 | The WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsurveypoll_results' shortcode in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12528
CVE-2024-11934 | The Formaloo Form Maker & Customer Analytics for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'address' parameter in all versions up to, and including, 2.1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11934
CVE-2024-11899 | The Slider Pro Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sliderpro' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11899
CVE-2024-11777 | The Sell Media plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sell_media_search_form_gutenberg' shortcode in all versions up to, and including, 2.5.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11777
CVE-2024-31914 | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-31914
CVE-2024-12475 | The WP Multi Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12475
CVE-2024-11930 | The Taskbuilder – WordPress Project & Task Management plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppm_tasks shortcode in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 6.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-11930
CVE-2025-0300 | A vulnerability classified as critical was found in code-projects Online Book Shop 1.0. Affected by this vulnerability is an unknown functionality of the file /subcat.php. The manipulation of the argument cat leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0300
CVE-2025-0299 | A vulnerability classified as critical has been found in code-projects Online Book Shop 1.0. Affected is an unknown function of the file /search_result.php. The manipulation of the argument s leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0299
CVE-2025-0298 | A vulnerability was found in code-projects Online Book Shop 1.0. It has been rated as critical. This issue affects some unknown processing of the file /process_login.php. The manipulation of the argument usernm leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0298
CVE-2025-0297 | A vulnerability was found in code-projects Online Book Shop 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /detail.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0297
CVE-2025-0296 | A vulnerability was found in code-projects Online Book Shop 1.0. It has been classified as critical. This affects an unknown part of the file /booklist.php. The manipulation of the argument subcatid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0296
CVE-2024-7696 | Seth Fogie, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for an authenticated malicious client to tamper with audit log creation in AXIS Camera Station, or perform a Denial-of-Service attack on the AXIS Camera Station server using maliciously crafted audit log entries. Axis has released a patched version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-7696
CVE-2024-13145 | A vulnerability classified as critical was found in zhenfeng13 My-Blog 1.0. Affected by this vulnerability is the function upload of the file src/main/java/com/site/blog/my/core/controller/admin/uploadController.java. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13145
CVE-2024-13144 | A vulnerability classified as critical has been found in zhenfeng13 My-Blog 1.0. Affected is the function uploadFileByEditomd of the file src/main/java/com/site/blog/my/core/controller/admin/BlogController.java. The manipulation of the argument editormd-image-file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13144
CVE-2025-0232 | A vulnerability was found in Codezips Blood Bank Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /successadmin.php. The manipulation of the argument psw leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0232
CVE-2025-0231 | A vulnerability has been found in Codezips Gym Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /dashboard/admin/submit_payments.php. The manipulation of the argument m_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0231
CVE-2025-0230 | A vulnerability, which was classified as critical, was found in code-projects Responsive Hotel Site 1.0. Affected is an unknown function of the file /admin/print.php. The manipulation of the argument pid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0230
CVE-2025-0229 | A vulnerability, which was classified as critical, has been found in code-projects Travel Management System 1.0. This issue affects some unknown processing of the file /enquiry.php. The manipulation of the argument pid/t1/t2/t3/t4/t5/t6/t7 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0229
CVE-2024-13139 | A vulnerability was found in wangl1989 mysiteforme 1.0. It has been rated as critical. This issue affects the function doContent of the file src/main/java/com/mysiteform/admin/controller/system/FileController. The manipulation of the argument content leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13139
CVE-2024-13136 | A vulnerability was found in wangl1989 mysiteforme 1.0 and classified as critical. Affected by this issue is the function rememberMeManager of the file src/main/java/com/mysiteforme/admin/config/ShiroConfig.java. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13136
CVE-2024-13134 | A vulnerability, which was classified as critical, was found in ZeroWdd studentmanager 1.0. Affected is the function addTeacher/editTeacher of the file src/main/Java/com/wdd/studentmanager/controller/TeacherController.java. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13134
CVE-2024-13133 | A vulnerability, which was classified as critical, has been found in ZeroWdd studentmanager 1.0. This issue affects the function addStudent/editStudent of the file src/main/Java/com/wdd/studentmanager/controller/StudentController.java. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13133
CVE-2025-0213 | A vulnerability was found in Campcodes Project Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /forms/update_forms.php?action=change_pic2&id=4. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0213
CVE-2025-0212 | A vulnerability was found in Campcodes Student Grading System 1.0. It has been classified as critical. This affects an unknown part of the file /view_students.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0212
CVE-2025-0211 | A vulnerability was found in Campcodes School Faculty Scheduling System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/index.php. The manipulation of the argument page leads to file inclusion. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0211
CVE-2025-0208 | A vulnerability, which was classified as critical, was found in code-projects Online Shoe Store 1.0. This affects an unknown part of the file /summary.php. The manipulation of the argument tid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0208
CVE-2025-0205 | A vulnerability classified as critical has been found in code-projects Online Shoe Store 1.0. Affected is an unknown function of the file /details2.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0205
CVE-2025-0204 | A vulnerability was found in code-projects Online Shoe Store 1.0. It has been rated as critical. This issue affects some unknown processing of the file /details.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0204
CVE-2025-0203 | A vulnerability was found in code-projects Student Management System 1.0. It has been declared as critical. This vulnerability affects the function showSubject1 of the file /config/DbFunction.php. The manipulation of the argument sid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0203
CVE-2025-0201 | A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /user/update_account.php. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0201
CVE-2025-0200 | A vulnerability has been found in code-projects Point of Sales and Inventory Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /user/search_num.php. The manipulation of the argument search leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0200
CVE-2025-0199 | A vulnerability, which was classified as critical, was found in code-projects Point of Sales and Inventory Management System 1.0. Affected is an unknown function of the file /user/minus_cart.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0199
CVE-2025-0198 | A vulnerability, which was classified as critical, has been found in code-projects Point of Sales and Inventory Management System 1.0. This issue affects some unknown processing of the file /user/search_result.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0198
CVE-2025-0197 | A vulnerability classified as critical was found in code-projects Point of Sales and Inventory Management System 1.0. This vulnerability affects unknown code of the file /user/search.php. The manipulation of the argument name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0197
CVE-2025-0196 | A vulnerability classified as critical has been found in code-projects Point of Sales and Inventory Management System 1.0. This affects an unknown part of the file /user/plist.php. The manipulation of the argument cat leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0196
CVE-2025-0195 | A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /user/del_product.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0195
CVE-2025-0176 | A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /user/add_cart.php. The manipulation of the argument id/qty leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0176
CVE-2025-0174 | A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been classified as critical. This affects an unknown part of the file /user/search_result2.php of the component Parameter Handler. The manipulation of the argument search leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0174
CVE-2025-0173 | A vulnerability was found in SourceCodester Online Eyewear Shop 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /orders/view_order.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0173
CVE-2025-0172 | A vulnerability has been found in code-projects Chat System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/deleteroom.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0172
CVE-2025-0171 | A vulnerability, which was classified as critical, was found in code-projects Chat System 1.0. Affected is an unknown function of the file /admin/deleteuser.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0171
CVE-2024-56266 | Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 5.8. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56266
CVE-2024-13093 | A vulnerability, which was classified as critical, has been found in code-projects Job Recruitment 1.0. This issue affects some unknown processing of the file /_parse/_call_main_search_ajax.php of the component Seeker Profile Handler. The manipulation of the argument s1 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13093
CVE-2024-13092 | A vulnerability classified as critical was found in code-projects Job Recruitment 1.0. This vulnerability affects unknown code of the file /_parse/_call_job/search_ajax.php of the component Job Post Handler. The manipulation of the argument n leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13092
CVE-2025-0168 | A vulnerability classified as critical has been found in code-projects Job Recruitment 1.0. This affects an unknown part of the file /_parse/_feedback_system.php. The manipulation of the argument person leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0168
CVE-2024-36613 | FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library allowing for an integer overflow, potentially resulting in a denial-of-service (DoS) condition or other undefined behavior. | 6.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-36613
CVE-2024-40747 | Various module chromes didn't properly process inputs, leading to XSS vectors. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-40747
CVE-2024-12738 | The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several user meta parameters in all versions up to, and including, 3.12.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks a link to show user meta. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12738
CVE-2024-12077 | The Booking Calendar and Booking Calendar Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'calendar_id' parameter in all versions up to, and including, 3.2.19 and 11.2.19 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12077
CVE-2024-9354 | The Estatik Mortgage Calculator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'color' parameter in all versions up to, and including, 2.0.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-9354
CVE-2024-12438 | The WooCommerce Digital Content Delivery (incl. DRM) – FlickRocket plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'start_date' and 'end_date' parameters in all versions up to, and including, 4.74 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12438
CVE-2024-12384 | The Binary MLM Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12384
CVE-2024-12383 | The Binary MLM Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'bmw_display_pv_set_page' function and insufficient input sanitization and output escaping of the 'product_points' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12383
CVE-2024-12261 | The SmartEmailing.cz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'se-lists-updated' parameter in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12261
CVE-2024-11369 | The Store credit / Gift cards for woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'coupon', 'start_date', and 'end_date' parameters in all versions up to, and including, 1.0.49.46 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11369
CVE-2024-9208 | The Enable Accessibility plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.4.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-9208
CVE-2024-12435 | The Compare Products for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's_feature' parameter in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12435
CVE-2024-12324 | The Unilevel MLM Plan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12324
CVE-2024-12291 | The ViewMedica 9 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.15. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12291
CVE-2024-12290 | The Infility Global plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'set_type' parameter in all versions up to, and including, 2.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12290
CVE-2024-12288 | The Simple add pages or posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12288
CVE-2024-12256 | The Simple Video Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'analytics_video' parameter in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12256
CVE-2024-12214 | The WooCommerce HSS Extension for Streaming Video plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'videolink' parameter in all versions up to, and including, 3.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12214
CVE-2024-12153 | The GDY Modular Content plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.9.91. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12153
CVE-2024-12126 | The SEO Keywords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12126
CVE-2024-12124 | The Role Includer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'user_id' parameter in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12124
CVE-2024-12049 | The Woo Ukrposhta plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order', 'post', and 'idd' parameters in all versions up to, and including, 1.17.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12049
CVE-2024-11810 | The PayGreen Payment Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message_id' parameter in all versions up to, and including, 1.0.26 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11810
CVE-2024-11690 | The Financial Stocks & Crypto Market Data Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'e' parameter in all versions up to, and including, 1.10.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11690
CVE-2024-11434 | The WP – Bulk SMS – by SMS.to plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11434
CVE-2024-11378 | The Bizapp for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'error' parameter in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11378
CVE-2024-11377 | The Automate Hub Free by Sperse.IO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11377
CVE-2024-11375 | The WC1C plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.23.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11375
CVE-2024-11363 | The Same but Different – Related Posts by Taxonomy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-11363
CVE-2024-12557 | The Transporters.io plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.84. This is due to missing nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12557
CVE-2024-12540 | The LDD Directory Lite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12540
CVE-2024-12098 | The ARS Affiliate Page Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'utm_keyword' parameter in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-12098
CVE-2024-35498 | A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-35498
CVE-2024-46073 | A reflected Cross-Site Scripting (XSS) vulnerability exists in the login page of IceHRM v32.4.0.OS. The vulnerability is due to improper sanitization of the "next" parameter, which is included in the application's response without adequate escaping. An attacker can exploit this flaw by tricking a user into visiting a specially crafted URL, causing the execution of arbitrary JavaScript code in the context of the victim's browser. The issue occurs even though the application has sanitization mechanisms in place. | 6.1 | https://nvd.nist.gov/vuln/detail/CVE-2024-46073
CVE-2024-51112Open Redirect vulnerability in Pnetlab 5.3.11 allows an attacker to manipulate URLs to redirect users to arbitrary external websites via a crafted script.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-51112
CVE-2024-43063Information disclosure while invoking the mailbox read API.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-43063
CVE-2024-33067Information disclosure while invoking callback function of sound model driver from ADSP for every valid opcode received from sound model driver.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-33067
CVE-2024-12302The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its Campaign settings, which could allow authors and above to perform Stored Cross-Site Scripting attacks.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12302
CVE-2024-11849The Pods WordPress plugin before 3.2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11849
CVE-2024-11356The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11356
CVE-2024-12279The WP Social AutoConnect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12279
CVE-2024-12221The Turnkey bbPress by WeaverTheme plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_wpnonce' parameter in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12221
CVE-2024-12701The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12701
CVE-2024-12047The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'custom_server' parameter in all versions up to, and including, 6.30.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12047
CVE-2024-11974The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'smc_settings_tab', 'unattachfixit-action', and 'woofixit-action' parameters in all versions up to, and including, 3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11974
CVE-2024-11846The does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11846
CVE-2025-22579Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly WP Header Notification allows Stored XSS. This issue affects WP Header Notification: from n/a through 1.2.7.5.9https://nvd.nist.gov/vuln/detail/CVE-2025-22579
CVE-2025-22578Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AazzTech WP Cookie allows Stored XSS. This issue affects WP Cookie: from n/a through 1.0.0.5.9https://nvd.nist.gov/vuln/detail/CVE-2025-22578
CVE-2024-52366IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-52366
CVE-2025-22316Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBits WPBITS Addons For Elementor Page Builder allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through 1.5.1.5.9https://nvd.nist.gov/vuln/detail/CVE-2025-22316
CVE-2024-56298Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 5 Star Plugins Pretty Simple Popup Builder allows Stored XSS. This issue affects Pretty Simple Popup Builder: from n/a through 1.0.9.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-56298
CVE-2024-56297Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dn88 Highlight allows Stored XSS. This issue affects Highlight: from n/a through 2.0.2.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-56297
CVE-2024-56293Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nasirahmed Advanced Form Integration allows Stored XSS. This issue affects Advanced Form Integration: from n/a through 1.95.0.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-56293
CVE-2024-56292Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop, oplugins Email Reminders allows Stored XSS. This issue affects Email Reminders: from n/a through 2.0.5.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-56292
CVE-2024-56288Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fahad Mahmood WP Docs allows Stored XSS. This issue affects WP Docs: from n/a through 2.2.1.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-56288
CVE-2024-55627Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a specially crafted TCP stream can lead to a very large buffer overflow while being zero-filled during initialization with memset due to an unsigned integer underflow. The issue has been addressed in Suricata 7.0.8.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-55627
CVE-2024-41763IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-41763
CVE-2025-22385An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested storefront accounts can be created on behalf of visitors.5.9https://nvd.nist.gov/vuln/detail/CVE-2025-22385
CVE-2024-8447A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-8447
CVE-2024-56237Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Contest Gallery Contest Gallery allows Stored XSS. This issue affects Contest Gallery: from n/a through 24.0.3.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-56237
CVE-2024-11357The goodlayers-core WordPress plugin before 2.0.10 does not sanitise and escape some of its settings, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-11357
CVE-2025-22388An issue was discovered in Optimizely EPiServer.CMS.Core before 12.22.0. A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the CMS, allowing malicious actors to inject and execute arbitrary JavaScript code, potentially compromising user data, escalating privileges, or executing unauthorized actions. The issue exists in multiple areas, including content editing, link management, and file uploads.5.7https://nvd.nist.gov/vuln/detail/CVE-2025-22388
CVE-2024-13111A vulnerability classified as critical was found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected by this vulnerability is an unknown functionality of the file src/main/java/com/yf/exam/modules/sys/user/controller/SysUserControl of the component JWT Token Handler. The manipulation leads to improper authentication. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.5.6https://nvd.nist.gov/vuln/detail/CVE-2024-13111
CVE-2025-0218When batch jobs are executed by pgAgent, a script is created in a temporary directory and then executed. In versions of pgAgent prior to 4.2.3, an insufficiently seeded random number generator is used when generating the directory name, leading to the possibility for a local attacker to pre-create the directory and thus prevent pgAgent from executing jobs, disrupting scheduled tasks.5.5https://nvd.nist.gov/vuln/detail/CVE-2025-0218
CVE-2024-45070in OpenHarmony v4.1.2 and prior versions allow a local attacker to cause an information leak through an out-of-bounds read.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-45070
CVE-2025-21615AAT (Another Activity Tracker) is a GPS-tracking application for tracking sportive activities, with emphasis on cycling. Versions lower than v1.26 of AAT are vulnerable to data exfiltration from malicious apps installed on the same device.5.5https://nvd.nist.gov/vuln/detail/CVE-2025-21615
CVE-2024-56769In the Linux kernel, the following vulnerability has been resolved:

