Hard-coded credentials embedded in TP-Link Archer C50 (V3 through V5) and C20 V5 firmware enable attackers with local network access and limited privileges to decrypt configuration files (config.xml), potentially exposing sensitive network settings, credentials, and device state. CVSS 6.9 reflects high confidentiality impact despite local-only attack vector. EPSS score of 0.03% (10th percentile) suggests low real-world exploitation probability, contradicting the publicly disclosed vulnerability mechanics.
Local file inclusion vulnerability in HT Contact Form 7 plugin version 2.0.0 and earlier allows unauthenticated attackers to read arbitrary files from the server filesystem, potentially exposing sensitive configuration files, credentials, and source code. The vulnerability exists in PHP file inclusion/require statements that fail to properly validate or sanitize user-supplied input, enabling attackers to traverse the directory structure and access files outside the intended directory scope. With an EPSS score of 0.14% indicating low exploitation probability despite the technical capability, this vulnerability requires direct web interaction but poses information disclosure risks rather than remote code execution.
CodeSolz Ultimate Push Notifications WordPress plugin through version 1.2.0 contains a missing authorization vulnerability allowing unauthenticated attackers to exploit incorrectly configured access control to bypass security levels and gain unauthorized access to sensitive functionality. The vulnerability is classified as CWE-862 (Missing Authorization) with low exploitation probability (EPSS 0.07%, 22nd percentile), indicating real-world exploitation risk is minimal despite the access control deficiency.
Missing authorization controls in the Internal Linking of Related Contents WordPress plugin (versions up to 1.1.8) allow attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. The vulnerability stems from improper implementation of access controls (CWE-862) and carries a low EPSS score of 0.07% despite the authorization flaw, suggesting limited real-world exploitation probability at time of analysis.
Missing authorization in WPFactory Wishlist for WooCommerce through version 3.2.3 allows unauthenticated attackers to exploit incorrectly configured access controls to perform unauthorized actions on wishlists. The vulnerability stems from broken access control mechanisms (CWE-862) that fail to properly validate user permissions before granting access to sensitive wish-list functionality. With an EPSS score of 0.07% (22nd percentile), real-world exploitation likelihood is currently low, but the issue affects a popular WooCommerce plugin used across numerous e-commerce sites.
Missing authorization controls in WPFactory's Product XML Feed Manager for WooCommerce through version 2.9.2 allow attackers to exploit incorrectly configured access control security levels, potentially exposing sensitive product feed data or enabling unauthorized administrative actions. The vulnerability affects all versions up to and including 2.9.2, with no publicly available exploit code identified at time of analysis, and an EPSS score of 0.07% indicating very low real-world exploitation probability despite the authorization defect.
Missing Authorization vulnerability in activity-log.com Profiler - What Slowing Down Your WP profiler-what-slowing-down allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Profiler - What Slowing Down Your WP: from n/a through <= 1.0.0.
Stored cross-site scripting (XSS) vulnerability in bPlugins LightBox Block WordPress plugin versions 1.1.30 and earlier allows authenticated attackers to inject malicious scripts that execute in the browsers of site administrators and other users viewing affected content. The vulnerability exists in the web page generation process where user input is not properly neutralized before being rendered, enabling persistence of malicious payloads within the WordPress database. No active exploitation has been confirmed, though the low EPSS score (0.04%, 13th percentile) suggests minimal real-world exploitation risk despite the stored nature of the vulnerability.
DOM-based cross-site scripting (XSS) in WPAdverts WordPress plugin versions 2.2.5 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability enables arbitrary JavaScript execution in the context of affected websites, potentially leading to session hijacking, credential theft, or malware distribution. No active exploitation has been confirmed, and EPSS probability remains low at 0.04%.
DOM-based cross-site scripting (XSS) vulnerability in WP Delicious plugin versions 1.8.4 and earlier allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation, enabling stored or reflected XSS attacks against WordPress sites using the affected plugin. No CVSS score or exploitation data is available, but the low EPSS score (0.04%) suggests limited real-world exploitation probability at the time of analysis.
DOM-based cross-site scripting (XSS) in Kyle Gilman Videopack plugin for WordPress (versions up to 4.10.3) allows authenticated attackers to inject malicious scripts into video embed pages. The vulnerability improperly neutralizes user input during web page generation, enabling attackers to execute arbitrary JavaScript in the context of affected video pages. No active exploitation has been confirmed, and the EPSS score of 0.04% indicates minimal probability of exploitation.
