Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com Custom Post Type Attachment custom-post-type-pdf-attachment allows Stored XSS.This issue affects Custom Post Type Attachment: from n/a through <= 3.4.6.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Tadlock Query Posts query-posts allows Stored XSS.This issue affects Query Posts: from n/a through <= 0.3.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ben Huson WP Geo wp-geo allows Stored XSS.This issue affects WP Geo: from n/a through <= 3.5.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WeblineIndia Popular Posts by Webline popular-posts-by-webline allows Stored XSS.This issue affects Popular Posts by Webline: from n/a through <= 1.1.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maarten Links shortcode links-shortcode allows Stored XSS.This issue affects Links shortcode: from n/a through <= 1.8.3.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magicoders ACF Recent Posts Widget acf-recent-posts-widget allows Stored XSS.This issue affects ACF Recent Posts Widget: from n/a through <= 5.9.3.
DOM-based cross-site scripting (XSS) in RexTheme WP VR WordPress plugin up to version 8.5.48 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers with site-wide scope. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability equally. Exploitation requires valid WordPress account credentials but carries moderate real-world risk given the low EPSS score (0.02%) and authenticated requirement despite the CVSS 6.5 rating.
DOM-based cross-site scripting (XSS) in RomanCode MapSVG WordPress plugin versions up to 8.7.22 allows remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of web sessions. Although the CVSS score is 6.1 (medium), the EPSS exploitation probability is very low at 0.02%, and no public exploit code or active exploitation has been identified; this suggests the practical attack likelihood is minimal despite the moderate CVSS rating.
DOM-based cross-site scripting (XSS) in Marquee Addons for Elementor WordPress plugin versions through 3.8.2 allows remote attackers to inject malicious scripts through improper input neutralization during web page generation. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected websites. While CVSS scores 6.1 (medium), the 0.02% EPSS percentile indicates low real-world exploitation probability despite public awareness.
Stored cross-site scripting (XSS) in WPClever WPC Smart Messages for WooCommerce plugin versions up to 4.2.8 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity through script injection, with a CVSS score of 5.4 reflecting moderate risk; however, the 0.02% EPSS score indicates minimal real-world exploitation probability at time of analysis, and no public exploit code or active exploitation has been confirmed.
DOM-based cross-site scripting (XSS) in King Addons for Elementor plugin versions up to 51.1.61 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers when they interact with affected pages. The vulnerability requires user interaction (clicking a link) and affects the confidentiality and integrity of website content, with an EPSS score of 0.02% indicating low real-world exploitation probability despite the moderate CVSS rating of 5.4.
A weakness has been identified in Hasleo Backup Suite up to 5.2. Impacted is an unknown function of the component HasleoImageMountService/HasleoBackupSuiteService. This manipulation causes unquoted search path. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been made available to the public and could be exploited. Upgrading the affected component is advised.
Command injection in D-Link DI-7001 MINI firmware versions 19.09.19A1 and 24.04.18B1 allows authenticated remote attackers to execute arbitrary commands via the cmd parameter in /msp_info.htm. The vulnerability has a public exploit available, though the extremely low CVSS score (2.1) and EPSS percentile (24th) indicate limited real-world exploitability despite network accessibility, as exploitation requires valid login credentials and results in low-impact information disclosure rather than system compromise.
Remote code execution in Shiyi Blog up to version 1.2.1 allows authenticated remote attackers to execute arbitrary code via unsafe deserialization in the Job Handler component (SysJobController.java). The CVSS score of 2.1 reflects required authenticated access and limited scope, but the combination of public exploit availability, demonstrated deserialization flaw, and network accessibility creates moderate operational risk despite the low severity rating.
LearnHouse allows authenticated remote users to upload arbitrary files via unrestricted manipulation of the thumbnail parameter in the Course Thumbnail Handler endpoint (/api/v1/courses/), enabling potential malicious file storage and execution. The vulnerability affects all versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca, with publicly available exploit code disclosed despite vendor non-response to early notification. While CVSS is low (2.1) and EPSS exploitation probability is minimal (0.06%), the presence of public exploits and authentication-only barrier warrants prioritization in environments where account compromise or insider risk is elevated.