media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg

Syzbot reports [1] an uninitialized value issue found by KMSAN in
dib3000_read_reg().

Local u8 rb[2] is used in i2c_transfer() as a read buffer; in case
that call fails, the buffer may end up with some undefined values.

Since no elaborate error handling is expected in dib3000_write_reg(),
simply zero out rb buffer to mitigate the problem.

[1] Syzkaller report
dvb-usb: bulk message failed: -22 (6/0)
=====================================================
BUG: KMSAN: uninit-value in dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
dibusb_dib3000mb_frontend_attach+0x155/0x2f0 drivers/media/usb/dvb-usb/dibusb-mb.c:31
dvb_usb_adapter_frontend_init+0xed/0x9a0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290
dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:90 [inline]
dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:186 [inline]
dvb_usb_device_init+0x25a8/0x3760 drivers/media/usb/dvb-usb/dvb-usb-init.c:310
dibusb_probe+0x46/0x250 drivers/media/usb/dvb-usb/dibusb-mb.c:110
...
Local variable rb created at:
dib3000_read_reg+0x86/0x4e0 drivers/media/dvb-frontends/dib3000mb.c:54
dib3000mb_attach+0x123/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
...
5.5https://nvd.nist.gov/vuln/detail/CVE-2024-56769
CVE-2024-56768In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP

On x86-64 calling bpf_get_smp_processor_id() in a kernel with CONFIG_SMP
disabled can trigger the following bug, as pcpu_hot is unavailable:

[ 8.471774] BUG: unable to handle page fault for address: 00000000936a290c
[ 8.471849] #PF: supervisor read access in kernel mode
[ 8.471881] #PF: error_code(0x0000) - not-present page

Fix by inlining a return 0 in the !CONFIG_SMP case.
5.5https://nvd.nist.gov/vuln/detail/CVE-2024-56768
CVE-2024-56767In the Linux kernel, the following vulnerability has been resolved:

dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset

The at_xdmac_memset_create_desc may return NULL, which will lead to a
null pointer dereference. For example, the len input is invalid, or the
atchan->free_descs_list is empty and memory is exhausted. Therefore, add
a check to avoid this.
5.5https://nvd.nist.gov/vuln/detail/CVE-2024-56767
CVE-2024-56763In the Linux kernel, the following vulnerability has been resolved:

tracing: Prevent bad count for tracing_cpumask_write

If a large count is provided, it will trigger a warning in bitmap_parse_user.
Also check zero for it.
5.5https://nvd.nist.gov/vuln/detail/CVE-2024-56763
CVE-2024-56761In the Linux kernel, the following vulnerability has been resolved:

x86/fred: Clear WFE in missing-ENDBRANCH #CPs

An indirect branch instruction sets the CPU indirect branch tracker
(IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted
across the instruction boundary. When the decoder finds an
inappropriate instruction while WFE is set ENDBR, the CPU raises a #CP
fault.

For the "kernel IBT no ENDBR" selftest where #CPs are deliberately
triggered, the WFE state of the interrupted context needs to be
cleared to let execution continue. Otherwise when the CPU resumes
from the instruction that just caused the previous #CP, another
missing-ENDBRANCH #CP is raised and the CPU enters a dead loop.

This is not a problem with IDT because it doesn't preserve WFE and
IRET doesn't set WFE. But FRED provides space on the entry stack
(in an expanded CS area) to save and restore the WFE state, thus the
WFE state is no longer clobbered, so software must clear it.

Clear WFE to avoid dead looping in ibt_clear_fred_wfe() and the
!ibt_fatal code path when execution is allowed to continue.

Clobbering WFE in any other circumstance is a security-relevant bug.

[ dhansen: changelog rewording ]
5.5https://nvd.nist.gov/vuln/detail/CVE-2024-56761
CVE-2024-56760In the Linux kernel, the following vulnerability has been resolved:

PCI/MSI: Handle lack of irqdomain gracefully

Alexandre observed a warning emitted from pci_msi_setup_msi_irqs() on a
RISCV platform which does not provide PCI/MSI support:

WARNING: CPU: 1 PID: 1 at drivers/pci/msi/msi.h:121 pci_msi_setup_msi_irqs+0x2c/0x32
__pci_enable_msix_range+0x30c/0x596
pci_msi_setup_msi_irqs+0x2c/0x32
pci_alloc_irq_vectors_affinity+0xb8/0xe2

RISCV uses hierarchical interrupt domains and correctly does not implement
the legacy fallback. The warning triggers from the legacy fallback stub.

That warning is bogus as the PCI/MSI layer knows whether a PCI/MSI parent
domain is associated with the device or not. There is a check for MSI-X,
which has a legacy assumption. But that legacy fallback assumption is only
valid when legacy support is enabled, but otherwise the check should simply
return -ENOTSUPP.

Loongarch tripped over the same problem and blindly enabled legacy support
without implementing the legacy fallbacks. There are weak implementations
which return an error, so the problem was papered over.

Correct pci_msi_domain_supports() to evaluate the legacy mode and add
the missing supported check into the MSI enable path to complete it.
5.5https://nvd.nist.gov/vuln/detail/CVE-2024-56760
CVE-2024-56758In the Linux kernel, the following vulnerability has been resolved:

btrfs: check folio mapping after unlock in relocate_one_folio()

When we call btrfs_read_folio() to bring a folio uptodate, we unlock the
folio. The result of that is that a different thread can modify the
mapping (like remove it with invalidate) before we call folio_lock().
This results in an invalid page and we need to try again.

