On 70mai Dash Cam 1S devices, by connecting directly to the dashcam's network and accessing the API on port 80 and RTSP on port 554, an attacker can bypass the device authorization mechanism from the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in ryan_xantoo Map Contact allows Stored XSS.0.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in shawfactor LH OGP Meta allows Stored XSS.73. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in bbodine1 cTabs allows Stored XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in alphaomegaplugins AlphaOmega Captcha & Anti-Spam Filter allows Stored XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in ProRankTracker Pro Rank Tracker allows Stored XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in hotvanrod AdSense Privacy Policy allows Stored XSS.1.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) enables stored cross-site scripting (XSS) in WordPress Admin Bar Improved plugin versions up to 3.3.5, allowing attackers to trick authenticated administrators into executing malicious code that persists in the WordPress admin interface. The vulnerability chains CSRF with stored XSS, enabling attackers to inject scripts that execute whenever any user accesses affected admin pages. EPSS exploitation probability is low (0.08%, 24th percentile), no active exploitation confirmed via CISA KEV, and Patchstack has documented this vulnerability with attack chain details.
CSRF vulnerability in CallPhone'r WordPress plugin through version 1.1.1 enables attackers to trick authenticated administrators into executing malicious requests that inject persistent XSS payloads into the application. This chained attack bypasses CSRF protections, allowing stored cross-site scripting that executes in victim browsers. The vulnerability requires user interaction (tricking an admin to click a malicious link) but needs no authentication from the attacker's perspective. EPSS probability of 0.08% (24th percentile) indicates low observed exploitation in the wild, with no CISA KEV listing or public POC identified at time of analysis.
Cross-Site Request Forgery in Contact Form 7 Material Design plugin versions up to 1.0.0 allows attackers to trick authenticated administrators into executing malicious requests that inject persistent JavaScript, achieving Stored XSS. CVSS 7.1 reflects the changed scope (S:C) and multi-stage attack requiring user interaction. EPSS score of 0.08% (24th percentile) indicates low probability of mass exploitation, with no evidence of active exploitation (not in CISA KEV) or public POC at time of analysis. This CSRF-to-XSS chain targets WordPress site administrators.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alphasis Related Posts via Categories allows Stored XSS.1.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in mendibass Browser Address Bar Color allows Stored XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in Igor Yavych Simple Rating allows Stored XSS.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Stored cross-site scripting in Banner Manager WordPress plugin through version 16.04.19 is achievable via CSRF attack vector, allowing attackers to inject malicious scripts that execute in victim administrators' browsers. The vulnerability chains a CSRF weakness (CWE-352) with XSS payload injection, enabling attackers to compromise admin sessions by tricking authenticated users into visiting attacker-controlled pages. No public exploit identified at time of analysis, with EPSS indicating 0.04% exploitation probability (12th percentile), suggesting low observed threat actor interest despite the cross-scope impact and network attack vector.
Stored Cross-Site Scripting can be injected into Custom Script Integration for WordPress via Cross-Site Request Forgery attack affecting versions up to and including 2.1. Attackers can trick authenticated administrators into submitting malicious script payloads that persist in the site database and execute in victims' browsers. EPSS score of 0.04% (12th percentile) indicates low automated exploitation likelihood, and no active exploitation or public exploit code has been identified at time of analysis, though the vulnerability has been publicly documented by Patchstack.
Cross-site request forgery (CSRF) in CAS Maestro WordPress plugin versions up to 1.1.3 enables attackers to chain CSRF with stored XSS, allowing malicious scripts to be persistently injected into the application. Attackers trick authenticated administrators into executing forged requests that store malicious payloads, which then execute in victims' browsers with administrator privileges. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed in CISA KEV. This WordPress plugin vulnerability requires social engineering to exploit but achieves scope change (S:C) allowing cross-context attacks once the stored XSS payload is injected.
Stored cross-site scripting (XSS) in jQuery Dropdown Menu WordPress plugin (versions up to 3.0) can be triggered via CSRF, allowing remote unauthenticated attackers to inject malicious scripts into the application when an authenticated administrator is tricked into submitting a crafted request. The vulnerability chains CSRF (CWE-352) with stored XSS, enabling persistent code execution in victim browsers with changed origin scope (S:C in CVSS vector). EPSS probability is low (0.04%, 12th percentile) indicating limited observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.
Cross-site request forgery in ANAC XML Render WordPress plugin versions through 1.5.7 enables stored cross-site scripting attacks. Remote unauthenticated attackers can trick authenticated administrators into executing malicious requests that inject persistent JavaScript payloads into the site. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.
CSRF vulnerability in WordPres 同步微博 WordPress plugin enables stored XSS attacks against site administrators. Unauthenticated remote attackers can craft malicious pages that trick authenticated administrators into executing attacker-controlled JavaScript stored in the WordPress database, leading to account compromise, content manipulation, or site takeover. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified at time of analysis.
Cross-Site Request Forgery (CSRF) vulnerability in kornelly Translator allows Stored XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in coderscom WP Odoo Form Integrator allows Stored XSS.1.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in mandegarweb Replace Default Words allows Stored XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in Anthony WordPress SQL Backup allows Stored XSS.5.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in DEJAN CopyLink allows Stored XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability classified as critical has been found in Digiwin ERP 5.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability has been found in mingyuefusu 明月复苏 tushuguanlixitong 图书管理系统 up to d4836f6b49cd0ac79a4021b15ce99ff7229d4694 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A stack-based buffer overflow vulnerability (CWE-121) in the profile parser of FortiSandbox version 3.2.2 and below, version 3.1.4 and below may allow an authenticated attacker to potentially execute. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smartredfox Pretty file links allows Stored XSS.9. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Z.com byGMO GMO Font Agent allows Stored XSS.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aryan Themes Clink allows DOM-Based XSS.2.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS.2.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iografica IG Shortcodes allows DOM-Based XSS.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tstafford include-file allows Stored XSS. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in samsk Include URL allows Stored XSS.3.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Script in Attributes in a Web Page vulnerability in Forcepoint Email Security (Blocked Messages module) allows Stored XSS.5.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixeline issuuPress allows Stored XSS.3.2. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in avaibook AvaiBook allows Stored XSS.2. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benedikt Mo BMo Expo allows Stored XSS.0.15. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cristian Sarov Upload Quota per User allows Stored XSS.3. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zeitwesentech Beautiful Link Preview allows Stored XSS.5.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MorganF Weather Layer allows Stored XSS.2.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atikul AI Preloader allows Stored XSS.0.2. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codetoolbox My Bootstrap Menu allows Stored XSS.2.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly Login Redirect allows Stored XSS.0.5. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jenst Mobile Navigation allows Stored XSS.5. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mrdenny My Default Post Content allows Stored XSS.7.3. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Message ticker allows Stored XSS.3. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rachel Cherry wA11y - The Web Accessibility Toolbox allows Stored XSS.0.3. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Logan Carlile Easy Page Transition allows Stored XSS.0.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.