AhnLab EPP 1.0.15 is vulnerable to SQL Injection via the "preview parameter.". Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Path traversal in Apache Tomcat versions 9.x through 11.x allows authenticated attackers to bypass security constraints protecting /WEB-INF/ and /META-INF/ directories when URL rewriting rules manipulate query parameters. Successful exploitation combined with enabled PUT requests enables remote code execution through malicious file upload. Apache Security Team confirms publicly available exploit code exists. The vulnerability stems from a regression in the fix for bug 60013, where URL normalization occurs before decoding, creating an exploitable window in specific rewrite configurations.
Buffer overflow in Tenda CH22 router firmware 1.0.0.1 allows authenticated attackers on the adjacent network to execute arbitrary code with high impact to confidentiality, integrity, and availability. The vulnerability exists in the fromSetIpBind function accessible via /goform/SetIpBind endpoint when processing the 'page' parameter. A public proof-of-concept exploit has been published on GitHub, lowering the barrier to exploitation, though no active exploitation has been confirmed by CISA KEV at time of analysis.
Cross-Site Request Forgery (CSRF) vulnerability in Andrea Landonio CloudSearch cloud-search allows Stored XSS.This issue affects CloudSearch: from n/a through <= 3.0.0.
Cross-Site Request Forgery (CSRF) vulnerability in NikanWP NikanWP WooCommerce Reporting wc-reports-lite allows Stored XSS.This issue affects NikanWP WooCommerce Reporting: from n/a through <= 1.0.0.
Cross-Site Request Forgery (CSRF) vulnerability in iseremet Reloadly reloadly-topup-widget allows Stored XSS.This issue affects Reloadly: from n/a through <= 2.0.1.
Cross-Site Request Forgery (CSRF) vulnerability in Eduard Pinuaga Linares Did Prestashop Display did-prestashop-display allows Stored XSS.This issue affects Did Prestashop Display: from n/a through <= 1.0.30.
Cross-Site Request Forgery (CSRF) vulnerability in Mejar WP Business Hours wp-business-hours allows Stored XSS.This issue affects WP Business Hours: from n/a through <= 1.4.
Cross-Site Request Forgery (CSRF) vulnerability in Prakash Awesome Testimonials awesome-testimonials allows Stored XSS.This issue affects Awesome Testimonials: from n/a through <= 2.2.1.
Cross-Site Request Forgery (CSRF) vulnerability in digitaldonkey Multilang Contact Form multilang-contact-form allows Stored XSS.This issue affects Multilang Contact Form: from n/a through <= 1.5.
Cross-site request forgery enables stored XSS injection in WordPress Pricing Table builder plugin versions up to 1.5.3. Remote unauthenticated attackers can trick authenticated WordPress administrators into executing malicious requests that inject persistent JavaScript payloads into pricing table configurations. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. The changed scope (S:C) in CVSS vector indicates potential for broader site compromise beyond the plugin's security context.