In particular, if we are relocating concurrently with aborting a
transaction, this can result in a crash like the following:

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] SMP
CPU: 76 PID: 1411631 Comm: kworker/u322:5
Workqueue: events_unbound btrfs_reclaim_bgs_work
RIP: 0010:set_page_extent_mapped+0x20/0xb0
Call Trace:
<TASK>
? __die+0x78/0xc0
? page_fault_oops+0x2a8/0x3a0
? __switch_to+0x133/0x530
? wq_worker_running+0xa/0x40
? exc_page_fault+0x63/0x130
? asm_exc_page_fault+0x22/0x30
? set_page_extent_mapped+0x20/0xb0
relocate_file_extent_cluster+0x1a7/0x940
relocate_data_extent+0xaf/0x120
relocate_block_group+0x20f/0x480
btrfs_relocate_block_group+0x152/0x320
btrfs_relocate_chunk+0x3d/0x120
btrfs_reclaim_bgs_work+0x2ae/0x4e0
process_scheduled_works+0x184/0x370
worker_thread+0xc6/0x3e0
? blk_add_timer+0xb0/0xb0
kthread+0xae/0xe0
? flush_tlb_kernel_range+0x90/0x90
ret_from_fork+0x2f/0x40
? flush_tlb_kernel_range+0x90/0x90
ret_from_fork_asm+0x11/0x20
</TASK>

This occurs because cleanup_one_transaction() calls
destroy_delalloc_inodes() which calls invalidate_inode_pages2() which
takes the folio_lock before setting mapping to NULL. We fail to check
this, and subsequently call set_extent_mapping(), which assumes that
mapping != NULL (in fact it asserts that in debug mode)

Note that the "fixes" patch here is not the one that introduced the
race (the very first iteration of this code from 2009) but a more recent
change that made this particular crash happen in practice.
5.5https://nvd.nist.gov/vuln/detail/CVE-2024-56758
CVE-2024-56757In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btusb: mediatek: add intf release flow when usb disconnect

