Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zionbuilder ZionBuilder zionbuilder allows Stored XSS.6.16. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codexshaper Advanced Element Bucket Addons for Elementor cs-element-bucket allows Stored XSS.0.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in captivateaudio Captivate Sync captivatesync-trade allows Stored XSS.0.22. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor Alam Magical Addons For Elementor magical-addons-for-elementor allows Stored XSS.3.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FuturioWP Futurio Extra futurio-extra allows Stored XSS.0.14. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryo Arkhe Blocks arkhe-blocks allows Stored XSS.27.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder bold-page-builder allows Stored XSS.2.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat themesflat-addons-for-elementor themesflat-addons-for-elementor allows DOM-Based. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Stored XSS.8.4.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'sort[]' parameter of the static_data_list AJAX action in all versions up to, and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'service_list[0][service_id]' parameter of the get_widget_payment_options AJAX. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
The NewsMash theme for WordPress is vulnerable to Stored Cross-Site Scripting via a malicious display name in all versions up to, and including, 1.0.71 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘addExtraMimeType’ function in versions up to, and including, 3.2.1 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The ONLYOFFICE Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'onlyoffice' shortcode in all versions up to, and including, 2.0.0 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The TwentyTwenty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'twentytwenty' shortcode in all versions up to, and including, 1.0.1 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Smart PopUp Blaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spb-button' shortcode in all versions up to, and including, 1.4.3 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Cookielay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cookielay shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The myCred - Loyalty Points and Rewards plugin for WordPress and WooCommerce - Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Splash Sync plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The ForumWP - Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 2.1.2 due to insufficient. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The ForumWP - Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The The Pojo Forms plugin for WordPress is vulnerable to arbitrary shortcode execution via form_preview_shortcode AJAX action in all versions up to, and including, 1.4.7. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The The ARMember - Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In OpenBSD 7.4 before errata 014, vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs. Rated medium severity (CVSS 6.2), this vulnerability is low attack complexity.
Jirafeau normally prevents browser preview for SVG files due to the possibility that manipulated SVG files could be exploited for cross site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The WP Media Optimizer (.webp) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpmowebp-css-resources’ and 'wpmowebp-js-resources' parameters in all versions up to, and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The WP System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Folder Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'foldergallery' shortcode in all versions up to, and including, 1.7.4 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Next-Cart Store to WooCommerce Migration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 3.9.2 due to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Clickbank WordPress Plugin (Storefront) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The PDF Builder for WooCommerce. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Broadcast plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'do_check' parameter in all versions up to, and including, 51.01 due to insufficient input sanitization and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Flixita theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.0.82 due to insufficient input sanitization and output. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Marka WordPress Auction Plugin wp-auctions allows Stored XSS.7. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in URBAN BASE Z-Downloads z-downloads allows Stored XSS.11.7. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visualmodo Borderless borderless allows Cross-Site Scripting (XSS).5.8. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The authentication process to the web server uses a challenge response procedure which inludes the nonce and additional information. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
HCL Launch stores potentially sensitive information in log files that could be read by a local user with access to HTTP request logs. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Hi e-learning Learning Management System (LMS) allows Reflected XSS.12.2024. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in yonifre Maspik - Spam blacklist contact-forms-anti-spam allows Exploiting Incorrectly Configured Access Control Security Levels.2.7. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The Event Tickets with Ticket Scanner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data' parameters in all versions up to, and including, 2.4.4 due to insufficient input. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ucsm_activate_lite_template_lite function in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.1 via the WordPress core search feature. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in WPSight WPCasa wpcasa allows Accessing Functionality Not Properly Constrained by ACLs.2.13. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in andy_moyle Church Admin church-admin allows Accessing Functionality Not Properly Constrained by ACLs.0.8. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Tungsten Automation (Kofax) TotalAgility in versions all through 7.9.0.25.0.954 is vulnerable to a Reflected XSS attacks through mfpScreenResolutionWidth parameter manipulation in a form sent to an. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Tungsten Automation (Kofax) TotalAgility in versions all through 7.9.0.25.0.954 is vulnerable to a Reflected XSS attacks through mfpConnectionId parameter manipulation in a form sent to endpoints. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.