Memory corruption while calling the NPU driver APIs concurrently. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
Memory corruption while processing camera use case IOCTL call. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Memory corruption may occur in keyboard virtual device due to guest VM interaction. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Memory corruption may occur while processing message from frontend during allocation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In KeyInstall, there is a possible out of bounds write due to a missing bounds check. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.
Arbitrary file deletion in Helloprint WordPress plugin (versions up to 2.0.7) allows authenticated attackers with low privileges to delete critical system files via path traversal, potentially causing complete site unavailability. The CVSS 7.7 score reflects the Changed scope and High availability impact - an attacker can traverse directories to target files outside the plugin's intended boundary, triggering denial of service. EPSS score of 0.18% (40th percentile) indicates low current exploitation probability, and no active exploitation or public POC has been identified at time of analysis.
Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Blind SQL injection in the NotFound Social Links WordPress plugin (versions ≤1.2) allows authenticated administrators with high privileges to extract sensitive database contents remotely. The CVSS scope change indicates potential compromise beyond the vulnerable plugin's database context. EPSS score of 0.12% suggests low automated exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis. However, the privileged access requirement significantly limits real-world risk to scenarios involving compromised admin accounts or malicious insiders.
Absolute path traversal in Sports Rankings and Lists WordPress plugin versions up to 1.0.2 allows unauthenticated remote attackers to read arbitrary files from the server filesystem. The vulnerability enables unauthorized access to sensitive configuration files, credentials, and source code without requiring authentication or user interaction. EPSS score of 0.25% suggests low probability of mass exploitation, and no public exploit code or active exploitation has been identified at time of analysis.
Local File Inclusion (LFI) in Doctor Appointment Booking WordPress plugin version 1.0.0 and earlier allows authenticated attackers with low privileges to read arbitrary files from the server filesystem, potentially exposing configuration files, credentials, and sensitive application data. Despite the network attack vector, exploitation requires high complexity conditions and low-level authentication. EPSS score of 0.24% (47th percentile) suggests low probability of widespread exploitation, with no CISA KEV listing or confirmed active exploitation at time of analysis.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Popliup allows PHP Local File Inclusion.1.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Authentication bypass vulnerability exists in FutureNet AS series (Industrial Routers) provided by Century Systems Co., Ltd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Abacus is a highly scalable and stateless counting API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Transient DOS may occur while processing the country IE. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.
Path traversal in Delete Comments By Status (WordPress plugin) versions up to 2.1.1 enables remote attackers to include arbitrary PHP files from the local filesystem, potentially achieving remote code execution. Attack requires high complexity (AC:H) and user interaction (UI:R), limiting exploitation to social engineering scenarios. EPSS score of 0.18% (39th percentile) indicates low widespread exploitation probability. No active exploitation confirmed (not in CISA KEV), and no public POC identified at time of analysis.
FACTION is a PenTesting Report Generation and Collaboration Framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An information disclosure vulnerability in the component /rest/cb/executeBasicSearch of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to access. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a remote attacker to download temporary files which could expose application logic or other sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a remote attacker to download temporary files which could expose application logic or other sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authorization Bypass Through User-Controlled Key vulnerability in Proliz Software OBS allows Exploiting Incorrectly Configured Access Control Security Levels.0927. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in the Cozy Vision 'SMS Alert Order Notifications - WooCommerce' WordPress plugin (all versions up to and including 3.7.8) lets remote attackers inject crafted SQL into backend database queries, enabling extraction of arbitrary data such as customer records, order details, and WordPress credential hashes. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity exploitation with high confidentiality impact and no integrity or availability impact, consistent with a read-oriented (e.g. UNION/blind) injection. No public exploit was identified at time of analysis and EPSS is low (0.11%, 30th percentile), but the flaw was reported by Patchstack, a credible WordPress vulnerability research source.
There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Vim is an open source, command line text editor. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
Deserialization of Untrusted Data vulnerability in Brent Jett Assistant allows Object Injection.5.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Reflected cross-site scripting (XSS) in the WordPress plugin 'Contact Us By Lord Linus' (versions up to 2.6) allows remote attackers to execute arbitrary JavaScript in victim browsers by crafting malicious URLs. Exploitation requires user interaction (clicking a link or visiting a crafted page), but no authentication is needed. CVSS 7.1 reflects scope change indicating potential session hijacking across security contexts. EPSS score of 0.15% (36th percentile) suggests low mass-exploitation probability, though XSS vulnerabilities in WordPress plugins remain attractive targets for phishing and account takeover campaigns.