MediaTek claims a special USB intr interface for ISO data transmission.
The interface needs to be released before unregistering the hci device when
the USB device disconnects. Removing a BT USB dongle without properly releasing the
interface may cause a kernel panic while unregistering the hci device.
5.5https://nvd.nist.gov/vuln/detail/CVE-2024-56757
CVE-2024-31913IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-31913
CVE-2024-45559Transient DOS can occur when GVM sends a specific message type to the Vdev-FastRPC backend.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-45559
CVE-2025-0223A vulnerability was found in IObit Protected Folder up to 13.6.0.5. It has been classified as problematic. Affected is the function 0x8001E000/0x8001E00C/0x8001E004/0x8001E010 in the library IURegistryFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2025-0223
CVE-2025-0222A vulnerability was found in IObit Protected Folder up to 13.6.0.5 and classified as problematic. This issue affects the function 0x8001E000/0x8001E004 in the library IUProcessFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2025-0222
CVE-2025-0221A vulnerability has been found in IOBit Protected Folder up to 1.3.0 and classified as problematic. This vulnerability affects the function 0x22200c in the library pffilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2025-0221
CVE-2025-0202A vulnerability was found in TCS BaNCS 10. It has been classified as problematic. This affects an unknown part of the file /REPORTS/REPORTS_SHOW_FILE.jsp. The manipulation of the argument FilePath leads to file inclusion.5.5https://nvd.nist.gov/vuln/detail/CVE-2025-0202
CVE-2024-53839In GetCellInfoList() of protocolnetadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User Interaction is not needed for exploitation.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-53839
CVE-2024-44450Multiple functions are vulnerable to Authorization Bypass in AIMS eCrew. The issue was fixed in version JUN23 #190.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-44450
CVE-2025-22543Missing Authorization vulnerability in Beautiful Templates ST Gallery WP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ST Gallery WP: from n/a through 1.0.8.5.4https://nvd.nist.gov/vuln/detail/CVE-2025-22543
CVE-2025-22541Missing Authorization vulnerability in Etruel Developments LLC WP Delete Post Copies allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Delete Post Copies: from n/a through 5.5.5.4https://nvd.nist.gov/vuln/detail/CVE-2025-22541
CVE-2025-22534Missing Authorization vulnerability in Ella van Durpe Slides & Presentations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slides & Presentations: from n/a through 0.0.39.5.4https://nvd.nist.gov/vuln/detail/CVE-2025-22534
CVE-2024-52891IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow an authenticated user to inject malicious information or obtain information from log files due to improper log neutralization.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-52891
CVE-2025-22301Cross-Site Request Forgery (CSRF) vulnerability in Stormhill Media MyBookTable Bookstore allows Cross Site Request Forgery. This issue affects MyBookTable Bookstore: from n/a through 3.5.3.5.4https://nvd.nist.gov/vuln/detail/CVE-2025-22301
CVE-2025-22300Cross-Site Request Forgery (CSRF) vulnerability in PixelYourSite PixelYourSite – Your smart PIXEL (TAG) Manager allows Cross Site Request Forgery. This issue affects PixelYourSite – Your smart PIXEL (TAG) Manager: from n/a through 10.0.1.2.5.4https://nvd.nist.gov/vuln/detail/CVE-2025-22300
CVE-2024-12170The ViewMedica 9 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.15. This is due to missing or incorrect nonce validation on the 'Viewmedica-Admin' page. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-12170
CVE-2024-12541The Chative Live chat and Chatbot plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the add_chative_widget_action() function. This makes it possible for unauthenticated attackers to change the channel ID or organization ID via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This could lead to redirecting the live chat widget to an attacker-controlled channel.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-12541
CVE-2025-21616Plane is an open-source project management tool. A cross-site scripting (XSS) vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.5.4https://nvd.nist.gov/vuln/detail/CVE-2025-21616
CVE-2024-46209A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the password parameter.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-46209
CVE-2024-12545The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.1. This is due to missing nonce validation on the reset_installation() function. This makes it possible for unauthenticated attackers to reset the plugin’s installation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-12545
CVE-2024-55896IBM PowerHA SystemMirror for i 7.4 and 7.5 contains improper restrictions when rendering content via iFrames. This vulnerability could allow an attacker to gain improper access and perform unauthorized actions on the system.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-55896
CVE-2023-23672Missing Authorization vulnerability in Liquid Web / StellarWP GiveWP. This issue affects GiveWP: from n/a through 2.25.1.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-23672
CVE-2022-45811Missing Authorization vulnerability in WeyHan Ng Post Teaser. This issue affects Post Teaser: from n/a through 4.1.5.5.4https://nvd.nist.gov/vuln/detail/CVE-2022-45811
CVE-2023-45272Missing Authorization vulnerability in 10Web 10Web Map Builder for Google Maps allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 10Web Map Builder for Google Maps: from n/a through 1.0.73.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-45272
CVE-2023-32240Missing Authorization vulnerability in Xtemos WoodMart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WoodMart: from n/a through 7.2.1.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-32240
CVE-2024-37925Cross-Site Request Forgery (CSRF) vulnerability in BUDDYBOSS LLC BuddyBoss Theme allows Cross Site Request Forgery. This issue affects BuddyBoss Theme: from n/a through 2.4.61.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-37925
CVE-2024-37438Cross-Site Request Forgery (CSRF) vulnerability in Uncanny Owl Uncanny Toolkit Pro for LearnDash allows Cross Site Request Forgery. This issue affects Uncanny Toolkit Pro for LearnDash: from n/a before 4.1.4.1.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-37438
CVE-2024-56253Missing Authorization vulnerability in supsystic.com Data Tables Generator by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Data Tables Generator by Supsystic: from n/a through 1.10.36.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-56253
CVE-2024-56244Missing Authorization vulnerability in WP Royal Ashe Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ashe Extra: from n/a through 1.2.92.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-56244
CVE-2024-38789Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi Telegram Bot & Channel allows Cross Site Request Forgery. This issue affects Telegram Bot & Channel: from n/a through 3.8.2.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-38789
CVE-2024-38729Cross-Site Request Forgery (CSRF) vulnerability in MBE Worldwide S.p.A. MBE eShip allows Cross Site Request Forgery. This issue affects MBE eShip: from n/a through 2.1.2.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-38729
CVE-2024-37469Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Blocksy allows Cross Site Request Forgery. This issue affects Blocksy: from n/a through 2.0.22.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-37469
CVE-2023-47661Missing Authorization vulnerability in Dragfy Dragfy Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dragfy Addons for Elementor: from n/a through 1.0.2.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-47661
CVE-2023-47225Missing Authorization vulnerability in KaizenCoders Short URL allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Short URL: from n/a through 1.6.8.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-47225
CVE-2023-47187Missing Authorization vulnerability in Labib Ahmed Animated Rotating Words allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Animated Rotating Words: from n/a through 5.4.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-47187
CVE-2023-46633Missing Authorization vulnerability in TCBarrett Glossary allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Glossary: from n/a through 3.1.2.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-46633
CVE-2023-46616Missing Authorization vulnerability in NSquared Draw Attention allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Draw Attention: from n/a through 2.0.15.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-46616
CVE-2023-46607Missing Authorization vulnerability in WP iCal Availability WP iCal Availability allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP iCal Availability: from n/a through 1.0.3.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-46607
CVE-2023-46079Missing Authorization vulnerability in WP Royal Ashe Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ashe Extra: from n/a through 1.2.9.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-46079
CVE-2023-45828Missing Authorization vulnerability in RumbleTalk Ltd RumbleTalk Live Group Chat allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RumbleTalk Live Group Chat: from n/a through 6.2.5.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-45828
CVE-2023-45636Missing Authorization vulnerability in WebToffee WordPress Backup & Migration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Backup & Migration: from n/a through 1.4.1.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-45636
CVE-2023-45045Missing Authorization vulnerability in Kishor Khambu WP Custom Widget area allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Custom Widget area: from n/a through 1.2.5.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-45045
CVE-2024-56830The Net::EasyTCP package 0.15 through 0.26 for Perl uses Perl's builtin rand() if no strong randomization module is present.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-56830
CVE-2002-20002The Net::EasyTCP package before 0.15 for Perl always uses Perl's builtin rand(), which is not a strong random number generator, for cryptographic keys.5.4https://nvd.nist.gov/vuln/detail/CVE-2002-20002
CVE-2025-22363Missing Authorization vulnerability in ORION Allada T-shirt Designer for Woocommerce.This issue affects Allada T-shirt Designer for Woocommerce: from n/a through 1.1.5.3https://nvd.nist.gov/vuln/detail/CVE-2025-22363
CVE-2025-22306Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Link Whisper Link Whisper Free.This issue affects Link Whisper Free: from n/a through 0.7.7.5.3https://nvd.nist.gov/vuln/detail/CVE-2025-22306
CVE-2024-56270Missing Authorization vulnerability in SecureSubmit WP SecureSubmit.This issue affects WP SecureSubmit: from n/a through 1.5.16.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-56270
CVE-2025-22560Missing Authorization vulnerability in Saoshyant.1994 Saoshyant Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Saoshyant Page Builder: from n/a through 3.8.5.3https://nvd.nist.gov/vuln/detail/CVE-2025-22560
CVE-2024-45640IBM Security ReaQta 3.12 returns sensitive information in an HTTP response that could be used in further attacks against the system.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-45640
CVE-2024-52893 | IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-52893
CVE-2024-52367 | IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could disclose sensitive system information to an unauthorized actor that could be used in further attacks against the system. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-52367
CVE-2024-12711 | The RSVP and Event Management plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX functions like bulk_delete_attendees() and bulk_delete_questions() in all versions up to, and including, 2.7.13. This makes it possible for unauthenticated attackers to delete questions and attendees and for authenticated users to update question menu orders. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12711
CVE-2024-12316 | The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_popup_action() function in all versions up to, and including, 4.8.5. This makes it possible for unauthenticated attackers to export popup templates. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12316
CVE-2025-22303 | Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster allows Retrieve Embedded Sensitive Data. This issue affects WP Mailster: from n/a through 1.8.17.0. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22303
CVE-2025-22302 | Missing Authorization vulnerability in WP Wand WP Wand allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Wand: from n/a through 1.2.5. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22302
CVE-2024-51651 | Missing Authorization vulnerability in CubeWP CubeWP Forms – All-in-One Form Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CubeWP Forms – All-in-One Form Builder: from n/a through 1.1.5. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-51651
CVE-2024-10866 | The Export Import Menus plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the dsp_export_import_menus() function in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to export menu data and settings. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-10866
CVE-2024-11282 | The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.10 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-11282
CVE-2024-9697 | The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tweet_settings_save() and tweet_settings_update() functions in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-9697
CVE-2024-11606 | The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-11606
CVE-2024-12176 | The WordLift – AI powered SEO – Schema plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'wl_config_plugin' AJAX action in all versions up to, and including, 3.54.0. This makes it possible for unauthenticated attackers to update the plugin's settings. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12176
CVE-2024-12159 | The Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.1 due to the print_php_information.php file being publicly accessible. This makes it possible for unauthenticated attackers to extract sensitive configuration data that can be leveraged in another attack. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12159
CVE-2024-12158 | The Popup – MailChimp, GetResponse and ActiveCampaign Intergrations plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'upc_delete_db_data' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for unauthenticated attackers to delete the DB data for the plugin. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12158
CVE-2024-11290 | The Member Access plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-11290
CVE-2024-12559 | The ClickDesigns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clickdesigns_add_api' and the 'clickdesigns_remove_api' functions in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to modify or remove the plugin's API key. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12559
CVE-2024-12022 | The WP Menu Image plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wmi_delete_img_menu' function in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to delete images from menus. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12022
CVE-2024-55408 | An issue in the AsusSAIO.sys component of ASUS System Analysis IO v1.0.0 allows attackers to perform arbitrary read and write actions via supplying crafted IOCTL requests. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-55408
CVE-2023-6604 | A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-6604
CVE-2025-0224 | A vulnerability was found in Provision-ISR SH-4050A-2, SH-4100A-2L(MM), SH-8100A-2L(MM), SH-16200A-2(1U), SH-16200A-5(1U) and NVR5-8200PX up to 20241220. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /server.js. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0224
CVE-2024-13131 | A vulnerability classified as problematic has been found in Dahua IPC-HFW1200S, IPC-HFW2300R-Z, IPC-HFW5220E-Z and IPC-HDW1200S up to 20241222. This affects an unknown part of the file /web_caps/webCapsConfig of the component Web Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13131
CVE-2025-0206 | A vulnerability classified as critical was found in code-projects Online Shoe Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/index.php. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-0206
CVE-2024-56332 | Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leave requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: the Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.) Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56332
CVE-2025-21610 | Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.12 are vulnerable to cross-site scripting when pasting malicious code in the link field. An attacker could trick the user to copy and paste a malicious `javascript\:` URL as a link that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. Users should upgrade to Trix editor version 2.1.12 or later to receive a patch. In addition to upgrading, affected users can disallow browsers that don't support a Content Security Policy (CSP) as a workaround for this and other cross-site scripting vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-21610
CVE-2022-47601 | Missing Authorization vulnerability in JoomUnited WP Table Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Table Manager: from n/a through 3.5.2. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2022-47601
CVE-2023-48739 | Missing Authorization vulnerability in Porto Theme Porto Theme - Functionality allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Porto Theme - Functionality: from n/a before 2.12.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-48739
CVE-2024-13109 | A vulnerability was found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. It has been rated as critical. This issue affects some unknown processing of the file /doc.html. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13109
CVE-2024-13108 | A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. It has been declared as critical. This vulnerability affects unknown code of the file /goform/form2NetSniper.cgi. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13108
CVE-2024-56238 | Missing Authorization vulnerability in QunatumCloud Floating Action Buttons allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Floating Action Buttons: from n/a through 0.9.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56238
CVE-2024-13107 | A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. It has been classified as critical. This affects an unknown part of the file /goform/form2LocalAclEditcfg.cgi of the component ACL Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13107
CVE-2024-13106 | A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this issue is some unknown functionality of the file /goform/form2IPQoSTcAdd of the component IP QoS Handler. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13106
CVE-2023-47515 | Missing Authorization vulnerability in Seers Seers allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Seers: from n/a through 8.1.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47515
CVE-2023-47241 | Missing Authorization vulnerability in CoCart Headless, LLC CoCart – Headless ecommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CoCart – Headless ecommerce: from n/a through 3.11.2. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47241