Unrestricted file upload in Bdtask Flight Booking Software up to version 3.1 via the Package Information Module endpoint /b2c/package-information allows authenticated remote attackers to upload arbitrary files with low confidentiality and integrity impact. Publicly available exploit code exists; the vulnerability carries a low CVSS score (2.1) due to requiring prior authentication and limited scope, but the ease of exploitation (AC:L, public POC) and vendor non-responsiveness elevate practical risk for deployed instances.
Path traversal in givanz Vvveb up to 1.0.7.3 allows authenticated remote attackers to manipulate the File argument in the Code Editor's sanitizeFileName function, enabling unauthorized file system access with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS score of 0.05% suggests limited real-world exploitation despite the availability of proof-of-concept.
LearnHouse allows authenticated remote attackers to access unauthorized student assignment files through improper control of resource identifiers in the Student Assignment Submission Handler API endpoint, enabling information disclosure of sensitive academic materials. The vulnerability affects all versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca, with publicly available exploit code disclosed. EPSS exploitation probability is 0.04% (13th percentile), indicating low real-world exploitation likelihood despite public POC availability.
Reflected cross-site scripting (XSS) in code-projects E-Commerce Website 1.0 allows remote attackers to inject malicious scripts via the prod_name, prod_desc, or prod_cost parameters in /pages/product_add.php. The vulnerability requires user interaction (UI:P per CVSS 4.0) but can be exploited remotely without authentication. Publicly available exploit code exists, though EPSS scoring (0.04%, percentile 11%) indicates low real-world exploitation probability despite public POC availability.
Reflected cross-site scripting (XSS) in code-projects E-Commerce Website 1.0 allows remote attackers to inject malicious scripts via the supp_name and supp_address parameters in /pages/supplier_add.php. The vulnerability requires user interaction (clicking a crafted link) but enables session hijacking, credential theft, and malware distribution. Publicly available exploit code exists; however, the EPSS score of 0.04% (11th percentile) indicates exploitation remains uncommon despite disclosure, likely due to limited deployment of this niche e-commerce platform.
Cross-site request forgery (CSRF) in ajayrandhawa User-Management-PHP-MYSQL allows remote attackers to perform unauthorized actions via crafted requests, requiring user interaction (UI:P). Publicly available exploit code exists, but the extremely low EPSS score (0.04%, 11th percentile) and vendor non-responsiveness suggest limited real-world exploitation despite public POC availability. CVSS 2.1 reflects low integrity impact and user-interaction requirement.
Authorization bypass in Bdtask Pharmacy Management System up to version 9.4 allows authenticated remote attackers to manipulate user profile data via the /user/edit_user/ endpoint, escalating privileges or modifying other users' accounts without proper access controls. The vulnerability has publicly available exploit code and affects the User Profile Handler component, though vendor response to disclosure has been absent.
Cross-site scripting (XSS) in Simple Food Ordering System 1.0 allows remote attackers to inject malicious scripts via unsanitized input parameters (pname, category, price) in the /editproduct.php endpoint. The vulnerability requires user interaction (UI:P) but carries low integrity impact and has publicly available exploit code; EPSS probability remains minimal (0.03%) despite public POC availability, suggesting limited real-world adoption or exploitation barriers.
Stored cross-site scripting (XSS) in Simple Food Ordering System 1.0 allows remote attackers to inject malicious scripts via the cname parameter in /addcategory.php, which are executed in the browsers of users viewing affected content. The vulnerability requires user interaction (UI:P) to exploit but has a public proof-of-concept available. Despite the low CVSS score (2.1) and minimal EPSS percentile (10%), the combination of remote network access and public exploit code necessitates prompt patching to prevent account compromise and session hijacking.
Stored cross-site scripting (XSS) in Simple Food Ordering System 1.0 allows remote attackers to inject malicious scripts through the pname, category, or price parameters in /addproduct.php, requiring user interaction to trigger payload execution. Public exploit code is available, and the vulnerability carries low severity (CVSS 2.1) due to the requirement for user interaction and limited scope of impact.
Reflected cross-site scripting (XSS) in Simple Food Ordering System 1.0 via the pname parameter in /editcategory.php allows remote attackers to inject malicious JavaScript that executes in users' browsers with minimal user interaction. The vulnerability requires user interaction (clicking a malicious link) but has low technical complexity and publicly available exploit code, though active exploitation remains unconfirmed and real-world impact is limited by the low EPSS score of 0.03% despite public POC availability.
