tj-actions/changed-files GitHub Action was compromised in a supply chain attack where modified tags pointed to credential-stealing code, exposing secrets from GitHub Actions workflows across thousands of repositories.
PHP object injection in Booking and Rental Manager for WooCommerce (WordPress plugin) versions up to 2.2.6 allows authenticated attackers with low privileges to execute arbitrary PHP code or manipulate application logic through deserialization of untrusted data. The CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though the low EPSS score (0.23%, 45th percentile) indicates minimal observed exploitation attempts. Patchstack discovered and reported this vulnerability, suggesting patch availability through their advisory.
The Directory Listings WordPress plugin - uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The School Management System - WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Directory Listings WordPress plugin - uListing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Broken access control in Fresh Framework WordPress plugin through version 1.70.0 allows remote unauthenticated attackers to access privileged functionality without proper authorization checks. The vulnerability bypasses authentication requirements (tagged as Authentication Bypass), enabling unauthorized modification of plugin settings or data (high integrity impact) with partial information disclosure. EPSS probability remains low (0.12%, 31st percentile), indicating limited observed exploitation attempts, though the network-accessible attack vector and lack of complexity make exploitation straightforward once discovered.
Blind SQL injection in All In Menu WordPress plugin versions up to 1.1.5 allows authenticated attackers with low-level privileges to extract sensitive database information and potentially cause limited denial of service. The vulnerability's scope change (S:C) indicates potential cross-boundary impact, enabling attackers to access data beyond the plugin's normal authorization scope. No public exploit identified at time of analysis, with low EPSS score (0.12%, 31st percentile) indicating minimal observed exploitation activity in the wild.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent.11.4. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQL injection in FS Poster WordPress plugin version 6.5.8 and earlier allows authenticated attackers with low privileges to extract sensitive database information and potentially cause service disruption. The vulnerability enables cross-scope impact, meaning attackers can access resources beyond their authorized boundary. With a low EPSS score (0.09%, 25th percentile), widespread exploitation is not currently observed, though authenticated exploitation reduces the attack surface compared to unauthenticated flaws. Patchstack has documented this vulnerability, indicating security researcher awareness and potential for proof-of-concept development.
Broken access control in PrivateContent WordPress plugin through version 8.11.5 allows authenticated subscribers to bypass authorization checks and execute high-impact modifications or deletions across the site. Reported by Patchstack security researchers, this vulnerability enables low-privileged users to perform administrative actions they should not have access to. EPSS exploitation probability is low at 0.13% (32nd percentile), and no active exploitation or public exploit code has been identified at time of analysis.
SQL injection in PublishPress Authors plugin (versions ≤4.7.3) allows authenticated high-privilege WordPress administrators to extract database contents and potentially cause denial of service via crafted SQL queries. CVSS vector indicates network-accessible attack with low complexity but requires high-privilege authentication and has changed scope (C:H/I:N/A:L). EPSS score of 0.12% (31st percentile) suggests relatively low probability of exploitation in the wild. No CISA KEV listing or public proof-of-concept identified at time of analysis. Patchstack vulnerability database serves as the primary disclosure source, indicating this was discovered through security research rather than incident response.
The WordPress form builder plugin for contact forms, surveys and quizzes - Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The WP Test Email plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Email Logs in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Reflected cross-site scripting (XSS) in PrivateContent WordPress plugin through version 8.11.5 allows remote attackers to inject malicious JavaScript into victim browsers by crafting specially-formed URLs. The vulnerability requires user interaction (victim must click malicious link) but no authentication. Exploitation probability is low (EPSS 9%, 26th percentile) with no active exploitation confirmed and no CISA KEV listing. Patchstack has documented this vulnerability, indicating security research awareness.
Reflected cross-site scripting (XSS) in WP AntiDDOS WordPress plugin versions through 2.0 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack with CVSS 7.1 due to changed scope, though EPSS score of 0.09% (26th percentile) indicates low observed exploitation probability. No active exploitation confirmed via CISA KEV and no public proof-of-concept identified at time of analysis.
Reflected cross-site scripting in Debug-Bar-Extender WordPress plugin versions through 0.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. This requires user interaction (victim must click a malicious link) but no authentication. Exploitation probability is low (EPSS 0.09%, 26th percentile) with no evidence of active exploitation or public proof-of-concept code at time of analysis. The vulnerability affects a WordPress debugging tool typically used in development environments, reducing real-world exposure.
Reflected cross-site scripting (XSS) in WP Discord Post WordPress plugin versions up to 2.1.0 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious links. Exploitation requires victim interaction (clicking a crafted URL) but no authentication, achieving cross-site scope impact with potential session hijacking and account takeover. Reported by Patchstack's audit team with EPSS exploitation probability at 0.09% (26th percentile), indicating low observed exploitation activity. No CISA KEV listing confirms this remains a theoretical risk rather than widespread active threat.
Reflected cross-site scripting (XSS) in Pre Order Addon for WooCommerce versions through 2.2 allows remote attackers to execute malicious JavaScript in victim browsers via specially crafted URLs. The vulnerability requires victim interaction (UI:R) and enables cross-site scope (S:C) attacks, potentially leading to session hijacking, credential theft, or malicious actions performed in the context of authenticated WooCommerce administrators. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, with no public exploit code or CISA KEV listing identified. This is a typical stored input validation flaw in WordPress plugin development affecting e-commerce environments.
Reflected cross-site scripting (XSS) in Random Image Selector WordPress plugin versions through 2.4 allows remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), enabling attacks via phishing or social engineering. EPSS score of 0.09% (26th percentile) indicates low exploitation probability. No public exploit identified at time of analysis, and vulnerability is not present in CISA KEV, suggesting limited real-world targeting despite medium-high CVSS 7.1.
Reflected cross-site scripting (XSS) in Random Posts, Mp3 Player + ShareButton WordPress plugin through version 1.4.1 allows remote attackers to inject malicious scripts that execute in victim browsers with changed security context (scope change indicated in CVSS). Discovered by Patchstack security audit team. EPSS score of 0.08% (23rd percentile) indicates low current exploitation probability in the wild, and no active exploitation confirmed by CISA KEV. No public exploit code identified at time of analysis, though XSS vulnerabilities typically have low weaponization barriers.