CVE-2023-47188 | Missing Authorization vulnerability in PressTigers Simple Job Board allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Job Board: from n/a through 2.10.5. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47188
CVE-2023-47183 | Missing Authorization vulnerability in GiveWP GiveWP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GiveWP: from n/a through 2.33.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-47183
CVE-2023-46639 | Missing Authorization vulnerability in FeedbackWP kk Star Ratings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects kk Star Ratings: from n/a through 5.4.5. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46639
CVE-2023-46637 | Missing Authorization vulnerability in Saurav Sharma Generate Dummy Posts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Generate Dummy Posts: from n/a through 1.0.0. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46637
CVE-2023-46635 | Missing Authorization vulnerability in YITH YITH WooCommerce Product Add-Ons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.2.0. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46635
CVE-2023-46611 | Authentication Bypass by Primary Weakness vulnerability in yourownprogrammer YOP Poll allows Authentication Bypass. This issue affects YOP Poll: from n/a through 6.5.28. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46611
CVE-2023-46608 | Missing Authorization vulnerability in WPDO DoLogin Security allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DoLogin Security: from n/a through 3.7.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46608
CVE-2023-46606 | Missing Authorization vulnerability in AtomChat AtomChat allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AtomChat: from n/a through 1.1.4. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46606
CVE-2023-46605 | Missing Authorization vulnerability in Ruslan Suhar Convertful – Your Ultimate On-Site Conversion Tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Convertful – Your Ultimate On-Site Conversion Tool: from n/a through 2.5. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46605
CVE-2023-46309 | Missing Authorization vulnerability in gVectors Team wpDiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through 7.6.10. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46309
CVE-2023-46206 | Missing Authorization vulnerability in websoudan MW WP Form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MW WP Form: from n/a through 4.4.5. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46206
CVE-2023-46083 | Missing Authorization vulnerability in Kali Forms Contact Form builder with drag & drop - Kali Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form builder with drag & drop - Kali Forms: from n/a through 2.3.27. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46083
CVE-2023-46082 | Missing Authorization vulnerability in Cyberlord92 Broken Link Checker | Finder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broken Link Checker | Finder: from n/a through 2.4.2. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46082
CVE-2023-46073 | Missing Authorization vulnerability in nofearinc DX Delete Attached Media allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DX Delete Attached Media: from n/a through 2.0.5.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-46073
CVE-2023-45766 | Missing Authorization vulnerability in Poll Maker Team Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll Maker: from n/a through 4.7.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45766
CVE-2023-45649 | Missing Authorization vulnerability in CodePeople Appointment Hour Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appointment Hour Booking: from n/a through 1.4.23. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45649
CVE-2023-45061 | Missing Authorization vulnerability in AWSM Innovations WP Job Openings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Openings: from n/a through 3.4.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-45061
CVE-2023-44258 | Missing Authorization vulnerability in Schema App Schema App Structured Data allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Schema App Structured Data: from n/a through 1.23.1. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2023-44258
CVE-2024-13105 | A vulnerability has been found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/form2Dhcpd.cgi of the component DHCPD Setting Handler. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13105
CVE-2024-13104 | A vulnerability, which was classified as critical, was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. Affected is an unknown function of the file /goform/form2AdvanceSetup.cgi of the component WiFi Settings Handler. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13104
CVE-2024-13103 | A vulnerability, which was classified as critical, has been found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. This issue affects some unknown processing of the file /goform/form2AddVrtsrv.cgi of the component Virtual Service Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13103
CVE-2024-13102 | A vulnerability classified as critical was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. This vulnerability affects unknown code of the file /goform/DDNS of the component DDNS Service. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-13102
CVE-2024-56199 | phpMyFAQ is an open source FAQ web application. Starting no later than version 3.2.10 and prior to version 4.0.2, an attacker can inject malicious HTML content into the FAQ editor at `http[:]//localhost/admin/index[.]php?action=editentry`, resulting in a complete disruption of the FAQ page's user interface. By injecting malformed HTML elements styled to cover the entire screen, an attacker can render the page unusable. This injection manipulates the page structure by introducing overlapping buttons, images, and iframes, breaking the intended layout and functionality. Exploiting this issue can lead to Denial of Service for legitimate users, damage to the user experience, and potential abuse in phishing or defacement attacks. Version 4.0.2 contains a patch for the vulnerability. | 5.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-56199
CVE-2024-47475 | Dell PowerScale OneFS 8.2.2.x through 9.8.0.x contains an incorrect permission assignment for critical resource vulnerability. A locally authenticated attacker could potentially exploit this vulnerability, leading to denial of service. | 5 | https://nvd.nist.gov/vuln/detail/CVE-2024-47475
CVE-2024-45100 | IBM Security ReaQta 3.12 could allow a privileged user to cause a denial of service by sending multiple administration requests due to improper allocation of resources. | 4.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-45100
CVE-2024-11437 | The Timeline Designer plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 4.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-11437
CVE-2024-56248 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Webdeclic WPMasterToolKit allows Path Traversal. This issue affects WPMasterToolKit: from n/a through 1.13.1. | 4.9 | https://nvd.nist.gov/vuln/detail/CVE-2024-56248
CVE-2024-9638 | The Category Posts Widget WordPress plugin before 4.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-9638
CVE-2024-8857 | The WordPress Auction Plugin WordPress plugin through 3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Stored Cross-Site Scripting attacks. | 4.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-8857
CVE-2024-11184 | The wp-enable-svg WordPress plugin through 0.7 does not sanitize SVG files when uploaded, allowing authors and above to upload SVGs containing malicious scripts. | 4.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-11184
CVE-2025-0294 | A vulnerability has been found in SourceCodester Home Clean Services Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /public_html/admin/process.php. The manipulation of the argument type/length/business leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 4.7 | https://nvd.nist.gov/vuln/detail/CVE-2025-0294
CVE-2023-6601 | A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions. | 4.7 | https://nvd.nist.gov/vuln/detail/CVE-2023-6601
CVE-2024-13138 | A vulnerability was found in wangl1989 mysiteforme 1.0. It has been declared as critical. This vulnerability affects the function upload of the file src/main/java/com/mysiteform/admin/service/ipl/LocalUploadServiceImpl. The manipulation of the argument test leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 4.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-13138
CVE-2024-48197 | Cross Site Scripting vulnerability in Audiocodes MP-202b v.4.4.3 allows a remote attacker to escalate privileges via the login page of the web interface. | 4.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-48197
CVE-2024-12595 | The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | 4.7 | https://nvd.nist.gov/vuln/detail/CVE-2024-12595
CVE-2025-22383 | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity input validation issue exists in the Commerce B2B application, affecting the Contact Us functionality. This allows visitors to send e-mail messages that could contain unfiltered HTML markup in specific scenarios. | 4.6 | https://nvd.nist.gov/vuln/detail/CVE-2025-22383
CVE-2024-54030 | OpenHarmony v4.1.2 and prior versions allow a local attacker to cause DoS through use after free. | 4.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-54030
CVE-2024-12207 | The Toggles Shortcode and Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter in all versions up to, and including, 1.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 4.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-12207
CVE-2024-51741 | Redis is an open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2. | 4.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-51741
CVE-2024-20152 | In wlan STA driver, there is a possible reachable assertion due to improper exception handling. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00389047 / ALPS09136505; Issue ID: MSV-1798. | 4.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-20152
CVE-2025-22319 | Missing Authorization vulnerability in DearHive Social Media Share Buttons | MashShare. This issue affects Social Media Share Buttons | MashShare: from n/a through 4.0.47. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22319
CVE-2024-56272 | Missing Authorization vulnerability in ThemeSupport Hide Category by User Role for WooCommerce. This issue affects Hide Category by User Role for WooCommerce: from n/a through 2.1.1. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-56272
CVE-2024-12429 | An attacker who successfully exploited these vulnerabilities could grant read access to files. A vulnerability exists in the AC500 V3 version mentioned. A successfully authenticated attacker can use this vulnerability to read system wide files and configuration. All AC500 V3 products (PM5xxx) with firmware version earlier than 3.8.0 are affected by this vulnerability. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12429
CVE-2025-22591 | Missing Authorization vulnerability in Lenderd 1003 Mortgage Application allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 1003 Mortgage Application: from n/a through 1.87. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22591
CVE-2025-22563 | Cross-Site Request Forgery (CSRF) vulnerability in Faaiq Pretty Url allows Cross Site Request Forgery. This issue affects Pretty Url: from n/a through 1.5.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22563
CVE-2025-22562 | Cross-Site Request Forgery (CSRF) vulnerability in Jason Funk Title Experiments Free allows Cross Site Request Forgery. This issue affects Title Experiments Free: from n/a through 9.0.4. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22562
CVE-2025-22512 | Missing Authorization vulnerability in Sprout Apps Help Scout allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Help Scout: from n/a through 6.5.1. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22512
CVE-2025-22503 | Cross-Site Request Forgery (CSRF) vulnerability in Digital Zoom Studio Admin debug wordpress – enable debug allows Cross Site Request Forgery. This issue affects Admin debug wordpress – enable debug: from n/a through 1.0.13. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2025-22503
CVE-2024-52813 | matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to notify that a user's cryptographic identity has changed from a verified to an unverified one, which could cause client applications relying on the SDK to overlook such changes. matrix-sdk-crypto 0.8.0 adds a new VerificationLevel::VerificationViolation enum variant which indicates that a previously verified identity has been changed. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-52813
CVE-2024-25037 | IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-25037
CVE-2022-22363 | IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2022-22363
CVE-2024-12131 | The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.5 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit resumes for other applicants when applying for jobs. | 4.3 | https://nvd.nist.gov/vuln/detail/CVE-2024-12131
CVE-2024-12532The BWD Elementor Addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.18 in widgets/bwdeb-content-switcher.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12532
CVE-2024-12033The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the sync_libraries() function in all versions up to, and including, 4.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to sync libraries4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12033
CVE-2025-22304Missing Authorization vulnerability in osamaesh WP Visitor Statistics (Real Time Traffic) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through 7.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2025-22304
CVE-2025-22299Missing Authorization vulnerability in spacecodes AI for SEO allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI for SEO: from n/a through 1.2.9.4.3https://nvd.nist.gov/vuln/detail/CVE-2025-22299
CVE-2025-22298Missing Authorization vulnerability in Hive Support Hive Support – WordPress Help Desk allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hive Support – WordPress Help Desk: from n/a through 1.1.6.4.3https://nvd.nist.gov/vuln/detail/CVE-2025-22298
CVE-2025-22297Cross-Site Request Forgery (CSRF) vulnerability in AIpost AI WP Writer allows Cross Site Request Forgery.This issue affects AI WP Writer: from n/a through 3.8.4.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2025-22297
CVE-2024-56276Missing Authorization vulnerability in WPForms Contact Form by WPForms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by WPForms: from n/a through 1.9.2.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-56276
CVE-2024-56273Missing Authorization vulnerability in WPvivid Backup & Migration WPvivid Backup and Migration allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPvivid Backup and Migration: from n/a through 0.9.106.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-56273
CVE-2024-56271Missing Authorization vulnerability in SecureSubmit WP SecureSubmit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP SecureSubmit: from n/a through 1.5.16.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-56271
CVE-2024-49294Cross-Site Request Forgery (CSRF) vulnerability in MagePeople Team Bus Ticket Booking with Seat Reservation allows Cross Site Request Forgery.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through 5.4.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-49294
CVE-2024-12719The WordPress File Upload plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wfu_ajax_action_read_subfolders' function in all versions up to, and including, 4.24.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform limited path traversal to view directories and subdirectories in WordPress. Files cannot be viewed.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12719
CVE-2024-12781The Aurum - WordPress & WooCommerce Shopping Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'lab_1cl_demo_install_package_content' function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite content with imported demo content.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12781
CVE-2024-10536The FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_block_shortcode_export() function in all versions up to, and including, 6.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export shortcodes.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-10536
CVE-2024-12327The LazyLoad Background Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pblzbg_save_settings() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12327
CVE-2024-12208The Backup and Restore WordPress – Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.50. This is due to missing or incorrect nonce validation on the ajax_queue_manual_backup() function. This makes it possible for unauthenticated attackers to trigger backups via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12208
CVE-2024-12140The Elementor Addons AI Addons – 70 Widgets, Premium Templates, Ultimate Elements plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.1 via the render function due to insufficient restrictions on which templates can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft templates that they should not have access to.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12140
CVE-2024-12538The Duplicate Post, Page and Any Custom Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.3 via the 'dpp_duplicate_as_draft' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract potentially sensitive data from draft, scheduled (future), private, and password protected posts.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12538
CVE-2024-55075Grocy through 4.3.0 allows remote attackers to obtain sensitive information via direct requests to pages that are not shown in the UI, such as calendar and recipes.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-55075
CVE-2025-0227A vulnerability, which was classified as problematic, was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). This affects an unknown part of the file /Logs/Annals/downLoad.html. The manipulation of the argument path leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.4.3https://nvd.nist.gov/vuln/detail/CVE-2025-0227
CVE-2025-0226A vulnerability, which was classified as problematic, has been found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this issue is the function download of the file /collect/PortV4/downLoad.html. The manipulation of the argument path leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.4.3https://nvd.nist.gov/vuln/detail/CVE-2025-0226
CVE-2025-0225A vulnerability classified as problematic was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this vulnerability is an unknown functionality of the file /setting/ClassFy/exampleDownload.html. The manipulation of the argument name leads to path traversal: '/../filedir'. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.4.3https://nvd.nist.gov/vuln/detail/CVE-2025-0225
CVE-2024-13130A vulnerability was found in Dahua IPC-HFW1200S, IPC-HFW2300R-Z, IPC-HFW5220E-Z and IPC-HDW1200S up to 20241222. It has been rated as problematic. Affected by this issue is some unknown functionality of the file ../mtd/Config/Sha1Account1 of the component Web Interface. The manipulation leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-13130
CVE-2024-55897IBM PowerHA SystemMirror for i 7.4 and 7.5