Information disclosure in LearnHouse Image Handler component allows authenticated remote attackers to access sensitive data via the image handling functionality. The vulnerability affects all versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca, with publicly available exploit code documented. Due to LearnHouse's rolling-release model, specific patched version numbers are unavailable, and the vendor has not responded to disclosure attempts.
Reflected cross-site scripting (XSS) in Simple E-Banking System 1.0 allows remote attackers to inject malicious scripts via the Username parameter in /eBank/register.php. The vulnerability requires user interaction (clicking a malicious link) but has low impact on confidentiality and integrity. Publicly available exploit code exists, though EPSS scoring (0.03%, 10th percentile) suggests limited real-world exploitation despite XSS being a common attack vector.
Cross-site scripting (XSS) in Chatwoot up to version 4.7.0 allows remote attackers to inject malicious scripts via the Link argument in the IframeLoader.vue Admin Interface component, requiring user interaction to trigger. The vulnerability has a low CVSS score (2.1) and EPSS percentile (10%) but publicly available exploit code exists, indicating the attack is straightforward to execute once a victim clicks a crafted link.
Unauthenticated authenticated users can disclose sensitive information through an unknown function in UserApiController.java in atjiu pybbs up to version 6.0.0 via remote network access. The vulnerability has a CVSS score of 2.1 with low confidentiality impact and publicly available exploit code, but extremely low real-world exploitation probability (EPSS 0.03%, 8th percentile) and requires authenticated access, limiting practical risk despite public POC availability.
SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to manipulate the contestant_id parameter in /edit_contestant.php, resulting in limited confidentiality, integrity, and availability impact. The vulnerability has a publicly available exploit and low EPSS score (0.03%), suggesting it poses minimal real-world risk despite public exploit availability.
SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to manipulate the fullname parameter in /add_contestant.php, enabling database queries with limited data access. The vulnerability has low real-world risk despite public exploit availability, as it requires valid user authentication and produces only limited information disclosure (CVSS 2.1, EPSS 0.03%), though organizations running this application should apply fixes promptly to eliminate the attack vector entirely.
SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to manipulate the fullname parameter in /add_judge.php, enabling limited data extraction with low confidentiality impact. The CVSS 2.1 score reflects the authentication requirement and bounded scope, but publicly available exploit code exists; however, the 0.03% EPSS percentile indicates minimal real-world exploitation probability despite public POC availability.
SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the content parameter in /ajax/action.php, resulting in limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS scoring (0.03%) suggests minimal real-world exploitation despite public POC availability. The vulnerability requires prior authentication, significantly limiting practical attack surface.
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/actions/check-attendance.php, resulting in limited confidentiality and integrity compromise. The vulnerability requires valid administrator credentials, has publicly available exploit code, but carries very low real-world risk with an EPSS score of 0.03% due to authentication requirements and limited impact scope (CVE4.0 vector shows only partial confidentiality/integrity loss, no availability impact).
SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the judge_id parameter in /edit_judge.php, with publicly available exploit code demonstrating the vulnerability. The low CVSS score (2.1) reflects limited confidentiality impact and required authentication, but the SQL injection itself is a high-severity vulnerability class that could enable data exfiltration or modification depending on database permissions and downstream query construction.
SQL injection in code-projects Online Event Judging System 1.0 via the crit_id parameter in /edit_criteria.php allows authenticated remote attackers to manipulate database queries with low confidentiality and integrity impact. Exploitation requires valid user authentication but can be executed remotely with no user interaction. Publicly available exploit code exists; however, the EPSS score of 0.03% (8th percentile) indicates this vulnerability has minimal real-world exploitation probability despite public disclosure.
SQL injection in code-projects Client Details System 1.0 allows authenticated remote attackers to manipulate the ID parameter in clientdetails/welcome.php, enabling database queries with limited scope impact. CVSS 2.1 reflects low severity due to authentication requirement (PR:L) and limited confidentiality/integrity exposure (VC:L/VI:L), though publicly available exploit code exists and EPSS scoring (0.03%, 8th percentile) indicates minimal real-world exploitation likelihood despite public POC availability.
SQL injection in code-projects Automated Voting System 1.0 allows authenticated remote attackers to manipulate the Username parameter in /admin/user.php, enabling unauthorized database queries with limited confidentiality and integrity impact. The vulnerability requires valid login credentials (PR:L) and has publicly available exploit code, though real-world exploitation risk is minimal given the CVSS 2.1 score and 0.03% EPSS percentile.