Reflected cross-site scripting in Status Updater WordPress plugin (versions ≤1.9.2) allows remote unauthenticated attackers to inject malicious scripts that execute in victims' browsers with changed security context (CVSS scope change). Attack vector is network-based with low complexity but requires user interaction (typically clicking a crafted link). EPSS score of 0.15% (36th percentile) indicates low automated exploitation probability. No CISA KEV listing or public POC identified at time of analysis. Patchstack database entry suggests this may be part of a broader WordPress plugin vulnerability pattern, though reference URLs contain inconsistent metadata (titles reference different plugin 'WP Spell Check' despite CVE being for Status Updater).
Reflected cross-site scripting in Implied Cookie Consent WordPress plugin through version 1.3 allows remote attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs requiring user interaction. Reported by Patchstack's security audit team, this network-accessible vulnerability scores CVSS 7.1 due to scope change enabling attacks across security contexts. EPSS exploitation probability is low at 0.15% (36th percentile), and no active exploitation has been confirmed in CISA KEV, though Patchstack tracking suggests awareness in vulnerability databases targeting WordPress plugins.
Reflected cross-site scripting in Appointment Buddy Widget (WordPress plugin) versions up to 1.2 allows remote attackers to execute malicious scripts in victim browsers via crafted URLs. Scope change in CVSS vector indicates potential session hijacking or data exfiltration across origin boundaries. EPSS score of 0.15% (36th percentile) suggests low likelihood of mass exploitation, but XSS remains a viable social engineering attack vector. Reported by Patchstack audit team with public disclosure via vulnerability database.
Reflected cross-site scripting (XSS) in All push notification for WP plugin versions through 1.5.3 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. While CVSS rates this 7.1 (High) with changed scope indicating potential token theft or session hijacking beyond the plugin context, EPSS exploitation probability remains low at 0.15% (36th percentile), and no public exploit code or active exploitation (non-KEV) has been identified. Patchstack identified and reported this vulnerability, indicating security research focus on WordPress plugins.
Reflected cross-site scripting in Image Rotator WordPress plugin allows remote attackers to inject malicious JavaScript via crafted URLs that execute in victim browsers when users click attacker-controlled links. Affects all versions through 2.0 with no public exploit identified at time of analysis. EPSS score of 0.15% (36th percentile) indicates low predicted exploitation probability, consistent with typical WordPress plugin XSS requiring user interaction.
Stored cross-site scripting (XSS) in Album Reviewer WordPress plugin versions up to 2.0.2 allows remote unauthenticated attackers to inject malicious JavaScript into album review content that executes when other users view the compromised pages. The vulnerability enables session hijacking, credential theft, and malicious actions performed in the context of victim users, with cross-site scope allowing attacks beyond the vulnerable component's security boundary. EPSS score of 0.15% (36th percentile) indicates relatively low automated exploitation probability, and no active exploitation is documented in CISA KEV at time of analysis.
Missing Authorization vulnerability in SEO Squirrly SEO Plugin by Squirrly SEO.4.05. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Reflected cross-site scripting in Flashfader WordPress plugin through version 1.1.1 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. EPSS exploitation probability is low (0.09%, 26th percentile) with no confirmed active exploitation (not in CISA KEV). Patchstack vulnerability database lists this as a reflected XSS requiring social engineering or phishing to trick users into clicking malicious links. The changed scope (S:C) in CVSS indicates potential for cross-context attacks including session hijacking or privilege escalation within WordPress admin environments.
Reflected cross-site scripting in AcuGIS Leaflet Maps WordPress plugin (versions through 5.1.1.0) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but no authentication, enabling potential session hijacking, credential theft, or malicious actions in the context of authenticated WordPress users. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, and no public exploit code has been identified at time of analysis.
Reflected cross-site scripting (XSS) in WOO Codice Fiscale WordPress plugin versions up to 1.6.3 enables remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. The vulnerability requires user interaction (clicking a crafted URL) but no authentication, allowing attackers to steal session cookies, perform actions as the victim, or deliver malware. EPSS score of 0.09% (26th percentile) indicates low likelihood of mass exploitation. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.
Reflected XSS in DB Tables Import/Export WordPress plugin through version 1.0.1 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted links requiring user interaction. The vulnerability stems from inadequate input sanitization during web page generation, enabling scope change attacks with potential for session hijacking, credential theft, and administrative action execution. EPSS score of 0.09% (26th percentile) indicates low current exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.
Reflected cross-site scripting in .htaccess Login block WordPress plugin versions up to 0.9a allows remote unauthenticated attackers to execute malicious JavaScript in victim browsers through crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but enables session hijacking, credential theft, and malicious actions in the context of authenticated WordPress administrators. EPSS score of 0.09% (26th percentile) indicates low probability of widespread exploitation, and no active exploitation or public POC has been identified at time of analysis.