does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
4.3https://nvd.nist.gov/vuln/detail/CVE-2024-55897
CVE-2024-12237The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.15 via the rjg_get_youtube_info_justified_gallery_callback function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to retrieve limited information from internal services.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12237
CVE-2024-5591IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-5591
CVE-2024-12132The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create jobs for companies that are unaffiliated with the attacker.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12132
CVE-2023-47807Missing Authorization vulnerability in 10Web 10WebAnalytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 10WebAnalytics: from n/a through 1.2.12.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-47807
CVE-2023-47778Missing Authorization vulnerability in LuckyWP LuckyWP Scripts Control allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LuckyWP Scripts Control: from n/a through 1.2.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-47778
CVE-2023-39994Missing Authorization vulnerability in Repute InfoSystems ARMember Premium allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ARMember Premium: from n/a through 5.9.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-39994
CVE-2022-43476Missing Authorization vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe to Category: from n/a through 2.7.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2022-43476
CVE-2022-41995Missing Authorization vulnerability in Galleryape Gallery Images Ape allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gallery Images Ape: from n/a through 2.2.8.4.3https://nvd.nist.gov/vuln/detail/CVE-2022-41995
CVE-2024-38732Cross-Site Request Forgery (CSRF) vulnerability in VolThemes Patricia Blog allows Cross Site Request Forgery.This issue affects Patricia Blog: from n/a through 1.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-38732
CVE-2024-38731Cross-Site Request Forgery (CSRF) vulnerability in Marsian i-amaze allows Cross Site Request Forgery.This issue affects i-amaze: from n/a through 1.3.7.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-38731
CVE-2024-37931Cross-Site Request Forgery (CSRF) vulnerability in Creativthemes Point allows Cross Site Request Forgery.This issue affects Point: from n/a through 1.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37931
CVE-2024-37452Cross-Site Request Forgery (CSRF) vulnerability in MyThemeShop Schema Lite allows Cross Site Request Forgery.This issue affects Schema Lite: from n/a through 1.2.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37452
CVE-2024-37241Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager - Resume Manager allows Cross Site Request Forgery.This issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37241
CVE-2024-37237Cross-Site Request Forgery (CSRF) vulnerability in FS-code FS Poster allows Cross Site Request Forgery.This issue affects FS Poster: from n/a through 6.5.8.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37237
CVE-2024-13110A vulnerability classified as problematic has been found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected is an unknown function of the file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java, of the component Exam Answer Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-13110
CVE-2024-38778Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search.This issue affects WP Fast Total Search: from n/a through 1.69.234.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-38778
CVE-2024-38764Cross-Site Request Forgery (CSRF) vulnerability in Marsian allows Cross Site Request Forgery.This issue affects i-transform: from n/a through 3.0.9.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-38764
CVE-2024-56255Missing Authorization vulnerability in AyeCode AyeCode Connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AyeCode Connect: from n/a through 1.3.8.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-56255
CVE-2024-56251Cross-Site Request Forgery (CSRF) vulnerability in Event Espresso Event Espresso 4 Decaf allows Cross Site Request Forgery.This issue affects Event Espresso 4 Decaf: from n/a through 5.0.28.decaf.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-56251
CVE-2024-56243Missing Authorization vulnerability in JS Morisset WPSSO Core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPSSO Core: from n/a through 18.18.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-56243
CVE-2024-56236Missing Authorization vulnerability in Jakob Bouchard Hestia Nginx Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hestia Nginx Cache: from n/a through 2.4.0.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-56236
CVE-2024-43927Cross-Site Request Forgery (CSRF) vulnerability in Till Krüss Email Address Encoder allows Cross Site Request Forgery.This issue affects Email Address Encoder: from n/a through 1.0.23.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-43927
CVE-2024-38766Cross-Site Request Forgery (CSRF) vulnerability in Matomo Matomo Analytics allows Cross Site Request Forgery.This issue affects Matomo Analytics: from n/a through 5.1.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-38766
CVE-2024-38765Cross-Site Request Forgery (CSRF) vulnerability in Freelancelot Oceanic allows Cross Site Request Forgery.This issue affects Oceanic: from n/a through 1.0.48.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-38765
CVE-2024-38763Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Verse allows Cross Site Request Forgery.This issue affects Popularis Verse: from n/a through 1.1.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-38763
CVE-2024-38762Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar Event Tickets allows Cross Site Request Forgery.This issue affects Event Tickets: from n/a through 5.11.0.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-38762
CVE-2024-38754Cross-Site Request Forgery (CSRF) vulnerability in Tagbox Taggbox allows Cross Site Request Forgery.This issue affects Taggbox: from n/a through 3.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-38754
CVE-2024-38753Cross-Site Request Forgery (CSRF) vulnerability in Labib Ahmed Animated Rotating Words allows Cross Site Request Forgery.This issue affects Animated Rotating Words: from n/a through 5.6.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-38753
CVE-2024-38751Cross-Site Request Forgery (CSRF) vulnerability in Magazine3 Google Adsense & Banner Ads by AdsforWP allows Cross Site Request Forgery.This issue affects Google Adsense & Banner Ads by AdsforWP: from n/a through 1.9.28.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-38751
CVE-2024-38691Cross-Site Request Forgery (CSRF) vulnerability in Metorik Metorik – Reports & Email Automation for WooCommerce allows Cross Site Request Forgery.This issue affects Metorik – Reports & Email Automation for WooCommerce: from n/a through 1.7.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-38691
CVE-2024-37937Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Rara Business allows Cross Site Request Forgery.This issue affects Rara Business: from n/a through 1.2.5.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37937
CVE-2024-37543Cross-Site Request Forgery (CSRF) vulnerability in Nitesh Singh Ultimate Auction allows Cross Site Request Forgery.This issue affects Ultimate Auction : from n/a through 4.2.5.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37543
CVE-2024-37540Cross-Site Request Forgery (CSRF) vulnerability in Leaky Paywall Leaky Paywall allows Cross Site Request Forgery.This issue affects Leaky Paywall: from n/a through 4.21.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37540
CVE-2024-37518Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar The Events Calendar allows Cross Site Request Forgery.This issue affects The Events Calendar: from n/a through 6.5.1.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37518
CVE-2024-37511Cross-Site Request Forgery (CSRF) vulnerability in SWTE Swift Performance Lite allows Cross Site Request Forgery.This issue affects Swift Performance Lite: from n/a through 2.3.6.20.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37511
CVE-2024-37508Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Construction Landing Page allows Cross Site Request Forgery.This issue affects Construction Landing Page: from n/a through 1.3.5.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37508
CVE-2024-37503Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Lawyer Landing Page allows Cross Site Request Forgery.This issue affects Lawyer Landing Page: from n/a through 1.2.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37503
CVE-2024-37493Cross-Site Request Forgery (CSRF) vulnerability in SKT Themes Posterity allows Cross Site Request Forgery.This issue affects Posterity: from n/a through 3.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37493
CVE-2024-37491Cross-Site Request Forgery (CSRF) vulnerability in Apollo13Themes Rife Free allows Cross Site Request Forgery.This issue affects Rife Free: from n/a through 2.4.18.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37491
CVE-2024-37490Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Bard allows Cross Site Request Forgery.This issue affects Bard: from n/a through 2.210.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37490
CVE-2024-37478Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Ashe allows Cross Site Request Forgery.This issue affects Ashe: from n/a through 2.233.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37478
CVE-2024-37473Cross-Site Request Forgery (CSRF) vulnerability in BlazeThemes Trendy News allows Cross Site Request Forgery.This issue affects Trendy News: from n/a through 1.0.15.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37473
CVE-2024-37467Cross-Site Request Forgery (CSRF) vulnerability in ThemeIsle Hestia allows Cross Site Request Forgery.This issue affects Hestia: from n/a through 3.1.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37467
CVE-2024-37458Cross-Site Request Forgery (CSRF) vulnerability in ExtendThemes Highlight allows Cross Site Request Forgery.This issue affects Highlight: from n/a through 1.0.29.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37458
CVE-2024-37451Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Travel Agency allows Cross Site Request Forgery.This issue affects Travel Agency: from n/a through 1.4.9.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37451
CVE-2024-37450Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Benevolent allows Cross Site Request Forgery.This issue affects Benevolent: from n/a through 1.3.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37450
CVE-2024-37448Cross-Site Request Forgery (CSRF) vulnerability in FameThemes OnePress allows Cross Site Request Forgery.This issue affects OnePress: from n/a through 2.3.6.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37448
CVE-2024-37441Cross-Site Request Forgery (CSRF) vulnerability in DesertThemes NewsMash allows Cross Site Request Forgery.This issue affects NewsMash: from n/a through 1.0.34.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37441
CVE-2024-37435Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Perfect Portfolio allows Cross Site Request Forgery.This issue affects Perfect Portfolio: from n/a through 1.2.0.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37435
CVE-2024-37431Cross-Site Request Forgery (CSRF) vulnerability in Horea Radu Mesmerize allows Cross Site Request Forgery.This issue affects Mesmerize: from n/a through 1.6.120.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37431
CVE-2024-37426Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Elegant Pink allows Cross Site Request Forgery.This issue affects Elegant Pink: from n/a through 1.3.0.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37426
CVE-2024-37421Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme JobScout allows Cross Site Request Forgery.This issue affects JobScout: from n/a through 1.1.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37421
CVE-2024-37417Cross-Site Request Forgery (CSRF) vulnerability in Coachify Coachify allows Cross Site Request Forgery.This issue affects Coachify: from n/a through 1.0.7.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37417
CVE-2024-37413Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Preschool and Kindergarten allows Cross Site Request Forgery.This issue affects Preschool and Kindergarten: from n/a through 1.2.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37413
CVE-2024-37412Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Blossom Shop allows Cross Site Request Forgery.This issue affects Blossom Shop: from n/a through 1.1.7.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37412
CVE-2024-37274Cross-Site Request Forgery (CSRF) vulnerability in Freshlight Lab WP Mobile Menu allows Cross Site Request Forgery.This issue affects WP Mobile Menu: from n/a through 2.8.4.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37274
CVE-2024-37272Cross-Site Request Forgery (CSRF) vulnerability in WP Travel Engine Travel Monster allows Cross Site Request Forgery.This issue affects Travel Monster: from n/a through 1.1.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37272
CVE-2024-37243Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Vandana Lite allows Cross Site Request Forgery.This issue affects Vandana Lite: from n/a through 1.1.9.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37243
CVE-2024-37242Cross-Site Request Forgery (CSRF) vulnerability in Automattic Newspack Newsletters allows Cross Site Request Forgery.This issue affects Newspack Newsletters: from n/a through 2.13.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37242
CVE-2024-37240Cross-Site Request Forgery (CSRF) vulnerability in Faboba Falang multilanguage allows Cross Site Request Forgery.This issue affects Falang multilanguage: from n/a through 1.3.51.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37240
CVE-2024-37238Cross-Site Request Forgery (CSRF) vulnerability in Greg Winiarski WPAdverts – Classifieds Plugin allows Cross Site Request Forgery.This issue affects WPAdverts – Classifieds Plugin: from n/a through 2.1.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37238
CVE-2024-37236Cross-Site Request Forgery (CSRF) vulnerability in Tim Whitlock Loco Translate allows Cross Site Request Forgery.This issue affects Loco Translate: from n/a through 2.6.9.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37236
CVE-2024-37235Cross-Site Request Forgery (CSRF) vulnerability in Groundhogg Inc. Groundhogg allows Cross Site Request Forgery.This issue affects Groundhogg: from n/a through 3.4.2.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37235
CVE-2024-37104Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Chic Lite allows Cross Site Request Forgery.This issue affects Chic Lite: from n/a through 1.1.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37104
CVE-2024-37103Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Education Zone allows Cross Site Request Forgery.This issue affects Education Zone: from n/a through 1.3.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37103
CVE-2024-37102Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Vilva allows Cross Site Request Forgery.This issue affects Vilva: from n/a through 1.2.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37102
CVE-2024-37093Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes MasterStudy LMS allows Cross Site Request Forgery.This issue affects MasterStudy LMS: from n/a through 3.2.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37093
CVE-2023-47692Missing Authorization vulnerability in Flothemes Flo Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flo Forms: from n/a through 1.0.41.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-47692
CVE-2023-47647Missing Authorization vulnerability in LearningTimes BadgeOS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BadgeOS: from n/a through 3.7.1.6.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-47647
CVE-2023-47557Missing Authorization vulnerability in wp-buy Visitors Traffic Real Time Statistics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Visitors Traffic Real Time Statistics: from n/a through 7.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-47557
CVE-2023-47523Missing Authorization vulnerability in Ecreate Infotech Auto Tag Creator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Auto Tag Creator: from n/a through 1.0.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-47523