Unrestricted file upload in Bdtask Flight Booking Software up to version 3.1 allows authenticated remote attackers to upload arbitrary files via the /admin/transaction/deposit endpoint. The vulnerability requires valid user credentials (PR:L in CVSS vector) but grants attackers capability to upload files with minimal scope impact. Public exploit code is available, though the very low EPSS score (0.02%) and lack of CISA KEV listing suggest limited real-world exploitation despite disclosure.
Authentication bypass in code-projects Client Details System 1.0 allows authenticated remote attackers to gain unauthorized access to protected functionality via an unknown vector. The vulnerability has publicly available exploit code but is rated low-risk due to CVSS 2.1 score and 0.01% EPSS, indicating limited real-world exploitation potential despite remote attack capability.
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/actions/remove-announcement.php, enabling unauthorized database query execution with limited confidentiality and integrity impact. Publicly available exploit code exists, but EPSS exploitation probability is extremely low (0.01th percentile), suggesting the vulnerability requires authenticated access and offers minimal real-world payoff despite network accessibility.
OS command injection in D-Link DAP-2695 firmware 2.00RC13 allows high-privileged remote attackers to execute arbitrary commands through the Firmware Update Handler function sub_4174B0. The vulnerability carries a low real-world risk despite network-accessible attack vector due to requiring administrative credentials (PR:H) and affecting only end-of-life hardware. Publicly available exploit code exists, though EPSS exploitation probability remains minimal at 0.09th percentile.
Unrestricted file upload in ajayrandhawa User-Management-PHP-MYSQL allows high-privilege attackers to upload arbitrary files via the image parameter in /admin/edit-user.php. Exploitation requires administrator credentials but publicly available exploit code exists. With an EPSS score of 0.06% and no active exploitation confirmed in CISA KEV, real-world risk is minimal despite the remote attack vector.
Willow CMS up to version 1.4.0 allows high-privilege authenticated users to upload arbitrary files via an unrestricted file upload vulnerability in the /admin/images/add endpoint. The CVSS 2.0 score reflects the requirement for high-privilege authentication (PR:H), but public exploit code availability combined with low EPSS (0.05th percentile) suggests this is primarily exploitable only by compromised or malicious administrators rather than remote unauthenticated attackers.
SQL injection in SourceCodester Best House Rental Management System 1.0 allows high-privilege remote attackers to manipulate the house_no parameter in the save_house function of /admin_class.php, achieving limited confidentiality and integrity impact. Publicly available exploit code exists but exploitation requires administrative credentials (PR:H), significantly restricting real-world attack surface despite the CVSS 4.0 network vector.
SQL injection in code-projects Food Ordering System 1.0 allows high-privileged remote attackers to manipulate the itemPrice parameter in /admin/menu.php, leading to limited data exposure and modification. The vulnerability requires administrative authentication and has publicly available exploit code, but carries low real-world exploitation risk due to administrative privilege requirement and minimal technical impact (CVSS 2.0, EPSS 0.03%).
SQL injection in code-projects Food Ordering System 1.0 allows remote attackers with high-level administrative privileges to execute arbitrary SQL commands via the itemID parameter in /admin/deleteitem.php. Despite public exploit availability, real-world risk is minimal due to requirement for authenticated administrator access and low CVSS impact scope (CVSS 2.0, EPSS 0.03%). The vulnerability affects only the administrative interface and does not escalate privileges or compromise confidentiality at scale.
SQL injection in SourceCodester Point of Sales 1.0 via the ID parameter in /delete_category.php allows high-privilege remote attackers to manipulate database queries. The vulnerability requires administrative credentials (PR:H) but carries low confidentiality, integrity, and availability impact. Public exploit code exists, though EPSS score (0.03%) suggests limited real-world exploitation despite public availability.
Stored cross-site scripting (XSS) in LearnHouse Account Setting Page allows authenticated users to inject malicious scripts via the /dash/org/settings/previews endpoint, affecting all versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca. An attacker with valid credentials can craft a malicious request that, when viewed by another user (requiring user interaction), executes arbitrary JavaScript in their browser context with potential for data theft or session hijacking. Public exploit code exists, though exploitation requires both login credentials and victim interaction, limiting real-world impact despite the network-accessible vector.