Stored cross-site scripting (XSS) in Crocoblock JetSmartFilters WordPress plugin through version 3.6.8 allows attackers to inject persistent malicious scripts that execute in the browsers of site administrators and users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise site integrity and steal sensitive data or session tokens. No public exploit code has been identified at the time of analysis, and the low EPSS score (0.04%, 13th percentile) suggests limited real-world exploitation likelihood despite the high-severity XSS classification.
Stored cross-site scripting (XSS) in Bold Page Builder WordPress plugin through version 5.4.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during page generation, enabling attackers with page creation or editing capabilities to embed persistent XSS payloads. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04th percentile) reflects limited real-world attack probability despite the vulnerability's presence in a widely-installed page builder plugin.
Stored cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin versions 3.5.10.1 and earlier allows attackers to inject malicious scripts that persist in the application and execute in users' browsers when the affected pages are viewed. The vulnerability resides in improper input neutralization during web page generation, enabling attackers with sufficient permissions to store XSS payloads that compromise other users' sessions and data. No public exploit code or active exploitation has been confirmed; however, the low EPSS score (0.04%, 13th percentile) suggests limited real-world attack probability despite the persistent nature of the vulnerability.
Stored XSS vulnerability in Crocoblock JetPopup WordPress plugin up to version 2.0.15.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of site visitors and administrators. The vulnerability exists in web page generation logic where user input is not properly sanitized before being rendered, enabling persistent script injection. Despite low EPSS score (0.04%), stored XSS in WordPress plugins poses significant risk due to broad exposure to site visitors and the potential for session hijacking, credential theft, or privilege escalation when executed in admin contexts.
Improper input neutralization in Crocoblock JetPopup plugin (versions up to 2.0.15) allows DOM-based cross-site scripting (XSS) attacks. The vulnerability enables attackers to inject and execute malicious JavaScript in the context of a web browser when a user interacts with a popup, potentially leading to session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04%, 13th percentile) suggests minimal real-world exploitation likelihood despite the vulnerability being disclosed.
Stored cross-site scripting (XSS) in Crocoblock JetTricks WordPress plugin versions up to 1.5.4.1 allows authenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of other users. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise site visitors. No public exploit code or active exploitation has been identified at the time of analysis.
Stored cross-site scripting in Crocoblock JetBlocks For Elementor plugin versions up to 1.3.19 enables authenticated attackers to inject malicious scripts into web pages that execute in the browsers of site visitors and administrators. The vulnerability resides in improper input sanitization during page generation, allowing persistent XSS payload storage in the WordPress database. No public exploit code has been identified at time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation despite the stored XSS vector.
Stored XSS vulnerability in Crocoblock JetTabs WordPress plugin version 2.2.9 and earlier allows authenticated attackers to inject malicious scripts into web pages, which execute in the browsers of site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling persistent payload storage and site-wide impact. No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%) suggests limited real-world exploitation probability despite the persistent nature of stored XSS.
Stored cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin version 2.7.7 and earlier allows authenticated users to inject malicious scripts into web pages that execute in the browsers of other users viewing the affected content. The vulnerability exists in the plugin's input handling during web page generation, enabling persistent XSS attacks through stored payloads. While no public exploit code has been identified, the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the moderate attack surface of WordPress plugins.
Stored cross-site scripting (XSS) in Easy Elementor Addons WordPress plugin through version 2.2.5 allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or website functionality. The vulnerability affects the plugin's web page generation process and has been confirmed by security researchers at Patchstack, though no evidence of active exploitation or public exploit code is documented.
Stored XSS in Parakoos Image Wall WordPress plugin through version 3.1 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising admin accounts or stealing session data. The vulnerability resides in improper input sanitization during web page generation, affecting a plugin with low real-world exploitation probability (EPSS 0.04%) but representing a functional security flaw in plugin logic.
Stored cross-site scripting (XSS) in CyberChimps Responsive Addons for Elementor versions up to 1.7.3 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors, enabling credential theft, malware distribution, or website defacement. The vulnerability requires user interaction and affects WordPress installations using this plugin; exploitation probability is low (EPSS 0.04%) but impact is moderate given the stored nature of the attack.
Cross-site request forgery (CSRF) in BlocksWP Theme Builder For Elementor plugin versions through 1.2.3 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability lacks a published CVSS score and shows minimal exploitation probability (0.02% EPSS), with no public exploit code or active exploitation reported, suggesting limited real-world risk despite the security-conscious WordPress ecosystem.