CVE-2023-46628Missing Authorization vulnerability in RedLettuce Plugins WP Word Count allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Word Count: from n/a through 3.2.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-46628
CVE-2023-46612Missing Authorization vulnerability in codedrafty Mediabay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mediabay: from n/a through 1.6.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-46612
CVE-2023-46203Missing Authorization vulnerability in JustCoded / Alex Prokopenko Just Custom Fields allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Just Custom Fields: from n/a through 3.3.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-46203
CVE-2023-46196Missing Authorization vulnerability in Repuso Social proof testimonials and reviews by Repuso allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Social proof testimonials and reviews by Repuso: from n/a through 4.97.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-46196
CVE-2023-46188Missing Authorization vulnerability in Jose Mortellaro Freesoul Deactivate Plugins – Plugin manager and cleanup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Freesoul Deactivate Plugins – Plugin manager and cleanup: from n/a through 2.1.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-46188
CVE-2023-46080Missing Authorization vulnerability in Farhan Noor ApplyOnline – Application Form Builder and Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ApplyOnline – Application Form Builder and Manager: from n/a through 2.5.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-46080
CVE-2023-45765Missing Authorization vulnerability in weDevs WP ERP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP ERP: from n/a through 1.12.6.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-45765
CVE-2023-45760Missing Authorization vulnerability in gVectors Team wpDiscuz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpDiscuz: from n/a through 7.6.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-45760
CVE-2023-45631Missing Authorization vulnerability in wpdevart Responsive Image Gallery, Gallery Album allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-45631
CVE-2023-45271Missing Authorization vulnerability in WowStore Team ProductX – Gutenberg WooCommerce Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ProductX – Gutenberg WooCommerce Blocks: from n/a through 2.7.8.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-45271
CVE-2023-45110Missing Authorization vulnerability in BoldThemes Bold Timeline Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bold Timeline Lite: from n/a through 1.1.9.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-45110
CVE-2023-45101Missing Authorization vulnerability in CusRev Customer Reviews for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Customer Reviews for WooCommerce: from n/a through 5.36.0.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-45101
CVE-2023-45002Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through 3.6.8.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-45002
CVE-2023-44988Missing Authorization vulnerability in Martin Gibson WP Custom Admin Interface allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Custom Admin Interface: from n/a through 7.32.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-44988
CVE-2025-22214Landray EIS 2001 through 2006 allows Message/fi_message_receiver.aspx?replyid= SQL injection.4.3https://nvd.nist.gov/vuln/detail/CVE-2025-22214
CVE-2024-41780IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a physical user to obtain sensitive information due to not masking passwords during entry.4.2https://nvd.nist.gov/vuln/detail/CVE-2024-41780
CVE-2024-56275Server-Side Request Forgery (SSRF) vulnerability in Envato Envato Elements allows Server Side Request Forgery.This issue affects Envato Elements: from n/a through 2.0.14.4.1https://nvd.nist.gov/vuln/detail/CVE-2024-56275
CVE-2024-51111Cross-Site Scripting (XSS) vulnerability in Pnetlab 5.3.11 allows an attacker to inject malicious scripts into a web page, which are executed in the context of the victim's browser.4.1https://nvd.nist.gov/vuln/detail/CVE-2024-51111
CVE-2025-0214A vulnerability was found in TMD Custom Header Menu 4.0.0.1 on OpenCart. It has been rated as problematic. This issue affects some unknown processing of the file /admin/index.php. The manipulation of the argument headermenu_id leads to sql injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.4.1https://nvd.nist.gov/vuln/detail/CVE-2025-0214
CVE-2024-12970Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TUBITAK BILGEM Pardus OS My Computer allows OS Command Injection.This issue affects Pardus OS My Computer: before 0.7.2.3.9https://nvd.nist.gov/vuln/detail/CVE-2024-12970
CVE-2024-56321GoCD is a continuous delivery server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has the ability to configure and schedule pipeline tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup scripts. However, in restricted environments where host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available.3.8https://nvd.nist.gov/vuln/detail/CVE-2024-56321
CVE-2021-20455IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.3.7https://nvd.nist.gov/vuln/detail/CVE-2021-20455
CVE-2025-0301A vulnerability, which was classified as problematic, has been found in code-projects Online Book Shop 1.0. Affected by this issue is some unknown functionality of the file /subcat.php. The manipulation of the argument catnm leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.3.5https://nvd.nist.gov/vuln/detail/CVE-2025-0301
CVE-2025-0295A vulnerability was found in code-projects Online Book Shop 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /booklist.php?subcatid=1. The manipulation of the argument subcatnm leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.3.5https://nvd.nist.gov/vuln/detail/CVE-2025-0295
CVE-2024-13141A vulnerability classified as problematic was found in osuuu LightPicture up to 1.2.2. This vulnerability affects unknown code of the file /api/upload of the component SVG File Upload Handler. The manipulation of the argument file leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.3.5https://nvd.nist.gov/vuln/detail/CVE-2024-13141
CVE-2024-13140A vulnerability classified as problematic has been found in Emlog Pro up to 2.4.3. Affected is an unknown function of the file /admin/article.php?action=upload_cover of the component Cover Upload Handler. The manipulation of the argument image leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.3.5https://nvd.nist.gov/vuln/detail/CVE-2024-13140
CVE-2024-13135A vulnerability has been found in Emlog Pro 2.4.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/twitter.php of the component Subpage Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.3.5https://nvd.nist.gov/vuln/detail/CVE-2024-13135
CVE-2024-13132A vulnerability classified as problematic was found in Emlog Pro up to 2.4.3. This vulnerability affects unknown code of the file /admin/article.php of the component Subpage Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.3.5https://nvd.nist.gov/vuln/detail/CVE-2024-13132
CVE-2025-0175A vulnerability was found in code-projects Online Shop 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /view.php. The manipulation of the argument name/details leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.3.5https://nvd.nist.gov/vuln/detail/CVE-2025-0175
CVE-2024-55626Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large BPF filter file provided to Suricata at startup can lead to a buffer overflow at Suricata startup. The issue has been addressed in Suricata 7.0.8.3.3https://nvd.nist.gov/vuln/detail/CVE-2024-55626
CVE-2024-10527The Spacer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the motech_spacer_callback() function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view limited setting information.3.1https://nvd.nist.gov/vuln/detail/CVE-2024-10527
CVE-2024-51472IBM UrbanCode Deploy (UCD) 7.2 through 7.2.3.13, 7.3 through 7.3.2.8, and IBM DevOps Deploy 8.0 through 8.0.1.3 are vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure.3.1https://nvd.nist.gov/vuln/detail/CVE-2024-51472
CVE-2024-10562The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).2.7https://nvd.nist.gov/vuln/detail/CVE-2024-10562
CVE-2024-10102The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.22 does not sanitise and escape some of its Gallery settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.2.7https://nvd.nist.gov/vuln/detail/CVE-2024-10102
CVE-2024-48455An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the mode_name, wl_link parameters of the skk_get.cgi component.2.7https://nvd.nist.gov/vuln/detail/CVE-2024-48455
CVE-2024-13143A vulnerability was found in ZeroWdd studentmanager 1.0. It has been rated as problematic. This issue affects the function submitAddPermission of the file src/main/java/com/zero/system/controller/PermissionController.java. The manipulation of the argument url leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.2.4https://nvd.nist.gov/vuln/detail/CVE-2024-13143
CVE-2024-13142A vulnerability was found in ZeroWdd studentmanager 1.0. It has been declared as problematic. This vulnerability affects the function submitAddRole of the file src/main/java/com/zero/system/controller/RoleController.java. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely.2.4https://nvd.nist.gov/vuln/detail/CVE-2024-13142
CVE-2025-0228A vulnerability has been found in code-projects Local Storage Todo App 1.0 and classified as problematic. This vulnerability affects unknown code of the file /js-todo-app/index.html. The manipulation of the argument Add leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.2.4https://nvd.nist.gov/vuln/detail/CVE-2025-0228
CVE-2025-0220A vulnerability, which was classified as problematic, was found in Trimble SPS851 488.01. This affects an unknown part of the component Ethernet Configuration Menu. The manipulation of the argument Hostname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.2.4https://nvd.nist.gov/vuln/detail/CVE-2025-0220
CVE-2024-13137A vulnerability was found in wangl1989 mysiteforme 1.0. It has been classified as problematic. This affects the function RestResponse of the file src/main/java/com/mysiteforme/admin/controller/system/SiteController. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.2.4https://nvd.nist.gov/vuln/detail/CVE-2024-13137
CVE-2025-0219A vulnerability, which was classified as problematic, has been found in Trimble SPS851 488.01. Affected by this issue is some unknown functionality of the component Receiver Status Identity Tab. The manipulation of the argument System Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.2.4https://nvd.nist.gov/vuln/detail/CVE-2025-0219
CVE-2024-55218IceWarp Server 10.2.1 is vulnerable to Cross Site Scripting (XSS) via the meta parameter.https://nvd.nist.gov/vuln/detail/CVE-2024-55218
CVE-2024-54819I, Librarian before and including 5.11.1 is vulnerable to Server-Side Request Forgery (SSRF) due to improper input validation in classes/security/validation.php.https://nvd.nist.gov/vuln/detail/CVE-2024-54819
CVE-2024-53522Bangkok Medical Software HOSxP XE v4.64.11.3 was discovered to contain a hardcoded IDEA Key-IV pair in the HOSxPXE4.exe and HOS-WIN32.INI components. This allows attackers to access sensitive information.https://nvd.nist.gov/vuln/detail/CVE-2024-53522
CVE-2024-35532An XML External Entity (XXE) injection vulnerability in Intersec Geosafe-ea 2022.12, 2022.13, and 2022.14 allows attackers to perform arbitrary file reading under the privileges of the running process, make SSRF requests, or cause a Denial of Service (DoS) via unspecified vectors.https://nvd.nist.gov/vuln/detail/CVE-2024-35532
CVE-2022-45186An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database.https://nvd.nist.gov/vuln/detail/CVE-2022-45186
CVE-2022-45185An issue was discovered in SuiteCRM 7.12.7. Authenticated users can use CRM functions to upload malicious files. Then, deserialization can be used to achieve code execution.https://nvd.nist.gov/vuln/detail/CVE-2022-45185
CVE-2022-41573An issue was discovered in Ovidentia 8.3. The file upload feature does not prevent the uploading of executable files. A user can upload a .png file containing PHP code and then rename it to have the .php extension. It will then be accessible at an images/common/ URI for remote code execution.https://nvd.nist.gov/vuln/detail/CVE-2022-41573
CVE-2022-41572An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Privilege escalation can be accomplished on the server because nmap can be run as root. The attacker achieves total control over the server.https://nvd.nist.gov/vuln/detail/CVE-2022-41572
CVE-2024-40427Stack Buffer Overflow in PX4-Autopilot v1.14.3, which allows attackers to execute commands to exploit this vulnerability and cause the program to refuse to execute.https://nvd.nist.gov/vuln/detail/CVE-2024-40427
CVE-2024-55414A vulnerability exists in driver SmSerl64.sys in Motorola SM56 Modem WDM Driver v6.12.23.0, which allows low-privileged users to map physical memory via specially crafted IOCTL requests. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.https://nvd.nist.gov/vuln/detail/CVE-2024-55414
CVE-2024-55413A vulnerability exists in driver snxppamd.sys in SUNIX Parallel Driver x64 - 10.1.0.0, which allows low-privileged users to read and write arbitrary I/O ports via specially crafted IOCTL requests. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.https://nvd.nist.gov/vuln/detail/CVE-2024-55413
CVE-2024-55412A vulnerability exists in driver snxpsamd.sys in SUNIX Serial Driver x64 - 10.1.0.0, which allows low-privileged users to read and write arbitrary I/O ports via specially crafted IOCTL requests. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.https://nvd.nist.gov/vuln/detail/CVE-2024-55412
CVE-2024-55411An issue in the snxpcamd.sys component of SUNIX Multi I/O Card v10.1.0.0 allows attackers to perform arbitrary read and write actions via supplying crafted IOCTL requests.https://nvd.nist.gov/vuln/detail/CVE-2024-55411
CVE-2024-50660File Upload Bypass was found in AdPortal 3.0.39, which allows a remote attacker to execute arbitrary code via the file upload functionality.https://nvd.nist.gov/vuln/detail/CVE-2024-50660
CVE-2024-50659Cross Site Scripting vulnerability in iPublish Media Solutions AdPortal 3.0.39 allows a remote attacker to escalate privileges via the shippingAsBilling parameter in updateuserinfo.html.https://nvd.nist.gov/vuln/detail/CVE-2024-50659
CVE-2024-50658Server-Side Template Injection (SSTI) was found in AdPortal 3.0.39, which allows a remote attacker to execute arbitrary code via the shippingAsBilling and firstname parameters in the updateuserinfo.html file.https://nvd.nist.gov/vuln/detail/CVE-2024-50658
CVE-2024-40749Improper Access Controls allows access to protected views.https://nvd.nist.gov/vuln/detail/CVE-2024-40749
CVE-2024-40748Lack of output escaping in the id attribute of menu lists.https://nvd.nist.gov/vuln/detail/CVE-2024-40748
CVE-2025-0247Memory safety bugs present in Firefox 133 and Thunderbird 133. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134.https://nvd.nist.gov/vuln/detail/CVE-2025-0247
CVE-2025-0246When using an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* *Note: This issue is a different issue from CVE-2025-0244.* This vulnerability affects Firefox < 134.https://nvd.nist.gov/vuln/detail/CVE-2025-0246
CVE-2025-0245Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability affects Firefox < 134.https://nvd.nist.gov/vuln/detail/CVE-2025-0245
CVE-2025-0244When redirecting to an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 134.https://nvd.nist.gov/vuln/detail/CVE-2025-0244
CVE-2025-0243Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.https://nvd.nist.gov/vuln/detail/CVE-2025-0243
CVE-2025-0242Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, and Firefox ESR < 115.19.https://nvd.nist.gov/vuln/detail/CVE-2025-0242
CVE-2025-0241When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.https://nvd.nist.gov/vuln/detail/CVE-2025-0241
CVE-2025-0240Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.https://nvd.nist.gov/vuln/detail/CVE-2025-0240
CVE-2025-0239When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.https://nvd.nist.gov/vuln/detail/CVE-2025-0239
CVE-2025-0238Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, and Firefox ESR < 115.19.https://nvd.nist.gov/vuln/detail/CVE-2025-0238
CVE-2025-0237The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.https://nvd.nist.gov/vuln/detail/CVE-2025-0237