Reflected cross-site scripting in Variable Inspector WordPress plugin versions up to 2.6.2 enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. The vulnerability stems from improper neutralization of input during page generation (CWE-79). With CVSS 7.1 and scope change capability, successful exploitation allows limited data theft, session hijacking, and malicious actions under victim context. EPSS score of 0.09% (26th percentile) suggests low probability of mass exploitation. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation campaigns.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cristián Lávaque s2Member Pro allows Reflected XSS. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Reflected cross-site scripting in IE CSS3 Support WordPress plugin through version 2.0.1 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication and can impact other site origins due to changed scope (S:C in CVSS). EPSS probability is low (0.09%, 26th percentile) with no confirmed active exploitation or CISA KEV listing, indicating limited real-world targeting despite moderate CVSS 7.1 scoring.
Reflected cross-site scripting (XSS) in the WordPress TTT Crop plugin versions up to 1.0 enables remote attackers to inject malicious JavaScript into victim browsers via crafted URLs. With a CVSS score of 7.1 and changed scope, successful exploitation allows attackers to steal session tokens, perform actions as the victim, or deliver phishing content within the WordPress admin context. EPSS exploitation probability is low at 0.09% (26th percentile), and no public exploit code or active exploitation has been identified at time of analysis.
Reflected cross-site scripting (XSS) in sidebarTabs WordPress plugin versions ≤3.1 enables remote attackers to inject malicious scripts via crafted URLs that execute in victim browsers when user interaction occurs. Reported by Patchstack security research (audit@patchstack.com), this vulnerability exploits improper input neutralization during page generation. EPSS score of 0.09% (26th percentile) suggests low widespread exploitation probability, with no CISA KEV listing or public POC identified at time of analysis, indicating limited active exploitation despite moderate CVSS severity.
Reflected XSS in Events Planner WordPress plugin versions up to 1.3.10 allows remote attackers to inject malicious scripts via crafted URLs that execute in victims' browsers when clicked. Reported by Patchstack security researchers, the vulnerability requires user interaction (opening a malicious link) but needs no authentication, enabling session hijacking, credential theft, or malicious actions in the context of authenticated WordPress users. EPSS score of 0.09% (26th percentile) indicates low observed exploitation probability in the wild, with no CISA KEV listing or public proof-of-concept identified at time of analysis.
Reflected cross-site scripting in DL Leadback WordPress plugin versions up to 1.2.1 allows remote attackers to inject malicious scripts that execute in victim browsers when users click crafted links. The vulnerability permits theft of session cookies, credential harvesting, or defacement of WordPress admin interfaces. EPSS score of 0.09% (26th percentile) suggests low observed exploitation activity, and no active exploitation is confirmed via CISA KEV. Patchstack documented this XSS flaw affecting all installations through version 1.2.1.
Reflected cross-site scripting (XSS) in the Rocket Mobile WordPress plugin through version 1.3.3 allows remote attackers to inject malicious scripts via crafted URLs. Successful exploitation requires victim interaction (clicking a malicious link). The vulnerability enables scope change (S:C), allowing attackers to execute JavaScript in the context of another user's session, potentially leading to session hijacking, credential theft, or site defacement. EPSS score of 0.09% (26th percentile) suggests low observed exploitation in the wild, and no public exploit code or CISA KEV listing identified at time of analysis.
Reflected cross-site scripting (XSS) in ViperBar WordPress plugin versions up to 2.0 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack security researchers, this network-exploitable vulnerability has a low EPSS score (0.09%, 26th percentile) indicating minimal observed exploitation activity. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable component, enabling session hijacking or privilege escalation within WordPress installations.
Reflected cross-site scripting in the Migrate Posts WordPress plugin (versions ≤1.0) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted requests. Attack requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling social engineering vectors such as malicious links in phishing emails. Exploitation probability is low (EPSS 0.09%, 26th percentile) with no public exploit identified at time of analysis. Patchstack vulnerability database confirms the flaw but patch status requires verification with plugin maintainers.
Reflected cross-site scripting (XSS) in Authors Autocomplete Meta Box WordPress plugin versions up to 1.2 allows remote attackers to execute arbitrary JavaScript in victim browsers. Exploitation requires user interaction - a logged-in administrator or editor must click a malicious link. While CVSS rates this 7.1 (High) due to changed scope, the EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation. No active exploitation confirmed; no CISA KEV listing.
Stored Cross-Site Scripting (XSS) in WordPress Staff Directory Plugin (Company Directory) versions up to 4.3 allows remote unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers. The CVSS 7.1 score reflects Changed scope (S:C), indicating the injected script can operate outside the vulnerable component's security context. EPSS probability is low (0.09%, 26th percentile) with no confirmed active exploitation. Patchstack database identifies this as a stored XSS variant, meaning the malicious payload persists in the WordPress database and triggers whenever affected pages are viewed.