Cross-site request forgery (CSRF) in the RelyWP Coupon Affiliates WordPress plugin (woo-coupon-usage) through version 6.4.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the plugin's coupon management functionality and requires user interaction (tricking an admin into visiting a malicious page), but carries negligible real-world exploitation probability per EPSS scoring (0.02%, 6th percentile).
Stored cross-site scripting in Affiliate Reviews plugin for WordPress (versions up to 1.0.6) allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript via the 'numColumns' parameter, which executes in the browsers of any user viewing the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the block-reviews-grid-style.php template. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting (XSS) in the Brandfolder WordPress plugin up to version 5.0.19 allows authenticated attackers with Contributor-level permissions or above to inject arbitrary JavaScript via the 'id' parameter, which executes in the browser context of any user accessing the affected page. The vulnerability stems from insufficient input sanitization and output escaping. No public exploit code or active exploitation has been confirmed at the time of analysis; however, the low attack complexity and requirement only for Contributor-level authentication make this a practical risk in multi-user WordPress environments. A patched version (5.0.20) is available from the vendor.
In Eclipse GlassFish versions before 8.0.3 it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Stored cross-site scripting (XSS) in Welcart e-Commerce WordPress plugin versions 2.11.16 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or customer data. The vulnerability exists in the web page generation process where user input is not properly sanitized before being stored and rendered to other users. No public exploit code or active exploitation has been confirmed, but the low EPSS score (0.04%) suggests limited real-world attack probability despite the XSS classification.
News Kit Elementor Addons WordPress plugin version 1.3.4 and earlier contains a missing authorization vulnerability that allows attackers to exploit incorrectly configured access control, potentially bypassing security restrictions on protected functionality. The vulnerability stems from improper access control checks and affects a widely-distributed WordPress plugin used for news content management within Elementor page builder environments. While CVSS scoring is unavailable, the EPSS score of 0.07% indicates low real-world exploitation probability at time of analysis, and no public exploit code or active exploitation has been confirmed.
Missing authorization controls in Chatbox Manager WordPress plugin versions 1.2.5 and earlier allow unauthenticated or low-privileged attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of role-based access checks, potentially enabling unauthorized users to access or modify sensitive chatbox functionality. With an EPSS score of 0.05% and no evidence of active exploitation, this is a lower-priority vulnerability suitable for routine patching cycles.
Cross-site request forgery (CSRF) in Restaurant Menu by MotoPress WordPress plugin versions up to 2.4.6 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting malicious web pages. The vulnerability affects the plugin's core request handling and lacks CVSS score data, but EPSS analysis indicates low exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been identified.
Erik AntiSpam for Contact Form 7 plugin versions through 0.6.3 fails to implement proper CSRF token validation, allowing attackers to forge requests that modify plugin settings or trigger unintended actions on behalf of authenticated administrators. The vulnerability affects WordPress installations with this plugin active, though the extremely low EPSS score (0.02%) suggests practical exploitation barriers or limited real-world impact despite the CVSS categorization.
Missing authorization controls in themeisle Hestia WordPress theme through version 3.2.10 allow unauthenticated attackers to access functionality that should be restricted by access control lists, enabling potential unauthorized actions within affected WordPress installations. The vulnerability has a low exploitation probability (EPSS 0.06%) and no confirmed active exploitation or public exploit code at time of analysis.
Missing authorization controls in the Stop and Block Bots plugin (Anti bots) for WordPress through version 1.48 allows attackers to access functionality that should be restricted by access control lists, enabling unauthorized administrative operations without proper authentication. The vulnerability is classified as broken access control (CWE-862) with low exploitation probability (EPSS 0.06%) and no confirmed active exploitation.
Missing authorization controls in enituretechnology Residential Address Detection WordPress plugin versions up to 2.5.9 allow unauthenticated attackers to access restricted functionality by bypassing access control lists. The vulnerability stems from insufficient ACL enforcement, enabling attackers to invoke protected features without proper permission validation. EPSS exploitation probability is low at 0.06%, though the authentication bypass classification indicates practical attack feasibility.
Server-Side Request Forgery (SSRF) in FG Drupal to WordPress plugin versions 3.90.0 and earlier allows remote attackers to make arbitrary HTTP requests from the affected WordPress server, potentially accessing internal services, cloud metadata endpoints, or other backend resources. The vulnerability has an extremely low EPSS score (0.03%, 10th percentile), indicating minimal observed exploitation probability despite public availability of vulnerability details.