CVE-2024-55556A vulnerability in Crater Invoice allows an unauthenticated attacker with knowledge of the APP_KEY to achieve remote command execution on the server by manipulating the laravel_session cookie, exploiting arbitrary deserialization through the encrypted session data. The exploitation vector of this vulnerability relies on an attacker obtaining Laravel's secret APP_KEY, which would allow them to decrypt and manipulate session cookies (laravel_session) containing serialized data. By altering this data and re-encrypting it with the APP_KEY, the attacker could trigger arbitrary deserialization on the server, potentially leading to remote command execution (RCE). The vulnerability is primarily exploited by accessing an exposed cookie and manipulating it using the secret key to gain malicious access to the server.https://nvd.nist.gov/vuln/detail/CVE-2024-55556
CVE-2024-55008JATOS 3.9.4 contains a denial-of-service (DoS) vulnerability in the authentication system, where an attacker can prevent legitimate users from accessing their accounts by repeatedly sending multiple failed login attempts. Specifically, by submitting 3 incorrect login attempts every minute, the attacker can trigger the account lockout mechanism on the account level, effectively locking the user out indefinitely. Since the lockout is applied to the user account and not based on the IP address, any attacker can trigger the lockout on any user account, regardless of their privileges.https://nvd.nist.gov/vuln/detail/CVE-2024-55008
CVE-2024-46601Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 was discovered to contain a buffer overflow.https://nvd.nist.gov/vuln/detail/CVE-2024-46601
CVE-2024-12426Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links. This issue affects LibreOffice: from 24.8 before < 24.8.4.https://nvd.nist.gov/vuln/detail/CVE-2024-12426
CVE-2024-12425Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The Document Foundation LibreOffice allows Absolute Path Traversal. An attacker can write to arbitrary locations, albeit suffixed with ".ttf", by supplying a file in a format that supports embedded font files. This issue affects LibreOffice: from 24.8 before < 24.8.4.https://nvd.nist.gov/vuln/detail/CVE-2024-12425
CVE-2024-53936The com.asianmobile.callcolor (aka Color Phone Call Screen App) application through 24 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.asianmobile.callcolor.ui.component.call.CallActivity component.https://nvd.nist.gov/vuln/detail/CVE-2024-53936
CVE-2024-53934The com.windymob.callscreen.ringtone.callcolor.colorphone (aka Color Phone Call Screen Themes) application through 1.1.2 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.frovis.androidbase.call.DialerActivity component.https://nvd.nist.gov/vuln/detail/CVE-2024-53934
CVE-2024-53933The com.callerscreen.colorphone.themes.callflash (aka Color Call Theme & Call Screen) application through 1.0.7 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.android.call.color.app.activities.DialerActivity component.https://nvd.nist.gov/vuln/detail/CVE-2024-53933
CVE-2024-53932The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity component.https://nvd.nist.gov/vuln/detail/CVE-2024-53932
CVE-2024-53931The com.glitter.caller.screen (aka iCaller, Caller Theme & Dialer) application through 1.1 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.glitter.caller.screen.DialerActivity component.https://nvd.nist.gov/vuln/detail/CVE-2024-53931
CVE-2025-21617Guzzle OAuth Subscriber signs Guzzle requests using OAuth 1.0. Prior to 0.8.1, Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source. This can leave servers vulnerable to replay attacks when TLS is not used. This vulnerability is fixed in 0.8.1.https://nvd.nist.gov/vuln/detail/CVE-2025-21617
CVE-2024-56828File Upload vulnerability in ChestnutCMS through 1.5.0. Based on the code analysis, it was determined that the /api/member/avatar API endpoint receives a base64 string as input. This string is then passed to the memberService.uploadAvatarByBase64 method for processing. Within the service, the base64-encoded image is parsed. For example, given a string like: data:image/html;base64,PGh0bWw+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPjwvaHRtbD4= the content after the comma is extracted and decoded using Base64.getDecoder().decode(). The substring from the 11th character up to the first occurrence of a semicolon (;) is assigned to the suffix variable (representing the file extension). The decoded content is then written to a file. However, the file extension is not validated, and since this functionality is exposed to the frontend, it poses significant security risks.https://nvd.nist.gov/vuln/detail/CVE-2024-56828
CVE-2024-56762Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.https://nvd.nist.gov/vuln/detail/CVE-2024-56762
CVE-2025-21604LangChain4j-AIDeepin is a Retrieval enhancement generation (RAG) project. Prior to 3.5.0, LangChain4j-AIDeepin uses MD5 to hash files, which may cause file upload conflicts. This issue is fixed in 3.5.0.https://nvd.nist.gov/vuln/detail/CVE-2025-21604
CVE-2025-22389An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious file types, including .docm .html. When accessed by application users, these files can be used to execute malicious actions or compromise users' systems.https://nvd.nist.gov/vuln/detail/CVE-2025-22389
CVE-2024-56412PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.https://nvd.nist.gov/vuln/detail/CVE-2024-56412
CVE-2024-56411PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.https://nvd.nist.gov/vuln/detail/CVE-2024-56411
CVE-2024-56410PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.https://nvd.nist.gov/vuln/detail/CVE-2024-56410
CVE-2025-21609SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.https://nvd.nist.gov/vuln/detail/CVE-2025-21609
CVE-2024-56514Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by Karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a Karmada initialization could write arbitrary files in arbitrary paths of the filesystem. From Karmada version 1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. A workaround is available. Someone who needs to set flag `--crd` to customize the CRD files required for Karmada initialization when using `karmadactl init` to set up Karmada can manually inspect the CRD files to check whether they contain sequences such as `../` that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, one must upgrade one's karmada-operator to one of the fixed versions.https://nvd.nist.gov/vuln/detail/CVE-2024-56514
CVE-2024-56513Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs.https://nvd.nist.gov/vuln/detail/CVE-2024-56513
CVE-2024-56409PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.https://nvd.nist.gov/vuln/detail/CVE-2024-56409
CVE-2024-56366PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.https://nvd.nist.gov/vuln/detail/CVE-2024-56366
CVE-2024-56365PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.https://nvd.nist.gov/vuln/detail/CVE-2024-56365
CVE-2024-56408PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.https://nvd.nist.gov/vuln/detail/CVE-2024-56408
CVE-2024-56324GoCD is a continuous delivery server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse the ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control.https://nvd.nist.gov/vuln/detail/CVE-2024-56324
CVE-2024-56322GoCD is a continuous delivery server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server, which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control.https://nvd.nist.gov/vuln/detail/CVE-2024-56322
CVE-2024-56320GoCD is a continuous delivery server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. It is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediately upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to a more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account.https://nvd.nist.gov/vuln/detail/CVE-2024-56320
CVE-2024-11717Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means that during the token expiration time an on-path attacker might reuse such a token to change a user's password and take over the account. Moreover, the tokens also include the base64-encoded user email. This issue impacts releases up to 3.7.4 and was addressed by pull request 2679 (https://github.com/CTFd/CTFd/pull/2679), included in the 3.7.5 release.https://nvd.nist.gov/vuln/detail/CVE-2024-11717
CVE-2024-11716While assignment of a user to a team (bracket) in CTFd should be possible only once, at registration, a flaw in the logic implementation allows an authenticated user to reset its bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 (https://github.com/CTFd/CTFd/pull/2636), included in the 3.7.5 release.https://nvd.nist.gov/vuln/detail/CVE-2024-11716
CVE-2024-9950A vulnerability in Forescout SecureConnector v11.3.07.0109 on Windows allows an unauthenticated user to modify compliance scripts due to an insecure temporary directory.https://nvd.nist.gov/vuln/detail/CVE-2024-9950
CVE-2024-56414Web installer integrity check used weak hash algorithm. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.https://nvd.nist.gov/vuln/detail/CVE-2024-56414
CVE-2024-56413Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.https://nvd.nist.gov/vuln/detail/CVE-2024-56413
CVE-2024-55543Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.https://nvd.nist.gov/vuln/detail/CVE-2024-55543
CVE-2024-55542Local privilege escalation due to excessive permissions assigned to Tray Monitor service. The following products are affected: Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39169, Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 35895.https://nvd.nist.gov/vuln/detail/CVE-2024-55542
CVE-2024-55541Stored cross-site scripting (XSS) vulnerability due to missing origin validation in postMessage. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39169.https://nvd.nist.gov/vuln/detail/CVE-2024-55541
CVE-2024-55540Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.https://nvd.nist.gov/vuln/detail/CVE-2024-55540
CVE-2024-12907Kentico CMS in version 7 is vulnerable to reflected XSS attacks through manipulation of a specific GET request parameter sent to the /CMSMessages/AccessDenied.aspx endpoint. Notably, support for this version of Kentico ended in 2016. Version 8 was tested as well and does not contain this vulnerability.https://nvd.nist.gov/vuln/detail/CVE-2024-12907
CVE-2024-55538Sensitive information disclosure due to missing authentication. The following products are affected: Acronis True Image (macOS) before build 41725, Acronis True Image (Windows) before build 41736.https://nvd.nist.gov/vuln/detail/CVE-2024-55538
CVE-2024-49385Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis True Image (Windows) before build 41736.https://nvd.nist.gov/vuln/detail/CVE-2024-49385
CVE-2022-49035In the Linux kernel, the following vulnerability has been resolved: media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE. I expect that the hardware will have limited this to 16, but just in case it hasn't, check for this corner case.https://nvd.nist.gov/vuln/detail/CVE-2022-49035
CVE-2024-23438Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23438
CVE-2024-23437Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23437
CVE-2024-23436Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23436
CVE-2024-23435Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23435
CVE-2024-23434Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23434
CVE-2024-23433Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23433
CVE-2024-23432Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23432
CVE-2024-23431Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23431
CVE-2024-23430Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23430
CVE-2024-23429Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23429
CVE-2024-23428Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23428
CVE-2024-23427Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23427
CVE-2024-23426Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23426
CVE-2024-23425Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23425
CVE-2024-23424Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23424
CVE-2024-23423Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23423
CVE-2024-23422Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23422
CVE-2024-23421Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23421
CVE-2024-23420Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23420
CVE-2024-23419Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23419
CVE-2024-23418Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23418
CVE-2024-23417Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23417
CVE-2024-23416Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23416
CVE-2024-23415Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23415
CVE-2024-23414Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23414
CVE-2024-23413Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23413
CVE-2024-23412Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23412
CVE-2024-23411Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23411
CVE-2024-23410Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23410
CVE-2024-23409Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23409
CVE-2024-23408Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23408
CVE-2024-23407Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23407
CVE-2024-23406Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23406
CVE-2024-23405Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23405
CVE-2024-23404Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23404
CVE-2024-23403Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23403
CVE-2024-23402Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23402
CVE-2024-23401Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23401
CVE-2024-23400Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23400
CVE-2024-23399Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23399
CVE-2024-23398Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23398
CVE-2024-23397Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23397
CVE-2024-23396Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23396
CVE-2024-23395Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23395
CVE-2024-23394Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23394
CVE-2024-23393Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23393
CVE-2024-23392Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23392
CVE-2024-23391Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23391
CVE-2024-23390Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23390
CVE-2024-23389Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-23389
CVE-2024-21721Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21721
CVE-2024-21720Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21720
CVE-2024-21719Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21719
CVE-2024-21718Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21718
CVE-2024-21717Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21717
CVE-2024-21716Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21716
CVE-2024-21715Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21715
CVE-2024-21714Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21714
CVE-2024-21713Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21713
CVE-2024-21712Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21712
CVE-2024-21711Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21711
CVE-2024-21710Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21710
CVE-2024-21709Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21709
CVE-2024-21708Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21708
CVE-2024-21705Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21705
CVE-2024-21704Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21704
CVE-2024-21702Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21702
CVE-2024-21701Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21701
CVE-2024-21696Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21696
CVE-2024-21695Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21695
CVE-2024-21694Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21694
CVE-2024-21693Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21693
CVE-2024-21692Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21692
CVE-2024-21691Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21691
CVE-2024-21688Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21688
CVE-2024-21679Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21679
CVE-2024-21675Rejected reason: To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used.https://nvd.nist.gov/vuln/detail/CVE-2024-21675