Missing authorization controls in QuanticaLabs Cost Calculator WordPress plugin version 7.4 and earlier allow unauthenticated or low-privileged attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability enables attackers to access or modify calculator functionality that should be restricted, with an extremely low exploitation probability (EPSS 0.05%) suggesting minimal real-world attack activity despite the access control weakness.
Missing authorization in SMTP2GO WordPress plugin versions through 1.12.1 allows unauthenticated attackers to exploit incorrectly configured access control mechanisms to bypass authentication and gain unauthorized access to SMTP2GO functionality. The vulnerability stems from broken access control rather than a cryptographic or input validation flaw, enabling attackers to interact with protected endpoints without proper privilege verification. While EPSS scoring indicates low exploitation probability (0.05%, percentile 17%), the nature of access control bypass vulnerabilities means real-world risk depends heavily on what sensitive operations are exposed.
Missing authorization controls in favethemes Houzez WordPress theme through version 4.0.4 allow unauthenticated attackers to bypass access control restrictions and access resources they should not be permitted to view. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before granting access to sensitive functionality. With an EPSS score of 0.05% (17th percentile), real-world exploitation risk is low despite the vulnerability's presence in a popular real estate theme.
Missing authorization controls in the Real Estate Property 2024 Create Your Own Fields and Search Bar WordPress plugin (versions up to 4.48) permit unauthenticated or low-privileged users to access functionality and data intended for higher privilege levels. The vulnerability stems from inadequately configured access control checks on plugin endpoints, allowing attackers to bypass intended security boundaries. With an EPSS score of 0.05% (17th percentile), real-world exploitation risk is minimal, and no public exploit code or active exploitation has been identified.
Missing authorization controls in CreativeMindsSolutions CM Pop-Up banners WordPress plugin versions 1.8.4 and earlier allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of access control checks on sensitive functionality, enabling attackers to perform unauthorized actions through direct API or parameter manipulation without requiring valid credentials or proper authorization validation.
Cross-site request forgery in Xfinitysoft WP Post Hide plugin for WordPress versions 1.0.9 and earlier allows unauthenticated attackers to perform unauthorized actions on behalf of site administrators through malicious web pages, with an EPSS exploitation probability of 0.02% indicating minimal real-world attack likelihood despite the vulnerability's presence.
Cross-site request forgery in WP Swings Wallet System for WooCommerce plugin through version 2.6.7 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious web pages. The vulnerability affects all installations of the plugin up to and including version 2.6.7, with no public exploit code identified at time of analysis, though the low EPSS score (0.02%) suggests minimal real-world exploitation likelihood despite the straightforward attack mechanism.
Cross-site request forgery (CSRF) in Toast Plugins Animator WordPress plugin versions through 3.0.16 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge. The vulnerability affects the scroll-triggered-animations plugin and carries low exploitation probability (EPSS 0.02%, 6th percentile) with no active exploitation confirmed. While CSRF vulnerabilities typically require social engineering to trick users into visiting malicious pages, this issue could be leveraged to modify plugin settings or website content if a site administrator visits an attacker-controlled page.
Cross-site request forgery (CSRF) in Webba Appointment Booking plugin (webba-booking-lite) through version 5.1.20 allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects the WordPress plugin and carries a low exploitation probability (EPSS 0.02%, percentile 6%), with no public exploit code identified at the time of analysis.
Cross-site request forgery in Tribulant Software Newsletters (newsletters-lite) plugin versions up to 4.10 allows attackers to perform unauthorized administrative actions by tricking authenticated users into visiting malicious pages. The vulnerability affects a widely-distributed WordPress plugin with no CVSS vector or CVSS score assigned, though EPSS scoring indicates minimal real-world exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been confirmed.
Cross-Site Request Forgery (CSRF) vulnerability in WesternDeal WooCommerce Google Sheet Connector plugin versions up to 1.3.20 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress administrators. The plugin fails to implement proper CSRF token validation on critical functionality, enabling attackers to craft malicious requests that execute actions without explicit user consent. Although EPSS scoring indicates low exploitation probability (0.02%), CSRF vulnerabilities targeting WordPress admin functions represent a meaningful risk in multi-admin environments where social engineering can trick administrators into visiting attacker-controlled pages.
Blind SQL injection in Cisco Prime Infrastructure and Evolved Programmable Network Manager (EPNM) REST APIs permits authenticated low-privileged remote attackers to extract data from database tables on the affected device. The vulnerability stems from insufficient validation of user-supplied input passed to the affected API endpoints, enabling an attacker to infer database contents through crafted boolean-based or time-based blind injection requests. No public exploit code has been identified and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.